RE: freeradius and ntlm_auth howto
Some things I've noticed from your attached files Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes I've never enabled these before, I'm unaware what affect they will have tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" Did you generate your OWN certs... They one's that ship with the server ARE NOT vailid. You have to generate your own. rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 That doesn't look right BUT YOUR FINAL ANSWER: xec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0 Exec-Program output: Account locked out (0xc0000234) Exec-Program-Wait: plaintext: Account locked out (0xc0000234) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Your account in the domain is not correct. Looks like it's been disabled or something. Fix that first before you change anymore config files. ________________________________ From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu] Sent: Monday, November 06, 2006 3:16 AM To: King, Michael Subject: Fw: freeradius and ntlm_auth howto Michael, I sent my reply already to the list, but due to the size(larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM ----- Stieven Struyf/KEISA/BE/KOMEUR 11/02/2006 08:55 AM To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howtoLink <Notes://BENT63KE/C1257011005324FB/DABA975B9FB113EB852564B5001283EA/625A 148B6EA233CDC125721400531414> I added the debuglog as attachment(as it is a little large to paste here). This is the mschap config: mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" } Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM: > Let's see if we can get this solved... > > > -----Original Message----- > > Here's the full log: > > Waking up in 6 seconds... > > rad_recv: Access-Request packet from host 10.104.254.73:1645, > > This is NOT the full log. The full log would have started with the line > /path/to/radiusd -X > > Some important stuff is printed out there, it helps us help you. > > > > rlm_mschap: NT Domain delimeter found, should we have > > enabled with_ntdomain_hack? > > rlm_mschap: NT Domain delimeter found, should we have > > enabled with_ntdomain_hack? > > Did you enable Ntdomain Hack in the MSCHAP module? (See below) > > > Including your radius.conf file would help. > > > > > HOWEVER, first you may want to check your mschap module definition: > > > > > > modules { > > > mschap { > > > ntlm_auth = "/usr/bin/ntlm_auth \ > > > --request-nt-key \ > > > --username=%{mschap:User-Name:-None} \ > > > --domain=%{mschap:NT-Domain:-None} \ > > > --challenge=%{mschap:Challenge:-00} \ > > > --nt-response=%{mschap:NT-Response:-00}" > > > > > > ...all on one line of course. Note the use of the > > "mschap:User-Name" > > > and "mschap:NT-Domain" values. > > Mine radiusd.conf file's mschap section looks like this: > NOTE that I do NOT have the :-00 and the :-None statements, and I DO > have with_ntdomain_hack=yes > > > # Microsoft CHAP authentication > # > # This module supports MS-CHAP and MS-CHAPv2 authentication. > # It also enforces the SMB-Account-Ctrl attribute. > # > mschap { > with_ntdomain_hack = yes > ntlm_auth = "/usr/bin/ntlm_auth \ > --request-nt-key \ > --username=%{mschap:User-Name} \ > --challenge=%{mschap:Challenge} \ > --nt-response=%{mschap:NT-Response} > } > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
michael, The configuration works when i type in my username as 'username@domain', when i let windows fill it in i don't get in. My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error:(logon failure) It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously i will change this for production. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 "King, Michael" <MKing@bridgew.edu> 11/06/2006 04:04 PM To <Stieven.Struyf@komatsu.eu>, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howto Some things I've noticed from your attached files Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes I've never enabled these before, I'm unaware what affect they will have tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" Did you generate your OWN certs... They one's that ship with the server ARE NOT vailid. You have to generate your own. rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 That doesn't look right BUT YOUR FINAL ANSWER: xec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0 Exec-Program output: Account locked out (0xc0000234) Exec-Program-Wait: plaintext: Account locked out (0xc0000234) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Your account in the domain is not correct. Looks like it's been disabled or something. Fix that first before you change anymore config files. From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu] Sent: Monday, November 06, 2006 3:16 AM To: King, Michael Subject: Fw: freeradius and ntlm_auth howto Michael, I sent my reply already to the list, but due to the size(larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM ----- Stieven Struyf/KEISA/BE/KOMEUR 11/02/2006 08:55 AM To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howtoLink I added the debuglog as attachment(as it is a little large to paste here). This is the mschap config: mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" } Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM:
Let's see if we can get this solved...
