Freeradius-Users Digest, Vol 7, Issue 115

Varun Marwah vmarwah at quark.com
Wed Nov 30 05:52:44 CET 2005 

Thanks charles schwartz

Your documentation and responses really helped. The radius Server is
working now properly for all users in LDAP.

I need to give access to specific users in a group call RadiusUsers in
Windows 2003 LDAP. How can I go about it.

The Group is at location:

cn=RadiusUsers,ou=Groups,dc=ABC,dc=DEF,dc=com

Thanks & Regards
Varun Marwah
CONFIDENTIALITY NOTICE
This e-mail transmission and any documents, files, or previous e-mail
messages appended or attached to it, may contain information that is
confidential or legally privileged. If you are not the intended
recipient, or a person responsible for delivering it to the intended
recipient, you are hereby notified that any disclosure, copying,
printing, distribution, or use of the information contained or attached
to this transmission is STRICTLY PROHIBITED. If you have received this
transmission in error, please immediately notify the sender by telephone
(+91-172-2299137) or return e-mail message (vmarwah at quark.com) and
delete the original transmission, its attachments, and any copies
without reading or saving in any manner. Thank you.
-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
freeradius-users-request at lists.freeradius.org
Sent: Wednesday, November 30, 2005 4:37 AM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 7, Issue 115

Send Freeradius-Users mailing list submissions to
	freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
	freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
	freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: WLAN 802.1x FreeRadius with LDAP (Zoltan Ori)
   2. RE: WLAN 802.1x FreeRadius with LDAP (Christian Poessinger)
   3. RE: WLAN 802.1x FreeRadius with LDAP (King, Michael)
   4. Re: WLAN 802.1x FreeRadius with LDAP (Zoltan Ori)
   5. RE: WLAN 802.1x FreeRadius with LDAP (Christian Poessinger)
   6. Re: Configuring RADIUS Users (Radius)
   7. LDAP, FreeRadius, and Schema (Matt Juszczak)
   8. Re: AD authentication (charles schwartz)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Nov 2005 13:19:40 -0500
From: Zoltan Ori <z.ori at morehead-st.edu>
Subject: Re: WLAN 802.1x FreeRadius with LDAP
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <200511291319.40875.z.ori at morehead-st.edu>
Content-Type: text/plain;  charset="iso-8859-1"

On Tuesday 29 November 2005 11:07, Christian Poessinger wrote:

> > You didn't configure a password for the user.
>
> Yes, I did. I have a userPassword atribute in my LDAP backend, also
> it contains a clear text password. I can fully use this account in
> the backend for ftp/ssh/http but not with peap/mschapv2 over radius.
>

You have ntlm_auth in your mschap configuration. You don't want that for
LDAP. 
You don't need anything NT in that module. The default configuration had

everything commented out but authtype = MS-CHAP. Start with that and
then add 
what you need.





------------------------------

Message: 2
Date: Tue, 29 Nov 2005 19:56:29 +0100
From: "Christian Poessinger" <christian at poessinger.com>
Subject: RE: WLAN 802.1x FreeRadius with LDAP
To: "'FreeRadius users mailing list'"
	<freeradius-users at lists.freeradius.org>
Message-ID: <000f01c5f516$9c2c4600$370110ac at wueI.poessinger.org>

Zoltan Ori wrote:
> You have ntlm_auth in your mschap configuration. You don't want that
> for LDAP.
> You don't need anything NT in that module. The default configuration
> had everything commented out but authtype = MS-CHAP. Start with that
> and then add what you need.

Nope, there is everything uncommented. I also tried to add this to the
ldap.attrmap file:

checkItem       LM-Password                     userPassword
checkItem       NT-Password                     userPassword

But this hadn't any effect either.




