Persistent MySQL connections to arbitrary databases
I am asking about MySQL connections to a database *other than* the usual radius database. For one of my wireless SSIDs, part of the authorization process invokes a perl script which opens a MySQL handle to a different database, does a query, destroys the handle, and returns the value to radiusd. There's a lot of overhead in this so I would like to make radiusd open a pool of handles to this database, as it does with its own database. What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module? Cheers, Jonathan ---------------------------- Jonathan Gazeley Systems Support Specialist ResNet | Wireless & VPN Team IT Services University of Bristol ----------------------------
Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
I am asking about MySQL connections to a database *other than* the usual radius database.
For one of my wireless SSIDs, part of the authorization process invokes a perl script which opens a MySQL handle to a different database, does a query, destroys the handle, and returns the value to radiusd.
There's a lot of overhead in this so I would like to make radiusd open a pool of handles to this database, as it does with its own database.
What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module?
Although I have not tried it for what you want, you should be able to do this all in your Perl module in the BEGIN section. If you 'die' in the BEGIN section then freeradius will fail to load which is handy for doing some pre-flight checking...which can also include creating a pool of DB connections. However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded). Cheers -- Alexander Clouter .sigmonster says: Buck-passing usually turns out to be a boomerang.
On 02/09/2011 10:33 AM, Alexander Clouter wrote:
However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded).
Please excuse the ignorance - can you elaborate a bit on the process of storing it in a hash, and marking it as available?
Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded).
Please excuse the ignorance - can you elaborate a bit on the process of storing it in a hash, and marking it as available?
Meant to say an array of hashes: ---- my @foobar; [snipped] push @foobar, { dbh => $dbh, busy => 0, }; ---- An example of dumping objects into an array of hashes can be seen with: ---- alex@berk:~$ perl -e 'use Digest::MD5; use Data::Dumper; my @foobar; my $md5 = Digest::MD5->new; push @foobar, { md5 => $md5, busy => 0 }; print Dumper \@foobar' $VAR1 = [ { 'busy' => 0, 'md5' => bless( do{\(my $o = 23868256)}, 'Digest::MD5' ) } ]; ---- Without knowing what queries and logic you are throwing at your database and passing back to FreeRADIUS, I have a hard time understanding why you could not just use unlang with sql-xlat? Cheers -- Alexander Clouter .sigmonster says: Showing up is 80% of life. -- Woody Allen
Well, I solved my own problem by creating another instance of the sql module... sql myVlanDB { database = "mysql" driver = "rlm_sql_${database}" server = "db.resnet.bris.ac.uk" port = 3306 login = "radiusd" password = "********" radius_db = "VLANS" } ...and then querying it directly from unlang in my virtual server, skipping perl, like so... if (User-Name) { update reply { Tunnel-Private-Group-Id := "%{%{myVlanDB:select vlanNumber from VLANS where common_username = '%{User-Name}' limit 1}:-448}" } } else { reject } This causes radiusd to open N database handles to its usual radius database, and N database handles to the vlan database. Querying is much faster than calling a perl script each time that opens the handle and does the query. I hope this is useful to someone else :) Cheers, Jonathan ---------------------------- Jonathan Gazeley Systems Support Specialist ResNet | Wireless & VPN Team IT Services University of Bristol ---------------------------- On 09/02/11 13:17, Alexander Clouter wrote:
Jonathan Gazeley<jonathan.gazeley@bristol.ac.uk> wrote:
However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded).
Please excuse the ignorance - can you elaborate a bit on the process of storing it in a hash, and marking it as available?
Meant to say an array of hashes: ---- my @foobar; [snipped] push @foobar, { dbh => $dbh, busy => 0, }; ----
An example of dumping objects into an array of hashes can be seen with: ---- alex@berk:~$ perl -e 'use Digest::MD5; use Data::Dumper; my @foobar; my $md5 = Digest::MD5->new; push @foobar, { md5 => $md5, busy => 0 }; print Dumper \@foobar' $VAR1 = [ { 'busy' => 0, 'md5' => bless( do{\(my $o = 23868256)}, 'Digest::MD5' ) } ]; ----
Without knowing what queries and logic you are throwing at your database and passing back to FreeRADIUS, I have a hard time understanding why you could not just use unlang with sql-xlat?
