Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2011
- 110 participants
- 148 discussions
It is my first time to setup Juniper ERX-1440 with freeradius. All my
other NAS's are cisco.
I was trying to setup checkrad to check for simultaneous connections and
realized that juniper is not listed in nas type list.
Can someone help me with getting chekrad to work with Juniper ERX?
Thank you
2
1
Hi
Arran, I did read the debug messages, I just didn't understand what they
were telling me, I couldn't understand why it had failed to execute as the
file was there, I was root and I even tried using an admin account - just in
case..
Gary has given me a clue so off I go hunting..
Thanks Guys and have a good weekend
-----Original Message-----
From: freeradius-users-bounces+edgedemon=hotmail.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+edgedemon=hotmail.com@lists.freeradius.org]
On Behalf Of freeradius-users-request(a)lists.freeradius.org
Sent: 15 July 2011 16:17
To: freeradius-users(a)lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 75, Issue 58
Send Freeradius-Users mailing list submissions to
freeradius-users(a)lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request(a)lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner(a)lists.freeradius.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Error with AD/freeradius config (Arran Cudbard-Bell)
2. Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and,
?more?broadly, setting Stripped-User-Name) (Alexander Clouter)
3. RE: Error with AD/freeradius config (Gary Gatten)
----------------------------------------------------------------------
Message: 1
Date: Fri, 15 Jul 2011 16:31:34 +0200
From: Arran Cudbard-Bell <a.cudbardb(a)freeradius.org>
Subject: Re: Error with AD/freeradius config
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Message-ID: <7DF14EEA-3164-48BD-996B-8EDC42C5981C(a)freeradius.org>
Content-Type: text/plain; charset=us-ascii
On Jul 15, 2011, at 4:26 PM, Edge wrote:
> Exec-Program output: Exec-Program: FAILED to execute
> /usr/local/etc/raddb/modules/ntlm_auth: Permission denied
> Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
> /usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Helps to actually read the debug output you're posting ;)
Arran Cudbard-Bell
a.cudbardb(a)freeradius.org
RADIUS - Half the complexity of Diameter
------------------------------
Message: 2
Date: Fri, 15 Jul 2011 15:49:34 +0100
From: Alexander Clouter <alex(a)digriz.org.uk>
Subject: Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and,
?more?broadly, setting Stripped-User-Name)
To: freeradius-users(a)lists.freeradius.org
Message-ID: <uk06f8-ku7.ln1(a)chipmunk.wormnet.eu>
Phil Mayers <p.mayers(a)imperial.ac.uk> wrote:
>
>>Unfortunately, when you set nostrip in the config, it doesn't add a
>>Stripped-User-Name attribute to the request, but when you unset it,
>>rlm_realms adds a Stripped-User-Name attribute and also updates the
>>User-Name attribute to the same value.
>
> I am 90% sure that's not what rlm_realm does. We use unlang to process
> realms now, but I am certain we used it with nostrip and it left the
> original User-Name intact and populated Stripped-User-Name.
>
You are right, we use rlm_realm and it leaves User-Name unadulterated.
This sounds like maybe the *inner* auth User-Name is realmless and
making it's way out into outer.reply. When you use 'User-Name' in
post-auth{} you will get reply:User-Name rather than request:User-Name
if I remember correctly.
The fix is to *reject* inner-authentications that are realm-less.
Cheers
--
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.
------------------------------
Message: 3
Date: Fri, 15 Jul 2011 10:16:48 -0500
From: Gary Gatten <Ggatten(a)waddell.com>
Subject: RE: Error with AD/freeradius config
To: "'FreeRadius users mailing list'"
<freeradius-users(a)lists.freeradius.org>
Message-ID:
<30615_1310743009_4E2059E1_30615_115_1_D9B37353831173459FDAA836D3B43499C5218
61F(a)WADPMBXV0.waddell.com>
Content-Type: text/plain; charset="us-ascii"
Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Your path to ntlm auth is wrong. You need to specify the path to the ntlm
auth bin/exe that comes with samba.
G
-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org]
On Behalf Of Edge
Sent: Friday, July 15, 2011 9:27 AM
To: freeradius-users(a)lists.freeradius.org
Subject: Error with AD/freeradius config
OK, sorry as this is a long mail because Im going to include as much config
as possible.
I have been playing around trying to get this to work with little success
though the debug error messages have changed since yesterday
Im having trouble getting freeradius to use ntlm_auth - the error massage is
now stating a permission error..