------------------------------

Message: 3
Date: Tue, 29 Nov 2005 14:03:21 -0500
From: "King, Michael" <MKing at bridgew.edu>
Subject: RE: WLAN 802.1x FreeRadius with LDAP
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	
<EFB7B6506E9AB147BCC8EF9417E22091075C4118 at EXCH2.campus.bridgew.edu>
Content-Type: text/plain;	charset="us-ascii"

 

-----Original Message-----
Zoltan Ori wrote:
> You have ntlm_auth in your mschap configuration. You don't want that 
> for LDAP.
> You don't need anything NT in that module. The default configuration 
> had everything commented out but authtype = MS-CHAP. Start with that 
> and then add what you need.

Nope, there is everything uncommented. I also tried to add this to the
ldap.attrmap file:



Christian,  That is what he is saying your problem is, everything is
uncommented........



------------------------------

Message: 4
Date: Tue, 29 Nov 2005 14:08:47 -0500
From: Zoltan Ori <z.ori at morehead-st.edu>
Subject: Re: WLAN 802.1x FreeRadius with LDAP
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <200511291408.47792.z.ori at morehead-st.edu>
Content-Type: text/plain;  charset="iso-8859-1"

On Tuesday 29 November 2005 13:56, Christian Poessinger wrote:

> Nope, there is everything uncommented. I also tried to add this to the
> ldap.attrmap file:
>

That's the problem everything is uncommented. Comment out ntlm_auth and 
with_ntdomain_hack. If you have plain text passwords, you aren't 
authenticating to a Windows domain controller, you don't have windbindd
and 
nmbd running, you don't need want them in your mschap configuration.



------------------------------

Message: 5
Date: Tue, 29 Nov 2005 20:16:56 +0100
From: "Christian Poessinger" <christian at poessinger.com>
Subject: RE: WLAN 802.1x FreeRadius with LDAP
To: "'FreeRadius users mailing list'"
	<freeradius-users at lists.freeradius.org>
Message-ID: <001701c5f519$77c4f070$370110ac at wueI.poessinger.org>

King, Michael wrote:
> Christian,  That is what he is saying your problem is, everything is
> uncommented........

Sorry, with uncommented i ment that all is commented out. Sorry my
fault.




------------------------------

Message: 6
Date: Tue, 29 Nov 2005 13:04:48 -0700
From: "Radius" <radius at kingmanaz.net>
Subject: Re: Configuring RADIUS Users
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <00e301c5f520$26e2e610$0501a8c0 at LockKey>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=response


----- Original Message ----- 
From: "Christopher Carver" <ccarver at pennswoods.net>
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Sent: Tuesday, November 29, 2005 11:04 AM
Subject: Re: Configuring RADIUS Users


> Madhuraka Godahewa wrote:
>
>>Hi All, I installed freeRADIUS 1.0.5 recently, and configured the
server 
>>as described in the documentation files. My operating system is SUSE
Linux 
>>9.2. When I run the 'radiusd -X' from the shell, the last four lines
of 
>>the output are as follows. < Listening on authentication 
>>10.128.253.110:1812 Listening on accounting 10.128.253.110:1813
Listening 
>>on proxy 10.128.253.110:1814 Ready to process requests.
>> 10.128.253.110 is the IP Address given to the Radius Server. Then, I 
>> created a test account named 'root' with the password 'root'. Then, I
ran 
>> the radtest (from the RADIUS Server itself) and got the following
output. 
>> < Sending Access-Request of id 195 to 10.128.253.110:1812 User-Name =

>> "root" User-Password = "root" NAS-IP-Address = rajith-office NAS-Port
= 
>> 1812 rad_recv: Access-Accept packet from host 10.128.253.110:1812, 
>> id=195, length=20
>>'rajith-office' is the name given to the RADIUS Server. In the debug 
>>shell, I obtained the following output. < rad_recv: Access-Request
packet 
>>from host 10.128.253.110:1025, id=195, length=56 User-Name = "root" 
>>User-Password = "root" NAS-IP-Address = 255.255.255.255 NAS-Port =
1812 
>>Processing the authorize section of radiusd.conf modcall: entering
group 
>>authorize for request 0 modcall[authorize]: module "preprocess"
returns ok 
>>for request 0 modcall[authorize]: module "chap" returns noop for
request 0 
>>modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: 
>>No '@' in User-Name = "root", looking up realm NULL rlm_realm: No such