Cheers
On 02/09/2011 10:38 AM, Alan DeKok wrote:
Jonathan Gazeley wrote:
What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module?
Use static variables in the Perl code. This is really a Perl question.
I'm not sure if this is a wholly Perl question, unless I have misunderstood. I want radiusd to open the handles at startup, in the same way that it already opens its own handles. Then I think I have two options: 1. A module similar to the existing sql module that is capable of running custom queries, and that should be sufficient to do my authorization - no Perl needed. 2. A Perl module that is capable of using one from the pool of handles that radiusd has opened, and will do the query itself. Are either of these feasible? Thanks, Jonathan
Jonathan Gazeley wrote:
I want radiusd to open the handles at startup, in the same way that it already opens its own handles.
Read the "example.pl" file: # If you are using DBI and do some queries to DB, please be sure to # use the CLONE function to initialize the DBI connection to DB.
Then I think I have two options:
1. A module similar to the existing sql module that is capable of running custom queries, and that should be sufficient to do my authorization - no Perl needed.
The existing SQL module is capable of running custom queries. However, the *results* need to be simple.
2. A Perl module that is capable of using one from the pool of handles that radiusd has opened, and will do the query itself.
Are either of these feasible?
The docs && my previous message suggested (2). Alan DeKok.
Greetings all, We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen
If no one else jumps in I can he'll you out in a couple hours. ----- Original Message ----- From: Schaatsbergen, Chris [mailto:Chris.Schaatsbergen@aleo-solar.de] Sent: Wednesday, February 09, 2011 09:24 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Authenticating SSH login on a Cisco IOS switch to AD Greetings all, We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants. Hope that helps. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote:
Greetings all, We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Authentication with ntlm-auth and "require-membership-of" works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is "authorized" locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our "dev" FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else... G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Brett Littrell Sent: Wednesday, February 09, 2011 9:57 AM To: FreeRadius users mailing list Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants. Hope that helps. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote: Greetings all,
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Yep, simple auth should be no problem, I was referring to pushing the authorization out to the switch. So for us, we login and are automatically at the enable level we defined in TACACS. When I was researching this, I believe it said you could get all the same stuff with Radius, the only real difference is that TACACS encrypts more of the authentication requests then Radius and does better accounting. Of course it only really works on Cisco which is a major draw back. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 8:11 AM, in message <9938_1297267879_4D52BCA7_9938_10000_2_D9B37353831173459FDAA836D3B43499AF0FA72D@WADPMBXV0.waddell.com>, Gary Gatten <Ggatten@waddell.com> wrote:
Authentication with ntlm-auth and *require-membership-of* works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is *authorized* locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our *dev* FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I*ll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else* G From:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Brett Littrell Sent: Wednesday, February 09, 2011 9:57 AM To: FreeRadius users mailing list Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants. Hope that helps. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote:
Greetings all, We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
Greetings Gary, Well, this does sound like what I would like to achieve, we only have 3 users to administer the Cisco switches, though all domain admins (7) could do it. We currently have one admin user account and all domain admins know the password. To go to priv level (enable) we will continue to use one password, we only would like the SSH login to be authenticated against AD. I am in no hurry (going home now anyway) but would love to hear your solution a little more detailed. Chris Von: freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Gary Gatten Gesendet: Mittwoch, 9. Februar 2011 17:11 An: 'FreeRadius users mailing list' Betreff: RE: Authenticating SSH login on a Cisco IOS switch to AD Authentication with ntlm-auth and "require-membership-of" works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is "authorized" locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our "dev" FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else... G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Brett Littrell Sent: Wednesday, February 09, 2011 9:57 AM To: FreeRadius users mailing list Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants. Hope that helps. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote: Greetings all,
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
I had a look into this and as far as I could tell, the conversation between the switch and the radius server was not encrypted unless you use TACACS. Does anyone know if this conversation can be encrypted while using Freeradius, as otherwise the domain login details are presumably being sent over the network in clear text? Oli On 09/02/11 16:30, Schaatsbergen, Chris wrote:
Greetings Gary,
Well, this does sound like what I would like to achieve, we only have 3 users to administer the Cisco switches, though all domain admins (7) could do it.
