Hi, Source data: Active directory freeradius 3.0.21 In /etc/freeradius/mods-enabled/mschap ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key —domain=DOMAIN.COM<http://domain.com/> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" Freeradius ldap module installed and configured Question: Is it possible to configure freeradius with Active Directory without ntlm ? If possible, how ? )
On 14/05/2020 13:19, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
Freeradius ldap module installed and configured
Question: Is it possible to configure freeradius with Active Directory without ntlm ? If possible, how ? )
To do what? Just get policy information/groups etc, or to authenticate? FreeRADIUS can use LDAP to query AD to get group information etc just fine. However, AD won't give you a password over LDAP. So in the vast majority of cases if you want to authenticate you need to use mschap. -- Matthew
Ideally, I want to authenticate the domain user and if he is in the domain, check his group. If not in the group, do not connect to wifi. Is this possible without ntlm ? 14 мая 2020 г., в 16:07, Matthew Newton <mcn@freeradius.org<mailto:mcn@freeradius.org>> написал(а): o do what? Just get policy information/groups etc, or to authenticate? FreeRADIUS can use LDAP to query AD to get group information etc just fine. However, AD won't give you a password over LDAP. So in the vast majority of cases if you want to authenticate you need to use mschap.
On 14/05/2020 14:32, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
Ideally, I want to authenticate the domain user and if he is in the domain, check his group. If not in the group, do not connect to wifi. Is this possible without ntlm ? What EAP type(s)?
EAP-TTLS/PAP, it might be possible. Pretty much anything else (i.e. the most common case), no. Matthew -- Matthew
On May 14, 2020, at 9:32 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Ideally, I want to authenticate the domain user and if he is in the domain, check his group. If not in the group, do not connect to wifi. Is this possible without ntlm ?
Read this: http://deployingradius.com/documents/protocols/compatibility.html AD is in the column for "NT-Hash / ntlm_auth". Those are your options. And as a general rule, we give the *simplest* possible way to get things done. We have to use FreeRADIUS, too. It's just not helpful to make things complicated. So if we recommend ntlm, it's because ntlm is the simplest way to get things done. Alan DeKok.
Is it possible, that you mean that you just don't want to use ntlm_auth command? If yes, then read the winbind comment section in the mschap module config. # winbind_username = "%{mschap:User-Name}" # winbind_domain = "%{mschap:NT-Domain}" or this https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind On Thu, May 14, 2020 at 3:32 PM Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Ideally, I want to authenticate the domain user and if he is in the domain, check his group. If not in the group, do not connect to wifi. Is this possible without ntlm ?
14 мая 2020 г., в 16:07, Matthew Newton <mcn@freeradius.org<mailto: mcn@freeradius.org>> написал(а):
o do what? Just get policy information/groups etc, or to authenticate?
FreeRADIUS can use LDAP to query AD to get group information etc just fine. However, AD won't give you a password over LDAP. So in the vast majority of cases if you want to authenticate you need to use mschap.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The idea was to link freeradius and ad via an ldap module. That is, do not install samba and windbind. To authentifizierte using the ldap module. That is, it will not work like this. Right ? So the ldap module is it for other LDAP implementations, such as openldap ?
> 14 мая 2020 г., в 16:40, Josef Vybíhal <josef.vybihal@gmail.com> написал(а):
>
> Is it possible, that you mean that you just don't want to use ntlm_auth
> command? If yes, then read the winbind comment section in the mschap module
> config.
> # winbind_username = "%{mschap:User-Name}"
> # winbind_domain = "%{mschap:NT-Domain}"
>
> or this
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
>
> On Thu, May 14, 2020 at 3:32 PM Клеусов Владимир Сергеевич via
> Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
>
>> Ideally, I want to authenticate the domain user and if he is in the
>> domain, check his group. If not in the group, do not connect to wifi. Is
>> this possible without ntlm ?
>>
>> 14 мая 2020 г., в 16:07, Matthew Newton <mcn@freeradius.org<mailto:
>> mcn@freeradius.org>> написал(а):
>>
>> o do what? Just get policy information/groups etc, or to authenticate?
>>
>> FreeRADIUS can use LDAP to query AD to get group information etc just
>> fine. However, AD won't give you a password over LDAP. So in the vast
>> majority of cases if you want to authenticate you need to use mschap.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 14, 2020, at 10:56 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
The idea was to link freeradius and ad via an ldap module. That is, do not install samba and windbind. To authentifizierte using the ldap module. That is, it will not work like this. Right ?
That question has been asked and answered about 4 times now. The answer won't change if you keep asking the same question. The only thing you'll do is annoy the people who are trying to help you.