Just to confirm, Im following the steps on deployingradius.com ..
PAP has been tested and is working
Samba configured and working
wbinfo -a = works, having tested multiple logins
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user
--password=password = working, again tested with multiple logins
radtest user password localhost 0 testing123 = does not work, see debug info
at end of email..
Contents of/raddb/modules/ntlm_auth file
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
wait = yes
program = "/usr/local/etc/raddb/modules/ntlm_auth --request-nt-key
--domain=xxxxxxxxxx --username=%{mschap:User-Name}
--password=%{User-Password}"
}
I have modified the authenticate sections of the raddb/sites-enabled/default
file, and of the raddb/sites-enabled/inner-tunnel file
Listed below are the authenticate sections only as that is all I have
changed....
sites-enabled/default
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# ntlm authentication.
ntlm_auth
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# For normal "crypt" authentication, the "pap" module should
# be used instead of the "unix" module. The "unix" module should
# be used for authentication ONLY for compatibility with legacy
# FreeRADIUS configurations.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from
attr_filter
# }
# }
}
#
raddb/sites-enabled/inner-tunnel file - again just showing the bit
modified..
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# NTLM authentication.
ntlm_auth
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
DEFAULT Auth-Type = ntlm_auth has been added to the top of the users
file...
Full debug below...
root@istdevlamp10:~# radiusd -X
FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Jun
20 2011 at 14:50:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Instantiating module "ntlm_auth" from file
/usr/local/etc/raddb/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/local/etc/raddb/modules/ntlm_auth --request-nt-key
--domain=london.edu --username=%{mschap:User-Name}
--password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 50743
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 43257, id=140,
length=60
User-Name = "xxxxxxx"
User-Password = "xxxxxx"
NAS-IP-Address = 163.119.77.150
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=xxxxxxx
[ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxx
Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xxxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 140 to 127.0.0.1 port 43257
Waking up in 4.9 seconds.
Cleaning up request 8 ID 140 with timestamp +16484
Ready to process requests.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in
0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
------------------------------
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 75, Issue 58
************************************************
3
2
OK, sorry as this is a long mail because Im going to include as much config
as possible.
I have been playing around trying to get this to work with little success
though the debug error messages have changed since yesterday
Im having trouble getting freeradius to use ntlm_auth - the error massage is
now stating a permission error..
Just to confirm, Im following the steps on deployingradius.com ..
PAP has been tested and is working
Samba configured and working
wbinfo -a = works, having tested multiple logins
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user
--password=password = working, again tested with multiple logins
radtest user password localhost 0 testing123 = does not work, see debug info
at end of email..
Contents of/raddb/modules/ntlm_auth file
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
wait = yes
program = "/usr/local/etc/raddb/modules/ntlm_auth --request-nt-key
--domain=xxxxxxxxxx --username=%{mschap:User-Name}
--password=%{User-Password}"
}
I have modified the authenticate sections of the raddb/sites-enabled/default
file, and of the raddb/sites-enabled/inner-tunnel file
Listed below are the authenticate sections only as that is all I have
changed....
sites-enabled/default
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# ntlm authentication.
ntlm_auth
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# For normal "crypt" authentication, the "pap" module should
# be used instead of the "unix" module. The "unix" module should
# be used for authentication ONLY for compatibility with legacy
# FreeRADIUS configurations.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from
attr_filter
# }
# }
}
#
raddb/sites-enabled/inner-tunnel file - again just showing the bit
modified..
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# NTLM authentication.
ntlm_auth
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
DEFAULT Auth-Type = ntlm_auth has been added to the top of the users
file...
Full debug below...
root@istdevlamp10:~# radiusd -X
FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Jun
20 2011 at 14:50:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Instantiating module "ntlm_auth" from file
/usr/local/etc/raddb/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/local/etc/raddb/modules/ntlm_auth --request-nt-key
--domain=london.edu --username=%{mschap:User-Name}
--password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-
IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 50743
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 43257, id=140,
length=60
User-Name = "xxxxxxx"
User-Password = "xxxxxx"
NAS-IP-Address = 163.119.77.150
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=xxxxxxx
[ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxx
Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xxxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 140 to 127.0.0.1 port 43257
Waking up in 4.9 seconds.
Cleaning up request 8 ID 140 with timestamp +16484
Ready to process requests.
