RE: Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

2011-03-02 Thread McNutt, Justin M.
Holy crap, it works! I spent some time un-doing as many of the other changes as I could find (that is, anything that deviates from the default and isn't shown below). So what follows should be everything needed to make this work. STEP 1: CUSTOM ATTRIBUTE = > My advice

Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

2011-03-02 Thread McNutt, Justin M.
> I think you'll have to do that. The tedious bit is matching > the domains in the regexps. > > My advice would be to define a local, internal-only attribute in > /etc/raddb/dictionary: > > ATTRIBUTE My-NT-Domain3003string Done. > ...then in your ntlm_auth helper, do: > > ntlm_

Re: New User and AD Question

2011-03-02 Thread Alan Buxey
Hi, > That is brilliant! We are going to deploy a second domain this summer, I > was wondering exactly how I would make our FR server work with both. I am > definitely going to give this a try! we just use the failover method. have 2 copies of the mschap module - each with labels to mar

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> Disjoint namespace is the term used if you have DNS names for windows > active directory members which are anything other than: > > samaccountname. > > So, if you give your hosts DNS hostnames of: > > samaccountname.dept. > > ...this is a disjoint namespace. This is a supported configuratio

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
On 02/03/11 17:11, McNutt, Justin M. wrote: %{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. There's no attribute you can "set", so you'll need to use another attribute (see my other email) Gotcha. I'm looking into that now (based on your other e-mail). That's very likely

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> %{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. > There's no attribute you can "set", so you'll need to use another > attribute (see my other email) Gotcha. I'm looking into that now (based on your other e-mail). That's very likely do-able. > > I think it should be a

RE: New User and AD Question

2011-03-02 Thread Sallee, Stephen (Jake)
> My advice would be to define a local, internal-only attribute in > /etc/raddb/dictionary: > > ATTRIBUTE My-NT-Domain3003string > > ...and set this in your regexps: > > if (User-Name =~ /host[/].+[.]domain.com/) { >update request { > My-NT-Domain = "DOMAIN.COM" >} > } >

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
On 02/03/11 14:43, McNutt, Justin M. wrote: So in the short term, I'd like to figure out a way to automatically match the DNS-style domain name based on the User-Name variable and update the NT-Domain variable so ntlm_auth will work for more cases. %{mschap:NT-Domain} is not a real variable; i

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4) +- entering group post-auth {...} ++[exec] returns noop } # server campus-eap Sending Access-Accept of id 179 to 128.206.131.253 port 20009 Cool. Bad news: I have a multi-domain envi

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> McNutt, Justin M. wrote: > > ntlm_auth --request-nt-key --username='dnps-caplap-4$' > --domain=col.missouri.edu --challenge=(pasted-from-debug) > --nt-response=(pasted-from-debug) > > > > The result was: NT_KEY: (long hex string) > > Exactly. Now that you know what works, the only problem

Re: New User and AD Question

2011-03-02 Thread Alan DeKok
McNutt, Justin M. wrote: > ntlm_auth --request-nt-key --username='dnps-caplap-4$' > --domain=col.missouri.edu --challenge=(pasted-from-debug) > --nt-response=(pasted-from-debug) > > The result was: NT_KEY: (long hex string) Exactly. Now that you know what works, the only problem is creating

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> So, in /etc/raddb/modules/mschap, set (don't include the line > continuation \ I've added): > > ntlm_auth = "/path/to/ntlm_auth --request-nt-key \ >--username=%{mschap:User-Name} --domain=YOURDOMAIN \ >--challenge=... --nt-response=..." More good news (though expected): This change

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> > [mschap]expand: > --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> > --username=host/dnps-caplap-4.col.missouri.edu > > That is not "%{mschap:User-Name}". i.e. it's misconfigured Actually, I tried it both ways, since the longer string shown above was the default. > > [

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> this output does not match with what you claim to have been using. > > please ensure that your ntlm_auth configuration is correct > and the right one is being called. > (this one in debug is looking at %{Stripped-User-Name} etc - > you claimed to be using %{mschap:User-Name} That's a test tha