>>realm "NULL" modcall[authorize]: module "suffix" returns noop for
request 
>>0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module
"eap" 
>>returns noop for request 0 users: Matched root at 153 users: Matched 
>>DEFAULT at 157 modcall[authorize]: module "files" returns ok for
request 0 
>>modcall: group authorize returns ok for request 0 rad_check_password: 
>>Found Auth-Type Local auth: type Local auth: user supplied
User-Password 
>>matches local User-Password Sending Access-Accept of id 195 to 
>>10.128.253.110:1025 Finished request 0 Going to the next request ---  
>>Walking the entire request list --- 
>>Waking up in 6 seconds... --- Walking the entire request list --- 
>>Cleaning up request 0 ID 195 with timestamp 438c1bca Nothing to do. 
>>Sleeping until we see a request.
>> Now my problem is, when I try to send an access-request (using the
Radius 
>> Test Utility) from another machine (running Windows XP), which is in
the 
>> same network, the server does not says that it receives an 
>> access-request. Does anybody know, where the problem is? You should
be 
>> seeing something if the requests is even making it to the
> radiusd process.  Use tcpdump on the server to ensure you are
receiving 
> the request.  'tcpdump port 1812' should do it.  If you see nothing,
you 
> have a firewall/network connectivity issue on the server or client.
>
> Chris Carver
> -
But root does not allow logins that way if his system is setup not to
and 
most Linux
variants do that automatically. You have to "su" to get root access
after 
you log in
with regular user. Maybe create a different user and try it.




------------------------------

Message: 7
Date: Tue, 29 Nov 2005 17:13:41 -0500
From: Matt Juszczak <matt at atopia.net>
Subject: LDAP, FreeRadius, and Schema
To: freeradius-users at lists.freeradius.org
Message-ID: <438CD295.3030604 at atopia.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi all,

I was wondering what everyone uses for an account objectClass?  Right 
now I'm using "Person", which makes the dn:

cn=<user>,ou=Radius,dc=mydomain,dc=net

However, indexing the cn would index the CN of other OU's as well ...
.
I'm just wondering what people use.  I know "Account" could also be
used.

Regards,

Matt


------------------------------

Message: 8
Date: Tue, 29 Nov 2005 23:50:05 +0100
From: charles schwartz <charles.schwartz at umail.univ-metz.fr>
Subject: Re: AD authentication
To: vmarwah at quark.com
Cc: freeradius-users at lists.freeradius.org
Message-ID: <200511292250.jATMo5OS024332 at umail.univ-metz.fr>
Content-Type: text/plain


Hi,

Here is what I found in your log:
[...]
Exec-Program output: winbind client not authorized to use
winbindd_pam_auth_crap.  Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) 
Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap.  Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) 
Exec-Program: returned: 1
[...]

Try to troubleshoot winbind. It seems that there may be a permission
problem.