3
2
15 Jul '11
So, one of my last things here is making sure I can get at the stripped usernames for my domain users, as they're authorized by their stripped name, not the name w/ which they're authenticating. Forex, if I'm using my AD credentials to log in, User-Name = hokies\dawson, but I'm authorized for WLAN access as 'dawson,' not 'hokies\dawson.'
That's all well and good, as I should just be able to use Stripped-User-Name in my queries and it'll be fine (assuming it exists, using the :- operator and doing a little logic there, which I have working fine). However, I haven't found a way, or maybe just the right way, to get the realms module to create that stripped user name at the right time, and when I use the perl module to create it and add it to the list, it doesn't seem to come out the other side, like so:
rlm_perl: Added pair User-Name = hokies\\dawson
...
rlm_perl: Added pair Stripped-User-Name = dawson
(1) [perl] = updated
(1) ? if ("%{Stripped-User-Name}" == "dawson")
(1) expand: %{Stripped-User-Name} ->
(1) ? Evaluating ("%{Stripped-User-Name}" == "dawson") -> FALSE
(1) ? if ("%{Stripped-User-Name}" == "dawson") -> FALSE
I uncommented the func_authorize = authorize line in modules/perl, and the script to which the perl module points has this for its authorize function:
sub authorize {
# For debugging purposes only
# &log_request_attributes;
# Logic to add stripped user name to request if our realms are recognized
my $fullUserName = $RAD_REQUEST{'User-Name'};
#If we have a prefix-determined domain
if ( $fullUserName =~/^.*\\(\\)?/i){
$RAD_REPLY{'Stripped-User-Name'} = $';
return RLM_MODULE_UPDATED;
}
#If we have a suffix-determined domain
elsif ( $fullUserName =~/\@.*$/){
$RAD_REPLY{'Stripped-User-Name'} = $`;
return RLM_MODULE_UPDATED;
}
return RLM_MODULE_OK;
}
Obviously, the regexps are working and the logic is working, based on the debug output, but since in the very next line, Stripped-User-Name is blank again, something's not working here.
I _tried_ getting this working in unlang, but that got mess pretty fast, and started complaining about unmatched parens:
(1) ? elsif ("%{User-Name}" =~ /^(.*\\)(.*)$/)
(1) expand: %{User-Name} -> hokies\dawson
ERROR: Failed compiling regular expression: Unmatched ( or \(
(1) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
where the relevant part of sites-enabled/default authorize section looks thus:
elsif("%{User-Name}" =~ /^(.*\\)(.*)$/){
update request{
Stripped-User-Name := "%{$`}"
}
}
(I can't tell if the assignment is working or not, since it never gets that far, but I wouldn't be surprised if it shouldn't work in that state)
One of these ought to be writing the Attribute correctly, but not a one of them has worked. Manually writing to the attribute works (Stripped-User-Name:="dawson") but that's hardly the right answer. I'm out of ideas here. I can't tell if I'm getting unexpected behavior out of FreeRADIUS, or I'm just missing something.
Thoughts?
Thanks much,
- Jacob
4
8
Ok heres the deal.
There are three formats we use on the wiki:
1. markdown
2. restructuredtext
3. mediawiki
Mediawiki pages contain content from our old mediawiki instance. Feel free to convert these to RST or Markdown, the wiki cloth renderer sucks so they probably won't render quite right in mediawiki format anyway.
restructuedtext pages either came from the docs directory in the server, or were created in RST because the author thought they might one day be included in the server docs. If you're editing a page in restructured text DO NOT CHANGE THE FORMAT. RST is the preferred format for all new pages.
markdown pages are intended to exist exclusively on the wiki, we only really allow markdown because the syntax is easier than RST and there are cute little buttons to do basic formatting so it makes it easier for wiki novices to contribute.
HTML tags in wiki content are bad. DO NOT USE THEM EVER! Instead use the proper code formatting system for the format you're using.
1. HTML tags like '<pre>' will not be parsed by all renderers, just because it works in Gollum, doesn't mean it will work with a proper renderer for that markup format.
For markdown its 3 spaces or a tab in front of every line, for RST it's double colon, return, 4 spaces indent in front of every line.
2. The main reason for moving to Gollum was so that users could contribute directly to documentation without needing to learn GIT. The end goal is to distribute the entire wiki with the server tar ball, which means people will be reading just the plaintext source. Having HTML tags everywhere is ugly, having properly indented code examples is pretty.
