<html><div style='background-color:'><P><FONT size=2>Hi all,</FONT></P>
<P><FONT size=2>Could you please send the steps you followed to integrate FreeRADIUS + authentication?</FONT></P>
<P><FONT size=2>Thanks very much.</FONT></P>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #a0c6e5 2px solid; MARGIN-RIGHT: 0px"><FONT style="FONT-SIZE: 11px; FONT-FAMILY: tahoma,sans-serif">
<HR color=#a0c6e5 SIZE=1>
<DIV></DIV>From: <I>freeradius-users-request@lists.freeradius.org</I><BR>Reply-To: <I>freeradius-users@lists.freeradius.org</I><BR>To: <I>freeradius-users@lists.freeradius.org</I><BR>Subject: <I>Freeradius-Users Digest, Vol 25, Issue 2</I><BR>Date: <I>Tue, 01 May 2007 12:00:12 +0200</I><BR>>Send Freeradius-Users mailing list submissions to<BR>> freeradius-users@lists.freeradius.org<BR>><BR>>To subscribe or unsubscribe via the World Wide Web, visit<BR>> http://lists.freeradius.org/mailman/listinfo/freeradius-users<BR>>or, via email, send a message with subject or body 'help' to<BR>> freeradius-users-request@lists.freeradius.org<BR>><BR>>You can reach the person managing the list at<BR>> freeradius-users-owner@lists.freeradius.org<BR>><BR>>When replying, please edit your Subject line so it is more
specific<BR>>than "Re: Contents of Freeradius-Users digest..."<BR>><BR>><BR>>Today's Topics:<BR>><BR>> 1. Re: FreeRadius+AD integration (shrikant Bhat)<BR>> 2. Re: Freeradius Auth via LDAP against Active Directory Server<BR>> 2003 (shrikant Bhat)<BR>> 3. Re: Freeradius Auth via LDAP against Active Directory Server<BR>> 2003 (Peter Nixon)<BR>> 4. Help stuck on error: rlm_ldap: LDAP login failed: check<BR>> identity, password settings in ldap section of radiusd.conf<BR>> (shrikant Bhat)<BR>><BR>><BR>>----------------------------------------------------------------------<BR>><BR>>Message: 1<BR>>Date:
Tue, 1 May 2007 09:07:06 +0530<BR>>From: "shrikant Bhat" <shrikabhat@gmail.com><BR>>Subject: Re: FreeRadius+AD integration<BR>>To: "FreeRadius users mailing list"<BR>> <freeradius-users@lists.freeradius.org><BR>>Message-ID:<BR>> <4f1ebcc0704302037v16166b38ib5f41f4572388b03@mail.gmail.com><BR>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR>><BR>>Alan,<BR>>My intention is not to argue; since I couldn't understand the debug, I<BR>>posted the message.<BR>><BR>>On 4/30/07, Alan DeKok <aland@deployingradius.com> wrote:<BR>> > shrikant Bhat wrote:<BR>> > > I don't have the user in Active Directory, yet FreeRADIUS sends an<BR>> > > accept packet.<BR>> ><BR>> > I did read the debug output, unlike you. It shows why. I told you<BR>> >
why. Stop arguing and read the debug output again, and my responses.<BR>> ><BR>> > It's not FreeRADIUS. You have configured FreeRADIUS to reply with an<BR>> > Access-Accept if the ntlm_auth module returns OK. For some reason, the<BR>> > ntlm_auth is returning OK. Go find out why that's happening, and fix it.<BR>> ><BR>> > Do NOT reply with "but freeradius sends an access accept". That reply<BR>> > indicates that you're not reading the messages here. If you're not<BR>> > going to read the answers to your questions, I suggest you stop asking<BR>> > the questions. You're wasting your time, and ours.<BR>> ><BR>> > Alan DeKok.<BR>> > --<BR>> >
