Holy crap, it works! I spent some time un-doing as many of the other changes
as I could find (that is, anything that deviates from the default and isn't
shown below). So what follows should be everything needed to make this work.
STEP 1: CUSTOM ATTRIBUTE
========================
> My advice
> I think you'll have to do that. The tedious bit is matching
> the domains in the regexps.
>
> My advice would be to define a local, internal-only attribute in
> /etc/raddb/dictionary:
>
> ATTRIBUTE My-NT-Domain 3003 string
Done.
> ...then in your ntlm_auth helper, do:
>
> ntlm_
Hi,
> That is brilliant! We are going to deploy a second domain this summer, I
> was wondering exactly how I would make our FR server work with both. I am
> definitely going to give this a try!
we just use the failover method. have 2 copies of the mschap
module - each with labels to mar
> Disjoint namespace is the term used if you have DNS names for windows
> active directory members which are anything other than:
>
> samaccountname.
>
> So, if you give your hosts DNS hostnames of:
>
> samaccountname.dept.
>
> ...this is a disjoint namespace. This is a supported configuratio
On 02/03/11 17:11, McNutt, Justin M. wrote:
%{mschap:NT-Domain} is not a real variable; it's a dynamic
expansion. There's no attribute you can "set", so you'll need to
use another attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail).
That's very likely
> %{mschap:NT-Domain} is not a real variable; it's a dynamic expansion.
> There's no attribute you can "set", so you'll need to use another
> attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail). That's very
likely do-able.
> > I think it should be a
> My advice would be to define a local, internal-only attribute in
> /etc/raddb/dictionary:
>
> ATTRIBUTE My-NT-Domain 3003 string
>
> ...and set this in your regexps:
>
> if (User-Name =~ /host[/].+[.]domain.com/) {
>     update request {
>         My-NT-Domain = "DOMAIN.COM"
>     }
> }
>
On 02/03/11 14:43, McNutt, Justin M. wrote:
So in the short term, I'd like to figure out a way to automatically
match the DNS-style domain name based on the User-Name variable and
update the NT-Domain variable so ntlm_auth will work for more cases.
%{mschap:NT-Domain} is not a real variable; i
Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port
573 cli 00-90-4B-2F-80-B4)
+- entering group post-auth {...}
++[exec] returns noop
} # server campus-eap
Sending Access-Accept of id 179 to 128.206.131.253 port 20009
Cool.
Bad news:
I have a multi-domain envi
> McNutt, Justin M. wrote:
> > ntlm_auth --request-nt-key --username='dnps-caplap-4$'
> --domain=col.missouri.edu --challenge=(pasted-from-debug)
> --nt-response=(pasted-from-debug)
> >
> > The result was: NT_KEY: (long hex string)
>
> Exactly. Now that you know what works, the only problem
McNutt, Justin M. wrote:
> ntlm_auth --request-nt-key --username='dnps-caplap-4$'
> --domain=col.missouri.edu --challenge=(pasted-from-debug)
> --nt-response=(pasted-from-debug)
>
> The result was: NT_KEY: (long hex string)
Exactly. Now that you know what works, the only problem is creating
> So, in /etc/raddb/modules/mschap, set (don't include the line
> continuation \ I've added):
>
> ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
>     --username=%{mschap:User-Name} --domain=YOURDOMAIN \
>     --challenge=... --nt-response=..."
More good news (though expected): This change
> > [mschap] expand:
> > --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
> > --username=host/dnps-caplap-4.col.missouri.edu
>
> That is not "%{mschap:User-Name}". i.e. it's misconfigured
Actually, I tried it both ways, since the longer string shown above was the
default.
> > [
> this output does not match with what you claim to have been using.
>
> please ensure that your ntlm_auth configuration is correct
> and the right one is being called.
> (this one in debug is looking at %{Stripped-User-Name} etc -
> you claimed to be using %{mschap:User-Name}
That's a test tha
> And what happens when you try to run ntlm_auth on the command-line?
>
> i.e. take the string printed by the server, and keep running it by
> hand. Play with the various parameters until it works.
> Then, configure
> the server to run it with those parameters.
I dug through the debug outp
Hi,
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with
> NT-Pas
On 02/03/11 12:41, McNutt, Justin M. wrote:
Also, here is the 'mschap' section from a recent attempt.