-Arran
Arran Cudbard-Bell
a.cudbardb(a)freeradius.org
RADIUS - Half the complexity of Diameter
5
8
David Suarez De Lis/UN24956/OPERACION Y MANTENIMIENTO/TSM está ausente de la oficina.
by david.suarezdelis@telefonica.es 14 Jul '11
by david.suarezdelis@telefonica.es 14 Jul '11
14 Jul '11
Estaré ausente de la oficina desde el 14/07/2011 y no volveré hasta el
01/08/2011.
Responderé a su mensaje cuando regrese. Si tiene alguna emergencia, puede
contactar con Accesos_SOR@telefonica (900 111 245 opción 2) o Jose Manuel
Gomez Perez (jmgomez(a)telefonica.es) ¡Felices fiestas y próspero año nuevo!
___________________________________________________________________________
Este mensaje se dirige exclusivamente a su destinatario y puede contener
información privilegiada o confidencial. Si no es vd. el destinatario
indicado, queda notificado de que la lectura, utilización, divulgación y/o
copia sin autorización está prohibida en virtud de la legislación vigente.
Si ha recibido este mensaje por error, le rogamos que nos lo comunique
inmediatamente por esta misma vía y proceda a su destrucción.
El correo electrónico vía Internet no permite asegurar la confidencialidad
de los mensajes que se transmiten ni su integridad o correcta recepción.
Telefónica no asume ninguna responsabilidad por estas circunstancias.
This message is intended exclusively for its addressee and may contain
information that is CONFIDENTIAL and protected by a professional privilege
or whose disclosure is prohibited by law.If you are not the intended
recipient you are hereby notified that any read, dissemination, copy or
disclosure of this communication is strictly prohibited by law. If this
message has been received in error, please immediately notify us via e-mail
and delete it.
Internet e-mail neither guarantees the confidentiality nor the integrity or
proper receipt of the messages sent. Telefónica does not assume any
liability for those circumstances.
___________________________________________________________________________
1
0
Phil,
It would seem I must have made a typo, Gareth has tried this again and
due to his golden touch the array is now being evaluated.
Sorry for the confusion.
Cheers,
Jezz.
-----Original Message-----
From: Ayres G.J.
Sent: 14 July 2011 17:02
To: Palmer J.D.F.
Subject: RE: SoH - FR 2.1.11
I just tried this out of curiosity and it worked :S
[peap] Processing SoH request
SoH-Supported = yes
SoH-MS-Machine-OS-vendor = Microsoft
SoH-MS-Machine-OS-version = 6
SoH-MS-Machine-OS-release = 1
SoH-MS-Machine-OS-build = 7600
SoH-MS-Machine-SP-version = 0
SoH-MS-Machine-SP-release = 0
SoH-MS-Machine-Processor = x86_64
SoH-MS-Machine-Name = "jezztosh"
SoH-MS-Correlation-Id =
0xa381264b0c2d4feeb2ebf9bb7c00b94501cc423e63ba7481
SoH-MS-Machine-Role = client
SoH-MS-Windows-Health-Status = "firewall ok snoozed=0
microsoft=1 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0
microsoft=0 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0
microsoft=0 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0
microsoft=1 up2date=1 enabled=0"
SoH-MS-Windows-Health-Status = "auto-updates ok action=download"
SoH-MS-Windows-Health-Status = "security-updates warn
some-missing"
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
Calling-Station-Id = "4c-ed-de-1c-56-2f"
Called-Station-Id = "00-0f-34-46-82-50:devroam"
NAS-Port = 29
NAS-IP-Address = 10.10.246.238
NAS-Identifier = "Slot11-Port1"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "654"
[peap] server soh-server {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/soh-server
+- entering group authorize {...}
++? if (SoH-Supported == no)
? Evaluating (SoH-Supported == no) -> FALSE
++? if (SoH-Supported == no) -> FALSE
++- entering else else {...}
+++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates
(warn|error)/)
expand: %{SoH-MS-Windows-Health-Status[*]} -> firewall ok
snoozed=0 microsoft=1 up2date=1 enabled=1 antivirus ok snoozed=0
microsoft=0 up2date=1 enabled
=1 antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 antispyware
ok snoozed=0 microsoft=1 up2date=1 enabled=0 auto-updates ok
action=download security-up
dates warn some-missing
? Evaluating ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates
(warn|error)/) -> TRUE
+++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates
(warn|error)/) -> TRUE
+++- entering if ("%{SoH-MS-Windows-Health-Status[*]}" =~
/security-updates (warn|error)/) {...}
++++[config] returns notfound
++++[reply] returns notfound
+++- if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates
(warn|error)/) returns notfound
+++ ... skipping else for request 7: Preceding "if" was taken
++- else else returns notfound
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
So looks like it correctly evaluates it against the whole
SoH-MS-Windows-Health-Status array to me:
? Evaluating ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates
(warn|error)/) -> TRUE
+++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates
(warn|error)/) -> TRUE
+++- entering if ("%{SoH-MS-Windows-Health-Status[*]}" =~
/security-updates (warn|error)/) {...}
> -----Original Message-----
> From: freeradius-users-
> bounces+g.j.ayres=swansea.ac.uk(a)lists.freeradius.org
> [mailto:freeradius-users-
> bounces+g.j.ayres=swansea.ac.uk(a)lists.freeradius.org] On Behalf Of
> Palmer J.D.F.