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> And what happens when you try to run ntlm_auth on the command-line? > > i.e. take the string printed by the server, and keep running it by > hand. Play with the various parameters until it works. > Then, configure > the server to run it with those parameters. I dug through the debug outp

Re: New User and AD Question

2011-03-02 Thread Alan Buxey
Hi, > Found Auth-Type = EAP > +- entering group authenticate {...} > [eap] Request found, released from the list > [eap] EAP/mschapv2 > [eap] processing type mschapv2 > [mschapv2] +- entering group MS-CHAP {...} > [mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with > NT-Pas

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
On 02/03/11 12:41, McNutt, Justin M. wrote: Also, here is the 'mschap' section from a recent attempt. I don't see anything. Did you forget an attachment? Um... yeah. I'm doing a couple of things at once. Here it is. Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request f

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
On 02/03/11 12:51, Alan Buxey wrote: Hi, You tried to use a regexp to parse the username (usually a mistake IMHO) and put the "domain" bit into the "Proxy-To-Realm" attribute but Proxy-To-Realm instructs the server to do just that - which cancels local authentiction. which you resolve by putt

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> which you resolve by putting the right entries into proxy.conf > > eg > > col.missouri.edu { > strip > } Do you mean: realm col.missouri.edu { strip } ? --J - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: New User and AD Question

2011-03-02 Thread Alan Buxey
Hi, > You tried to use a regexp to parse the username (usually a mistake IMHO) > and put the "domain" bit into the "Proxy-To-Realm" attribute but > Proxy-To-Realm instructs the server to do just that - which cancels > local authentiction. which you resolve by putting the right entries into pro

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> > Also, here is the 'mschap' section from a recent attempt. > > I don't see anything. Did you forget an attachment? Um... yeah. I'm doing a couple of things at once. Here it is. Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/m

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> In the most recent debug I see you posted (16:36 yesterday) > it's failing > because: > > [eap] Request is supposed to be proxied to Realm $2. Not doing EAP. > ++[eap] returns noop ... > You tried to use a regexp to parse the username (usually a mistake IMHO) > and put the "domain" bit into

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
On 02/03/11 12:32, McNutt, Justin M. wrote: Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this, "host/computer.domain" login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses. And what happens when you try to run ntlm_a

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> > Note use of "%{mschap:User-Name}" and > "%{mschap:NT-Domain}". Despite this, "host/computer.domain" > login attempts always fail. Hence, trying to do the > translation manually via a regex and update clauses. > > And what happens when you try to run ntlm_auth on the command-line? > >

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
On 02/03/11 12:09, McNutt, Justin M. wrote: These look like MS-CHAP machine-auth usernames; have you considered using: %{mschap:User-Name} %{mschap:NT-Domain} The mschap module has special handling for host/ names, and these will expand: host/name.domain.com to: name$ domain.com The trailin

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> And what happens when you try to run ntlm_auth on the command-line? > > i.e. take the string printed by the server, and keep running it by > hand. Play with the various parameters until it works. Then, configure > the server to run it with those parameters. I haven't, partly because it wo

Re: New User and AD Question

2011-03-02 Thread Alan DeKok
McNutt, Justin M. wrote: > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key > --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} > --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" > > Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this,

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> These look like MS-CHAP machine-auth usernames; have you > considered using: > > %{mschap:User-Name} > %{mschap:NT-Domain} > > The mschap module has special handling for host/ names, and > these will > expand: > > host/name.domain.com > > to: > > name$ > domain.com > > The trailing dolla

Re: New User and AD Question

2011-03-02 Thread Phil Mayers
On 03/01/2011 05:25 PM, McNutt, Justin M. wrote: Now it matches, but something about the regex is still wrong (mainly, the multi-character captures) because it's not expanding correctly. Short version: These look like MS-CHAP machine-auth usernames; have you considered using: %{mschap:User-Na

