The MS-CHAP-Use-NTLM-Auth := 0, will tell that freeradius with aduser1 will not be preprocessed by the ntlm_auth auxiliary program, this is, will not request the key to compare credentials against the Active Directory, instead, will compare against the users file of the freeradius configuration directory.
I also read that It is important to verify that the line on radiusd.conf:
authorize {
...
files
...
}
It was not on my radiusd.conf so I add it and restart radiusd but now it's has errors
Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry for module "files".
Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module "files".
Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse authorize section.
Is there something else that should be configured?
Here's the complete radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# Client configuration is defined in "clients.conf".
$INCLUDE ${confdir}/clients.conf
# To enable SNMP querying of the server, set the value of the
# 'snmp' attribute to 'yes'
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key
certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt
CA_file = ${raddbdir}/certs/ca.crt
dh_file = ${raddbdir}/certs/dh2048.pem
random_file = /dev/urandom
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
}
authorize {
mschap
eap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
accounting {
detail}
post-auth {
}
Here's the
Thanks.I put it on usersaduser1 MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Rejectrestart radius: /etc/init.d/radiusd restarttest but user aduser1 can still log to our VPN.On Wed, Apr 30, 2008 at 12:47 PM, Nicolas Goutte <nicolas.goutte@extragroup.de> wrote:
Am 30.04.2008 um 18:41 schrieb rmp dmd:
thanks for the reply.Just to confirm.
I add that line also on ~/raddb/users?Sorry to not have mentioned. I'm new on radius.As far as I understand: yes.The line looks like an user entry.Have a nice day!
Thanks again!Roehl2008/4/30 Ivan Kalik <tnt@kalik.net>:
To stop a valid AD account from being authenticated you need to avoid
ntlm_auth:
testuser MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
Ivan Kalik
Kalik Informatika ISP
Dana 30/4/2008, "rmp dmd" <rmp.dmd1229@gmail.com> piše:
-
>Hi,
>
>We have a wireless network that uses freeRadius integrated with AD for
>authentication. There are some test user accounts on AD that I would like
>to deny access on our Wireless and VPN.
>
>I have tried "How do I deny access to a specific user, or group of users" on
>FAQ but it is not working. I'm guessing that this is not the correct
>method.
>
>Please help me on how to set-up correctly.
>
>Thanks!
>Roehl
>
>
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutteextragroup GmbH - KarlsruheWaldstr. 4976133 KarlsruheGermanyGeschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman HaerdleRegistergericht: Amtsgericht Münster / HRB: 5624Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html