We currently have one admin user account and all domain admins know the password.
To go to priv level (enable) we will continue to use one password, we only would like the SSH login to be authenticated against AD.
I am in no hurry (going home now anyway) but would love to hear your solution a little more detailed.
Chris
*Von:*freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] *Im Auftrag von *Gary Gatten *Gesendet:* Mittwoch, 9. Februar 2011 17:11 *An:* 'FreeRadius users mailing list' *Betreff:* RE: Authenticating SSH login on a Cisco IOS switch to AD
Authentication with ntlm-auth and “require-membership-of” works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is “authorized” locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our “dev” FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I’ll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else…
G
------------------------------------------------------------------------
*From:*freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] *On Behalf Of *Brett Littrell *Sent:* Wednesday, February 09, 2011 9:57 AM *To:* FreeRadius users mailing list *Subject:* Re: Authenticating SSH login on a Cisco IOS switch to AD
Hi Chris,
We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login.
I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants.
Hope that helps.
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote:
Greetings all,
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation.
I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD.
Now I am trying to combine those two.
On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK.
First question: Would this at all be possible?
And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work?
Help would be highly appreciated.
Chris Schaatsbergen
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Oliver Elliott Network Specialist Information Services University of Bristol e: Oliver.Elliott@bristol.ac.uk t: 0117 92 (87861)
I *think* you are correct. Between FR and AD it may just be a one-way-hash of the pw, but not sure. FR can't support anything the NAS doesn't. Well, it could but what good would it do? I remember reading about a new / different flavor of RADIUS that includes encryption, but I forget what it's called. And again, no Cisco stuff I'm using supports it so I didn't really put much effort into it. We don't necessarily have ssh "everywhere" so obviously unencrypted passwords are a possibility. I can think of several....what's the opposite of elegant.... F'd up ways to encrypt this - but not pretty. Network isolation (VLAN's) with strict ACL's would at least be a good start - ie:, an "authentication" vlan. If the data can't be accessed on the wire, then it doesn't really matter if it's encrypted - right? Yeah, I know - better encrypted and some compliance issues may pop up as a result on unencrypted stuff "flying" around. Interesting.... -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Oliver Elliott Sent: Wednesday, February 09, 2011 11:05 AM To: freeradius-users@lists.freeradius.org Subject: Re: AW: Authenticating SSH login on a Cisco IOS switch to AD I had a look into this and as far as I could tell, the conversation between the switch and the radius server was not encrypted unless you use TACACS. Does anyone know if this conversation can be encrypted while using Freeradius, as otherwise the domain login details are presumably being sent over the network in clear text? Oli On 09/02/11 16:30, Schaatsbergen, Chris wrote:
Greetings Gary,
Well, this does sound like what I would like to achieve, we only have 3 users to administer the Cisco switches, though all domain admins (7) could do it.
We currently have one admin user account and all domain admins know the password.
To go to priv level (enable) we will continue to use one password, we only would like the SSH login to be authenticated against AD.
I am in no hurry (going home now anyway) but would love to hear your solution a little more detailed.
Chris
*Von:*freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] *Im Auftrag von *Gary Gatten *Gesendet:* Mittwoch, 9. Februar 2011 17:11 *An:* 'FreeRadius users mailing list' *Betreff:* RE: Authenticating SSH login on a Cisco IOS switch to AD
Authentication with ntlm-auth and "require-membership-of" works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is "authorized" locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our "dev" FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else...
G
------------------------------------------------------------------------
*From:*freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] *On Behalf Of *Brett Littrell *Sent:* Wednesday, February 09, 2011 9:57 AM *To:* FreeRadius users mailing list *Subject:* Re: Authenticating SSH login on a Cisco IOS switch to AD
Hi Chris,
We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login.
I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants.
Hope that helps.
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote:
Greetings all,
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation.
I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD.
Now I am trying to combine those two.
On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK.
First question: Would this at all be possible?
And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work?
Help would be highly appreciated.
