Hi, I still can face a problem of LDAP users with Dialup access not able to authenticate through Radius Server. Attached it the Radiusd.conf file and The Logs. ldap { server = "10.91.0.33" identity = "cn=radiususer,ou=Users,ou=QMHI,dc=india,dc=quark,dc=com" password = Quark_123 basedn = "dc=india,dc=quark,dc=com" filter = "(&(samaccountname=%{user-name}))" #filter = "(SamAccountName=%u)" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # password_header = "{clear}" # # Set: dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # #password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 40 timelimit = 30 net_timeout = 10 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } Logs rad_recv: Access-Request packet from host 10.91.192.115:3072, id=0, length=139 User-Name = "INDIA\\vmarwah" NAS-IP-Address = 10.91.192.115 Called-Station-Id = "0012178026ed" Calling-Station-Id = "0012f0b442e3" NAS-Identifier = "0012178026ed" NAS-Port = 21 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201494e4449415c766d6172776168 Message-Authenticator = 0x663d5b4e1e084bb62c6db0268f187847 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "INDIA\vmarwah", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for INDIA\vmarwah radius_xlat: '(&(samaccountname=INDIA))' radius_xlat: 'dc=india,dc=quark,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.91.0.33:389, authentication 0 rlm_ldap: bind as cn=radiususer,ou=Users,ou=QMHI,dc=india,dc=quark,dc=com/Quark_123 to 10.91.0.33:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=india,dc=quark,dc=com, with filter (&(samaccountname=INDIA)) rlm_ldap: ldap_search() failed: Operations error rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0 modcall: group authorize returns fail for request 0 Finished request 0 Going to the next request Please help me out to resolve this............. Thanks & Regards Varun Marwah CONFIDENTIALITY NOTICE This e-mail transmission and any documents, files, or previous e-mail messages appended or attached to it, may contain information that is confidential or legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, printing, distribution, or use of the information contained or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify the sender by telephone (+91-172-2299137) or return e-mail message (vmarwah@quark.com) and delete the original transmission, its attachments, and any copies without reading or saving in any manner. Thank you. -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of freeradius-users-request@lists.freeradius.org Sent: Monday, November 21, 2005 11:45 PM To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 7, Issue 79 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re: Freeradius - LDAP - Active Directory (Konne) 2. RE: wireless+freeradius+AD (King, Michael) 3. Re: 802.1x machine authentication patch help (Jamie Crawford) 4. tool for testing machine authentication (Norbert Wegener) 5. Re: tool for testing machine authentication (Konne) 6. RE: tool for testing machine authentication (Cris Boisvert) 7. Re: tool for testing machine authentication (Robin Mordasiewicz) 8. Re: tool for testing machine authentication (Konne) 9. Cache with proxy (Romain GAILLEGUE) 10. RE: tool for testing machine authentication (Robin Mordasiewicz) ---------------------------------------------------------------------- Message: 1 Date: Mon, 21 Nov 2005 13:03:52 +0100 From: Konne <bridge_stone@gmx.net> Subject: Re: Freeradius - LDAP - Active Directory To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4381B7A8.7020303@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed hi i found the problem... *before* basedn = "dc=my,dc=dom" # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 *after, now it goes* basedn = "ou=wireless,dc=my,dc=dom" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf timeout = 40 timelimit = 30 net_timeout = 10 thx ------------------------------ Message: 2 Date: Mon, 21 Nov 2005 09:50:15 -0500 From: "King, Michael" <MKing@bridgew.edu> Subject: RE: wireless+freeradius+AD To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <EFB7B6506E9AB147BCC8EF9417E22091046723D4@EXCH2.campus.bridgew.edu> Content-Type: text/plain; charset="US-ASCII"
Oh, excellent. I just joined this list hoping to query the members on finding more information on doing wireless+activedirectory+freeradius, unfortunately I could not find any good postings, or web toots/examples.
Hi Robin, Welcome to the club.
I would need to use Microsoft IAS. Is this false ? Yes, That particular example used Microsoft IAS, but it is not required.
Are people using Active Directory successfully ? Yes. Besides myself, there are many people on this list that are.
I have a linux box that is currently acting as a tacacs server while authenticating using winbind etc, and was hoping to make it a radius server as well.
You are already 3/4 of the way there, since the trickest part of my freeradius setup was getting winbind to talk to activedirectory Depending on your Linux distribution, you will just have to install freeradius. (Some distributions like Debian require a -disable-shared) Go thru the radiusd.conf and the eap.conf files, it's clearly commented on what you need to configure. You'll see a section marked: ntlm_auth = "/path/to/ntlm_auth ........(Trimmed) You might need to modify this to: ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Don't hesitate to ask questions. There is a good Howto (unfortuantly, I don't have my bookmarks with me) but some others on the list hopefully will post it. ------------------------------ Message: 3 Date: Mon, 21 Nov 2005 08:54:11 -0600 From: "Jamie Crawford" <crawford@cmsu1.cmsu.edu> Subject: Re: 802.1x machine authentication patch help To: <freeradius-users@lists.freeradius.org>, <samba@lists.samba.org>, <mgriego@utdallas.edu> Message-ID: <s3818b53.061@NETMAIL.CMSU.EDU> Content-Type: text/plain; charset=US-ASCII I found my problem. From Andrew Bartlett himself "This is not supported against NT4. Only Samba 3.0.21rc1 and AD support this extra flag." To do machine authentication with freeradius, your workstation (supplicant) and samba server must be a member of a 2000/2003 domain. I had the supplicant and samba server still a member of the nt4 domain. Once I changed this, it worked great. Were still in the middle of a migration from nt4 to 2003 and all accounts still authenticate fine. Thanks for everyones help!!!!!! jamie
mgriego@utdallas.edu 11/18/2005 12:16:43 PM >>> Make sure you used the rlm_MSchap module from the snapshot, not the rlm_chap module. They're different.
