hi users, I'm hoping this is possible, having pretty vanilla mschap & pap(ntlm) to tweak radius so it - for eap & pap (basically AD) - would fail if there is no @domain part in the request. Like when AD domain is @private.dom.my / PRIVATE and radius will absolutely need this. At the moment having configs constructed of bits from wikis/howtos, both: "me@private.dom.my" and "me" get authenticated. how to tweak? many thanks, L
On Tue, Jun 21, 2016 at 02:43:13PM +0100, lejeczek via Freeradius-Users wrote:
I'm hoping this is possible, having pretty vanilla mschap & pap(ntlm) to tweak radius so it - for eap & pap (basically AD) - would fail if there is no @domain part in the request.
Like when AD domain is @private.dom.my / PRIVATE and radius will absolutely need this. At the moment having configs constructed of bits from wikis/howtos, both: "me@private.dom.my" and "me" get authenticated.
how to tweak?
if (&User-Name !~ /@private.dom.my$/) { reject } Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
Like when AD domain is @private.dom.my / PRIVATE and radius will absolutely need this. At the moment having configs constructed of bits from wikis/howtos, both: "me@private.dom.my" and "me" get authenticated.
unlang. in fact, recent releases of the server come with many default policies which will do this sort of check/enforcement for you (because they are useful...eg for eduroam!) either invoke the policy (call it by its name in the virtual server config) or use unlang directly int he authorize section eg if( User-Name !~ /@/ ) { update reply { Reply-Message = "no realm defined" } reject } alan
On 21/06/16 15:02, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Like when AD domain is @private.dom.my / PRIVATE and radius will absolutely need this. At the moment having configs constructed of bits from wikis/howtos, both: "me@private.dom.my" and "me" get authenticated. unlang.
in fact, recent releases of the server come with many default policies which will do this sort of check/enforcement for you (because they are useful...eg for eduroam!)
either invoke the policy (call it by its name in the virtual server config) or use unlang directly int he authorize section eg
if( User-Name !~ /@/ ) { update reply { Reply-Message = "no realm defined" } reject }
alan thanks guys, Alan, when I try what you shared earlier it works, almost perfect, probably because my (unusual?) setup it fails in one place. Here is what I'm hoping to achieve - local domain (freeipa's ldap) and samba being a client to an AD (all same one box) Radius' a) ldap backend, b) ntlm/winbind backend to AD Now radius authentication fails like I wanted, if auth request does not include @realm. Config (default) goes like this:
authorize .. ntlm_auth if (&User-Name !~ /@private.dom.my$/i) { reject } } I'm not trying it as in a policy yet. It fails now for users like "me" which do exist in ldap (again, all local, locally freeipa ldap). I see ldap is being tried but then radius moves over to ntlm and fails. Care to share more thoughts - I'll be grateful.
On Jun 22, 2016, at 5:12 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Alan, when I try what you shared earlier it works, almost perfect, probably because my (unusual?) setup it fails in one place. Here is what I'm hoping to achieve - local domain (freeipa's ldap) and samba being a client to an AD (all same one box) Radius' a) ldap backend, b) ntlm/winbind backend to AD
That works. Other people use it.
Now radius authentication fails like I wanted, if auth request does not include @realm. Config (default) goes like this:
authorize .. ntlm_auth if (&User-Name !~ /@private.dom.my$/i) { reject }
That's sort of OK. But you should put the username check *before* the ntlm_auth line. That way if the User-Name is wrong, then ntlm_auth won't even be run.
It fails now for users like "me" which do exist in ldap (again, all local, locally freeipa ldap). I see ldap is being tried but then radius moves over to ntlm and fails. Care to share more thoughts - I'll be grateful.
What is *supposed* to happen? Do you know? i.e. have you written down what's supposed to happen in plain English? No? Then don't expect to be able to configure FreeRADIUS correctly. Write down what needs to happen. Be detailed. Then, implement it unlang. If you're not sure what to do, ask here. But ask questions with *content*. Saying "I need freeipa LDAP and AD" is pretty much content free. WHAT users use freeipa? What users use AD? How are those User-Names different? Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
lejeczek -
Matthew Newton