-----Original Message----- Here's the full log: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645,
This is NOT the full log. The full log would have started with the line /path/to/radiusd -X
Some important stuff is printed out there, it helps us help you.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Did you enable Ntdomain Hack in the MSCHAP module? (See below)
Including your radius.conf file would help.
HOWEVER, first you may want to check your mschap module definition:
modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}"
...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
Mine radiusd.conf file's mschap section looks like this: NOTE that I do NOT have the :-00 and the :-None statements, and I DO have with_ntdomain_hack=yes
# Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name} \ --challenge=%{mschap:Challenge} \ --nt-response=%{mschap:NT-Response} }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Actually this is the exact same problem I have. I need to type my credentials in for authentication to work. If I let windows do it, I won't get in. If any of you could please help us out with this issue, that'd be great Cheers Héctor ________________________________ Von: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] Im Auftrag von Stieven.Struyf@komatsu.eu Gesendet: Montag, 6. November 2006 16:17 An: King, Michael Cc: freeradius-users@lists.freeradius.org Betreff: RE: freeradius and ntlm_auth howto michael, The configuration works when i type in my username as 'username@domain', when i let windows fill it in i don't get in. My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error:(logon failure) It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously i will change this for production. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 "King, Michael" <MKing@bridgew.edu> 11/06/2006 04:04 PM To <Stieven.Struyf@komatsu.eu>, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howto Some things I've noticed from your attached files Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes I've never enabled these before, I'm unaware what affect they will have tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" Did you generate your OWN certs... They one's that ship with the server ARE NOT vailid. You have to generate your own. rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 That doesn't look right BUT YOUR FINAL ANSWER: xec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0 Exec-Program output: Account locked out (0xc0000234) Exec-Program-Wait: plaintext: Account locked out (0xc0000234) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect Your account in the domain is not correct. Looks like it's been disabled or something. Fix that first before you change anymore config files. ________________________________ From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu] Sent: Monday, November 06, 2006 3:16 AM To: King, Michael Subject: Fw: freeradius and ntlm_auth howto Michael, I sent my reply already to the list, but due to the size(larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM ----- Stieven Struyf/KEISA/BE/KOMEUR 11/02/2006 08:55 AM To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject RE: freeradius and ntlm_auth howtoLink <Notes://bent63ke/C1257011005324FB/DABA975B9FB113EB852564B5001283EA/625A148B6EA233CDC125721400531414> I added the debuglog as attachment(as it is a little large to paste here). This is the mschap config: mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" } Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM:
Let's see if we can get this solved...
-----Original Message----- Here's the full log: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645,
This is NOT the full log. The full log would have started with the line /path/to/radiusd -X
Some important stuff is printed out there, it helps us help you.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Did you enable Ntdomain Hack in the MSCHAP module? (See below)
Including your radius.conf file would help.
HOWEVER, first you may want to check your mschap module definition:
modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}"
...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
Mine radiusd.conf file's mschap section looks like this: NOTE that I do NOT have the :-00 and the :-None statements, and I DO have with_ntdomain_hack=yes
# Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name} \ --challenge=%{mschap:Challenge} \ --nt-response=%{mschap:NT-Response} }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I finally managed to filter out the last issues with my setup. When i have more time i will post a small howto that worked for me. Although people on the list told me that there are plenty guides already, i couldn't find one that worked. Thanks everyone for all hints that helped me. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 11/06/2006 04:36:25 PM:
Actually this is the exact same problem I have. I need to type my credentials in for authentication to work. If I let windows do it, I won't get in.
