<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style id="owaParaStyle">
<!--
p
{margin-top:0px;
margin-bottom:0px}
-->
</style>
</head>
<body>
<div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">
<p>First, I'd like to thank Alan for his beyond countless hours of dedication to all the blogs, forum posting, and general support within the community. Your write-ups are thorough and well thought out. I wish more people were like you. I'm pretty new to
RADIUS and as consequently, Linux in general. So I might ask questions that seem noobish or lame, but it doesn't mean I'm not willing to learn, research etc. <strong><em><u> Just bare with me.
</u></em></strong></p>
<p> </p>
<p>Now, the problem is this. Following Alan DeKok's guide at <a href="http://deployingradius.com/documents/configuration/active_directory.html">
http://deployingradius.com/documents/configuration/active_directory.html</a>, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort. There were a few things I had to go elsewhere to figure out, but I managed. I have FreeRADIUS
setup and authenticating using NTLM_AUTH. I was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users. So the problem is this.
It's authenticating...a little too well. </p>
<p> </p>
<p>I've added the following entry into "/etc/raddb/clients.conf" to allow AAA on one of my cisco routers.
</p>
<p> </p>
<p>*************************************</p>
<p><strong><font color="#0000ff">client 10.10.0.5 {<br>
secret = REALSECRETOMMITTED</font></strong></p>
<p><strong><font color="#0000ff"> shortname = Cisco-2911-VPCRTR<br>
nastype = cisco<br>
}</font></strong><br>
*************************************</p>
<p> </p>
<p>Now, I then setup my Cisco router accordingly, and then did an SSH test to it using my AD Account. Voila! It worked great.
<u><strong><em>However, so did every other "Domain User" account in the environment. </em></strong></u> This goes back to me being so new to RADIUS and Linux where I don't feel like I'm fully grasping all of the directives within the configuration files, and
exactly how they all tie together. I'm getting there, but just not fast enough.
</p>
<p> </p>
<p><strong><font color="#ff0000">So, how do I lock down the SSH Authentication to an Active Directory Group of users, or individual users? </font></strong> Remember, go easy on me. I'll provide whatever you need to help. I'm assuming you will ask for my RADIUSD
-X output, so I've attached that as well. </p>
<p> </p>
<p>NOTE: One thing I don't understand is how in Alan DeKok's write up from the link above, he says don't use the "DEFAULT Auth-Type = ntlm_auth" in the "/etc/raddb/users" file, but yet that's one of the final steps to test in the write-up. Maybe it's because
I am so new, but I've been through that document probably 30 times line by line, and yet every time I remove that entry, it breaks the Authentication.
</p>
<p> </p>
<p> </p>
<p><strong><font color="#ff0000">BEGIN RADIUSD -X DEBUG OUTPUT</font></strong></p>
<p><strong><font color="#ff0000">**************************************************************************************************</font></strong></p>
<p><strong><font color="#ff0000">**************************************************************************************************</font></strong></p>
<p><strong><font color="#ff0000">**************************************************************************************************</font></strong></p>
<p> </p>
<p> </p>
<p>FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Jul 19 2011 at 10:21:08<br>
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.<br>
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A<br>
PARTICULAR PURPOSE.<br>
You may redistribute copies of FreeRADIUS under the terms of the<br>
GNU General Public License v2.<br>