http://deployingradius.com - The web site of the book<BR>> > http://deployingradius.com/blog/ - The blog<BR>> > -<BR>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR>> ><BR>><BR>><BR>>------------------------------<BR>><BR>>Message: 2<BR>>Date: Tue, 1 May 2007 09:33:20 +0530<BR>>From: "shrikant Bhat" <shrikabhat@gmail.com><BR>>Subject: Re: Freeradius Auth via LDAP against Active Directory Server<BR>> 2003<BR>>To: "FreeRadius users mailing list"<BR>> <freeradius-users@lists.freeradius.org><BR>>Message-ID:<BR>> <4f1ebcc0704302103j56d2cbc3sb69139756b6de49@mail.gmail.com><BR>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR>><BR>>Jacob,<BR>>Could you please send the steps you followed to integrate AD
with FR?<BR>>I am completely lost and confused with the information available on<BR>>this.<BR>>Thanks,<BR>>SB<BR>><BR>>On 5/1/07, Jacob Jarick <mem.namefix@gmail.com> wrote:<BR>> > Thanks for the tip Ryan, but I have been down that road and 2 reasons stopped me:<BR>> ><BR>> > 1 - no way of retrieving LDAP groups<BR>> > 2 - Been requested not to have Samba on the machine.<BR>> ><BR>> > ntlm_auth was very straightforward for me because it supports all the<BR>> > encryption methods.<BR>> ><BR>> > On 5/1/07, Ryan Kramer <rkramer@gmail.com> wrote:<BR>> > > Depending on the wifi auth method, you may want to also investigate an<BR>> > > NTLM_AUTH method instead of straight LDAP. This requires the FreeRADIUS<BR>> > > machine to be a member of the domain, but once you do that
it works great.<BR>> > ><BR>> > ><BR>> > ><BR>> > ><BR>> > > On 4/29/07, Jacob Jarick <mem.namefix@gmail.com> wrote:<BR>> > > > OK tried with 1.1.4 and yerp works great.<BR>> > > ><BR>> > > > radiusd -X output: http://pastebin.ca/464153<BR>> > > > radiusd.conf: http://pastebin.ca/464156<BR>> > > ><BR>> > > > I also realised a mistake I have been making, see I want to search the<BR>> > > > whole Active Directory, hence I kept setting my basedn without an OU.<BR>> > > > After seeing your excellent example and auth'ing had failed I stuck in<BR>> > > > an OU and tried a user from the OU and it worked fine.<BR>> > > ><BR>> > > > So my question is this: to auth people from multiple OUs do I create<BR>> > >
> a new ldap module for each OU or is there a simpler way?<BR>> > > ><BR>> > > > Thanks very much for your help Phil, it's been a very productive<BR>> > > > weekend thanks to the info you provided.<BR>> > > ><BR>> > > > My challenge for Monday will be setting up the Cisco and wireless clients<BR>> > > now :)<BR>> > > ><BR>> > > > On 4/29/07, Jacob Jarick <mem.namefix@gmail.com > wrote:<BR>> > > > > radiusd.conf: http://pastebin.ca/464133<BR>> > > > > radius -X output: http://pastebin.ca/464138<BR>> > > > ><BR>> > > > > Tried with 1.1.6 and fails with this error:<BR>> > > > ><BR>> > > > > rlm_ldap: reading ldap<->radius mappings from file<BR>> > > /etc/raddb/ldap.attrmap<BR>> >
> > > rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed<BR>> > > > > rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap<BR>> > > failed<BR>> > > > > radiusd.conf[540]: ldap: Module instantiation failed.<BR>> > > > > radiusd.conf[586] Unknown module "ldap".<BR>> > > > > radiusd.conf[586] Failed to parse "ldap" entry.<BR>> > > > > -----------------------------<BR>> > > > > /etc/raddb/ldap.attrmap does exist as provided by the rpm.<BR>> > > > ><BR>> > > > > [root@localhost src]# ls -l /etc/raddb/ldap.attrmap<BR>> > > > > -rw-r----- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap<BR>> > > > ><BR>> > > > > I assume the permissions are correct, as it was installed by rpm. I'm<BR>>
> > > > building the 1.1.4 rpm now, will report back once done.<BR>> > > > ><BR>> > > > > On 4/29/07, Jacob Jarick <mem.namefix@gmail.com> wrote:<BR>> > > > > > Thanks for the very detailed instructions.<BR>> > > > > ><BR>> > > > > > I will attempt this shortly (brought rad & AD servers home for weekend<BR>> > > study).<BR>> > > > > ><BR>> > > > > > Quite possibly the biggest learning curve for me is the LDAP fields,<BR>> > > > > > but I am finally starting to get familiar with them.<BR>> > > > > ><BR>> > > > > > Cheers again, will post back once I've run the radtest.<BR>> > > > > ><BR>> > > > > > On 4/28/07, Phil Mayers <p.mayers@imperial.ac.uk>
wrote:<BR>> > > > > > > I haven't been following your (quite extensive) queries, so<BR>> > > apologies if<BR>> > > > > > > I've missed something fundamental.<BR>> > > > > > ><BR>> > > > > > > I honestly don't know why this is proving so difficult. I've just<BR>> > > tested<BR>> > > > > > > this against our own 2k3 AD service, and although I'm pretty<BR>> > > familiar<BR>> > > > > > > with FR it took under 5 minutes. Try following the instructions<BR>> > > below.<BR>> > > > > > > These were tested with FreeRadius 1.1.4<BR>> > > > > > ><BR>> > > > > > > 1. First, create or locate an existing account which FreeRadius can<BR>> > > bind<BR>> > > >
> > > and do its searches as. Record the following variables:<BR>> > > > > > ><BR>> > > > > > > SEARCHDN=<the DN of the account><BR>> > > > > > > SEARCHPW=<the password><BR>> > > > > > > BASEDN=<the DN below which all your accounts live in AD><BR>> > > > > > > ADHOST=<hostname of the AD controller you'll search against><BR>> > > > > > ><BR>> > > > > > > For example, these might be:<BR>> > > > > > ><BR>> > > > > > > SEARCHDN=CN=freeradius,OU=Users,OU=My<BR>> > > Site,DC=mysite,DC=com<BR>> > > > > > > SEARCHPW=blahblah<BR>> > > > > > > BASEDN=OU=My Site,DC=mysite,DC=com<BR>> > > > > > ><BR>> >
> > > > > 2. Next, take the default "radiusd.conf"<BR>> > > > > > ><BR>> > > > > > > 3. Find the start of the modules section:<BR>> > > > > > ><BR>> > > > > > > modules {<BR>> > > > > > > ...<BR>> > > > > > ><BR>> > > > > > > Delete this line and all the following lines<BR>> > > > > > ><BR>> > > > > > > 4. Insert the following config:<BR>> > > > > > ><BR>> > > > > > > modules {<BR>> > > > > > > ldap {<BR>> > > > > > > server = "$ADHOST"<BR>> > > > > > > identity =
"$SEARCHDN"<BR>> > > > > > > password = "$SEARCHPW"<BR>> > > > > > ><BR>> > > > > > > basedn = "$BASEDN"<BR>> > > > > > > filter =<BR>> > > "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"<BR>> > > > > > ><BR>> > > > > > > dictionary_mapping = ${raddbdir}/ldap.attrmap<BR>> > > > > > ><BR>> > > > > > > ldap_connections_number = 5<BR>> > > > > > > timeout = 4<BR>> > > > > > > timelimit = 3<BR>> > > > > >
> net_timeout = 1<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > preprocess {<BR>> > > > > > > huntgroups = ${confdir}/huntgroups<BR>> > > > > > > hints = ${confdir}/hints<BR>> > > > > > ><BR>> > > > > > > with_ascend_hack = no<BR>> > > > > > > ascend_channels_per_line = 23<BR>> > > > > > ><BR>> > > > > > > with_ntdomain_hack = no<BR>> > > > > >
> with_specialix_jetstream_hack = no<BR>> > > > > > > with_cisco_vsa_hack = no<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > detail {<BR>> > > > > > > detailfile =<BR>> > > ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d<BR>> > > > > > > detailperm = 0644<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > instantiate {<BR>> > > > > > > }<BR>> > > > > >
><BR>> > > > > > > authorize {<BR>> > > > > > > preprocess<BR>> > > > > > ><BR>> > > > > > > ldap<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > authenticate {<BR>> > > > > > > Auth-Type LDAP {<BR>> > > > > > > ldap<BR>> > > > > > > }<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > ><BR>> > > > > > > preacct {<BR>> > > > > > > preprocess<BR>> > > > > > > }<BR>> > > > > >