> Sent: 14 July 2011 15:59
> To: FreeRadius users mailing list
> Subject: RE: SoH - FR 2.1.11
>
> Thanks Phil & Arran,
>
> I keep starting reply emails and another arrives before I get to send
> them.
>
> I've tried array hack, that fails even with 'firewall' as the
> condition.
> if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /firewall/), where as if
> (SoH-MS-Windows-Health-Status =~ /firewall/) is satisfied.
>
> Cheers,
> Jezz.
>
> > -----Original Message-----
> > From: freeradius-users-
> > bounces+j.d.f.palmer=swansea.ac.uk(a)lists.freeradius.org
> > [mailto:freeradius-users-
> > bounces+j.d.f.palmer=swansea.ac.uk(a)lists.freeradius.org] On Behalf
Of
> > Phil Mayers
> > Sent: 14 July 2011 15:45
> > To: freeradius-users(a)lists.freeradius.org
> > Subject: Re: SoH - FR 2.1.11
> >
> > On 14/07/11 15:24, Phil Mayers wrote:
> >
> > > I thought that the =~ regexp operator tried all attributes on the
> > > left-hand side; that is, I thought it looped through until it got
> > > first-match.
> > >
> > > If it doesn't, then the idea of squeezing all the SoH data into a
> > > multiple instances of a single text attribute is going to need
> > > revisiting (or the "foreach" unlang operator will need
> backporting!)
> >
> > Damn. You're right. It just looks at the first attribute.
> >
> > Erm.... Hmm. That's a problem. It makes checking the attributes
> really
> > painful. Blast. Sorry about that.
> >
> >
> > Maybe try this, which is a horrible hack:
> >
> > if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /antivirus
(warn|error)/)
> {
> > ...
> > }
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
1
0
Im following the AD config guide over at deployingradius.com and think I
have an error in one of the config files, I suspect Im not using the right
syntax, or another really simple error .
Fresh install of the latest freeradius version on ubuntu - not the packaged
version, built from source
PAP is working
I have configured and tested samba and ntlm_auth - both working fine
The deployingradius guide then states
<You will also have to list ntlm_auth in the authenticate sections of each
the raddb/sites-enabled/default file, and of the
raddb/sites-enabled/inner-tunnel file:>
This is where I have hit problems.....
ERROR: No authenticate method (Auth-Type) found for the request:
The above error makes me think I have amended the config files incorrectly.
I have copied the /usr/local/etc/raddb/sites-enabled/default and
/usr/local/etc/raddb/sites-enabled/inner-tunnel files below and at the end
the radius debug information Can someone have a look at them and tell me
where I have gone wrong? I just didn't understand what format the entry had
to take, so copied the existing entries in both files. If you search for
ntlm_auth it will take you straight to the areas I have changed..
Many thanks
My /sites-enabled/default file - I have just copied the authentication
section as everything else in the file is at default settings
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user (Auth-Type := Reject),
# or to or forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# ntlm authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# For normal "crypt" authentication, the "pap" module should
# be used instead of the "unix" module. The "unix" module should
# be used for authentication ONLY for compatibility with legacy
# FreeRADIUS configurations.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from
attr_filter
# }
# }
}
My / sites-enabled/inner-tunnel file - again, I have just copied the section
I have added to...