Starting - reading configuration files ...<br>
including configuration file /etc/raddb/radiusd.conf<br>
including configuration file /etc/raddb/proxy.conf<br>
including configuration file /etc/raddb/clients.conf<br>
including files in directory /etc/raddb/modules/<br>
including configuration file /etc/raddb/modules/exec<br>
including configuration file /etc/raddb/modules/attr_rewrite<br>
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login<br>
including configuration file /etc/raddb/modules/ippool<br>
including configuration file /etc/raddb/modules/policy<br>
including configuration file /etc/raddb/modules/inner-eap<br>
including configuration file /etc/raddb/modules/krb5<br>
including configuration file /etc/raddb/modules/ntlm_auth<br>
including configuration file /etc/raddb/modules/radutmp<br>
including configuration file /etc/raddb/modules/digest<br>
including configuration file /etc/raddb/modules/ldap<br>
including configuration file /etc/raddb/modules/sql_log<br>
including configuration file /etc/raddb/modules/otp<br>
including configuration file /etc/raddb/modules/pam<br>
including configuration file /etc/raddb/modules/opendirectory<br>
including configuration file /etc/raddb/modules/expiration<br>
including configuration file /etc/raddb/modules/perl<br>
including configuration file /etc/raddb/modules/etc_group<br>
including configuration file /etc/raddb/modules/attr_filter<br>
including configuration file /etc/raddb/modules/echo<br>
including configuration file /etc/raddb/modules/mschap<br>
including configuration file /etc/raddb/modules/logintime<br>
including configuration file /etc/raddb/modules/detail<br>
including configuration file /etc/raddb/modules/smsotp<br>
including configuration file /etc/raddb/modules/smbpasswd<br>
including configuration file /etc/raddb/modules/wimax<br>
including configuration file /etc/raddb/modules/linelog<br>
including configuration file /etc/raddb/modules/sradutmp<br>
including configuration file /etc/raddb/modules/detail.log<br>
including configuration file /etc/raddb/modules/dynamic_clients<br>
including configuration file /etc/raddb/modules/pap<br>
including configuration file /etc/raddb/modules/unix<br>
including configuration file /etc/raddb/modules/files<br>
including configuration file /etc/raddb/modules/detail.example.com<br>
including configuration file /etc/raddb/modules/counter<br>
including configuration file /etc/raddb/modules/passwd<br>
including configuration file /etc/raddb/modules/mac2vlan<br>
including configuration file /etc/raddb/modules/mac2ip<br>
including configuration file /etc/raddb/modules/preprocess<br>
including configuration file /etc/raddb/modules/acct_unique<br>
including configuration file /etc/raddb/modules/cui<br>
including configuration file /etc/raddb/modules/realm<br>
including configuration file /etc/raddb/modules/checkval<br>
including configuration file /etc/raddb/modules/always<br>
including configuration file /etc/raddb/modules/expr<br>
including configuration file /etc/raddb/modules/chap<br>
including configuration file /etc/raddb/eap.conf<br>
including configuration file /etc/raddb/policy.conf<br>
including files in directory /etc/raddb/sites-enabled/<br>
including configuration file /etc/raddb/sites-enabled/inner-tunnel<br>
including configuration file /etc/raddb/sites-enabled/default<br>
including configuration file /etc/raddb/sites-enabled/control-socket<br>
main {<br>
user = "radiusd"<br>
group = "radiusd"<br>
allow_core_dumps = no<br>
}<br>
including dictionary file /etc/raddb/dictionary<br>
main {<br>
prefix = "/usr"<br>
localstatedir = "/var"<br>
logdir = "/var/log/radius"<br>
libdir = "/usr/lib64/freeradius"<br>
radacctdir = "/var/log/radius/radacct"<br>
hostname_lookups = no<br>
max_request_time = 30<br>
cleanup_delay = 5<br>
max_requests = 1024<br>