I don't see anything. Did you forget an attachment?
Um... yeah. I'm doing a couple of things at once. Here it is.
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request f
On 02/03/11 12:51, Alan Buxey wrote:
Hi,
You tried to use a regexp to parse the username (usually a mistake IMHO)
and put the "domain" bit into the "Proxy-To-Realm" attribute but
Proxy-To-Realm instructs the server to do just that - which cancels
local authentication.
which you resolve by putt
> which you resolve by putting the right entries into proxy.conf
>
> eg
>
> col.missouri.edu {
> strip
> }
Do you mean:
realm col.missouri.edu {
strip
}
?
--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
> You tried to use a regexp to parse the username (usually a mistake IMHO)
> and put the "domain" bit into the "Proxy-To-Realm" attribute but
> Proxy-To-Realm instructs the server to do just that - which cancels
> local authentication.
which you resolve by putting the right entries into pro
> > Also, here is the 'mschap' section from a recent attempt.
>
> I don't see anything. Did you forget an attachment?
Um... yeah. I'm doing a couple of things at once. Here it is.
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/m
> In the most recent debug I see you posted (16:36 yesterday)
> it's failing
> because:
>
> [eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
> ++[eap] returns noop
...
> You tried to use a regexp to parse the username (usually a mistake IMHO)
> and put the "domain" bit into
On 02/03/11 12:32, McNutt, Justin M. wrote:
Note use of "%{mschap:User-Name}" and
"%{mschap:NT-Domain}". Despite this, "host/computer.domain"
login attempts always fail. Hence, trying to do the
translation manually via a regex and update clauses.
And what happens when you try to run ntlm_a
> > Note use of "%{mschap:User-Name}" and
> "%{mschap:NT-Domain}". Despite this, "host/computer.domain"
> login attempts always fail. Hence, trying to do the
> translation manually via a regex and update clauses.
>
> And what happens when you try to run ntlm_auth on the command-line?
>
>
On 02/03/11 12:09, McNutt, Justin M. wrote:
These look like MS-CHAP machine-auth usernames; have you considered
using:
%{mschap:User-Name} %{mschap:NT-Domain}
The mschap module has special handling for host/ names, and these
will expand:
host/name.domain.com
to:
name$ domain.com
The trailin
> And what happens when you try to run ntlm_auth on the command-line?
>
> i.e. take the string printed by the server, and keep running it by
> hand. Play with the various parameters until it works. Then, configure
> the server to run it with those parameters.
I haven't, partly because it wo
McNutt, Justin M. wrote:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this,
> These look like MS-CHAP machine-auth usernames; have you
> considered using:
>
> %{mschap:User-Name}
> %{mschap:NT-Domain}
>
> The mschap module has special handling for host/ names, and
> these will
> expand:
>
> host/name.domain.com
>
> to:
>
> name$
> domain.com
>
> The trailing dolla
On 03/01/2011 05:25 PM, McNutt, Justin M. wrote:
Now it matches, but something about the regex is still wrong (mainly,
the multi-character captures) because it's not expanding correctly.
Short version:
These look like MS-CHAP machine-auth usernames; have you considered using:
%{mschap:User-Na
> if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
> update control {
> Proxy-To-Realm := "%{2}"
> }
> }
Part of my troubleshooting involved changing the code to this:
if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
> > Proxy-To-Realm := %{2}
> Proxy-To-Realm := "%{2}"
Yeah, I just figured that out. :/ Adjusting and re-testing.
--J
Hi,
> if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
> update control {
> Proxy-To-Realm := %{2}
> }
> }
if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
update control {
Proxy
> this stuff doesn't touch the User-Name - it just looks at it
> and alters the server's proxy choosing behaviour which
> is what makes it useful and powerful.
It's not doing it correctly yet. See previous message.
> the language is 'unlang' - it's a built-in parser in
> freeradius - making the s
> > if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
Something's wrong with the regex here. From the config:
if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {
From radiusd -X:
User-Name = "host/dnps-caplap-4.col.missouri.edu"
...
? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -
> Could you send us the output of radiusd -X for a computer auth?
Done. (See previous message with attachment.)
> If it works for users it should just work for machines.
