Hi all
The point is that at one time ntlm_auth stopped working on the primary server.
When I test it from the command line it says "No logon server".
I noticed in the logs that there were 10 attempts per minute with wrong
password from one of our routers. When I applied ACL on the router to block
t
Sorry, I made a mistake in the email.
My Cisco sends to RADIUS its IP address and isakmp-group-id (or profile name).
Debug from radius -X :
Cisco-AVPair = "isakmp-group-id=CiscoGroup"
Acct-Session-Id = "61286"
User-Name = "domain\\user"
Cisco-AVPair = "connect-
Hi ,
My Cisco sends to RADIUS its IP address and isakmp-group-id (or profile name).
Debug from radius -X :
Cisco-AVPair = "isakmp-group-id=CiscoGroup"
Acct-Session-Id = "61286"
User-Name = "domain\\user"
Cisco-AVPair = "connect-progress=No Progress"
Acc
As a hint, if you don't implement a rule for a different NT-Domain,
then the rules for that different NT-Domain won't be applied. Because
they don't exist.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Alan, it makes sense. But it doe
Thank you Phil, that's great help, but it still doesn't work as it
should.
Now I don't know how I should adjust the users file :)
I used
if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
	update control {
		Auth-Type := ntlm_auth_
See "man unlang". Put the logic into raddb/sites-available/default,
the "authorize" section.
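Putting that advice into a concrete form: the following is an added example and is not configuration from this thread or from the FreeRADIUS project. It assumes two exec modules named ntlm_auth_vpn and ntlm_auth_vpn2, two assumed AD groups MYDOMAIN\VPN-Group1 and MYDOMAIN\VPN-Group2, the router address 10.1.1.252 used in the thread, and that the Cisco sends the IPsec group as a Cisco-AVPair of the form "isakmp-group-id=<name>", as the radiusd -X output earlier in the thread shows. The routing decision is made in "authorize" with unlang, and the "users" file is no longer involved in choosing the Auth-Type.

```unlang
# raddb/modules/ntlm_auth_vpn  (added example; module name, path and group are assumed)
exec ntlm_auth_vpn {
	wait = yes
	# Escape quotes and whitespace in expanded attributes so that a crafted
	# User-Name cannot split or reorder the argument list.
	shell_escape = yes
	# %{mschap:NT-Domain} / %{mschap:User-Name} split "domain\user" from the
	# User-Name attribute; this also works for PAP requests.  The group check
	# is done by ntlm_auth itself via --require-membership-of.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\VPN-Group1"
}

# raddb/modules/ntlm_auth_vpn2 (assumed): identical except for the AD group.
exec ntlm_auth_vpn2 {
	wait = yes
	shell_escape = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\VPN-Group2"
}

# raddb/sites-available/default: put this in "authorize", before the "files"
# entry, so the "users" file cannot override the decision.
authorize {
	preprocess

	# The router identifies itself with NAS-IP-Address and carries the IPsec
	# group in Cisco-AVPair "isakmp-group-id=<name>".  Cisco-AVPair occurs
	# several times in one request, so expand every instance ([*], see
	# man unlang / doc/variables.txt) and match with a regex.
	if ((NAS-IP-Address == 10.1.1.252) && ("%{Cisco-AVPair[*]}" =~ /isakmp-group-id=Group1/)) {
		update control {
			Auth-Type := ntlm_auth_vpn
		}
		update reply {
			Tunnel-Type = ESP
			Tunnel-Private-Group-ID = "Group1"
		}
	}
	elsif (NAS-IP-Address == 10.1.1.252) {
		# Any other group from this router: second module, second AD group.
		update control {
			Auth-Type := ntlm_auth_vpn2
		}
	}
	# Requests from other NASes get no Auth-Type here and go through the
	# normal modules (mschap, files, ...) of the stock default site.

	files
	# remaining entries of the stock "authorize" section unchanged
}

# Every Auth-Type set above needs a matching block in "authenticate".
authenticate {
	Auth-Type ntlm_auth_vpn {
		ntlm_auth_vpn
	}
	Auth-Type ntlm_auth_vpn2 {
		ntlm_auth_vpn2
	}
	# remaining entries of the stock "authenticate" section unchanged
}
```

Two things to keep in mind with this layout. The "users" file runs in "authorize", so it only sees the request, never the outcome of ntlm_auth; a second DEFAULT entry can therefore never act as a fallback for a failed authentication, which is the point made later in the thread. And with the PAP form used here the clear-text password is passed to ntlm_auth on the command line, where it is visible to every local user in the process list for as long as the helper runs; the MS-CHAP form (--challenge/--nt-response through the mschap module) avoids handing the clear-text password to a child process at all.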
Uh... read the debug output, and look at the files in the "raddb"
directory. The directory has more than *one* file. This should be a
hint that the "users" file doesn't solve everything.
Jevos, Peter wrote:
> Fall-through attribute doesn’t work in this case, cause it is “falling”
> all the time ( even though it matches the condition )
You're not getting what I'm saying. The "users" file does *not* run
during the "authenticate" phase
Jevos, Peter wrote:
> How can I skip to the second DEFAULT if the first DEFAULT doesn't pass?
Use the "Fall-Through" attribute. See comments in the default "users"
file.
> So if request comes from the 10.1.1.2 and user doesn’t pass through
> authenticati
Hi
How can I skip to the second DEFAULT if the first DEFAULT doesn't pass?
So if a request comes from 10.1.1.2 and the user doesn't pass through
authentication, it should be forwarded to another DEFAULT (with the
vpn_auth_name authentication).
Now it stops at the first DEFAULT.
DEFAULT
On 04/11/10 16:15, Jevos, Peter wrote:
> Thanks for your reply, however as you can see from my previous posts, I did it:
Frankly I find your posts confusing; your email client doesn't quote
properly and mangles the text wrapping, so I had no way to be sure.
Post full debug output o
On 04/11/10 15:52, Jevos, Peter wrote:
>>
>
> Dear Phil , thank you ,
> I removed the Fall-Through parameter, it works partially: when a user comes
> from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1,
> it takes the Auth-Type := ntlm_auth_vpn (which is wrong)
>
> Cisco-AVpair += "2nd:attribute"
>
> This is documented in the manpage and docs.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> Thank you, it helped but it still doesn't work as I wished:
>
> All I need is:
> When request comes from 10.1.1.252 and Tu
On 04/11/10 10:41, Jevos, Peter wrote:
> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
> Tunnel-Type = "ESP",
> Tunnel-Private-Group-ID = "Group1",
> Tunnel-Password = "cisco",
> Cisco-Avpair="ipsec:dns-servers=10.1.1.6 1
Hi, I tried to set up the configuration from different sources on the
web, but it's not easy.
I have a Cisco VPN access server with several IPsec profiles (groups).
They should be authenticated against FreeRADIUS.
One profile called Group1 should be authenticated against ntlm_auth_vpn
( alread
>However it doesn't work, because every request matches only the first DEFAULT
>statement, despite coming from a different NAS-IP-Address than
>10.1.1.1
>
>Do you know why this happens?
Because, as documented, your MATCH statements must all be on the first line. The
second li
Hi
I have two DEFAULT statements at the end of the users file:
DEFAULT Auth-Type := ntlm_auth_vpn_comp
NAS-IP-Address == 10.1.1.1,
Service-Type = Framed-User,
Framed-Protocol = PPP,
}
Quite simple and works great here for some other modules (SQL).
Hope it helps.
Original message
>Date: Fri, 23 Jul 2010 18:45:30 +0200
>From:
freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.or
g (on behalf of "Jevos, Peter" )
>Subject: How to set prope
Hi guys
I'm really trying but it's not easy to find something in the
documentation.
I have 2 modules ntlm_auth_vpn1/2 and I would like to do failover.
I tried this but I was not successful:
In the modules I have 2 files, ntlm_auth_vpn1 and ntlm_auth_vpn2
In the sites-available/default I have:
> > I have in the modules/ntlm_auth_vpn command:
there is another way too.
simply make a second copy of that module, e.g. have
ntlm_auth_vpn1
and
ntlm_auth_vpn2
(each configured with what you want/need)
and then read: http://wiki.freeradius.org/Fail-over
you can then have this sort of thi
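The Fail-over wiki page recommends a "redundant" block, and there is one detail specific to ntlm_auth that decides whether such a block ever reaches the second module. The following is an added example, not configuration from this thread or from the FreeRADIUS project; it assumes the two module names ntlm_auth_vpn1 and ntlm_auth_vpn2 from the message above and an Auth-Type called ntlm_auth_vpn.

```unlang
# raddb/sites-available/default, "authenticate" section (added example).
#
# rlm_exec with wait = yes turns the program's exit status into a module
# return code: 0 = ok, 1 = reject, 2 = fail, anything else = fail (see the
# comments in raddb/modules/exec).  ntlm_auth exits 1 for every failure,
# whether the password was wrong or winbind answered "No logon server", so
# the module returns "reject" in both cases.  A "redundant" block only moves
# on to its next entry on "fail", which is why a plain
#     redundant { ntlm_auth_vpn1 ntlm_auth_vpn2 }
# never tries ntlm_auth_vpn2.  Overriding the action for "reject" on the
# first module (a priority number instead of the default "return") makes the
# redundant block try the second module after a reject.
authenticate {
	Auth-Type ntlm_auth_vpn {
		redundant {
			ntlm_auth_vpn1 {
				reject = 1
			}
			ntlm_auth_vpn2
		}
	}
}
```

The price of this is that every wrong password is now also sent to the second back end, so a bad-password attempt is counted twice against the AD lockout policy, and a source that hammers the server, like the router with ten wrong passwords a minute in the first message of the thread, does so against both. Only use it when the two modules really talk to different winbind instances or domains; if they share one winbindd, winbind already discovers and switches domain controllers itself, and "No logon server" is a winbind problem to fix there rather than something a second exec module can work around.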
> I have in the modules/ntlm_auth_vpn command:
..
> Is it possible to add another command ( with different domain ) and to
> add OR in order to choose which one will pass ?
>
> Something like this:
>
> exec ntlm_auth_vpn {
>program = "/usr/bin/ntlm_auth --request-nt-key
> --domain
Hi
I have in the modules/ntlm_auth_vpn command:
exec ntlm_auth_vpn {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=domain1"
}
> Is it possible to display type of authentication ( Auth-type ) that
the
> clients used during the authentication ?
In 2.1.9, see "msg_goodpass" in radiusd.conf. You can put anything
you want in there.
Hi Alan
Thank you for your answer. This feature is really useful, thanks.
However how sho
Hi
Is it possible to display the type of authentication (Auth-Type) that the
clients used during the authentication?
Thank
pet
> How can I force freeradius to authenticate through domainname\username
Get radtest to send the same data as sent by the Cisco client. See
the server debug output in order to compare the two user names.
Alan DeKok.
Hi Alan, I forced radtest to pass, with this syntax:
1. radtest domainame\\
> ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00} --require-membership-of=
> S-1-5-21-853024553-185696384-3473746203-512"
Err... no. That won't w
Hi
I'd like to authenticate Cisco VPN clients against FreeRADIUS and AD.
The prompt for the VPN client should be domainname\username.
In my smb.conf the delimiter is:
winbind separator = \\ (because backslash is a special character, I had
to use it twice)
This command works:
/usr/bin/ntlm_
Err... no. That won't work.
> But the VPN Cisco clients are authenticated through domainname\username
> and password
Then you don't need to edit the mschap configuration.
>
> Is this ntlm_auth2 in the mschap ok ? or should I remove
> --domain=%{%{mschap:NT-Domain}:} ?
Delete the "ntlm_
Dear Alan, thank you , I'm moving slowly forward : )
So now, I have created a second ntlm_auth2 file in the modules directory,
with this command:
exec ntlm_auth2 {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Na
Jevos, Peter wrote:
> Thank you for your answer, but I don't understand
The documentation && debug mode is clear. Do you have a *specific*
question?
> I took it from the mailing list:
>
http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February
> /msg000
Jevos, Peter wrote:
> user Auth-Type := ntlm_auth
> Service-Type = NAS-Prompt-User,
> cisco-avpair = "shell:priv-lvl=15"
...
> And I added this lines into users file:
> DEFAULT Huntgroup-Name == "vpn"
> Auth-Type :
Hi
I installed FreeRADIUS and I'd like to authenticate Cisco VPN
clients against AD.
Clients are authenticated through domainname\username and password and
they need to be members of the AD group.
I already have AD authentication running, but for access to the
router (priv level 15).
What
Jevos, Peter wrote:
> However I was not able to find in these links anything about the
> --require-membership-of
See the "man" page for ntlm_auth. It is just a Unix command that can
be run, like anything else.
> and the vpn cisco client example
> (also find on the
Jevos, Peter wrote:
> What should the ntlm_auth file look like? What should the mschap module look like?
> What should the parameter --require-membership-of look like in these files?
>
> What should the users file look like?
> These answers I was not able to find in any documentation
Rea
answers I was not able to find in any documentation
I'm using freeradius2-2.1.7-7.el5 ( RED HAT )
Thanks
On Fri, Jul 2, 2010 at 6:43 PM, Jevos, Peter wrote:
> Actually I'm not really clever, because the main tutorial on the main pages is
> connected with the older version, and the
Hello friends
I was reading a few tutorials regarding Cisco authentication against
FreeRADIUS and Windows AD.
Actually I'm not really clever, because the main tutorial on the main pages
is connected with the older version, and there are more versions of
FreeRADIUS 2.0, a bit different:
http: