<div>Hi, </div>
<div> </div>
<div>I checked around and see this <br>
<p>The <b>MS-CHAP-Use-NTLM-Auth := 0</b>, will tell that freeradius with aduser1 will not be preprocessed by the ntlm_auth auxiliary program, this is, will not request the key to compare credentials against the Active Directory, instead, will compare against the users file of the freeradius configuration directory. </p>
<p>I also read that It is important to verify that the line on radiusd.conf:</p>
<p>authorize { <br>...<br>files <br>... <br>} </p>
<p>It was not on my radiusd.conf so I add it and restart radiusd but now it's has errors </p>
<p>Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain<br>Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry for module "files".<br>Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module "files".<br>
Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse authorize section.</p>
<p>Is there something else that should be configured? </p>
<p>Here's the complete radiusd.conf</p>
<p>##<br>## radiusd.conf -- FreeRADIUS server configuration file.<br>##</p>
<p>prefix = /usr<br>exec_prefix = ${prefix}<br>sysconfdir = /etc<br>localstatedir = /var<br>sbindir = ${exec_prefix}/sbin<br>logdir = ${localstatedir}/log/radius<br>raddbdir = ${sysconfdir}/raddb<br>radacctdir = ${logdir}/radacct<br>
confdir = ${raddbdir}<br>run_dir = ${localstatedir}/run/radiusd<br>log_file = ${logdir}/radius.log<br>libdir = /usr/lib/freeradius<br>pidfile = ${run_dir}/radiusd.pid<br>user = radiusd<br>group = radiusd<br>max_request_time = 30<br>
delete_blocked_requests = no<br>cleanup_delay = 5<br>max_requests = 1024<br>bind_address = *<br>port = 0<br>hostname_lookups = no<br>allow_core_dumps = no<br>regular_expressions = yes<br>extended_expressions = yes<br>
log_stripped_names = no<br>log_auth = yes<br>log_auth_badpass = no<br>log_auth_goodpass = no<br>usercollide = no<br>lower_user = no<br>lower_pass = no<br>nospace_user = no<br>nospace_pass = no<br>checkrad = ${sbindir}/checkrad</p>
<p><br>security {<br> max_attributes = 200<br> reject_delay = 1<br> status_server = no<br>}</p>
<p>proxy_requests = yes<br>$INCLUDE ${confdir}/proxy.conf</p>
<p># Client configuration is defined in "clients.conf".<br>$INCLUDE ${confdir}/clients.conf</p>
<p># To enable SNMP querying of the server, set the value of the<br># 'snmp' attribute to 'yes'<br>snmp = no<br>$INCLUDE ${confdir}/snmp.conf</p>
<p>thread pool {<br> start_servers = 5<br> max_servers = 32<br> min_spare_servers = 3<br> max_spare_servers = 10<br> max_requests_per_server = 0<br>}</p>
<p>modules {<br> detail {<br> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d<br> detailperm = 0600<br> }</p>
<p> mschap {<br> authtype = MS-CHAP<br> use_mppe = yes<br> require_encryption = yes<br> require_strong = yes<br> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"<br>
}</p>
<p> eap {<br> default_eap_type = ttls<br> timer_expire = 60<br> ignore_unknown_eap_types = no<br> cisco_accounting_username_bug = no</p>
<p> tls {<br> private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key<br> certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt<br> CA_file = ${raddbdir}/certs/ca.crt<br>
dh_file = ${raddbdir}/certs/dh2048.pem<br> random_file = /dev/urandom<br> }</p>
<p> ttls {<br> default_eap_type = mschapv2<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> }<br> peap {<br>
default_eap_type = mschapv2<br> }<br> mschapv2 {<br> }<br> }<br>}</p>
<p>authorize {<br> mschap<br> eap<br>}</p>
<p>authenticate {<br> Auth-Type MS-CHAP {<br> mschap<br> }<br> eap<br>}</p>
<p>accounting {<br> detail}</p>
<p>post-auth {<br>}</p>
<p> </p>
<p> </p>
<p><br>Here's the</p></div>
<div class="gmail_quote">On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd <<a href="mailto:rmp.dmd1229@gmail.com">rmp.dmd1229@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>Thanks.</div>
<div> </div>
<div>I put it on users </div>
<div> aduser1 MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject</div>
<div>restart radius: /etc/init.d/radiusd restart </div>
<div>test but user aduser1 can still log to our VPN. <br><br></div>
<div>
<div></div>
<div class="Wj3C7c">
<div class="gmail_quote">On Wed, Apr 30, 2008 at 12:47 PM, Nicolas Goutte <<a href="mailto:nicolas.goutte@extragroup.de" target="_blank">nicolas.goutte@extragroup.de</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div style="WORD-WRAP: break-word"><br>
<div>
<div>Am 30.04.2008 um 18:41 schrieb rmp dmd:</div>
<div><br>
<blockquote type="cite">
<div>thanks for the reply. </div>
<div> </div>
<div>Just to confirm. </div>
<div><br>I add that line also on ~/raddb/users? </div>
<div> </div>
<div>Sorry to not have mentioned. I'm new on radius.</div></blockquote>
<div><br></div></div>
<div>As far as I understand: yes.</div>
<div><br></div>
<div>The line looks like an user entry.</div>
<div><br></div>
<div>Have a nice day!</div>
<div><br>
<blockquote type="cite">
<div> </div>
<div> </div>
<div>Thanks again!</div>
<div>Roehl<br><br></div>
<div class="gmail_quote">2008/4/30 Ivan Kalik <<a href="mailto:tnt@kalik.net" target="_blank">tnt@kalik.net</a>>:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">To stop a valid AD account from being authenticated you need to avoid<br>ntlm_auth:<br><br>testuser MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject<br>
<br>Ivan Kalik<br>Kalik Informatika ISP<br><br><br>Dana 30/4/2008, "rmp dmd" <<a href="mailto:rmp.dmd1229@gmail.com" target="_blank">rmp.dmd1229@gmail.com</a>> piše:<br>
<div>
<div></div>
<div><br>>Hi,<br>><br>>We have a wireless network that uses freeRadius integrated with AD for<br>>authentication. There are some test user accounts on AD that I would like<br>>to deny access on our Wireless and VPN.<br>
><br>>I have tried "How do I deny access to a specific user, or group of users" on<br>>FAQ but it is not working. I'm guessing that this is not the correct<br>>method.<br>><br>>Please help me on how to set-up correctly.<br>
><br>>Thanks!<br>>Roehl<br>><br>><br><br></div></div>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br>
<div style="MARGIN: 0px">-</div>
<div style="MARGIN: 0px">List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></div></blockquote></div></div><br>
<div><span style="WORD-SPACING: 0px; FONT: 12px Helvetica; TEXT-TRANSFORM: none; COLOR: rgb(0,0,0); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; border-spacing: 0px 0px">
<div>Nicolas Goutte</div>
<div><br></div>
<div> </div>
<div style="MARGIN: 0px">extragroup GmbH - Karlsruhe</div>
<div style="MARGIN: 0px">Waldstr. 49</div>
<div style="MARGIN: 0px">76133 Karlsruhe</div>
<div style="MARGIN: 0px">Germany</div>
<div> </div>
<div style="MARGIN: 0px">Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle</div>
<div style="MARGIN: 0px">Registergericht: Amtsgericht Münster / HRB: 5624</div>
<div style="MARGIN: 0px">Steuer Nr.: 337/5903/0421 / UstID: DE 204607841</div>
<div style="MARGIN: 0px"><br></div><br></span></div><br></div><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br></div></div></blockquote></div><br>