pidfile = "/var/run/radiusd/radiusd.pid"<br>
checkrad = "/usr/sbin/checkrad"<br>
debug_level = 0<br>
proxy_requests = yes<br>
log {<br>
stripped_names = no<br>
auth = no<br>
auth_badpass = no<br>
auth_goodpass = no<br>
}<br>
security {<br>
max_attributes = 200<br>
reject_delay = 1<br>
status_server = yes<br>
}<br>
}<br>
radiusd: #### Loading Realms and Home Servers ####<br>
proxy server {<br>
retry_delay = 5<br>
retry_count = 3<br>
default_fallback = no<br>
dead_time = 120<br>
wake_all_if_all_dead = no<br>
}<br>
home_server localhost {<br>
ipaddr = 127.0.0.1<br>
port = 1812<br>
type = "auth"<br>
secret = "testing123"<br>
response_window = 20<br>
max_outstanding = 65536<br>
require_message_authenticator = yes<br>
zombie_period = 40<br>
status_check = "status-server"<br>
ping_interval = 30<br>
check_interval = 30<br>
num_answers_to_alive = 3<br>
num_pings_to_alive = 3<br>
revive_interval = 120<br>
status_check_timeout = 4<br>
irt = 2<br>
mrt = 16<br>
mrc = 5<br>
mrd = 30<br>
}<br>
home_server_pool my_auth_failover {<br>
type = fail-over<br>
home_server = localhost<br>
}<br>
realm example.com {<br>
auth_pool = my_auth_failover<br>
}<br>
realm LOCAL {<br>
}<br>
<font color="#0000ff"><strong>radiusd: #### Loading Clients ####<br>
client 172.16.1.1 {<br>
require_message_authenticator = no<br>
secret = "REALSECRETOMMITTED"<br>
shortname = "Cisco-4507-1"<br>
nastype = "cisco"<br>
}<br>
client 172.16.1.3 {<br>
require_message_authenticator = no<br>
secret = "REALSECRETOMMITTED"<br>
shortname = "Cisco-4507-2"<br>
nastype = "cisco"<br>
}<br>
client 172.16.1.2 {<br>
require_message_authenticator = no<br>
secret = "REALSECRETOMMITTED"<br>
shortname = "Cisco-ASA-5520-01"<br>
nastype = "cisco"<br>
}<br>
client 10.10.0.5 {<br>
require_message_authenticator = no<br>
secret = "REALSECRETOMMITTED"<br>
shortname = "Cisco-2911-VPCRTR"<br>
nastype = "cisco"<br>
}<br>
client 172.16.1.10 {<br>
require_message_authenticator = no<br>
secret = "REALSECRETOMMITTED"<br>
shortname = "Cisco-ASA-5510-GDM"<br>
nastype = "cisco"<br>
}<br>
client localhost {<br>
ipaddr = 127.0.0.1<br>
require_message_authenticator = no<br>
secret = "testing123"<br>
nastype = "other"<br>
}<br>
</strong></font>radiusd: #### Instantiating modules ####<br>
instantiate {<br>
Module: Linked to module rlm_exec<br>
Module: Instantiating module "exec" from file /etc/raddb/modules/exec<br>
exec {<br>
wait = no<br>
input_pairs = "request"<br>
shell_escape = yes<br>
}<br>
Module: Linked to module rlm_expr<br>
Module: Instantiating module "expr" from file /etc/raddb/modules/expr<br>
Module: Linked to module rlm_expiration<br>
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration<br>
expiration {<br>
reply-message = "Password Has Expired "<br>
}<br>
Module: Linked to module rlm_logintime<br>
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime<br>
logintime {<br>
reply-message = "You are calling outside your allowed timespan "<br>
minimum-timeout = 60<br>
}<br>
}<br>
radiusd: #### Loading Virtual Servers ####<br>
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel<br>
modules {<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Linked to module rlm_pap<br>
Module: Instantiating module "pap" from file /etc/raddb/modules/pap<br>
pap {<br>
encryption_scheme = "auto"<br>
auto_header = no<br>
}<br>
Module: Linked to module rlm_chap<br>
Module: Instantiating module "chap" from file /etc/raddb/modules/chap<br>
Module: Linked to module rlm_mschap<br>
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap<br>
mschap {<br>
use_mppe = yes<br>
require_encryption = no<br>
require_strong = no<br>
with_ntdomain_hack = no<br>
}<br>
<font color="#0000ff" style="background-color:#ffffff"><strong> Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth<br>
exec ntlm_auth {<br>
wait = yes<br>
