Does this help?
http://deployingradius.com/documents/configuration/active_directory.html
--
Blake Covarrubias
On Nov 8, 2012, at 3:09 PM, Maiquel Consalter maiquelconsal...@gmail.com wrote:
Hi,
Can someone tell me where I can find step-by-step instructions on
freeradius + Active
On 8 Nov 2012, at 22:09, Maiquel Consalter maiquelconsal...@gmail.com wrote:
Hi,
Can someone tell me where I can find step-by-step instructions on
freeradius + Active Directory?
http://lmgtfy.com/?q=deploying+freeradius+with+activedirectory
-Arran
-
List info/subscribe/unsubscribe?
Kleber Larroyd wrote:
If you can't be bothered to explain *why* you're doing this, and
*what* is going wrong, then we can't be bothered to read the reams of
data you posted.
It also helps to *read* the debug output. Really.
Alan DeKok.
On 09/13/2010 10:35 AM, Kleber Larroyd wrote:
Have any idea? Where can I find the solution?
When I try to connect (Windows Vista) to the freeradius server *with wireless over an
access point* I get this error:
In the future please follow the instructions to send the *complete*
output of radiusd -X
Hi,
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
personally, I'd advise that you set those to yes rather than no.
File /etc/raddb/users
DEFAULT Auth-Type = ntlm_auth
you don't need to do this. ever. we
$ man unlang
This says put the string %{1} as the value of Stripped-User-Name.
See the 'data types' section of the manual page, and the 'strings' section.
Got it ;)
Thanks for your help, fixed now.
btw. the unlang way is quite a bit more flexible than the legacy module way
Was this problem even
Matthew P wrote:
btw. the unlang way is quite a bit more flexible than the legacy module way
Yes. That's why it was written. But there is still a need for the
modules.
Was this problem even possible to solve without using unlang? (using
freeradius 1.x for an example)
Likely not.
Alan
In a general regexp language, I guess that could be done with
([\w.-]+)(?...@.*).
Most regexes don't support \w, or (?... constructs.
Keep it simple:
if (User-Name =~ /^(.*)@(.*)$/) {
# name = %{1}
# realm = %{2}
}
Makes sense now :) Thanks.
man regex is written mostly
Matthew P wrote:
But I guess I missed the point of doing it this way, because:
if (User-Name =~ /@mydomain.com/) {
if (User-Name =~ /^(.*)@(.*)$/) {
update request {
Stripped-User-Name = %{1}
$ man unlang
This says put the string %{1} as the value of
Matthew P wrote:
Although, now a new problem arose - I can't seem to get the (stripped)
username in the inner tunnel with preprocess.
So the username stays in the form u...@mydomain.com, but that isn't
usable for an LDAP search (on the AD).
So... decode the user-name using a regex.
Jevos, Peter wrote:
What should the ntlm_auth file look like? What should the mschap
module look like?
What should the --require-membership-of parameter look like in these files?
What should the users file look like?
I was not able to find these answers in any documentation
Read the URLs from the
Jevos, Peter wrote:
However I was not able to find in these links anything about the
--require-membership-of
See the man page for ntlm_auth. It is just a Unix command that can
be run, like anything else.
and the Cisco VPN client example
(also looked on these pages and found nothing :)
Thanks for your help Alan, it really makes a difference when learning about
Freeradius configuration.
So... decode the user-name using a regex. You can then use that in
the LDAP configuration. The LDAP user search is configurable for a
*reason*.
Matthew P wrote:
I forgot to mention that I need the user portion of u...@mydomain.com for
SQL too.
u...@mydomain.com only needs to be sent to the home server (in case the
user doesn't have @mydomain.com or @mydomain2.com). In other words,
both AD and DB contain usernames, without any
Jevos, Peter wrote:
Thank you Alan,
yes I can check the man page (to be honest, that was what I was afraid of :), but I
was looking for the examples
Please also edit your replies. There is no need to leave the original
message at the top of your reply.
As I wrote in my first email, Cisco is
On Fri, Jul 2, 2010 at 6:43 PM, Jevos, Peter peter.je...@oriflame.com wrote:
Actually I'm not really clever, because the main tutorial on the main pages is
connected with the older version, and there are more versions of
FreeRADIUS 2.0, a bit different:
Hi, thank you for your email.
So as I said before, I have working ntlm_auth in the form of:
Linux# /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=MYNAME --require-membership-of='DOMAIN+DOMAIN_GROUP'
That works from the command line. It returns OK status.
