Yum install freeradius2-ldap

 

Cheers,

Harry

 

From: freeradius-users-bounces+hhoffman=ip-solutions.net@lists.freeradius.org [mailto:freeradius-users-bounces+hhoffman=ip-solutions.net@lists.freeradius.org] On Behalf Of Usuário do Sistema
Sent: Wednesday, March 09, 2011 2:39 PM
To: freeradius-users@lists.freeradius.org
Cc: freeradius-users-request@lists.freeradius.org
Subject: Re: Freeradius 2

 

Hello everyone, I've Installed by yum freeradius2-2.1.7-7.el5 but I'm can't found the ldap dirctory under /etc/raddb/..

I have creta it or install more any package ??

 

 

thank!

 

 

 

 


 

2011/3/5 <freeradius-users-request@lists.freeradius.org>

Send Freeradius-Users mailing list submissions to
       freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
       http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
       freeradius-users-request@lists.freeradius.org

You can reach the person managing the list at
       freeradius-users-owner@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

  1. Re: Caching techniques with ntlm_auth usage?
     (EAP-PEAP-MSchapV2) (Phil Mayers)
  2. Re: Freeraidus 2 (Gary Gatten)
  3. Re: Caching techniques with ntlm_auth usage?
     (EAP-PEAP-MSchapV2) (James J J Hooper)
  4. RE: mschap with ntlm_auth and Active Directory (McNutt, Justin M.)
  5. Re: MS-CHAP-V2 with no retry (Alan DeKok)
  6. Re: Hopefully quick question: conditional processing sneaking
     in        and     setting Auth-Type (Alan DeKok)
  7. Re: Freeraidus 2 (Alan Buxey)


----------------------------------------------------------------------

Message: 1
Date: Sat, 05 Mar 2011 00:45:43 +0000
From: Phil Mayers <p.mayers@imperial.ac.uk>
Subject: Re: Caching techniques with ntlm_auth usage?
       (EAP-PEAP-MSchapV2)
To: freeradius-users@lists.freeradius.org
Message-ID: <4D7187B7.5000402@imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 03/05/2011 12:21 AM, Gary Gatten wrote:
> I kinda like your caching idea, but not sure of any security
> implications.

It's not a workable idea. MSCHAP responses are specific to the 8-byte
random challenge, which is different every time. You can't cache them.

>
> I have (2) FR servers (each pointing to different DC) and my NAS's
> are configured to use both.  But, iirc if AD is down on the backend
> FR still replies (with something) so the NAS never rolls over to the
> other FR server.

Yes, this is a bad idea.

Just configure samba to autodiscover the AD controllers. Winbind will
cache connections and open new ones when the old ones go away.

>
> So, I thought about some script that would use ntlm_auth every...n
> seconds, if it fails kill FR process (or use FR policy to act dead).
> When it starts working again, restart FR.  This should make the NAS
> roll to the next FR server.

That might work, but it seems like a sledgehammer to crack a nut.

>
> What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> the winblows/AD?  I've never tried this but assume it's doable.

It's not possible. AD controllers will only sync to other AD controllers.

At some point in the future, Samba 4 might be able to slave the LDAP
database of an AD controller, but it's purely theoretical at the moment
I think.


------------------------------

Message: 2
Date: Fri, 4 Mar 2011 18:54:44 -0600
From: Gary Gatten <Ggatten@waddell.com>
Subject: Re: Freeraidus 2
To: "'freeradius-users@lists.freeradius.org'"
       <freeradius-users@lists.freeradius.org>
Message-ID:
       <27487_1299286485_4D7189D5_27487_3768_1_D9B37353831173459FDAA836D3B43499BD354A55@WADPMBXV0.waddell.com>

Content-Type: text/plain; charset="utf-8"

Try ../sites_enabled/default; or if *eap requests it would be inner-tunnel, - I think...

From: Paulo Maia [mailto:phc.maia@gmail.com]
Sent: Friday, March 04, 2011 06:43 PM
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: Freeraidus 2

Compilou o instalou via yum  ?  Geralmente fica em $RADIUSDIR/modules/ldap

Abs,


2011/3/4 Usu?rio do Sistema <maiconlp@ig.com.br<mailto:maiconlp@ig.com.br>>
Hello everyone, I'm Maicon from Brazil.

I'm in a project with Freeradius. I want to deployment authentication with certificate from my wireless users EAP-TLS but I'm finding some difficult. there is a good how to for version 2 ?? I've started with version 1.x but decided to change for version 2 and I'm not finding where I set the LDAP conection. at the older version it was inside radiusd.conf. anybody help me ??


thank!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
</font>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110304/3cfd97ca/attachment.html>

------------------------------

Message: 3
Date: Sat, 05 Mar 2011 01:17:54 +0000
From: James J J Hooper <jjj.hooper@bristol.ac.uk>
Subject: Re: Caching techniques with ntlm_auth usage?
       (EAP-PEAP-MSchapV2)
To: FreeRadius users mailing list
       <freeradius-users@lists.freeradius.org>
Message-ID: <403FF343B2CCD5B162F64B80@[172.16.13.237]>
Content-Type: text/plain; charset=us-ascii; format=flowed



--On 04 March 2011 12:34 -0500 John Douglass <john.douglass@oit.gatech.edu>
wrote:

> Group,
>
> Recently, my AD servers were patched by another support group and this
> caused a (small but noticeable) service outage for our WPA radius
> services (Radius 2.1.9)

I can think of two things to investigate:
* Recent Samba can do winbind credential caching IIRC - I haven't
experimented with this so I'm not sure if it will work for this application.