program = "/usr/bin/ntlm_auth --request-nt-key --domain=<font style="">MYREALDOMAIN-OMMITTED</font> --username=%{mschap:User-Name} --password=%{User-Password}"<br>
input_pairs = "request"<br>
shell_escape = yes<br>
}</strong></font><br>
Module: Linked to module rlm_unix<br>
Module: Instantiating module "unix" from file /etc/raddb/modules/unix<br>
unix {<br>
radwtmp = "/var/log/radius/radwtmp"<br>
}<br>
Module: Linked to module rlm_eap<br>
Module: Instantiating module "eap" from file /etc/raddb/eap.conf<br>
eap {<br>
default_eap_type = "md5"<br>
timer_expire = 60<br>
ignore_unknown_eap_types = no<br>
cisco_accounting_username_bug = no<br>
max_sessions = 4096<br>
}<br>
Module: Linked to sub-module rlm_eap_md5<br>
Module: Instantiating eap-md5<br>
Module: Linked to sub-module rlm_eap_leap<br>
Module: Instantiating eap-leap<br>
Module: Linked to sub-module rlm_eap_gtc<br>
Module: Instantiating eap-gtc<br>
gtc {<br>
challenge = "Password: "<br>
auth_type = "PAP"<br>
}<br>
Module: Linked to sub-module rlm_eap_tls<br>
Module: Instantiating eap-tls<br>
tls {<br>
rsa_key_exchange = no<br>
dh_key_exchange = yes<br>
rsa_key_length = 512<br>
dh_key_length = 512<br>
verify_depth = 0<br>
CA_path = "/etc/raddb/certs"<br>
pem_file_type = yes<br>
private_key_file = "/etc/raddb/certs/server.pem"<br>
certificate_file = "/etc/raddb/certs/server.pem"<br>
CA_file = "/etc/raddb/certs/ca.pem"<br>
private_key_password = "whatever"<br>
dh_file = "/etc/raddb/certs/dh"<br>
random_file = "/etc/raddb/certs/random"<br>
fragment_size = 1024<br>
include_length = yes<br>
check_crl = no<br>
cipher_list = "DEFAULT"<br>
cache {<br>
enable = no<br>
lifetime = 24<br>
max_entries = 255<br>
}<br>
verify {<br>
}<br>
}<br>
Module: Linked to sub-module rlm_eap_ttls<br>
Module: Instantiating eap-ttls<br>
ttls {<br>
default_eap_type = "md5"<br>
copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br>
virtual_server = "inner-tunnel"<br>
include_length = yes<br>
}<br>
Module: Linked to sub-module rlm_eap_peap<br>
Module: Instantiating eap-peap<br>
peap {<br>
default_eap_type = "mschapv2"<br>
copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br>
proxy_tunneled_request_as_eap = yes<br>
virtual_server = "inner-tunnel"<br>
}<br>
Module: Linked to sub-module rlm_eap_mschapv2<br>
Module: Instantiating eap-mschapv2<br>
mschapv2 {<br>
with_ntdomain_hack = no<br>
}<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Linked to module rlm_realm<br>
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm<br>
realm suffix {<br>
format = "suffix"<br>
delimiter = "@"<br>
ignore_default = no<br>
ignore_null = no<br>
}<br>
Module: Linked to module rlm_files<br>
Module: Instantiating module "files" from file /etc/raddb/modules/files<br>
files {<br>
usersfile = "/etc/raddb/users"<br>
acctusersfile = "/etc/raddb/acct_users"<br>
preproxy_usersfile = "/etc/raddb/preproxy_users"<br>
compat = "no"<br>
}<br>
Module: Checking session {...} for more modules to load<br>
Module: Linked to module rlm_radutmp<br>
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp<br>
radutmp {<br>
filename = "/var/log/radius/radutmp"<br>
username = "%{User-Name}"<br>
case_sensitive = yes<br>
check_with_nas = yes<br>
perm = 384<br>
callerid = yes<br>
}<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br>
Module: Linked to module rlm_attr_filter<br>
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter<br>
attr_filter attr_filter.access_reject {<br>
attrsfile = "/etc/raddb/attrs.access_reject"<br>
key = "%{User-Name}"<br>
}<br>
} # modules<br>
} # server<br>
server { # from file /etc/raddb/radiusd.conf<br>
modules {<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Linked to module rlm_digest<br>
Module: Instantiating module "digest" from file /etc/raddb/modules/digest<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Linked to module rlm_preprocess<br>
