Thanks Charles Schwartz, your documentation and responses really helped. The RADIUS server is now working properly for all users in LDAP.
I need to give access to specific users in a group called RadiusUsers in Windows 2003 LDAP. How can I go about it? The group is at location:

cn=RadiusUsers,ou=Groups,dc=ABC,dc=DEF,dc=com

Thanks & Regards
Varun Marwah

CONFIDENTIALITY NOTICE
This e-mail transmission and any documents, files, or previous e-mail messages appended or attached to it, may contain information that is confidential or legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, printing, distribution, or use of the information contained or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify the sender by telephone (+91-172-2299137) or return e-mail message ([EMAIL PROTECTED]) and delete the original transmission, its attachments, and any copies without reading or saving in any manner. Thank you.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 30, 2005 4:37 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 7, Issue 115

Today's Topics:

1. Re: WLAN 802.1x FreeRadius with LDAP (Zoltan Ori)
2. RE: WLAN 802.1x FreeRadius with LDAP (Christian Poessinger)
3. RE: WLAN 802.1x FreeRadius with LDAP (King, Michael)
4. Re: WLAN 802.1x FreeRadius with LDAP (Zoltan Ori)
5. RE: WLAN 802.1x FreeRadius with LDAP (Christian Poessinger)
6. Re: Configuring RADIUS Users (Radius)
7. LDAP, FreeRadius, and Schema (Matt Juszczak)
8. Re: AD authentication (charles schwartz)

----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Nov 2005 13:19:40 -0500
From: Zoltan Ori <[EMAIL PROTECTED]>
Subject: Re: WLAN 802.1x FreeRadius with LDAP
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

On Tuesday 29 November 2005 11:07, Christian Poessinger wrote:
> > You didn't configure a password for the user.
>
> Yes, I did. I have a userPassword attribute in my LDAP backend, also
> it contains a clear text password. I can fully use this account in
> the backend for ftp/ssh/http but not with peap/mschapv2 over radius.

You have ntlm_auth in your mschap configuration. You don't want that for LDAP. You don't need anything NT in that module. The default configuration had everything commented out but authtype = MS-CHAP. Start with that and then add what you need.

------------------------------

Message: 2
Date: Tue, 29 Nov 2005 19:56:29 +0100
From: "Christian Poessinger" <[EMAIL PROTECTED]>
Subject: RE: WLAN 802.1x FreeRadius with LDAP
To: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org>

Zoltan Ori wrote:
> You have ntlm_auth in your mschap configuration. You don't want that
> for LDAP.
> You don't need anything NT in that module. The default configuration
> had everything commented out but authtype = MS-CHAP. Start with that
> and then add what you need.

Nope, there is everything uncommented. I also tried to add this to the ldap.attrmap file:

checkItem LM-Password userPassword
checkItem NT-Password userPassword

But this hadn't any effect either.
------------------------------

Message: 3
Date: Tue, 29 Nov 2005 14:03:21 -0500
From: "King, Michael" <[EMAIL PROTECTED]>
Subject: RE: WLAN 802.1x FreeRadius with LDAP
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>

-----Original Message-----
> Zoltan Ori wrote:
> > You have ntlm_auth in your mschap configuration. You don't want that
> > for LDAP.
> > You don't need anything NT in that module. The default configuration
> > had everything commented out but authtype = MS-CHAP. Start with that
> > and then add what you need.
>
> Nope, there is everything uncommented. I also tried to add this to the
> ldap.attrmap file:

Christian,

That is what he is saying your problem is, everything is uncommented........

------------------------------

Message: 4
Date: Tue, 29 Nov 2005 14:08:47 -0500
From: Zoltan Ori <[EMAIL PROTECTED]>
Subject: Re: WLAN 802.1x FreeRadius with LDAP
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

On Tuesday 29 November 2005 13:56, Christian Poessinger wrote:
> Nope, there is everything uncommented. I also tried to add this to the
> ldap.attrmap file:
>

That's the problem, everything is uncommented. Comment out ntlm_auth and with_ntdomain_hack. If you have plain text passwords, you aren't authenticating to a Windows domain controller, you don't have winbindd and nmbd running, you don't need or want them in your mschap configuration.

------------------------------

Message: 5
Date: Tue, 29 Nov 2005 20:16:56 +0100
From: "Christian Poessinger" <[EMAIL PROTECTED]>
Subject: RE: WLAN 802.1x FreeRadius with LDAP
To: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org>

King, Michael wrote:
> Christian, That is what he is saying your problem is, everything is
> uncommented........
Sorry, with uncommented I meant that all is commented out. Sorry, my fault.

------------------------------

Message: 6
Date: Tue, 29 Nov 2005 13:04:48 -0700
From: "Radius" <[EMAIL PROTECTED]>
Subject: Re: Configuring RADIUS Users
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>

----- Original Message -----
From: "Christopher Carver" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Tuesday, November 29, 2005 11:04 AM
Subject: Re: Configuring RADIUS Users

> Madhuraka Godahewa wrote:
>
>> Hi All,
>>
>> I installed freeRADIUS 1.0.5 recently, and configured the server as
>> described in the documentation files. My operating system is SUSE Linux
>> 9.2. When I run 'radiusd -X' from the shell, the last four lines of the
>> output are as follows.
>>
>>   Listening on authentication 10.128.253.110:1812
>>   Listening on accounting 10.128.253.110:1813
>>   Listening on proxy 10.128.253.110:1814
>>   Ready to process requests.
>>
>> 10.128.253.110 is the IP address given to the RADIUS server. Then, I
>> created a test account named 'root' with the password 'root'. Then, I
>> ran radtest (from the RADIUS server itself) and got the following output.
>>
>>   Sending Access-Request of id 195 to 10.128.253.110:1812
>>           User-Name = "root"
>>           User-Password = "root"
>>           NAS-IP-Address = rajith-office
>>           NAS-Port = 1812
>>   rad_recv: Access-Accept packet from host 10.128.253.110:1812, id=195, length=20
>>
>> 'rajith-office' is the name given to the RADIUS server. In the debug
>> shell, I obtained the following output.
>>   rad_recv: Access-Request packet from host 10.128.253.110:1025, id=195, length=56
>>           User-Name = "root"
>>           User-Password = "root"
>>           NAS-IP-Address = 255.255.255.255
>>           NAS-Port = 1812
>>   Processing the authorize section of radiusd.conf
>>   modcall: entering group authorize for request 0
>>     modcall[authorize]: module "preprocess" returns ok for request 0
>>     modcall[authorize]: module "chap" returns noop for request 0
>>     modcall[authorize]: module "mschap" returns noop for request 0
>>       rlm_realm: No '@' in User-Name = "root", looking up realm NULL
>>       rlm_realm: No such realm "NULL"
>>     modcall[authorize]: module "suffix" returns noop for request 0
>>     rlm_eap: No EAP-Message, not doing EAP
>>     modcall[authorize]: module "eap" returns noop for request 0
>>       users: Matched root at 153
>>       users: Matched DEFAULT at 157
>>     modcall[authorize]: module "files" returns ok for request 0
>>   modcall: group authorize returns ok for request 0
>>   rad_check_password: Found Auth-Type Local
>>   auth: type Local
>>   auth: user supplied User-Password matches local User-Password
>>   Sending Access-Accept of id 195 to 10.128.253.110:1025
>>   Finished request 0
>>   Going to the next request
>>   --- Walking the entire request list ---
>>   Waking up in 6 seconds...
>>   --- Walking the entire request list ---
>>   Cleaning up request 0 ID 195 with timestamp 438c1bca
>>   Nothing to do. Sleeping until we see a request.
>>
>> Now my problem is, when I try to send an access-request (using the Radius
>> Test Utility) from another machine (running Windows XP), which is in the
>> same network, the server does not say that it receives an access-request.
>> Does anybody know where the problem is?
>
> You should be seeing something if the request is even making it to the
> radiusd process. Use tcpdump on the server to ensure you are receiving
> the request. 'tcpdump port 1812' should do it. If you see nothing, you
> have a firewall/network connectivity issue on the server or client.
> Chris Carver

But root does not allow logins that way if his system is set up not to, and most Linux variants do that automatically. You have to "su" to get root access after you log in with a regular user. Maybe create a different user and try it.

------------------------------

Message: 7
Date: Tue, 29 Nov 2005 17:13:41 -0500
From: Matt Juszczak <[EMAIL PROTECTED]>
Subject: LDAP, FreeRadius, and Schema
To: freeradius-users@lists.freeradius.org

Hi all,

I was wondering what everyone uses for an account objectClass? Right now I'm using "Person", which makes the dn:

cn=<user>,ou=Radius,dc=mydomain,dc=net

However, indexing the cn would index the CN of other OUs as well ... . I'm just wondering what people use. I know "Account" could also be used.

Regards,
Matt

------------------------------

Message: 8
Date: Tue, 29 Nov 2005 23:50:05 +0100
From: charles schwartz <[EMAIL PROTECTED]>
Subject: Re: AD authentication
To: [EMAIL PROTECTED]
Cc: freeradius-users@lists.freeradius.org

Hi,

Here is what I found in your log:

[...]
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
[...]

Try to troubleshoot winbind. It seems that there may be a permission problem.

Regards,
Charles

> Hi There
>
> I have configured FreeRADIUS on Fedora Core 3 as per the documentation.
>
> [EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key --domain=INDIA --username=checkad
> password:
> NT_STATUS_OK: Success (0x0)
> [EMAIL PROTECTED] raddb]#
>
> When I start the Radius Server using the Radius -X command, it starts fine.
>
> When I give the logon credentials through the wireless laptop, the user
> doesn't get validated.
>
> Please help me out. If you need any config files for your reference,
> please let me know. Attached is the log file of the output generated.
>
> Also guide me, as I have already given allow permissions to users with
> Dial-in Permissions in the AD domain.
>
> Thanks & Regards
> Varun Marwah
>
> -----Original Message-----
> From: charles schwartz [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 28, 2005 10:51 PM
> To: freeradius-users@lists.freeradius.org
> Cc: Varun Marwah
> Subject: Re: AD authentication
>
> Hi,
>
> If the wbinfo command does not work, ntlm_auth won't work either.
>
> > > error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> > > error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> This error indicates that something went wrong with the domain access.
> Try to troubleshoot by using wbinfo -g or wbinfo -u.
> With these commands you should be able to list the users and groups of
> your domain.
>
> There may be a problem with NTLM on your Windows 2003 server.
> Note that NTLM was the authentication protocol used by earlier versions
> of Windows. It is still supported for backward compatibility, but can be
> disabled. By default, Win2k and 2003 use Kerberos for authentication.
>
> You might have a security policy that restricts the use of NTLM on your
> network. Check your GPO if NTLM is allowed to be transmitted across the
> network.
>
> Regards,
> Charles Schwartz
>
> > Hi,
> >
> > I used the document freeRadius_AD_tutorial.pdf for configuring a Linux
> > box to get authenticated through users in Windows 2003 AD.
> >
> > I used the command net join -U Administrator to add the machine to the
> > domain. It gave successful results. Now on typing the command
> >
> > wbinfo -a checkad%Quark_123
> >
> > I got the following results:
> >
> > plaintext password authentication failed
> > error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> > error messsage was: No such user
> > Could not authenticate user checkad%Quark_123 with plaintext password
> > challenge/response password authentication failed
> > error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> > error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > Could not authenticate user checkad with challenge/response
> >
> > Also, on giving the command
> >
> > # ntlm_auth --request-nt-key --domain=india.quark.com --username=checkad
> > password:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> > [EMAIL PROTECTED] etc]#
> >
> > I get the above stated error. Please help.
> >
> > Thanks & Regards
> >
> > Varun Marwah

------------------------------

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 7, Issue 115
************************************************
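Added example for the mschap thread (messages 1 to 5 above). This is my own Python, not code from any of the posts and not FreeRADIUS source. Zoltan's advice rests on how MS-CHAPv2 works: the server never sees the cleartext password on the wire, it needs the NT hash of the password (MD4 over the UTF-16LE string, no salt) to check the client's response, and a server that holds a cleartext userPassword can compute that hash itself. That is what the default ldap.attrmap entry mapping userPassword to User-Password feeds into, and rlm_mschap derives NT-Password from a cleartext User-Password when no NT-Password control item is present. The script below does that derivation (MD4 is written out from RFC 1320 because hashlib only exposes it where OpenSSL's legacy provider is loaded), shows why a checkItem NT-Password userPassword line has nothing useful to contribute (NT-Password is defined to carry the 16-byte hash or its 32 hex digits, and a cleartext string is neither), and computes the RFC 2759 ChallengeHash that the NT hash is then used against. The LDAP entries and user names are constructed sample data; the DES step that turns ChallengeHash into the NT-Response is left out because the standard library has no DES. Nothing on this path calls ntlm_auth or winbindd; those are for the case where a domain controller holds the hash instead of the directory the server can read.

```python
"""NT-Password derivation from a cleartext LDAP userPassword (added example,
not FreeRADIUS code). LDAP entries below are constructed sample data; the
attribute names follow the FreeRADIUS 1.x ldap.attrmap convention."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Implemented inline because hashlib.new('md4') is
    unavailable on OpenSSL 3 builds that do not load the legacy provider."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # (function, message-word order, per-step rotations, additive constant)
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                # Register roles rotate each step: ABCD, DABC, CDAB, BCDA, ...
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                s[a] = _rotl((s[a] + fn(s[b], s[c], s[d]) + X[k] + const) & MASK, shifts[i % 4])
        h = [(x + y) & MASK for x, y in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16-le"))


def usable_nt_password(value):
    """Return the 16-byte hash if value is a well-formed NT-Password (16 raw
    bytes or 32 hex digits), else None. The cleartext string that a
    'checkItem NT-Password userPassword' map would supply yields None."""
    if isinstance(value, bytes) and len(value) == 16:
        return value
    if isinstance(value, str) and len(value) == 32:
        try:
            return bytes.fromhex(value)
        except ValueError:
            return None
    return None


def derive_mschap_check_items(entry: dict) -> dict:
    """Control items MS-CHAPv2 needs, from what rlm_ldap mapped out of the
    directory entry: a usable NT-Password wins, else derive one from a
    cleartext User-Password, else give up (that is the ntlm_auth/DC case).
    A malformed NT-Password is simply ignored here (assumption of this example)."""
    nt = usable_nt_password(entry.get("NT-Password"))
    if nt is None:
        clear = entry.get("User-Password")
        if clear is None:
            raise ValueError("no usable NT-Password and no cleartext User-Password")
        nt = nt_hash(clear)
    return {"NT-Password": nt}


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the 8 bytes the client
    DES-encrypts under its NT hash (three DES operations, omitted here) to
    form the NT-Response the server verifies with the same NT hash."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


if __name__ == "__main__":
    # Constructed entries as rlm_ldap would hand them to the rest of authorize.
    plain = {"User-Name": "alice", "User-Password": "password"}
    with_bad_map = dict(plain, **{"NT-Password": "password"})  # the attrmap line from message 2
    print("NT-Password from cleartext:", derive_mschap_check_items(plain)["NT-Password"].hex())
    print("same with useless NT-Password map:", derive_mschap_check_items(with_bad_map)["NT-Password"].hex())
    print("ChallengeHash:", mschapv2_challenge_hash(bytes(16), bytes(16), "alice").hex())
```

Which attributes rlm_ldap hands over is whatever ldap.attrmap says; the example only models the fallback from NT-Password to User-Password, and how FreeRADIUS itself reacts to a malformed NT-Password value is not something it claims to reproduce.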
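Added example for message 6. This is my own Python, not code from the posts and not FreeRADIUS or radtest source. The radtest run above sends an Access-Request carrying User-Name, User-Password, NAS-IP-Address and NAS-Port and gets back an Access-Accept of length 20. The script builds that request as RFC 2865 specifies (the User-Password on the wire is the NUL-padded password XORed with an MD5 stream keyed by the shared secret and the 16-byte Request Authenticator), answers it with a toy server that checks PAP against an in-memory user table standing in for the users file, and verifies the Response Authenticator on the client side. Shared secret, Request Authenticator, user table and addresses are constructed values. Two things the log alone does not show: for root/root the request is 56 bytes and the attribute-less Accept is 20 bytes, the same lengths the debug output reports, and a wrong shared secret does not produce silence but a garbled password (hence a Reject) at the server or an authenticator mismatch at the client. That is why, as Chris Carver says, a server that logs nothing at all points at the network or a firewall rather than at RADIUS itself.

```python
"""RFC 2865 Access-Request / Access-Accept exchange with PAP (added example,
not FreeRADIUS code). Shared secret, Request Authenticator and the user
table standing in for the users file are all constructed values."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. A wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, nas_port, request_auth=None):
    """The packet radtest sends: the same four attributes as in the log above."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack(">I", nas_port)))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def parse_attrs(payload: bytes) -> dict:
    """Walk the TLV list, refusing lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: decode the request, check the PAP password, reply with
    Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + ReplyAttrs + Secret)."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:HEADER_LEN]
    attrs = parse_attrs(packet[HEADER_LEN:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(user)
    reply_code = ACCESS_ACCEPT if expected is not None and password == expected.encode() else ACCESS_REJECT
    reply_attrs = b""  # an Accept with no reply items is exactly 20 bytes on the wire
    header = struct.pack(">BBH", reply_code, ident, HEADER_LEN + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_check_response(response: bytes, request: bytes, secret: bytes) -> int:
    """What a client must do before trusting a reply: match the Identifier and
    recompute the Response Authenticator with its own copy of the secret."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("reply does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:] + secret).digest()
    if response[4:HEADER_LEN] != expected:
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    return code


if __name__ == "__main__":
    secret = b"testing123"  # constructed; must be the same on both ends
    request = build_access_request(195, secret, "root", "root", "10.128.253.110", 1812)
    reply = server_handle(request, secret, {"root": "root"})
    print("request length", len(request), "reply code", client_check_response(reply, request, secret), "reply length", len(reply))
```

A request from an address the server has no client entry for is a separate case and is not modelled here; the example only covers a known client with a right or wrong secret.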