><BR>> > > > > > > accounting {<BR>> > > > > > > detail<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > ><BR>> > > > > > > session {<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > post-auth {<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > pre-proxy {<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > post-proxy {<BR>> > > > > > > }<BR>> > > > > > ><BR>> > > > > > > 5. Start the server with -X<BR>> > > > > > ><BR>> > > > > > > 6. Run
"radtest" to send a checking PAP request<BR>> > > > > > ><BR>> > > > > > > It should work.<BR>> > > > > > ><BR>> > > > > > > The above config is the ABSOLUTE BARE MINIMUM server config which<BR>> > > will<BR>> > > > > > > check PAP requests ONLY against an AD LDAP server. I do NOT<BR>> > > recommend<BR>> > > > > > > you go into service with this config. Try to look at it, understand<BR>> > > how<BR>> > > > > > > it's doing what it's doing, *then* start again with the default<BR>> > > > > > > FreeRadius config and make the absolute minimum changes to get back<BR>> > > to<BR>> > > > > > > that point.<BR>> > > > > > > -<BR>> > > > >
> > List info/subscribe/unsubscribe? See<BR>> > > http://www.freeradius.org/list/users.html<BR>> > > > > > ><BR>> > > > > ><BR>> > > > ><BR>> > > > -<BR>> > > > List info/subscribe/unsubscribe? See<BR>> > > http://www.freeradius.org/list/users.html<BR>> > > ><BR>> > ><BR>> > ><BR>> > > -<BR>> > > List info/subscribe/unsubscribe? See<BR>> > > http://www.freeradius.org/list/users.html<BR>> > ><BR>> > -<BR>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR>> ><BR>><BR>><BR>>------------------------------<BR>><BR>>Message: 3<BR>>Date: Tue, 1 May 2007 10:36:10 +0300<BR>>From: Peter Nixon <listuser@peternixon.net><BR>>Subject: Re: Freeradius Auth
via LDAP against Active Directory Server<BR>> 2003<BR>>To: freeradius-users@lists.freeradius.org, Jacob Jarick<BR>> <mem.namefix@gmail.com><BR>>Message-ID: <200705011036.10515.listuser@peternixon.net><BR>>Content-Type: text/plain; charset="iso-8859-1"<BR>><BR>>On Tue 01 May 2007, shrikant Bhat wrote:<BR>> > Jacob,<BR>> > Could you please send the steps you followed to integrate ad with FR?.<BR>> > I am completely lost and confused with the information available on<BR>> > this .<BR>><BR>>Hi Jacob<BR>><BR>>If you plan on documenting the steps that you took, can I respectfully<BR>>request that you do so by either updating one of the existing HOWTOs, or<BR>>creating a new one on our wiki at:<BR>><BR>>http://wiki.freeradius.org/HOWTO<BR>><BR>>Cheers<BR>>--<BR>><BR>>Peter
Nixon<BR>>http://www.peternixon.net/<BR>>PGP Key: http://www.peternixon.net/public.asc<BR>><BR>><BR>>------------------------------<BR>><BR>>Message: 4<BR>>Date: Tue, 1 May 2007 15:04:56 +0530<BR>>From: "shrikant Bhat" <shrikabhat@gmail.com><BR>>Subject: Help stuck on error: rlm_ldap: LDAP login failed: check<BR>> identity, password settings in ldap section of radiusd.conf<BR>>To: "FreeRadius users mailing list"<BR>> <freeradius-users@lists.freeradius.org><BR>>Message-ID:<BR>> <4f1ebcc0705010234o1ddcc687o8bb7d1abb6ab8170@mail.gmail.com><BR>>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR>><BR>>How did you resolve this issue?<BR>>Thanks<BR>>SB<BR>><BR>><BR>>------------------------------<BR>><BR>>-<BR>>List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html<BR>><BR>><BR>>End of Freeradius-Users Digest, Vol 25, Issue 2<BR>>***********************************************<BR></FONT></BLOCKQUOTE></div></html>