So the ldap module is it for other LDAP implementations, such as openldap ?
The LDAP module is for any server which implements LDAP. Like AD. But as you were already told, the issue isn't LDAP. It's AD. Alan DeKok.
I did this kind of configuration a long time ago and most of the work
needs to be done on the AD side.
The idea is to mimic what a Edirectory server do (universal password)
and create a ldap attribute where you will store the NTHASH of the
user/computer.
https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
The other way is to extract the NTHASH for each users, store it
somewhere (sql per example) and configure FreeRADIUS to fetch the NTHASH
based on the username.
https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
Regards
Fabrice
Le 20-05-14 à 10 h 56, Клеусов Владимир Сергеевич via Freeradius-Users a
écrit :
> The idea was to link freeradius and ad via an ldap module. That is, do not install samba and windbind. To authentifizierte using the ldap module. That is, it will not work like this. Right ? So the ldap module is it for other LDAP implementations, such as openldap ?
>
>> 14 мая 2020 г., в 16:40, Josef Vybíhal <josef.vybihal@gmail.com> написал(а):
>>
>> Is it possible, that you mean that you just don't want to use ntlm_auth
>> command? If yes, then read the winbind comment section in the mschap module
>> config.
>> # winbind_username = "%{mschap:User-Name}"
>> # winbind_domain = "%{mschap:NT-Domain}"
>>
>> or this
>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
>>
>> On Thu, May 14, 2020 at 3:32 PM Клеусов Владимир Сергеевич via
>> Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
>>
>>> Ideally, I want to authenticate the domain user and if he is in the
>>> domain, check his group. If not in the group, do not connect to wifi. Is
>>> this possible without ntlm ?
>>>
>>> 14 мая 2020 г., в 16:07, Matthew Newton <mcn@freeradius.org<mailto:
>>> mcn@freeradius.org>> написал(а):
>>>
>>> o do what? Just get policy information/groups etc, or to authenticate?
>>>
>>> FreeRADIUS can use LDAP to query AD to get group information etc just
>>> fine. However, AD won't give you a password over LDAP. So in the vast
>>> majority of cases if you want to authenticate you need to use mschap.
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Fabrice Durand
fdurand@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords ?
> 14 мая 2020 г., в 19:53, Fabrice Durand <fdurand@inverse.ca> написал(а):
>
> I did this kind of configuration a long time ago and most of the work needs to be done on the AD side.
>
> The idea is to mimic what a Edirectory server do (universal password) and create a ldap attribute where you will store the NTHASH of the user/computer.
>
> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
>
>
> The other way is to extract the NTHASH for each users, store it somewhere (sql per example) and configure FreeRADIUS to fetch the NTHASH based on the username.
>
> https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
>
>
> Regards
>
> Fabrice
>
> Le 20-05-14 à 10 h 56, Клеусов Владимир Сергеевич via Freeradius-Users a écrit :
>> The idea was to link freeradius and ad via an ldap module. That is, do not install samba and windbind. To authentifizierte using the ldap module. That is, it will not work like this. Right ? So the ldap module is it for other LDAP implementations, such as openldap ?
>>
>>> 14 мая 2020 г., в 16:40, Josef Vybíhal <josef.vybihal@gmail.com> написал(а):
>>>
>>> Is it possible, that you mean that you just don't want to use ntlm_auth
>>> command? If yes, then read the winbind comment section in the mschap module
>>> config.
>>> # winbind_username = "%{mschap:User-Name}"
>>> # winbind_domain = "%{mschap:NT-Domain}"
>>>
>>> or this
>>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
>>>
>>> On Thu, May 14, 2020 at 3:32 PM Клеусов Владимир Сергеевич via
>>> Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
>>>
>>>> Ideally, I want to authenticate the domain user and if he is in the
>>>> domain, check his group. If not in the group, do not connect to wifi. Is
>>>> this possible without ntlm ?
>>>>
>>>> 14 мая 2020 г., в 16:07, Matthew Newton <mcn@freeradius.org<mailto:
>>>> mcn@freeradius.org>> написал(а):
>>>>
>>>> o do what? Just get policy information/groups etc, or to authenticate?
>>>>
>>>> FreeRADIUS can use LDAP to query AD to get group information etc just
>>>> fine. However, AD won't give you a password over LDAP. So in the vast
>>>> majority of cases if you want to authenticate you need to use mschap.
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> Fabrice Durand
> fdurand@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 19, 2020, at 7:35 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords ?