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) { > update control { > Proxy-To-Realm := "%{2}" > } > } Part of my troubleshooting involved changing the code to this: if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> > Proxy-To-Realm := %{2} > Proxy-To-Realm := "%{2}" Yeah, I just figured that out. :/ Adjusting and re-testing. --J - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: New User and AD Question

2011-03-01 Thread Alan Buxey
Hi, > if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) { > update control { > Proxy-To-Realm := %{2} > } > } if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) { update control { Proxy

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> this stuff doesnt touch the User-Name - it just looks at it > and alters the servers proxy choosing behaviour which > is what makes it useful and powerful. It's not doing it correctly yet. See previous message. > the language is 'unlang' - its a built in parser in > freeradius - making the s

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> > if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { Something's wrong with the regex here. From the config: if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) { >From radiusd -X: User-Name = "host/dnps-caplap-4.col.missouri.edu" ... ? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> Could you send us the output of radiusd -X for a computer auth? Done. (See previous message with attachment.) > If it works for users it should just work for machines. Perhaps under certain circumstances, but not for us, apparently. Perhaps it's the significant difference between the NT-sty

Re: New User and AD Question

2011-03-01 Thread Alan Buxey
Hi, > I took this code and modified it, assuming that if the code I wrote before > (which tries to use "COL.MISSOURI.EDU" as the realm) doesn't work, I can use > the code above to take FOO.MISSOURI.EDU and proxy to the NT domain FOO-USERS, > which is more than just massaging the User-Name field

Re: New User and AD Question

2011-02-28 Thread James J J Hooper
On 27/02/2011 18:08, McNutt, Justin M. wrote: New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
> > # BOL, "host", a slash, one or more non-dot characters, a dot, > > # one or more non-whitespace chars, EOL. > > if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { > switch "%{2}" { > case 'my-domain-string-1' { > update control { >

Re: New User and AD Question

2011-02-28 Thread Arran Cudbard-Bell
>> > > That looks like Perl. Perl, I can deal with. I do have multiple domains to > attack. If I can come up with something generic that works for at least two > domains, I'll post it here. Looks predictable enough. I'm thinking along > the lines of something like this: > > # BOL, "host"

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
> ignore me. i'm tired. yes, this is a little bit of pain. I understand. I wondered about that when I saw the ac.uk. You must be working hours similar to mine. (That is, all of them.) > you'll be best off using a bit of unlang eg > (put this in the authorize section of your main virtual ser

Re: New User and AD Question: OT hijack

2011-02-28 Thread Gary Gatten
Ha, sweet... - Original Message - From: McNutt, Justin M. [mailto:mcnu...@missouri.edu] Sent: Monday, February 28, 2011 05:53 PM To: FreeRadius users mailing list Subject: RE: New User and AD Question: OT hijack Yes, and no, respectively. My wife has taken the kids there, but I have

Re: New User and AD Question

2011-02-28 Thread Alan Buxey
Hi, > I'll try it, but I've read it, and I don't see how this (from realm module): > > # > # 'domain\user' > # > realm ntdomain { > format = prefix > delimiter = "\\" > } > > Is going to apply to this: > > User-Name = "host/doit-tcb-agl.col.missouri.edu" ignore me. i'm

RE: New User and AD Question: OT hijack

2011-02-28 Thread McNutt, Justin M.
.org] On Behalf Of Gary Gatten > Sent: Monday, February 28, 2011 5:34 PM > To: 'freeradius-users@lists.freeradius.org' > Subject: Re: New User and AD Question: OT hijack > > First, is your last name really "McNutt"? And, have you ever > been by the house

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
t; From: > freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius > .org > [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.fr > eeradius.org] On Behalf Of Alan Buxey > Sent: Monday, February 28, 2011 4:42 PM > To: FreeRadius users mailing list > Subject: Re

Re: New User and AD Question: OT hijack

2011-02-28 Thread Gary Gatten
iling list Subject: RE: New User and AD Question I'll try it, but I've read it, and I don't see how this (from realm module): # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" } Is going to apply to this: User-Nam