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# NTLM authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
My debug output is as follows
rad_recv: Access-Request packet from host 127.0.0.1 port 44992, id=218,
length=60
User-Name = "xxxxxxxx"
User-Password = "xxxxxxxxx"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xxxxxxxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 16 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 16
Sending Access-Reject of id 218 to 127.0.0.1 port 44992
Waking up in 4.9 seconds.
Cleaning up request 16 ID 218 with timestamp +84526
Ready to process requests.
Many thanks
4
8
Thanks for the quick reply Gary
I changed the /usr/local/etc/raddb/sites-enabled/default file to
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# ntlm authentication.
ntlm_auth
#
I also changed the /usr/local/etc/raddb/sites-enabled/inner-tunnel file to
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# NTLM authentication.
ntlm_auth
# Pluggable Authentication Modules.
I can confirm that the top of my users file has the following entry..
DEFAULT Auth-Type = ntlm_auth
The debug file is still giving the same output..
rad_recv: Access-Request packet from host 127.0.0.1 port 46984, id=103,
length=60
User-Name = "xxxxxxxx"
User-Password = "xxxxxxx"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xxxxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 17 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 17
Sending Access-Reject of id 103 to 127.0.0.1 port 46984
Waking up in 4.9 seconds.
Cleaning up request 17 ID 103 with timestamp +95119
Ready to process requests.
-----Original Message-----
From: freeradius-users-bounces+edgedemon=hotmail.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+edgedemon=hotmail.com@lists.freeradius.org]
On Behalf Of freeradius-users-request(a)lists.freeradius.org
Sent: 14 July 2011 16:19
To: freeradius-users(a)lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 75, Issue 49
Send Freeradius-Users mailing list submissions to
freeradius-users(a)lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request(a)lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner(a)lists.freeradius.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Error with AD/freeradius config (Phil Mayers)
2. Re: SoH - FR 2.1.11 (Phil Mayers)
3. RE: Error with AD/freeradius config (Gary Gatten)
----------------------------------------------------------------------
Message: 1
Date: Thu, 14 Jul 2011 16:13:28 +0100
From: Phil Mayers <p.mayers(a)imperial.ac.uk>
Subject: Re: Error with AD/freeradius config
To: freeradius-users(a)lists.freeradius.org
Message-ID: <4E1F0798.3000608(a)imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 14/07/11 16:04, Edge wrote:
> My /sites-enabled/default file - I have just copied the authentication
> section as everything else in the file is at default settings
Not necessary or helpful. Full debug (which you didn't provide; you trimmed
the start) is what's needed.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 44992,
> id=218,
> length=60
>
> User-Name = "xxxxxxxx"
>
> User-Password = "xxxxxxxxx"
>
> NAS-IP-Address = xxx.xxx.xxx.xxx
>
> NAS-Port = 0
This is not an MSCHAP request. It's a PAP request, probably from radtest or
radclient.
You need to test with EAP. Either use "eapol_test" from the wpa_supplicant
source, or use "radtest -t mschap" and direct the request to the "testing"
port of the inner-tunnel virtual server.
------------------------------
Message: 2
Date: Thu, 14 Jul 2011 16:14:48 +0100
From: Phil Mayers <p.mayers(a)imperial.ac.uk>
Subject: Re: SoH - FR 2.1.11
To: freeradius-users(a)lists.freeradius.org
Message-ID: <4E1F07E8.6060004(a)imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 14/07/11 15:59, Palmer J.D.F. wrote:
> Thanks Phil& Arran,
>
> I keep starting reply emails and another arrives before I get to send
> them.
Hehe.
>
> I've tried array hack, that fails even with 'firewall' as the condition.
> if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /firewall/), where as if
> (SoH-MS-Windows-Health-Status =~ /firewall/) is satisfied.
Really? Hmm, that's odd. I'll take a look.
------------------------------
Message: 3
Date: Thu, 14 Jul 2011 10:18:56 -0500
From: Gary Gatten <Ggatten(a)waddell.com>
Subject: RE: Error with AD/freeradius config
To: "'FreeRadius users mailing list'"
<freeradius-users(a)lists.freeradius.org>
Message-ID:
<23289_1310656737_4E1F08E1_23289_66_1_D9B37353831173459FDAA836D3B43499C52186
02(a)WADPMBXV0.waddell.com>
Content-Type: text/plain; charset="us-ascii"
I don't think you need braces and such, this is not as much an auth type as
a method
Try just a single line that reads: ntlm_auth
Also, I actually had to set my default auth-type to ntlm_auth. You know the
part where it says "...for testing only..". in the users file? But, I had
to leave it in or it would never call ntlm_auth and hence to logins would
work.