Perhaps under certain circumstances, but not for us, apparently. Perhaps it's
the significant difference between the NT-sty
Hi,
> I took this code and modified it, assuming that if the code I wrote before
> (which tries to use "COL.MISSOURI.EDU" as the realm) doesn't work, I can use
> the code above to take FOO.MISSOURI.EDU and proxy to the NT domain FOO-USERS,
> which is more than just massaging the User-Name field
On 27/02/2011 18:08, McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based
authentication. Basically, how is it accomplished?
I have Googled and Googled, but only found references to the fact that it
*can* be done (mostly from archives of this list), but
> > # BOL, "host", a slash, one or more non-dot characters, a dot,
> > # one or more non-whitespace chars, EOL.
> > if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
> switch "%{2}" {
> case 'my-domain-string-1' {
> update control {
>
>>
>
> That looks like Perl. Perl, I can deal with. I do have multiple domains to
> attack. If I can come up with something generic that works for at least two
> domains, I'll post it here. Looks predictable enough. I'm thinking along
> the lines of something like this:
>
> # BOL, "host"
> ignore me. i'm tired. yes, this is a little bit of pain.
I understand. I wondered about that when I saw the ac.uk. You must be working
hours similar to mine. (That is, all of them.)
> you'll be best off using a bit of unlang eg
> (put this in the authorize section of your main virtual ser
Ha, sweet...
- Original Message -
From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Monday, February 28, 2011 05:53 PM
To: FreeRadius users mailing list
Subject: RE: New User and AD Question: OT hijack
Yes, and no, respectively. My wife has taken the kids there, but I have
Hi,
> I'll try it, but I've read it, and I don't see how this (from realm module):
>
> #
> # 'domain\user'
> #
> realm ntdomain {
> format = prefix
> delimiter = "\\"
> }
>
> Is going to apply to this:
>
> User-Name = "host/doit-tcb-agl.col.missouri.edu"
ignore me. i'm
> On Behalf Of Gary Gatten
> Sent: Monday, February 28, 2011 5:34 PM
> To: 'freeradius-users@lists.freeradius.org'
> Subject: Re: New User and AD Question: OT hijack
>
> First, is your last name really "McNutt"? And, have you ever
> been by the house
> From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org On Behalf Of Alan Buxey
> Sent: Monday, February 28, 2011 4:42 PM
> To: FreeRadius users mailing list
> Subject: Re
Subject: RE: New User and AD Question
I'll try it, but I've read it, and I don't see how this (from realm module):
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}
Is going to apply to this:
User-Nam
--J
> -Original Message-
> From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org On Behalf Of Alan Buxey
> Sent: Monday, February 28, 2011 4:42 PM
> To:
Hi,
> I don't have a modules/prefix file. I have a preprocess file, which is
> called at the top of the "authorize" section of the campus-eap virtual server
> (this is the default, I believe).
>
just add ntdomain as I said
read the realm module for description about fall through
alan
--J
> -Original Message-
> From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org On Behalf Of Alan Buxey
> Sent: Monday, February 28, 2011 3:16 PM
> To: FreeRadius us
hi,
in your campus-eap virtual server you are not making a call to
eg the prefix module (put straight after the preprocess module)
ie
preprocess
suffix
ntdomain
do this in the authorization and preacct sections to handle these better
alan
Hi,
> Removing the shared secrets, LDAP user passwords, etc. was the redacting I
> was talking about. That, and removing the thousands of messages related to
> other users' auth attempts, if I had had to do this on a production server.
you can use radmin to get a full debug of a single client/N
Hi,
> Should I post the debug log here, or a pastebin, or...?
quick answer? post it here
want to wait until someone can be bothered to go to some random web page?
pastebin
alan
> Sent: Sunday, February 27, 2011 4:05 PM
> To: FreeRadius users mailing list
> Subject: RE: New User and AD Question
>
> Two comments about posting logs ...
>
> #1 Post the entire log of radiusd -X (NOT -XX, that has a
> bunch of timestamps we don't need) and don't reda
> Sent: Sunday, February 27, 2011 1:51 PM
> To: FreeRadius users mailing list
> Subject: Re: New User and AD Question
>
> McNutt, Justin M. wrote:
> > New member to the list, here. I have a question about AD
> computer-based
> > authentication. Basically, how is
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org On Behalf Of McNutt, Justin M.