* Enable Fast Session Resumption:
<https://github.com/alandekok/freeradius-server/blob/master/raddb/modules/eap#L312>

... We dropped the hits on our DCs by > 40% by doing this. N.B Resumed
sessions will not touch your inner-tunnel config, so you have to make sure
that you pay attention when (re-)assigning VLANs / other returned
attributes based on username.

-James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--




------------------------------

Message: 4
Date: Fri, 4 Mar 2011 21:05:46 -0600
From: "McNutt, Justin M." <McNuttJ@missouri.edu>
Subject: RE: mschap with ntlm_auth and Active Directory
To: FreeRadius users mailing list
       <freeradius-users@lists.freeradius.org>
Message-ID:
       <0A99E1DA688C7A4796A68B3BC4F74B793CE60E78A4@UM-EMAIL04.um.umsystem.edu>

Content-Type: text/plain; charset="us-ascii"

> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> >
> > The password Pa$$w0rd is set in the Wireless Controller, if
> thats what you
> > mean by mschap client?

May I suggest two things:

1)  I'm assuming that the password is not actually 'Pa$$w0rd', but that string reminds me that certain special characters - the dollar sign is a notable one - are not always handled correctly in password strings.  Even if FreeRADIUS is handling it correctly, AD may not, and the wireless controller may not.  I suggest setting the password to something simpler.  If your password policy requires special characters, use dash, equals, underscore, or dot.  I have used passwords with these characters successfully when authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2 to AD via ntlm_auth.  (Same chain as you.)

2)  Even if you are confident that your real password's characters are not a problem, re-enter it on the wireless controller, MANUALLY.  You may have accidentally entered an unprintable character or a space or some similar thing that causes the password to APPEAR to be correct, when in fact it doesn't match.

--J


------------------------------

Message: 5
Date: Sat, 05 Mar 2011 07:23:54 +0100
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: MS-CHAP-V2 with no retry
To: FreeRadius users mailing list
       <freeradius-users@lists.freeradius.org>
Message-ID: <4D71D6FA.7030306@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

John.Hayward@wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
>    a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
>    a response sent back to the client but there was no message in the
>    response.

 It's more complicated.  The server would send EAP-Failure, and nothing
else.

> 2) The patch given resolves that problem - giving the message
>    of the rlm_mschap.c module of E=691 R=1

 On closer inspection, the patch doesn't resolve anything.  It still
sends an EAP-Failure.  It should instead send an EAP-Response with
EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code.  After the
client has ACKed that, it should *then* send EAP-Failure.

 i.e. fixing it is likely a fair bit more work.

> 3) It is possible to configure in radius.conf the message on failure by:

 No.  That sends back an MS-CHAP-Error.  The code has to package that
MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
*additional* request/response round trip, before finally sending
EAP-Failure.

 Alan DeKok.


------------------------------

Message: 6
Date: Sat, 05 Mar 2011 07:38:15 +0100
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: Hopefully quick question: conditional processing sneaking
       in      and     setting Auth-Type
To: FreeRadius users mailing list
       <freeradius-users@lists.freeradius.org>
Message-ID: <4D71DA57.5080400@deployingradius.com>
Content-Type: text/plain; charset=UTF-8

Gary Gatten wrote:
> I can?t find where this conditional processing is happing.  I have two
> FR servers with ?nearly? the same config.  Auth works on one, but not
> the other:

 Posting 2-3 lines of debug output doesn't help.

 Alan DeKok.


------------------------------

Message: 7
Date: Sat, 5 Mar 2011 09:44:15 +0000
From: Alan Buxey <A.L.M.Buxey@lboro.ac.uk>
Subject: Re: Freeraidus 2
To: FreeRadius users mailing list
       <freeradius-users@lists.freeradius.org>
Message-ID: <20110305094415.GA20802@lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

hi,

th details for your LDAP in 2.x go into $RADDB/modules/ldap

in 2.x most of the stuff was broken out of radiusd.conf
and put into either modules/*  or sites-available/*

if you want a particular feature, then configure the
module file , configure the sites-available file,

module files are pulled in by default, but to activate a 'site'
you need to ensure its in the sites-enabled/ directory
(a few 'sites' files are symlinked there by default... eg
default, inner-tunnel .....)

alan


------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 71, Issue 32
************************************************