G
________________________________
From: freeradius-users-bounces+ggatten=waddell.com(a)lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org]
On Behalf Of Edge
Sent: Thursday, July 14, 2011 10:05 AM
To: freeradius-users(a)lists.freeradius.org
Subject: Error with AD/freeradius config
Im following the AD config guide over at deployingradius.com and think I
have an error in one of the config files, I suspect Im not using the right
syntax, or another really simple error .
Fresh install of the latest freeradius version on ubuntu - not the packaged
version, built from source
PAP is working
I have configured and tested samba and ntlm_auth - both working fine
The deployingradius guide then states
<You will also have to list ntlm_auth in the authenticate sections of each
the raddb/sites-enabled/default file, and of the
raddb/sites-enabled/inner-tunnel file:>
This is where I have hit problems.....
ERROR: No authenticate method (Auth-Type) found for the request:
The above error makes me think I have amended the config files incorrectly.
I have copied the /usr/local/etc/raddb/sites-enabled/default and
/usr/local/etc/raddb/sites-enabled/inner-tunnel files below and at the end
the radius debug information Can someone have a look at them and tell me
where I have gone wrong? I just didn't understand what format the entry had
to take, so copied the existing entries in both files. If you search for
ntlm_auth it will take you straight to the areas I have changed..
Many thanks
My /sites-enabled/default file - I have just copied the authentication
section as everything else in the file is at default settings
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user (Auth-Type := Reject),
# or to or forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# ntlm authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# For normal "crypt" authentication, the "pap" module should
# be used instead of the "unix" module. The "unix" module should
# be used for authentication ONLY for compatibility with legacy
# FreeRADIUS configurations.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from
attr_filter
# }
# }
}
My / sites-enabled/inner-tunnel file - again, I have just copied the section
I have added to...
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# NTLM authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
My debug output is as follows
rad_recv: Access-Request packet from host 127.0.0.1 port 44992, id=218,
length=60
User-Name = "xxxxxxxx"
User-Password = "xxxxxxxxx"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxxxx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xxxxxxxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 16 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 16
Sending Access-Reject of id 218 to 127.0.0.1 port 44992
Waking up in 4.9 seconds.
Cleaning up request 16 ID 218 with timestamp +84526
Ready to process requests.
Many thanks
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in
0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the
intended recipient and may contain information that is privileged and/or
confidential.
If you are not the intended recipient, you are hereby notified that any
review, use, dissemination, disclosure or copying of this email and its
attachments, if any, is strictly prohibited. If you have received this
email in error, please immediately notify the sender by return email and
delete this email from your system."
</font>
2
1
Hi,
We've started to look at SoH with the intention to implement it for the
new academic session in September, but are having an issue.
The server is setup using the example soh-server, but find that the
condition in the example (below) isn't being satisfied when a client
with no AV returns it's SoH status. (SoH Reply below)
It appears after some trial that only the first of the
"SoH-MS-Windows-Health-Status =" attributes is considered, if I
manipulate the condition to check the firewall status which is returned
first it works. Is this a bug or something I've done wrong?
Example condition...
if (SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) {
SoH Status Reply...
SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1
up2date=1 enabled=0"
SoH-MS-Windows-Health-Status = "antivirus error not-installed"
SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1
up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "auto-updates ok action=download"
SoH-MS-Windows-Health-Status = "security-updates ok all-installed"
Separate to this, an observation from the SoH reply after I'd installed
Microsoft Security Essentials; the two hashed lines below show that
Microsoft Security Essentials is classed as being non-Microsoft.
I presume this the NAP service on the client making this decision, not
FreeRADIUS?
SoH-MS-Windows-Health-Status = "firewall ok snoozed=0
microsoft=1 up2date=1 enabled=1"
## SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0
microsoft=0 up2date=1 enabled=1" (MSE)
## SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0
microsoft=0 up2date=1 enabled=1" (MSE)
SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0
microsoft=1 up2date=1 enabled=0" (Windows Defender)
SoH-MS-Windows-Health-Status = "auto-updates ok action=download"
SoH-MS-Windows-Health-Status = "security-updates warn
some-missing"
Thanks,
Jezz.
Jezz Palmer
Information Services and Systems
Swansea University
Singleton Park
Swansea
SA2 8PP
J.D.F.Palmer(a)swan.ac.uk
3
9