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
ot; --J > -Original Message- > From: > freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius > .org > [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.fr > eeradius.org] On Behalf Of Alan Buxey > Sent: Monday, February 28, 2011 4:42 PM > To:

Re: New User and AD Question

2011-02-28 Thread Alan Buxey
Hi, > I don't have a modules/prefix file. I have a preprocess file, which is > called at the top of the "authorize" section of the campus-eap virtual server > (this is the default, I believe). > just add ntdomain as i said read the realm module for description about fall through alan - Li

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
e? --J > -Original Message- > From: > freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius > .org > [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.fr > eeradius.org] On Behalf Of Alan Buxey > Sent: Monday, February 28, 2011 3:16 PM > To: FreeRadius us

Re: New User and AD Question

2011-02-28 Thread Alan Buxey
hi, in your campus-eap virtual server you are not making a call to eg the prefix module (put straight after the preprocess module) ie preprocess suffix ntdomain do this in the authorization and preacct sections to handle these better alan - List info/subscribe/unsubscribe? See http://www.fr

Re: New User and AD Question

2011-02-28 Thread Alan Buxey
Hi, > Removing the shared secrets, LDAP user passwords, etc. was the redacting I > was talking about. That, and removing the thousands of messages related to > other users' auth attempts, if I had had to do this on a production server. you can use radmin do get a full debug of a single client/N

Re: New User and AD Question

2011-02-28 Thread Alan Buxey
Hi, > Should I post the debug log here, or a pastebin, or...? quick answer? post it here want to wait until someone can be bothered to go to some random web page? pastebin alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
nt: Sunday, February 27, 2011 4:05 PM > To: FreeRadius users mailing list > Subject: RE: New User and AD Question > > Two comments about posting logs ... > > #1 Post the entire log of radiusd -X (NOT -XX, that has a > bunch of timestamps we don't need) and don't reda

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
Kok > Sent: Sunday, February 27, 2011 1:51 PM > To: FreeRadius users mailing list > Subject: Re: New User and AD Question > > McNutt, Justin M. wrote: > > New member to the list, here. I have a question about AD > computer-based > > authentication. Basically, how is

RE: New User and AD Question

2011-02-27 Thread Sallee, Stephen (Jake)
om: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of McNutt, Justin M. Sent: Sunday, February 27, 2011 2:05 PM To: FreeRadius users mailing list Subject: RE: New User and AD Question >

RE: New User and AD Question

2011-02-27 Thread McNutt, Justin M.
> McNutt, Justin M. wrote: > > New member to the list, here. I have a question about AD > computer-based > > authentication. Basically, how is it accomplished? > > http://deployingradius.com/documents/configuration/active_directory.html > > It's pretty much the same as normal user authentica

Re: New User and AD Question

2011-02-27 Thread Alan DeKok
McNutt, Justin M. wrote: > New member to the list, here. I have a question about AD computer-based > authentication. Basically, how is it accomplished? http://deployingradius.com/documents/configuration/active_directory.html It's pretty much the same as normal user authentication. PEAP goes

New User and AD Question

2011-02-27 Thread McNutt, Justin M.
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other t

Re: Re: Restart radiusd after new user added

2009-08-03 Thread Alexandre Chapellon
Yes uncomment thoose lines, then restart freeradius. Re run radmin and pass it the "hup files" command. regards Don't forget to reply to the list it may help some else. Le lundi 03 août 2009 à 14:14 +, paul.blal...@gmail.com a écrit : > It looks like the control socket file > in /etc/freer

Re: Restart radiusd after new user added

2009-07-31 Thread Alexandre Chapellon
Please reply to the list. Le vendredi 31 juillet 2009 à 16:17 -0500, Paul Blalock a écrit : > I tried the radmin> hup files, command, with no luck. The command was > accepted, but it did nothing. > > What version of freeradius are you runing? If you have 2.1.1 or greater, just activate the co

