Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time
Pizu
pizpower at gmail.com
Tue Apr 6 14:34:49 CEST 2021
Hi Alan,
Thanks for your reply.
If I can't get it working, which version do you suggest I move to?
I am going to test 802.1x with Cisco switches.
The config I am planning to use:
FreeRADIUS configuration
MSCHAP configuration
# mschap module instance as posted. The error quoted in this thread points at
# mods-enabled/mschap, and the reply says this build has no winbind support.
mschap {
# NOTE(review): presumably set because Windows supplicants send DOMAIN\user - confirm it is needed here.
with_ntdomain_hack = yes
use_mppe = yes
# NOTE(review): both MPPE requirements are switched off. Confirm that is intended
# for the 802.1X deployment rather than left over from a template.
require_encryption = no
require_strong = no
# Connection pool; its sizes are taken from the server's thread pool settings.
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
# Empty: no password-change handling is configured.
passchange {
}
# Setting winbind_username / winbind_domain selects direct winbind authentication,
# which only works when the server was compiled with winbind support. The build
# in this thread rejects it at startup. The module's ntlm_auth option is the
# usual fallback on such builds - TODO confirm against the installed package.
winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{mschap:NT-Domain}"
}
LDAP configuration
# ldap module instance pointed at the corporate directory.
# NOTE(review): port 389 together with the empty tls {} section below means the
# service-account bind and every search result travel unencrypted. Enable
# start_tls (with ca_file and require_cert) in tls {}, or use LDAPS, before
# this carries real credentials.
ldap {
server = 'corporatedomain.internal'
port = 389
# NOTE(review): ' at ' looks like the list archive's obfuscation of '@' - the real file needs the actual bind identity.
identity = user at corporatedomain.internal
# Placeholder. The real value is a directory credential stored in clear text in
# this file, so keep the file readable only by the radiusd user and give the
# bind account read-only, minimal rights.
password = AD_PASSWORD
base_dn = AD_BASE_DN
sasl {
}
# Maps LDAP attributes (right) onto RADIUS attributes (left).
update {
# NOTE(review): Active Directory normally does not return password hashes over
# LDAP, so these two mappings will typically yield nothing against AD. That is
# why MS-CHAP against AD goes through winbind or ntlm_auth instead.
control:Password-With-Header += 'userPassword'
control:NT-Password := 'ntPassword'
reply:Reply-Message := 'radiusReplyMessage'
reply:Tunnel-Type := 'radiusTunnelType'
reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
# NOTE(review): these three let directory content inject arbitrary control,
# request and reply attributes. Anyone who can write those LDAP attributes can
# influence authorization - confirm the write ACLs or drop the mappings.
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
edir = no
# User lookup: matches sAMAccountName against the stripped user name, falling
# back to the raw User-Name.
user {
base_dn = "${..base_dn}"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
# Group lookup used by LDAP-Group comparisons.
# NOTE(review): AD groups usually carry objectClass 'group'; confirm that
# 'posixGroup' matches anything in this directory. If no group ever matches,
# every user ends up in the fallback VLAN assigned in post-auth.
group {
base_dn = "${..base_dn}"
name_attribute = "CN"
filter = '(objectClass=posixGroup)'
membership_attribute = 'memberOf'
}
profile {
}
# Definition for loading RADIUS clients from the directory.
# NOTE(review): the shared secret is read from an LDAP attribute, so it is
# stored in the directory and, with the cleartext transport above, crosses the
# wire unencrypted whenever clients are loaded.
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
# Writes a status string to the 'description' attribute on accounting events.
# The entry being modified is not visible here; this needs write access for the bind account.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
# Same idea after a successful authentication.
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
# NOTE(review): with referral chasing and rebind both on, the bind credentials
# are presented to whichever server a referral names. Over unencrypted LDAP
# that widens where the password is exposed - confirm referrals are needed.
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
# Empty: no StartTLS, CA file or certificate verification is configured.
tls {
}
# Connection pool; its sizes are taken from the server's thread pool settings.
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
Unlang logic, sites-enabled/default
default
# authorize: modules run in the order listed to decide how the request will be authenticated.
# NOTE(review): 'ldap' is not listed here, so the attribute mappings in the ldap
# module's update section are not applied at this stage. The LDAP-Group checks
# in post-auth presumably perform their own lookup - confirm with debug output (radiusd -X).
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
# Stop processing this section as soon as eap returns ok.
eap {
ok = return
# updated = return
}
files
# The leading '-' makes the reference optional: it is skipped if the sql module is not enabled.
-sql
expiration
logintime
pap
}
# authenticate: the module run is selected by the Auth-Type chosen during authorize.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
# NOTE(review): a bare 'ldap' here enables LDAP bind authentication. That only
# works when the request carries a clear-text password (e.g. PAP), and with the
# ldap module on port 389 without TLS the user's password is sent to the
# directory unencrypted. Remove it if only EAP/MS-CHAP is intended.
ldap
eap
}
# post-auth: assigns the switch-port VLAN from directory group membership.
# Tunnel-Medium-Type 6 is IEEE-802; Tunnel-Private-Group-Id carries the VLAN ID.
# NOTE(review): with PEAP/TTLS the outer User-Name may be an anonymous identity.
# Confirm which identity the LDAP-Group lookup uses when this runs in the
# default (outer) virtual server.
post-auth {
if ((LDAP-Group == "RSSO - GroupA") || (LDAP-Group == "RSSO - GroupB"))
{
update reply {
Tunnel-Type := "VLAN"
Tunnel-Medium-Type := "6"
Tunnel-Private-Group-Id := "963"
}
}
elsif (LDAP-Group == "RSSO - GroupH") {
update reply {
Tunnel-Type := "VLAN"
Tunnel-Medium-Type := "6"
Tunnel-Private-Group-Id := "964"
}
}
# NOTE(review): fallback for every authenticated user who matched no group,
# including the case where the group lookup itself finds nothing. Make sure
# VLAN 200 is a restricted/guest segment, or reject here instead.
else {
update reply {
Tunnel-Type := "VLAN"
Tunnel-Medium-Type := "6"
Tunnel-Private-Group-Id := "200"
}
}
}
Regards,
Pizu
On Tue, 6 Apr 2021 at 14:17, Alan DeKok <aland at deployingradius.com> wrote:
> On Apr 6, 2021, at 7:55 AM, Pizu <pizpower at gmail.com> wrote:
> >
> > I am trying to use winbind and having the below error, can someone help?
> >
> > Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at
> > compiled time
>
> The server hasn't been built with winbind support. Which means that you
> can't use it.
>
> > Centos Version 7.9
> > FreeRADIUS Version 3.0.13
>
> That's very old. Use the updated builds at
> http://packages.networkradius.com
>
> I don't recall if they are built with winbind. But it's easy enough to
> check. Download them and try to use them. If you get the same error, it's
> not supported.
>
> Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html