Chris Schaatsbergen
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Oliver Elliott Network Specialist Information Services University of Bristol e: Oliver.Elliott@bristol.ac.uk t: 0117 92 (87861) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Hey Oli, I think it is always a good idea to keep the switch management on a separate management vlan, regardless of wether you encrypt the info or not. Between Cisco and Radius servers it does encrypt the password but I don't think it does much else. Gary may be right that it just hashes the password to be compared. Granted, someone may be able to see what level you login as from a Radius request, the question is wether it matters? If they do not have the password they will have to run some sort of crack on the switch that should throw up warning flags in your Radius logs and hopefully lock your AD account with a intruder lockout. Having a separate vlan for switch management is a lot like a hidden SSID, it is by no means the most secure way to protect a network but it keeps the rif-raf from trying to hack your network. People who know how to flood the arp tables can bypass vlans if need be, just as someone can get the SSID from a hidden Wireless network, that does not mean you have to make it easier for them:) Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 9:20 AM, in message <9935_1297272057_4D52CCF9_9935_1355_2_D9B37353831173459FDAA836D3B43499AF0FA730@WADPMBXV0.waddell.com>, Gary Gatten <Ggatten@waddell.com> wrote:
I *think* you are correct. Between FR and AD it may just be a one-way-hash of the pw, but not sure. FR can't support anything the NAS doesn't. Well, it could but what good would it do? I remember reading about a new / different flavor of RADIUS that includes encryption, but I forget what it's called. And again, no Cisco stuff I'm using supports it so I didn't really put much effort into it. We don't necessarily have ssh "everywhere" so obviously unencrypted passwords are a possibility. I can think of several....what's the opposite of elegant.... F'd up ways to encrypt this - but not pretty. Network isolation (VLAN's) with strict ACL's would at least be a good start - ie:, an "authentication" vlan. If the data can't be accessed on the wire, then it doesn't really matter if it's encrypted - right? Yeah, I know - better encrypted and some compliance issues may pop up as a result on unencrypted stuff "flying" around. Interesting.... -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Oliver Elliott Sent: Wednesday, February 09, 2011 11:05 AM To: freeradius-users@lists.freeradius.org Subject: Re: AW: Authenticating SSH login on a Cisco IOS switch to AD I had a look into this and as far as I could tell, the conversation between the switch and the radius server was not encrypted unless you use TACACS. Does anyone know if this conversation can be encrypted while using Freeradius, as otherwise the domain login details are presumably being sent over the network in clear text? Oli On 09/02/11 16:30, Schaatsbergen, Chris wrote:
Greetings Gary,
Well, this does sound like what I would like to achieve, we only have 3 users to administer the Cisco switches, though all domain admins (7) could do it.
We currently have one admin user account and all domain admins know the password.
To go to priv level (enable) we will continue to use one password, we only would like the SSH login to be authenticated against AD.
I am in no hurry (going home now anyway) but would love to hear your solution a little more detailed.
Chris
*Von:*freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] *Im Auftrag von *Gary Gatten *Gesendet:* Mittwoch, 9. Februar 2011 17:11 *An:* 'FreeRadius users mailing list' *Betreff:* RE: Authenticating SSH login on a Cisco IOS switch to AD
Authentication with ntlm-auth and "require-membership-of" works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is "authorized" locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our "dev" FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else...
G
------------------------------------------------------------------------
*From:*freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] *On Behalf Of *Brett Littrell *Sent:* Wednesday, February 09, 2011 9:57 AM *To:* FreeRadius users mailing list *Subject:* Re: Authenticating SSH login on a Cisco IOS switch to AD
Hi Chris,
We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login.
I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants.
Hope that helps.
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote:
Greetings all,
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation.
I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD.
Now I am trying to combine those two.
On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK.
First question: Would this at all be possible?
And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work?
Help would be highly appreciated.
Chris Schaatsbergen
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Oliver Elliott Network Specialist Information Services University of Bristol e: Oliver.Elliott@bristol.ac.uk t: 0117 92 (87861) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Feb 09, 2011 at 09:35:35AM -0800, Brett Littrell wrote:
I think it is always a good idea to keep the switch management on a separate management vlan, regardless of wether you encrypt the info or not. Between Cisco and Radius servers it does encrypt the password but I don't think it does much else.