Sent: Sunday, February 27, 2011 2:05 PM
To: FreeRadius users mailing list
Subject: RE: New User and AD Question
>
> McNutt, Justin M. wrote:
> > New member to the list, here. I have a question about AD
> computer-based
> > authentication. Basically, how is it accomplished?
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> It's pretty much the same as normal user authentica
McNutt, Justin M. wrote:
> New member to the list, here. I have a question about AD computer-based
> authentication. Basically, how is it accomplished?
http://deployingradius.com/documents/configuration/active_directory.html
It's pretty much the same as normal user authentication. PEAP goes
New member to the list, here. I have a question about AD computer-based
authentication. Basically, how is it accomplished?
I have Googled and Googled, but only found references to the fact that it *can*
be done (mostly from archives of this list), but little reference on HOW to do
it, other t
Yes, uncomment those lines, then restart freeradius.
Re-run radmin and pass it the "hup files" command.
regards
Don't forget to reply to the list; it may help someone else.
On Monday 03 August 2009 at 14:14 +, paul.blal...@gmail.com wrote:
> It looks like the control socket file
> in /etc/freer
Please reply to the list.
On Friday 31 July 2009 at 16:17 -0500, Paul Blalock wrote:
> I tried the radmin> hup files, command, with no luck. The command was
> accepted, but it did nothing.
>
>
What version of freeradius are you running?
If you have 2.1.1 or greater, just activate the co
On Friday 31 July 2009 at 14:45 -0500, Blalock, Paul (NCC) wrote:
> I am setting up freeradius, and am having issues with adding users and
> having to restart radiusd to pick up the new users. Is sql the only
> other way to go, or is there a way to point the users file to another
> director
I am setting up freeradius, and am having issues with adding users and
having to restart radiusd to pick up the new users. Is sql the only
other way to go, or is there a way to point the users file to another
directory? Also, is there a way to have username passwords formatted as
(user pass) or (us
On Tuesday, 10 February 2009 at 13:02:11, Michael Schwartzkopff wrote:
> Hi,
>
> I am trying to get dialup_admin running. I have ldap directory and FR+LDAP
> works.
>
> I have the webserver running, see the start page and "Check Server" works.
>
> When I click "
Hi,
I am trying to get dialup_admin running. I have ldap directory and FR+LDAP
works.
I have the webserver running, see the start page and "Check Server" works.
When I click "New User" I see a blank page. Nothing in the /var/log/apache2
files.
Any help or hints? Than
Title: RE: new user - configuration question
Sorry, I thought I was sending in plain text ..
Ok .. I can go back and install MySQL and rebuild. I will also go ahead and install Apache before rebuilding. It does look as though dialup_admin and SQL will provide a more secure and easier method
st' are deprecated in favor of 'clients.conf'.
You should store your NASes in clients.conf
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
- Original Message -
From: Berry, William
To: [EMAIL PROTECTED]
Sent: Monday, O
[EMAIL PROTECTED] On Behalf Of Anson Rinesmith
Sent: Monday, October 11, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: new user - configuration question
It depends on what features you want to use; your “next phase” doesn’t tell us much. There is no “NEED” to install MySQL or Apache, unless you want a
, before installing freeradius.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berry, William
Sent: Monday, October 11, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: new user - configuration question
This is my first attempt at setting up a RADIUS server. I
have downloaded and successfully installed FreeRadius version 1.0.1 on a Red
Hat 8.0 Linux server. It seems to work fine based upon the testing included in the
installation instructions. I am now starting to read through the document
Hello guys, I got this error using dialup_admin with PostgreSQL, but before I was using MySQL and it was working. I just edited radius.conf:
sql_type: pgsql
sql_server: localhost
sql_port: 5432
sql_command: /usr/local/bin/psql
Unable to add user test: ERROR: duplicate key violates unique constraint "
Sent: Thursday, 29 January 2004 14:52
To: '[EMAIL PROTECTED]'
Subject: New user
Hi all...
My name is Fabio, I am Brazilian and new to the list. I started working with
freeradius this week and like it very much. I hope I can contribute and solve
some of my problems.
Greetings,
Fábio Oliveira dos Santos