If any of you could please help us out with this issue, that'd be great
Cheers
Héctor
Von: freeradius-users-bounces+hector.ortiz=swisscom.com@lists. freeradius.org [mailto:freeradius-users-bounces+hector. ortiz=swisscom.com@lists.freeradius.org] Im Auftrag von Stieven. Struyf@komatsu.eu Gesendet: Montag, 6. November 2006 16:17 An: King, Michael Cc: freeradius-users@lists.freeradius.org Betreff: RE: freeradius and ntlm_auth howto
michael, The configuration works when i type in my username as 'username@domain', when i let windows fill it in i don't get in. My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error:(logon failure)
It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously i will change this for
production.
Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551
"King, Michael" <MKing@bridgew.edu> 11/06/2006 04:04 PM
To
<Stieven.Struyf@komatsu.eu>, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
cc
Subject
RE: freeradius and ntlm_auth howto
Some things I've noticed from your attached files
Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes
I've never enabled these before, I'm unaware what affect they will have
tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random"
Did you generate your OWN certs... They one's that ship with the server ARE NOT vailid. You have to generate your own.
rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2
That doesn't look right
BUT YOUR FINAL ANSWER:
xec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt- response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0 Exec-Program output: Account locked out (0xc0000234) Exec-Program-Wait: plaintext: Account locked out (0xc0000234) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Your account in the domain is not correct.
Looks like it's been disabled or something.
Fix that first before you change anymore config files.
From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu] Sent: Monday, November 06, 2006 3:16 AM To: King, Michael Subject: Fw: freeradius and ntlm_auth howto
Michael, I sent my reply already to the list, but due to the size(larger than 100k) it had to be reviewed by the admin and after a week it was
rejected.
Below you can find the mail. Thanks for helping me.
Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM
Stieven Struyf/KEISA/BE/KOMEUR 11/02/2006 08:55 AM
To
FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
cc
Subject
RE: freeradius and ntlm_auth howtoLink
I added the debuglog as attachment(as it is a little large to paste
here).
This is the mschap config: mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key -- username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt- response=%{mschap:NT-Response}" }
Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551
freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius. org wrote on 10/27/2006 04:36:00 PM:
Let's see if we can get this solved...
-----Original Message----- Here's the full log: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645,
This is NOT the full log. The full log would have started with the line /path/to/radiusd -X
Some important stuff is printed out there, it helps us help you.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Did you enable Ntdomain Hack in the MSCHAP module? (See below)
Including your radius.conf file would help.
HOWEVER, first you may want to check your mschap module definition:
modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}"
...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
Mine radiusd.conf file's mschap section looks like this: NOTE that I do NOT have the :-00 and the :-None statements, and I DO have with_ntdomain_hack=yes
# Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name} \ --challenge=%{mschap:Challenge} \ --nt-response=%{mschap:NT-Response} }
- List info/subscribe/unsubscribe? See http://www.freeradius. org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
All, I've been struggling to get AD authentication working the way i want it. I wanted users to autom. login to the wireless network with their windows(ad) account without needing to enter their passwords. I created this procedure with bits and pieces i found on the internet, hints i got on this list and some things i found out myself. I hope this saves some time to others(as this was a popular question the list/google, but i didn't found the complete solution that worked for me). If there are better options then the ones i used let me know. I changed ipaddresses and realm names for privacy reasons, but if there's something not clear anymore let me know. 1. General config needed for 802.1X I added the AP in the clients.conf file. I configured the AP to use WPA2/aes (also had to add WPA/tkip). I entered the radiusserver i used below as radius server(enabled 802.1X on the AP) and used the secret i configured in the clients.conf file. freeradius+AD windows 2003 install samba(package samba+samba-common+samba-client) configure /etc/samba/smb.conf: [root@radsv samba]# cat smb.conf realm = DIVISION.DOMAIN.NET workgroup = division.domain.net security = ADS encrypt passwords = yes password server = 192.168.100.3 # idmap uid and