For regular logins, you will get User-Password attribute which is encrypted with the RADIUS shared secret. I'm pretty sure the Cisco won't do CHAP. The response attributes will be signed using the shared secret, so they cannot be tampered with. So, the important thing is to choose strong shared secrets, and to limit access to any places where your switch configs are stored. Someone sniffing the RADIUS traffic will be able to see (a) who is logging in, and (b) what privilege level they have been given. If they are able to sniff your network then you probably have worse problems to worry about. Incidentally, it's quite reasonable to use RADIUS for authentication and authorization, and TACACS for accounting (e.g. point your aaa accounting at an instance of tac_plus). Then you have a real-time log of individual commands run. Having a management network is a good idea too though.
Having a separate vlan for switch management is a lot like a hidden SSID, it is by no means the most secure way to protect a network but it keeps the rif-raf from trying to hack your network. People who know how to flood the arp tables can bypass vlans if need be
It sounds like you have pretty broken switches then. VLANs are always separate, floods or no floods. Also, true switches don't care about ARP at all (as opposed to "layer 3 switches"). Regards, Brian.
Ya, your right, I meant the CAM table. flooding the CAM table with MAC addresses caused all the traffic to broadcast to all ports. My bad, but it is/was a fundamental flaw in the way switches work, I know Cisco had a fix out for it but it did not work with dot1x and DVlans. The moral of the story is that vlans are not the end security stop-gap, they are just one layer to keep the casual hacker at bay, just as the hidden SSID does. Thanks for the correction Brian.
It sounds like you have pretty broken switches then. VLANs are always separate, floods or no floods.
Also, true switches don't care about ARP at all (as opposed to "layer 3 switches").
Regards,
Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
Brian Candler <B.Candler@pobox.com> wrote:
Incidentally, it's quite reasonable to use RADIUS for authentication and authorization, and TACACS for accounting (e.g. point your aaa accounting at an instance of tac_plus). Then you have a real-time log of individual commands run.
I would say it is easier to send the command log over syslog, but that's just how we like to skin our cats round here. Cheers -- Alexander Clouter .sigmonster says: ... and furthermore ... I don't like your trousers.
Oliver Elliott wrote:
I had a look into this and as far as I could tell, the conversation between the switch and the radius server was not encrypted unless you use TACACS. Does anyone know if this conversation can be encrypted while using Freeradius, as otherwise the domain login details are presumably being sent over the network in clear text?
RADIUS passwords are always encrypted. If you want a "real" TACACS+ server, add TACACS+ support to FreeRADIUS. It isn't hard. i.e. probably ~2K LoC. But I haven't had the incentive to do it yet. After that, maybe ARP. I've been looking at the "arpwatch" programs, and none of them talk to databases. <sigh> Alan DeKok.
Gary Would you mind if I contacted you directly (I have your e-mail) about this? I have seen a very nice discussion and reading this a second time has proven that what you describe here is exactly what we are looking for. But I would still really appreciate some help getting it to work. Thanks, Chris Von: freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Gary Gatten Gesendet: Mittwoch, 9. Februar 2011 17:11 An: 'FreeRadius users mailing list' Betreff: RE: Authenticating SSH login on a Cisco IOS switch to AD Authentication with ntlm-auth and "require-membership-of" works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is "authorized" locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our "dev" FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else... G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Brett Littrell Sent: Wednesday, February 09, 2011 9:57 AM To: FreeRadius users mailing list Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants. Hope that helps. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote: Greetings all,
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
That's fine. I'm refreshing myself on our confs this morn, so I'll be able to help you more effeciently after that. In the mean time ensure your SAMBA works, that can take a little work. Also, obtain the SID of the AD group you want to check membership of. NTLM_AUTH says it can use the group "name", but I tried several different syntax and could only get it working with the SID. From: Schaatsbergen, Chris [mailto:Chris.Schaatsbergen@aleo-solar.de] Sent: Thursday, February 10, 2011 05:31 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: AW: Authenticating SSH login on a Cisco IOS switch to AD Gary Would you mind if I contacted you directly (I have your e-mail) about this? I have seen a very nice discussion and reading this a second time has proven that what you describe here is exactly what we are looking for. But I would still really appreciate some help getting it to work. Thanks, Chris Von: freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Gary Gatten Gesendet: Mittwoch, 9. Februar 2011 17:11 An: 'FreeRadius users mailing list' Betreff: RE: Authenticating SSH login on a Cisco IOS switch to AD Authentication with ntlm-auth and “require-membership-of” works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is “authorized” locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well. On our “dev” FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I’ll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else… G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Brett Littrell Sent: Wednesday, February 09, 2011 9:57 AM To: FreeRadius users mailing list Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that your going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be to easy if you are only using AD as the back-end, you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants. Hope that helps. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 09, 2011 at 7:24 AM, in message <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen, Chris" <Chris.Schaatsbergen@aleo-solar.de> wrote: Greetings all,
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco for authenticating inbound shell users and http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD. Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK. First question: Would this at all be possible? And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work? Help would be highly appreciated. Chris Schaatsbergen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On Wed, Feb 09, 2011 at 04:24:05PM +0100, Schaatsbergen, Chris wrote:
We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation.
