Thanks for lead Ivan. I was able to make it work by changing radiusd.conf I add module files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } and on authorize { .... files .... Thanks also Nicolas. 2008/4/30 Ivan Kalik <tnt@kalik.net>:
I am afraid your radiusd.conf is seriously butchered. fiels module and quite a few others are missing. It should be before detail but you have deleted it.
Ivan Kalik Kalik Informatika ISP
Dana 30/4/2008, "rmp dmd" <rmp.dmd1229@gmail.com> piše:
Hi,
I checked around and see this
The *MS-CHAP-Use-NTLM-Auth := 0*, will tell that freeradius with aduser1 will not be preprocessed by the ntlm_auth auxiliary program, this is, will not request the key to compare credentials against the Active Directory, instead, will compare against the users file of the freeradius configuration directory.
I also read that It is important to verify that the line on radiusd.conf:
authorize { .... files .... }
It was not on my radiusd.conf so I add it and restart radiusd but now it's has errors
Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry for module "files". Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module "files". Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse authorize section.
Is there something else that should be configured?
Here's the complete radiusd.conf
## ## radiusd.conf -- FreeRADIUS server configuration file. ##
prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad
security { max_attributes = 200 reject_delay = 1 status_server = no }
proxy_requests = yes $INCLUDE ${confdir}/proxy.conf
# Client configuration is defined in "clients.conf". $INCLUDE ${confdir}/clients.conf
# To enable SNMP querying of the server, set the value of the # 'snmp' attribute to 'yes' snmp = no $INCLUDE ${confdir}/snmp.conf
thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 }
modules { detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 }
mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" }
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no
tls { private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt CA_file = ${raddbdir}/certs/ca.crt dh_file = ${raddbdir}/certs/dh2048.pem random_file = /dev/urandom }
ttls { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 } mschapv2 { } } }
authorize { mschap eap }
authenticate { Auth-Type MS-CHAP { mschap } eap }
accounting { detail}
post-auth { }
Here's the On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd <rmp.dmd1229@gmail.com> wrote:
Thanks.
I put it on users aduser1 MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject restart radius: /etc/init.d/radiusd restart test but user aduser1 can still log to our VPN.
On Wed, Apr 30, 2008 at 12:47 PM, Nicolas Goutte < nicolas.goutte@extragroup.de> wrote:
Am 30.04.2008 um 18:41 schrieb rmp dmd:
thanks for the reply.
Just to confirm.
I add that line also on ~/raddb/users?
Sorry to not have mentioned. I'm new on radius.
As far as I understand: yes.
The line looks like an user entry.
Have a nice day!
Thanks again! Roehl
2008/4/30 Ivan Kalik <tnt@kalik.net>:
To stop a valid AD account from being authenticated you need to
avoid
ntlm_auth:
testuser MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
Ivan Kalik Kalik Informatika ISP
Dana 30/4/2008, "rmp dmd" <rmp.dmd1229@gmail.com> pi�e:
Hi,
We have a wireless network that uses freeRadius integrated with AD for authentication. There are some test user accounts on AD that I would like to deny access on our Wireless and VPN.
I have tried "How do I deny access to a specific user, or group of users" on FAQ but it is not working. I'm guessing that this is not the correct method.
Please help me on how to set-up correctly.
Thanks! Roehl
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html