So now, I have about 60
realm mydomain.com {
auth_pool = active_directory
You'll need a line:
nostrip
To avoid EAP identity issues.
This worked, thanks. Preprocess doesn't strip the username in the default
server and EAP works.
Although, now a new problem arose - I can't seem to get the
Matthew P wrote:
I'm new to FreeRadius, so please bear with me. :)
Good questions are a very good start.
Goal: Make FreeRadius look up a user in Active Directory if he has the
mydomain.com domain.
Used method: EAP/TTLS (PAP in the tunnel)
This is how I've done it, but it doesn't give the
Hi,
I have taken the 1.1.6 version.
why? oh dear why?!? 1.1.7 is the latest 1.1.x release and it's
there for many many reasons. I don't grab a Linux 0.9 kernel if
I want to run a Linux server.
I am not very clear on configuring the files.
First we are going to do dummy testing.
for very very
Is the password given in the Users file an encrypted password or a
normal one?
Cleartext-Password is normal.
Should the secret which I am configuring in clients.conf be
configured anywhere else?
On a client which is sending RADIUS packets. With the server's IP address.
All these files should be
Hi,
Is the password given in the Users file an encrypted password or a
normal one?
your choice!
Should the secret which I am configuring in clients.conf be
configured anywhere else?
yes - on the NAS itself. but if you're using radtest or radclient
then that software is a virtual NAS
Hi,
I did not get clearly where to configure the secret other than
/usr/local/etc/raddb/clients.conf file.
unless (UNLESS) you are using some other NAS authentication method
- eg sticking them into an SQL table for checking, clients.conf
is the ONLY place where the NAS secret needs to be
Alexsander wrote:
Alan, have you already seen freeradius work with Active Directory??
do you have some example file?
http://deployingradius.com/documents/configuration/active_directory.html
BUT if you have ntlm_auth working from the command line, 99% of the
work is done.
Again, If ntlm_auth
Yes, I took it from the site freeradius.org, version 1.1.7, is that correct?
Alexsander wrote:
Yes, I took it from the site freeradius.org, version 1.1.7, is that correct?
Yes... the changes in 1.1.2 (or so) mean that the entire command line
isn't being printed out. That should be fixed.
In the mean time, ntlm_auth is telling the server that the MSCHAP
authentication
Alexsander wrote:
how can I know what kind of error it is?
What part of the error message is unclear?
AD account is ok (I'm using that)
the password works fine when I run ntlm_auth command manually:
ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
password:
(Success)
1 - but freeradius doesn't print out any message using ntlm_auth
(except this one: mschap: ntlm_auth =
/usr/bin/ntlm_auth...%{ntdomain} ...)
2 - the Windows machine is already on the network and logged on (with my
username), I'm just swapping the switch port that this machine is connected to -
swapping between
Alexsander wrote:
1 - but freeradius doesn't print out any message using ntlm_auth
(except this one: mschap: ntlm_auth =
/usr/bin/ntlm_auth...%{ntdomain} ...)
Are you sure you're running a recent version? It SHOULD be printing
out the entire ntlm_auth command.
2 - the windows machine
Alexsander wrote:
Hi Alan, this is the complete log captured using:
...
radius_xlat: '--nt-response=b5064e14567ab057f0757ee512947c1a900138564585ef02'
Exec-Program output: Logon failure (0xc06d)
Yes, there's a lot of output in debugging mode.
Read it.
You're running ntlm_auth, and it's
hi joe,
see this:
s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
--username=dadfh9
password:
[2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
NT_STATUS_OK: Success (0x0)
s8860ru01:/etc#
Hi,
tks Alan!
Is there some way to force the log to show me what parameters it is passing
to the ntlm_auth binary?
On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi,
hi alan,
when I captured the log I was using radiusd -X -A -y -z output.log
another thing:
I capture some pieces of output log:
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat: '--domain=REFAP'
radius_xlat: Running registered xlat function of module
hi alan,
enabling log_goodpass and log_badpass I got these lines:
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap:
Alexsander wrote:
hi alan,
enabling log_goodpass and log_badpass I got these lines:
rlm_mschap: External script failed.
And right before that in the log it shows you WHAT script it's
running, and WHY it failed.
If you want to solve the problem, don't delete every piece of useful
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
those are probably the lines of interest, your ntlm_auth is failing. try
it via the command line, once you get it working via
Hello All,
Could someone please tell me why ntlm_auth is returning OK without
looking up the ADS.
