Huh....I've searched all over and haven't seen any reference to that syntax for the users file. Let me give that a shot. Are there any additional modules I would have to configure, or should I be good to go considering I can already authenticate via Active Directory? From: freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjulson=marketron.com@lists.freeradius.org] On Behalf Of Nolan King Sent: Friday, June 22, 2012 1:22 PM To: FreeRadius users mailing list Subject: RE: Can't figure out Group Authentication I do it like this, in users file: DEFAULT Ldap-Group == "wifiusers" DEFAULT Auth-Type := Reject Anyone in wifiusers AD security group gets in, all others are rejected. Nolan From: freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org<mailto:freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org> [mailto:freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org]<mailto:[mailto:freeradius-users-bounces+nking=mnwd.com@lists.freeradius.org]> On Behalf Of Julson, Jim Sent: Friday, June 22, 2012 8:32 AM To: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Can't figure out Group Authentication First, I'd like to thank Alan for his beyond countless hours of dedication to all the blogs, forum posting, and general support within the community. Your write-ups are thorough and well thought out. I wish more people were like you. I'm pretty new to RADIUS and as consequently, Linux in general. So I might ask questions that seem noobish or lame, but it doesn't mean I'm not willing to learn, research etc. Just bare with me. Now, the problem is this. Following Alan DeKok's guide at http://deployingradius.com/documents/configuration/active_directory.html, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort. There were a few things I had to go elsewhere to figure out, but I managed. I have FreeRADIUS setup and authenticating using NTLM_AUTH. I was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users. So the problem is this. It's authenticating...a little too well. I've added the following entry into "/etc/raddb/clients.conf" to allow AAA on one of my cisco routers. ************************************* client 10.10.0.5 { secret = REALSECRETOMMITTED shortname = Cisco-2911-VPCRTR nastype = cisco } ************************************* Now, I then setup my Cisco router accordingly, and then did an SSH test to it using my AD Account. Voila! It worked great. However, so did every other "Domain User" account in the environment. This goes back to me being so new to RADIUS and Linux where I don't feel like I'm fully grasping all of the directives within the configuration files, and exactly how they all tie together. I'm getting there, but just not fast enough. So, how do I lock down the SSH Authentication to an Active Directory Group of users, or individual users? Remember, go easy on me. I'll provide whatever you need to help. I'm assuming you will ask for my RADIUSD -X output, so I've attached that as well. NOTE: One thing I don't understand is how in Alan DeKok's write up from the link above, he says don't use the "DEFAULT Auth-Type = ntlm_auth" in the "/etc/raddb/users" file, but yet that's one of the final steps to test in the write-up. Maybe it's because I am so new, but I've been through that document probably 30 times line by line, and yet every time I remove that entry, it breaks the Authentication. BEGIN RADIUSD -X DEBUG OUTPUT ************************************************************************************************** ************************************************************************************************** ************************************************************************************************** FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Jul 19 2011 at 10:21:08 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 172.16.1.1 { require_message_authenticator = no secret = "REALSECRETOMMITTED" shortname = "Cisco-4507-1" nastype = "cisco" } client 172.16.1.3 { require_message_authenticator = no secret = "REALSECRETOMMITTED" shortname = "Cisco-4507-2" nastype = "cisco" } client 172.16.1.2 { require_message_authenticator = no secret = "REALSECRETOMMITTED" shortname = "Cisco-ASA-5520-01" nastype = "cisco" } client 10.10.0.5 { require_message_authenticator = no secret = "REALSECRETOMMITTED" shortname = "Cisco-2911-VPCRTR" nastype = "cisco" } client 172.16.1.10 { require_message_authenticator = no secret = "REALSECRETOMMITTED" shortname = "Cisco-ASA-5510-GDM" nastype = "cisco" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYREALDOMAIN-OMMITTED --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. ************************************************************************************************** ************************************************************************************************** ************************************************************************************************** END RADIUSD -X DEBUG OUTPUT Jim C. Julson Sr. Network & Systems Administrator C 208.908.1476 jjulson@marketron.com<mailto:jjulson@marketron.com> [www.marketron.com]<http://www.marketron.com> <http://www.marketron.com> [Learn more about Network Connect]<http://www.marketron.com/network-connect.php?email> The information contained in this e-mail message may be confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail message in error, please notify the sender immediately by replying to this message and then delete it from your system. The information contained in this e-mail message may be confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail message in error, please notify the sender immediately by replying to this message and then delete it from your system.