Clarification / Confirmation needed re: FreeRadius against Active Directory

Gary Gatten Ggatten at waddell.com
Tue Mar 1 01:14:33 CET 2011 

Read the doc on ntlm_auth. There's an option like "require membership of."

I'll leave the other question to someone more knowledgable as I was/am in a similar position.

----- Original Message -----
From: Moe, John [mailto:jmoe at hatch.com.au]
Sent: Monday, February 28, 2011 06:00 PM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Clarification / Confirmation needed re: FreeRadius against Active	Directory

I'm setting up an Ubuntu server (10.04LTS amd64) with FreeRadius (v2.1.8
from apt-get) to use as an authenticator against Active Directory for
our HP ProCurve switches.  I've gotten the server on to our Active
Directory domain, and have begun the setup of the FreeRadius server.
I've even managed to allow login to a test ProCurve switch using my AD
username.

Now, I've read a lot of configuration pages (for Ubuntu, Samba, Winbind,
and FreeRadius, to name a few) in the last few days, and my head's
spinning a bit, and I'd like to make sure I'm doing this right, and I've
managed to grasp a few things...

Should I be using ntlm_auth, or mschap as my Auth-Type for the ProCurve
switches?  Currently, I'm using:

# HP ProCurve Switch
DEFAULT Auth-Type = ntlm_auth, NAS-Port-Type == Virtual, Service-Type ==
NAS-Prompt-User
        Service-Type = 6

as my line in the "users" file, and it works, but I want to make sure
it's a) doing what I think it's doing, and b) the right way to do it.

>From some of my reading, it seemed to indicate that Auth-Type shouldn't
need to be set, that FreeRadius should be able to figure it out, but if
I leave it out, it appears to match the rest of the rule (NAS-Port-Type
and Service-Type), but I get a message saying:

Tue Mar  1 09:54:03 2011 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue Mar  1 09:54:03 2011 : Info: Failed to authenticate the user.

I've put a single "=" in for the Auth-Type, because the documentation
seems to say that with "=", it'll only add that to the request if no
other Auth-Type was previously set, so that seems to say that the
ProCurve switch isn't requesting ntlm_auth.  How is FreeRadius supposed
to figure it out, then?

Also, I'd like to match the rule (or are they called policies?) against
an Active Directory group name, so that only members of a specific group
can get access into the switch.  I can't seem to find any way match for
that; is it possible?

Any help or pointers would be appreciated.  Thanks.

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
*****************************
NOTICE - This message from Hatch is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential or proprietary. 
Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. By communicating with us via e-mail, you accept such risks.? When addressed to our clients, any information, drawings, opinions or advice (collectively, "information") contained in this e-mail is subject to the terms and conditions expressed in the governing agreements.? Where no such agreement exists, the recipient shall neither rely upon nor disclose to others, such information without our written consent.? Unless otherwise agreed, we do not assume any liability with respect to the accuracy or completeness of the information set out in this e-mail.? If you have received this message in error, please notify us immediately by return e-mail and destroy and delete the message from your computer.






<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
</font>

More information about the Freeradius-Users mailing list