I couldn't understand the debug.
shrikant Bhat wrote:
Hello All,
Could someone please tell me why ntlm_auth is returning OK without
looking up the ADS.
Ask the people who wrote ntlm_auth?
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Sorry I forgot to attach the radiusd.conf and debug results
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
It must be you. so you are the right person to tell me what is
causing ntlm_auth to send OK.
SB
shrikant Bhat wrote:
It must be you. so you are the right person to tell me what is
causing ntlm_auth to send OK.
Umm... no.
10 seconds of reading documentation would lead you to conclude that
ntlm_auth is part of the Samba project. I am not part of the Samba project.
Start reading
Why not try this? Worked for us.
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
Note that the first thing configured is the Samba server. It doesn't
even mention installing the Freeradius server until after the Samba
configuration is completed.
Hi,
It must be you.
The deploying freeradius + AD is an excellent guide for the ntlm_auth method.
I'm guessing it is because your ntlm_auth command is commented out in
the mschap part
Alan,
My intention is not to argue; since I couldn't understand the debug I
posted the message.
On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
shrikant Bhat wrote:
I don't have the user in Active Directory, yet freeradius sends an
accept packet.
I did read the debug output, unlike you. It
Hi,
Anyone who can help me with this?
thanks in advance
SB
shrikant Bhat wrote:
...
Yes I figured that. thanks for that. But the issue is the user I am
trying to authenticate is not listed in the users file or in AD, so I don't
understand how it is authenticating this user.
I have attached the debug.
Have you read the debug output?
...
radius_xlat:
shrikant Bhat wrote:
I don't have the user in Active Directory, yet freeradius sends an
accept packet.
I did read the debug output, unlike you. It shows why. I told you
why. Stop arguing and read the debug output again, and my responses.
It's not FreeRADIUS. You have configured
Hello Alan,
I have built and installed the 1.1.6 version of FreeRadius. When I test
using radtest it authenticates any user with any password, what I mean
by this is it doesn't seem to contact the ADS to look up the user
information and authenticate. I have attached the debug
And what happens when you get Access-Request?
On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
Hello Alan,
I have built and installed the 1.1.6 version of FreeRadius. When I test
using radtest it authenticates any user with any password, what I mean
by this is it doesn't seem to contact the ADS
Yes I figured that. thanks for that. But the issue is the user I am
trying to authenticate is not listed in the users file or in AD, so I don't
understand how it is authenticating this user.
I have attached the debug.
thanks for the help.
On line 154 I have default Auth-Type = ntlm_auth. If I comment this
out I get the Access-Reject packet.
thanks,
SB
On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Well, it matched something in the users file:
users: Matched entry DEFAULT at line 154
On 27/4/2007, shrikant Bhat
Hi,
radius.conf as per the instructions, but radtest fails with Access-Reject. I
have attached the debug window output for reference.
no you haven't. you've attached a tiny snippet of the debug output.
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting
shrikant Bhat wrote:
Hi,
I am trying to integrate freeradius with ADS 2003. I referred to
http://deployingradius.com/documents/configuration/active_directory.html
everything works perfectly fine till ( $ ntlm_auth
I tried with the following in the authenticate section
Auth-Type ntlm_auth {
    mschap    # am not sure about the protocol I need to use here
}
I have attached the debug window output
shrikant Bhat wrote:
I tried with the following in the authenticate section
Auth-Type ntlm_auth {
    mschap    # am not sure about the protocol I need to use here
The web page says to just put ntlm_auth in the authenticate
section. It doesn't say you need
My apologies for that mistake..
I have the following lines in modules section
exec ntlm_auth {
    wait = no
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}
and I have ntlm_auth listed
On Thu, 7 Oct 2004, Michael Benton wrote:
Hello,
FreeRadius 1.0.1
Linux RHES3.1
Does anyone know how to configure the FreeRadius server to do an LDAP query on a
Win2003 AD server, and to look at the whole AD tree?
We have for some unknown reason, multiple OUs with users in each, rather
On 6/15/04 7:18 PM, Veerabhushan Hatte at [EMAIL PROTECTED] wrote:
I was going through the mail responses and I am facing some problems with the
same configuration. I have a few questions and your help is greatly appreciated.
1. Do I need to enable PAM authentication to use LDAP?
I don't think so.