idmap gid are aliases for # winbind uid and winbid gid, respectively idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes [test] comment = Samba functionality test directory path = /home/sambatest read only = no browsable = yes writable = yes guest ok = yes valid users = @DIVISION.DOMAIN.NET\"Domain Users" [root@radsv samba]# configure /etc/krb5.conf [root@radsv samba]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = DIVISION.DOMAIN.NET dns_lookup_realm = false dns_lookup_kdc = false default_etypes = des-cbc-crc des-cbc-md5 default_etypes_des = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 default_tgs_enctypes = des-cbc-crc [realms] DIVISION.DOMAIN.NET = { kdc = 192.168.100.3:88 admin_server = 192.168.100.3:749 default_domain = division.domain.net } [domain_realm] .division.domain.net = DIVISION.DOMAIN.NET division.domain.net = DIVISION.DOMAIN.NET [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } [root@radsv samba]# configure nsswitch.conf: change following entries in nssswitch.conf: passwd:files -> passwd:files winbind group:files -> group:files winbind join the radius server to the domain (account wireless-acount needs to be created and should have enough rights on AD) #net ads join -S 192.168.100.3 -U wireless-account Configure freeradius: Add user to /etc/raddb/users file(if you use it for 802.1X you prob. also want to add vlan assignment entries): [root@radsv raddb]# cat users|grep -i user123 user123 [root@radsv raddb]# Add realm(s) to /etc/raddb/proxy.conf file (add here all your aliases of your domain): realm DIVISION.DOMAIN.NET { type = radius authhost = LOCAL accthost = LOCAL } realm DIVISION { type = radius authhost = LOCAL accthost = LOCAL } Configure /etc/raddb/radiusd.conf (change/activate mschap part): mschap { authtype = MS-CHAP use_mppe = yes require_strong = yes with_ntdomain_hack = yes require_encryption = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Configure eap.conf: Uncomment tls keys(for production you should create your own!!). tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551
thanks for the information, I work on nearly the same and I've created a link collection of most of the infos I've researched: http://community.fh-salzburg.ac.at/forum/index.php?showtopic=27 also I've a complete documetation writen via a wiki but for now I can't open it for everybody ... hopefully in half a year or something else when the project is finished! I'll post it when it's open! ca mIke
Stieven.Struyf@komatsu.eu wrote:
I created this procedure with bits and pieces i found on the internet, hints i got on this list and some things i found out myself. I hope this saves some time to others(as this was a popular question the list/google, but i didn't found the complete solution that worked for me).
The Wiki? My web site? What part of those procedures didn't work? What part of your procedure is different than what's documented? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I created this procedure with bits and pieces i found on the internet,
hints i got on this list and some things i found out myself. I hope this saves some time to others(as this was a popular question the list/google, but i didn't found the complete solution that worked for me).
The Wiki? My web site? What part of those procedures didn't work? What part of your procedure is different than what's documented?
The proxy.conf configuration(without it i got realm not found), your document is also missing the tls section of eap.conf. as i said, i didn't found a document that i could follow and immediately gave results. There where always some smaller(but crucial) parts that where missing for me. For you all those things are trivial, but there are also users who don't spend whole days managing freeradius servers.
Stieven.Struyf@komatsu.eu wrote:
The proxy.conf configuration(without it i got realm not found),
I'm not sure why that's necessary. I don't think it is necessary, in fact.
your document is also missing the tls section of eap.conf.
Which is covered in the EAP-TLS howto, pointed to from the main freeradius.org web page.
as i said, i didn't found a document that i could follow and immediately gave results. There where always some smaller(but crucial) parts that where missing for me.
Well, yes. There is no one document saying how to configure the server for your local system. You have to look for the documents that describe the pieces you need, and follow those instructions. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi,
The proxy.conf configuration(without it i got realm not found), your document is also missing the tls section of eap.conf. as i said, i didn't found a document that i could follow and immediately gave results. There where always some smaller(but crucial) parts that where missing for me.
well in this case it should be reported! its unsuitable to have dozens of 'how to do it' documents spread all over the internet...each with their own method .... with random ones saying Auth-Type := EAP etc alan
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Hector.Ortiz@swisscom.com -
King, Michael -
Michael Messner -
Stieven.Struyf@komatsu.eu