--Mike Jamie Crawford wrote:
Hi, I am trying to get machine authentication working with freeradius. I have patched the samba code and freeradius code. But am getting this error when the machine tries to authenticate. I patched the rlm_chap module by taking last nights cvs snapshot and copying over the rlm_chap folder overwriting the contents of the same folder in the freeradius-1.0.5 release and recompiling. I see that it is trying to pass the username as "host/IS--000031176". I thought the updated rlm_mschap was suppposed to strip the "host/" part of the username. Do I need to create a realm to strip the "host/"? Any help would be appreciated!!! Thanks, jamie
make clean
./configure --configure --with-raddbdir=/etc/radius --with-logdir=/var/log/radius --disable-snmp --without-rlm_sql --without-rlm_ldap --without-rlm_krb5
make
make install
modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/IS--000031176 with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: d3 radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--000031176 --challenge=12345ce0768615e --nt-response=123456f1011a2f799b5d62e04ba
d8bb39719fa48c3d11299e' Exec-Program: /usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--000031176 --challenge=123453ce0768615e --nt-response=12345f1011a2f799b5d62e04bad8bb39719fa48c3d11299e Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed.
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ------------------------------ Message: 4 Date: Mon, 21 Nov 2005 17:59:14 +0100 From: Norbert Wegener <nw@sbs.de> Subject: tool for testing machine authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4381FCE2.4070209@sbs.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Does a tool exist, that lets me test machine account authentication against an AD? Something like an equivalent to radtest? Thanks Norbert Wegener ------------------------------ Message: 5 Date: Mon, 21 Nov 2005 18:11:31 +0100 From: Konne <bridge_stone@gmx.net> Subject: Re: tool for testing machine authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4381FFC3.3010701@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi Norbert, i use the programm NTRadTest... on Windows machine and start freeradius with "freeradius -X", for debug bye Norbert Wegener schrieb:
Does a tool exist, that lets me test machine account authentication against an AD? Something like an equivalent to radtest? Thanks Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Message: 6 Date: Mon, 21 Nov 2005 12:15:10 -0500 From: "Cris Boisvert" <cris@usai.net> Subject: RE: tool for testing machine authentication To: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org> Message-ID: <000901c5eebf$22103960$064da8c0@systemadmin> Content-Type: text/plain; charset="us-ascii" NTRADPING It's a windows tool that does exactly what your looking for. -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Norbert Wegener Sent: Monday, November 21, 2005 11:59 AM To: FreeRadius users mailing list Subject: tool for testing machine authentication Does a tool exist, that lets me test machine account authentication against an AD? Something like an equivalent to radtest? Thanks Norbert Wegener - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.362 / Virus Database: 267.13.4/176 - Release Date: 11/20/2005 ------------------------------ Message: 7 Date: Mon, 21 Nov 2005 12:13:30 -0500 (EST) From: Robin Mordasiewicz <rmordasiewicz@samuelmanutech.com> Subject: Re: tool for testing machine authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <Pine.LNX.4.58.0511211212510.20094@smtcorms02.samuelmanutech.com> Content-Type: TEXT/PLAIN; charset=US-ASCII On Mon, 21 Nov 2005, Konne wrote:
Hi Norbert,
i use the programm NTRadTest... on Windows machine and start freeradius with "freeradius -X", for debug
i just did a google on NTRadTest, but found nothing. Where can I download NTRadTest ------------------------------ Message: 8 Date: Mon, 21 Nov 2005 18:23:14 +0100 From: Konne <bridge_stone@gmx.net> Subject: Re: tool for testing machine authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <43820282.8080104@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed hi sorry it was my bug it must be NTRADPING sorry Robin Mordasiewicz schrieb:
On Mon, 21 Nov 2005, Konne wrote:
Hi Norbert,
i use the programm NTRadTest... on Windows machine and start freeradius with "freeradius -X", for debug
i just did a google on NTRadTest, but found nothing. Where can I download NTRadTest - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Message: 9 Date: Mon, 21 Nov 2005 18:55:13 +0100 From: Romain GAILLEGUE <rgaillegue@wallix.com> Subject: Cache with proxy To: freeradius-users@lists.freeradius.org Message-ID: <1132595713.20382.7.camel@winxp> Content-Type: text/plain Hi, I have recently installed two freeradius servers one in server mode with MySQL authentication and an other in proxy mod. But sometime the connexion between the two servers is broken. I would like to know if it's possible to have a cache on the proxy ? Thanks Romain ------------------------------ Message: 10 Date: Mon, 21 Nov 2005 12:57:53 -0500 (EST) From: Robin Mordasiewicz <rmordasiewicz@samuelmanutech.com> Subject: RE: tool for testing machine authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <Pine.LNX.4.58.0511211256420.20094@smtcorms02.samuelmanutech.com> Content-Type: TEXT/PLAIN; charset=US-ASCII On Mon, 21 Nov 2005, Cris Boisvert wrote:
NTRADPING
It's a windows tool that does exactly what your looking for.
ok that seems to work. I can authenticate using a local unix account. Now I need to find documentation on how to connect my freeradius to AD ------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html End of Freeradius-Users Digest, Vol 7, Issue 79 ***********************************************