Regards,
Charles

> Hi There
> 
> I have configured the Freeradius on Fedora core 3 as per the
> documentation 
> 
> [root at Radius raddb]# ntlm_auth --request-nt-key --domain=INDIA
> --username=checkad
> password:
> NT_STATUS_OK: Success (0x0)
> [root at Radius raddb]#
> 
> When I start the the Radius Server using Radius -X command Starts
fine.
> 
> When I give the logon credentials through the wireless laptop the user
> doesn't get validated.
> 
> Please help me out. If you need the any config files for your
reference,
> please let me know.Atached is the log file of output generated.
> 
> Also guide me, as I have already given allow permissions to users with
> Dialin Permissions in AD domain.
> 
> 
> Thanks & Regards
> Varun Marwah
> CONFIDENTIALITY NOTICE
> This e-mail transmission and any documents, files, or previous e-mail
> messages appended or attached to it, may contain information that is
> confidential or legally privileged. If you are not the intended
> recipient, or a person responsible for delivering it to the intended
> recipient, you are hereby notified that any disclosure, copying,
> printing, distribution, or use of the information contained or
attached
> to this transmission is STRICTLY PROHIBITED. If you have received this
> transmission in error, please immediately notify the sender by
telephone
> (+91-172-2299137) or return e-mail message (vmarwah at quark.com) and
> delete the original transmission, its attachments, and any copies
> without reading or saving in any manner. Thank you.
> 
> -----Original Message-----
> From: charles schwartz [mailto:charles.schwartz at umail.univ-metz.fr] 
> Sent: Monday, November 28, 2005 10:51 PM
> To: freeradius-users at lists.freeradius.org
> Cc: Varun Marwah
> Subject: Re: AD authentication
> 
> Hi,
> 
> If the wbinfo command does not work, ntlm_auth won't work too.
> 
> 
> > error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> > 
> > error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> 
> This error indicates that something went wrong with the domain access.
> Try to troubleshoot by using wbinfo -g or wbinfo -u.
> With these commands you should be able to list the users and groups of
> your domain.
> 
> There may be a problem with NTLM  on your Windows2003 server.
> Note thath NTLM was the authentication protocol used by earlier
version
> of Windows.
> It is still supported for backward compatibility, but can be disabled.
> By default, Win2k and 2003 use Kerberos for authentication.
> 
> You might have a security policy thats restricts the use of NTLM on
your
> network.
> Check your GPO if NTLM is allowed to be transmitted across the
network.
> 
> 
> Regards,
> Charles Schwartz
> 
> 
> 
> 
> > Hi,
> > 
> >  
> > 
> > I used the document freeRadius_AD_tutorial.pdf for configuring a
linux
> > box to get authenticated through users in Windows 2003 AD.
> > 
> >  
> > 
> > I used the command net join -U Administrator to add the machine to
the
> > domain. It gave successful results. Now on typing the command
> > 
> >  
> > 
> > wbinfo -a checkad%Quark_123
> > 
> >  
> > 
> > I got the following results:-
> > 
> >  
> > 
> > plaintext password authentication failed
> > 
> > error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> > 
> > error messsage was: No such user
> > 
> > Could not authenticate user checkad%Quark_123 with plaintext
password
> > 
> > challenge/response password authentication failed
> > 
> > error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> > 
> > error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > 
> > Could not authenticate user checkad with challenge/response
> > 
> >  
> > 
> > Also, on giving the command 
> > 
> >  
> > 
> > # ntlm_auth --request-nt-key --domain=india.quark.com --username=
> > checkad
> > 
> > password:
> > 
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > (0xc00000da)
> > 
> > [root at Radius etc]#
> > 
> > I get the above stated error. Please help. 
> > 
> > Thanks & Regards
> > 
> > Varun Marwah
> > 
> > CONFIDENTIALITY NOTICE
> > 
> > This e-mail transmission and any documents, files, or previous
e-mail
> > messages appended or attached to it, may contain information that is
> > confidential or legally privileged. If you are not the intended
> > recipient, or a person responsible for delivering it to the intended
> > recipient, you are hereby notified that any disclosure, copying,
> > printing, distribution, or use of the information contained or
> attached
> > to this transmission is STRICTLY PROHIBITED. If you have received
this
> > transmission in error, please immediately notify the sender by
> telephone
> > (+91-172-2299137) or return e-mail message (vmarwah at quark.com
> > <mailto:vmarwah at quark.com> ) and delete the original transmission,
its
> > attachments, and any copies without reading or saving in any manner.
> > Thank you.
> > 
> >  
> > 
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by Quark Anti Virus, and is
> believed to be clean.
> 


------------------------------

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 7, Issue 115
************************************************

-- 
This message has been scanned for viruses and
dangerous content by Quark Anti Virus, and is
believed to be clean.

More information about the Freeradius-Users mailing list