Re: Restart radiusd after new user added

2009-07-31 Thread Alexandre Chapellon
Le vendredi 31 juillet 2009 à 14:45 -0500, Blalock, Paul (NCC) a écrit : > I am setting up freeradius, and am having issues with adding users and > having to restart radiusd to pick up the new users. Is sql the only > other way to go, or is there a way to point the users file to another > director

Restart radiusd after new user added

2009-07-31 Thread Blalock, Paul (NCC)
I am setting up freeradius, and am having issues with adding users and having to restart radiusd to pick up the new users. Is sql the only other way to go, or is there a way to point the users file to another directory? Also, is there a way to have username passwords formatted as (user pass) or (us

Re: Dialup_admin "New user" page is empty

2009-02-10 Thread Michael Schwartzkopff
Am Dienstag, 10. Februar 2009 13:02:11 schrieb Michael Schwartzkopff: > Hi, > > I am trying to get dialup_admin running. I have ldap directory and FR+LDAP > works. > > I have the webserver running, see the start page and "Check Server" works. > > When I click &quo

Dialup_admin "New user" page is empty

2009-02-10 Thread Michael Schwartzkopff
Hi, I am trying to get dialup_admin running. I have ldap directory and FR+LDAP works. I have the webserver running, see the start page and "Check Server" works. When I click "New User" I see a blank page. Nothing in the /var/log/apache2 files. Any help or hints? Than

RE: new user - configuration question

2004-10-11 Thread Berry, William
Title: RE: new user - configuration question Sorry I though I was sending in plain text .. Ok .. I can go back and install MySQL and rebuild. I will also go ahead and install Apache before rebuilding. It does look as though dialup_admin and SQL will provide a more secure and easier method

Re: new user - configuration question

2004-10-11 Thread Thor Spruyt
st' are deprecated in favor of 'clients.conf'. You should store your NASes in clients.conf -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65 - Original Message - From: Berry, William To: [EMAIL PROTECTED] Sent: Monday, O

RE: new user - configuration question

2004-10-11 Thread Berry, William
PROTECTED] On Behalf Of Anson Rinesmith Sent: Monday, October 11, 2004 9:22 AM To: [EMAIL PROTECTED] Subject: RE: new user - configuration question   It depends on what features you want to use, your “next phase” doesn’t tell us much. There is no “NEED” to install MySQL or Apache, unless you want a

RE: new user - configuration question

2004-10-11 Thread Anson Rinesmith
, before installing freeradius.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berry, William Sent: Monday, October 11, 2004 9:08 AM To: [EMAIL PROTECTED] Subject: new user - configuration question   This is my first attempt at setting up a RADIUS server. I have

new user - configuration question

2004-10-11 Thread Berry, William
This is my first attempt at setting up a RADIUS server. I have downloaded and successfully installed FreeRadius version 1.0.1 on a Red Hat 8.0 Linux server. It seems to work fine based upon the testing included in the installation instructions. I am now starting to read through the document

dialup_admin add new user error

2004-06-19 Thread apellido jr., wilfredo p.
Hello guys i got this error using dialup_admin in postgresql but before im using  mysql and its workin. im just edited radius.conf   sql_type: pgsql_server: localhostsql_port: 5432sql_command: /usr/local/bin/psql     Unable to add user test: ERROR: duplicate key violates unique constraint "

RES: New user

2004-01-29 Thread Sérgio José Ferreira
: quinta-feira, 29 de janeiro de 2004 14:52 Para: '[EMAIL PROTECTED]' Assunto: New user Hi all... My name is Fabio Brazilian and new in the list. I started to work with freeradius in this week and like very. I hope can contribir and to solve alguns of my problems Greetings, Fábio Oliveira

New user

2004-01-29 Thread Fabio Oliveira dos Santos - Claro RJ -
Hi all... My name is Fabio Brazilian and new in the list. I started to work with freeradius in this week and like very. I hope can contribir and to solve alguns of my problems Greetings, Fábio Oliveira dos Santos __