That's a little confused. Doing MS-CHAP to AD requires ntlm_auth. If you have PAP, you can do normal LDAP bind to AD. If you're not using AD, then FreeRADIUS supports all standard encryption types. But these only work for PAP. NT hashed passwords also work for MS-CHAP. Alan DeKok.
hanks, Working version of Tttls/pap and ldap module. In /etc/freeradius/mods-enabled/eap eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_file = /etc/freeradius/certs/ssl-cert-snakeoil.key certificate_file = /etc/freeradius/certs/ssl-cert-snakeoil.pem ca_file = /etc/freeradius/certs/ca-certificates.crt dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "HIGH" cipher_server_preference = no ecdh_curve = "prime256v1" check_crl = no } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "inner-tunnel" } } But group access doesn't work. In /etc/freeradius/users LDAP-Group == "VPN_GROUP" DEFAULT Group != "VPN_GROUP", Auth-Type := Reject /etc/freeradius/mods-config/files/authorize[1]: Parse error (check) for entry LDAP-Group: Invalid attribute name Failed reading /etc/freeradius/mods-config/files/authorize /etc/freeradius/mods-enabled/files[9]: Instantiation failed for module «files" Is it possible to configure group access in this configuration ?
19 мая 2020 г., в 16:04, Alan DeKok <aland@deployingradius.com> написал(а):
On May 19, 2020, at 7:35 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords ?
That's a little confused.
Doing MS-CHAP to AD requires ntlm_auth.
If you have PAP, you can do normal LDAP bind to AD.
If you're not using AD, then FreeRADIUS supports all standard encryption types. But these only work for PAP. NT hashed passwords also work for MS-CHAP.
Alan DeKok.
If /etc/freeradius/users DEFAULT Auth-Type := LDAP, LDAP-Group == «test_group" DEFAULT Ldap-Group != «test_group", Auth-Type := Reject Then all users get access regardless of their membership in this group. Why can this happen ?
28 мая 2020 г., в 11:32, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> написал(а):
hanks, Working version of Tttls/pap and ldap module.
In /etc/freeradius/mods-enabled/eap eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_file = /etc/freeradius/certs/ssl-cert-snakeoil.key certificate_file = /etc/freeradius/certs/ssl-cert-snakeoil.pem ca_file = /etc/freeradius/certs/ca-certificates.crt dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "HIGH" cipher_server_preference = no ecdh_curve = "prime256v1" check_crl = no } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "inner-tunnel" } }
But group access doesn't work.
In /etc/freeradius/users LDAP-Group == "VPN_GROUP" DEFAULT Group != "VPN_GROUP", Auth-Type := Reject
/etc/freeradius/mods-config/files/authorize[1]: Parse error (check) for entry LDAP-Group: Invalid attribute name Failed reading /etc/freeradius/mods-config/files/authorize /etc/freeradius/mods-enabled/files[9]: Instantiation failed for module «files"
Is it possible to configure group access in this configuration ?
19 мая 2020 г., в 16:04, Alan DeKok <aland@deployingradius.com> написал(а):
On May 19, 2020, at 7:35 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords ?
That's a little confused.
Doing MS-CHAP to AD requires ntlm_auth.
If you have PAP, you can do normal LDAP bind to AD.
If you're not using AD, then FreeRADIUS supports all standard encryption types. But these only work for PAP. NT hashed passwords also work for MS-CHAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 28, 2020, at 7:41 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
If /etc/freeradius/users
DEFAULT Auth-Type := LDAP, LDAP-Group == «test_group" DEFAULT Ldap-Group != «test_group", Auth-Type := Reject
Then all users get access regardless of their membership in this group. Why can this happen ?
Well, the debug output should tell you. But this kind of thing is generally easier to do in an "unlang" policy, instead of the "users" file: if (LDAP-Group == "test") { update control { Auth-Type := ldap } } else { reject } Alan DeKok.
How do I start debag to see what happens when I connect ? freeradius -X can do this ?
28 мая 2020 г., в 15:07, Alan DeKok <aland@deployingradius.com> написал(а):
On May 28, 2020, at 7:41 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
If /etc/freeradius/users
DEFAULT Auth-Type := LDAP, LDAP-Group == «test_group" DEFAULT Ldap-Group != «test_group", Auth-Type := Reject
Then all users get access regardless of their membership in this group. Why can this happen ?
Well, the debug output should tell you.
But this kind of thing is generally easier to do in an "unlang" policy, instead of the "users" file:
if (LDAP-Group == "test") { update control { Auth-Type := ldap } } else { reject }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 28, 2020, at 8:48 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
How do I start debag to see what happens when I connect ? freeradius -X can do this ?
Yes. http://wiki.freeradius.org/list-help Alan DeKok.
participants (5)
-
Alan DeKok -
Fabrice Durand -
Josef Vybíhal -
Matthew Newton -
Клеусов Владимир Сергее вич