FW: mpd+freeradius+AD

Nikos Vassiliadis nvass at teledomenet.gr
Fri Jun 30 14:57:09 CEST 2006


On Friday 30 June 2006 11:57, Егоров Сергей wrote:
> OK, this is my users file:
>
>
> test    Auth-Type := MS-CHAP
>         Framed-IP-Address = 192.168.10.65
> DEFAULT Auth-Type := MS-CHAP
>
> And this is the freeradius log when I connect to mpd via the test account:
>
> Login OK: [test/<no User-Password attribute>] (from client localhost port 0 cli 192.168.12.126)
> Sending Access-Accept of id 121 to 127.0.0.1 port 49791
>         Framed-IP-Address = 192.168.10.65
>         MS-CHAP2-Success = 0x01533d42454334303938434341393443383234413844444431463938303641384133453236394441413430
>         MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
>         MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
>         MS-MPPE-Encryption-Policy = 0x00000002
>         MS-MPPE-Encryption-Types = 0x00000004
> rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
>         NAS-Identifier = "testradius.ion.ru"
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Calling-Station-Id = "192.168.12.126"
>         User-Name = "test"
>         Framed-IP-Address = 192.168.10.12
>         Acct-Status-Type = Start
>         Acct-Session-Id = "1652038-pptp0"
>         Acct-Multi-Session-Id = "1652038-pptp0"
>         Acct-Link-Count = 1
>         Acct-Authentic = RADIUS
> Sending Accounting-Response of id 119 to 127.0.0.1 port 54511
>
> In this log freeradius says that the account test is OK and its address is
> 192.168.10.65. But mpd replaces it with its own. How could I fix it?
>

Use radius-ip.
Read more here: /usr/local/share/doc/mpd/mpd22.html

>
>
> -----Original Message-----
> From: Nikos Vassiliadis [mailto:nvass at teledomenet.gr]
> Sent: Thursday, June 29, 2006 7:05 PM
> To: Undisclosed.Recipients :
> Cc: Егоров Сергей
> Subject: Re: FW: mpd+freeradius+AD
>
> On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
> > >This is Framed-IP-Address in radius dialect.
> >
> > Thanks for explaining the freeradius basic concepts. I understood that to
> > assign an IP to a user I should use the freeradius users file. But I couldn't
> > configure it correctly. Now I have only one line in this file:
> >
> > DEFAULT Auth-Type := MS-CHAP
> >
> > I've added another line (for user test), but it isn't correct:
> >
> > test   Auth-Type := MS-CHAP,
>
> Try without the comma
>
> Run the server in debug mode (radiusd -X)
> and use radclient.
>
> >        Framed-IP-Address = 192.168.10.65,
>
> I think you can put this in AD. Don't know...
>
> > What should I fix?
> >
> >
> > -----Original Message-----
> > From: Nikos Vassiliadis [mailto:nvass at teledomenet.gr]
> > Sent: Monday, June 26, 2006 5:09 PM
> > To: freeradius-users at lists.freeradius.org
> > Cc: Егоров Сергей
> > Subject: Re: mpd+freeradius+AD
> >
> > On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> > > Thanks for reply.
> > >
> > > > You can use one of the three firewalls available in the base system (ipfw,
> > > > ipf and pf), however mpd comes with a small dictionary that uses ipfw(8)
> > > > and you can easily define some filter bound to an interface (bound to a
> > > > username) via a radius reply attribute, let filter be a pipe (for bandwidth
> > > > control) or a packet filtering expression.
> > >
> > > That's fine for filtering VPN users' access to the local net. But how could
> > > I assign a specific IP to a specific user in AD?
> > >
> > > > Your questions don't clearly tell where your problem is.
> > > > Active Directory? mpd? or FreeRADIUS? You should define
> > > > them better in order to get help from the list.
> > >
> > > My goal is to replace a VPN server based on win2003 with a FreeBSD one.
> > > WIN 2003 can do 1 and 2 in my questions, so I have to work out how to
> > > set this up in mpd + freeradius. I already authenticate users from an AD
> > > group:
> > >
> > > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > >                   --username=%{Stripped-User-Name:-%{User-Name:-None}}
> > >                   --challenge=%{mschap:Challenge:-00}
> > >                   --nt-response=%{mschap:NT-Response:-00}
> > >                   --require-membership-of=EXAMPLE+VPN_Allowed".
> > >
> > > But I have several VPN groups and need to set up timeouts on each one.
> >
> > Set up timeouts? This looks like Session-Timeout in radius dialect.
> >
> > > Also
> > > I need to assign a specific IP to a specific user in AD.
> >
> > This is Framed-IP-Address in radius dialect.
> >
> > > Looks like
> > > FreeRadius should respond for this.
> >
> > Yes, you have to have a basic understanding of what radius is. All of these
> > are very basic setups. I don't know how FreeRADIUS interacts with AD and
> > what info it should get from AD. So, try searching (or asking) for Active
> > Directory and FreeRADIUS. Keep the mpd part out of it, since it will
> > add unneeded complexity. Or perhaps start from setting up mpd and
> > FreeRADIUS. And then you could add AD.
> >
> > A few suggestions, Nikos
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >