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess<br>
preprocess {<br>
huntgroups = "/etc/raddb/huntgroups"<br>
hints = "/etc/raddb/hints"<br>
with_ascend_hack = no<br>
ascend_channels_per_line = 23<br>
with_ntdomain_hack = no<br>
with_specialix_jetstream_hack = no<br>
with_cisco_vsa_hack = no<br>
with_alvarion_vsa_hack = no<br>
}<br>
Module: Checking preacct {...} for more modules to load<br>
Module: Linked to module rlm_acct_unique<br>
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique<br>
acct_unique {<br>
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br>
}<br>
Module: Checking accounting {...} for more modules to load<br>
Module: Linked to module rlm_detail<br>
Module: Instantiating module "detail" from file /etc/raddb/modules/detail<br>
detail {<br>
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>
header = "%t"<br>
detailperm = 384<br>
dirperm = 493<br>
locking = no<br>
log_packet_header = no<br>
}<br>
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter<br>
attr_filter attr_filter.accounting_response {<br>
attrsfile = "/etc/raddb/attrs.accounting_response"<br>
key = "%{User-Name}"<br>
}<br>
Module: Checking session {...} for more modules to load<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br>
} # modules<br>
} # server<br>
radiusd: #### Opening IP addresses and Ports ####<br>
listen {<br>
type = "auth"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "acct"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "control"<br>
listen {<br>
socket = "/var/run/radiusd/radiusd.sock"<br>
}<br>
}<br>
listen {<br>
type = "auth"<br>
ipaddr = 127.0.0.1<br>
port = 18120<br>
}<br>
Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on command file /var/run/radiusd/radiusd.sock<br>
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel<br>
Listening on proxy address * port 1814<br>
Ready to process requests.</p>
<p> </p>
<p><strong><font color="#ff0000">**************************************************************************************************</font></strong></p>
<p><strong><font color="#ff0000">**************************************************************************************************</font></strong></p>
<p><strong><font color="#ff0000">**************************************************************************************************</font></strong></p>
<p><strong><font color="#ff0000">END RADIUSD -X DEBUG OUTPUT</font></strong></p>
</div>
<br>
<br>
<p class="MsoNormal"><b><span style="color:#1C3F94">Jim C. Julson</span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#262626">Sr. Network & Systems Administrator</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#262626"></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#262626"></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#262626">C 208.908.1476</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#262626"></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#1C3F94"><a href="mailto:jjulson@marketron.com"><span style="color:#1C3F94">jjulson@marketron.com</a></span>
</p>
<div><a href="http://www.marketron.com"><img alt="www.marketron.com" src="https://mail.marketron.com/owa/auth/emaillogo.png" border="0"></div>
<br>
<div></a><a href="http://www.marketron.com/network-connect.php?email"><img alt="Learn more about Network Connect" src="https://mail.marketron.com/owa/auth/Email-NC-Support.png" border="0"></div>
</a></span>
</body>
</html>
<pre>The information contained in this e-mail message may be confidential and
protected from disclosure. If you are not the intended recipient, any
dissemination, distribution or copying is strictly prohibited. If you
think that you have received this e-mail message in error, please notify
the sender immediately by replying to this message and then delete it
from your system.