The solution I have built is to configure freeradius as a proxy, and install IAS on the Windows AD server. You can use AD groups to configure specific reply attributes for specific users in IAS. Windows AD is limited to 50 clients (unless you have Enterprise edition) - but that is client IPs. Your freeradius server counts as only one, no matter how many Cisco boxes are authenticating through it. Regards, Brian.
OK, so the current problem seems to be that I cannot get the ntlm_auth to work. I read http://freeradius.1045715.n5.nabble.com/Freeradius-with-Active-Directory-td2... but that does not seem to apply for me as the ntlm_auth file contains the exec. Attached (if that works) is the radius -X output for the current working configuration (basic_configuration_run.txt). We are only doing mac-authentication now and depending on the mac-address, the device is placed in a certain VLAN. I unfortunately did not install the server myself but as far as I know FR was originally installed from the Debian package 2.1.8 and we recently upgraded to 2.1.10. Until a year ago I never really worked with (free)radius, linux or cisco switches and it still is just a small part of my daily work, so I probably make a lot of beginner mistakes. # -*- text -*- # # $Id$ # NTLM module # # To authenticate requests using AD. # exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=ALEO.LOCAL --username=%{mschap:User-Name} --password=%{User-Password}" } If I add ntlm_auth to the beginning of the users file I get an error /etc/freeradius/users[157]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/freeradius/users If I add ntlm_auth to the authenticate section of the default virtual server I get an error /etc/freeradius/sites-enabled/default[254]: Failed to load module "ntlm_auth". /etc/freeradius/sites-enabled/default[217]: Errors parsing authenticate section. If I add ntlm_auth to the modules section of radiusd.conf I get a 'warning' /etc/freeradius/radiusd.conf[1840]: Failed to link to module 'rlm_ntlm_auth': file not found
Schaatsbergen, Chris wrote:
OK, so the current problem seems to be that I cannot get the ntlm_auth to work. I read http://freeradius.1045715.n5.nabble.com/Freeradius-with-Active-Directory-td2... but that does not seem to apply for me as the ntlm_auth file contains the exec.
Why? Why not read the main web page that *correctly* describes how to get it to work? http://deployingradius.com/documents/configuration/active_directory.html
If I add ntlm_auth to the beginning of the users file I get an error /etc/freeradius/users[157]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/freeradius/users
Because you didn't add it in the "authenticate" section as described in the web page.
If I add ntlm_auth to the authenticate section of the default virtual server I get an error /etc/freeradius/sites-enabled/default[254]: Failed to load module "ntlm_auth". /etc/freeradius/sites-enabled/default[217]: Errors parsing authenticate section.
Because you didn't add the module definition as described in the web page.
If I add ntlm_auth to the modules section of radiusd.conf I get a 'warning' /etc/freeradius/radiusd.conf[1840]: Failed to link to module 'rlm_ntlm_auth': file not found
Because you followed the *wrong* example from the list archive, instead of following the example on the web page. Read the web page, and look for "Configuring FreeRADIUS to use ntlm_auth". Follow the instructions there *exactly*, and it *will* work. Alan DeKok.
Greetings and thanks for the quick reply. As stated in my original posting, http://deployingradius.com/documents/configuration/active_directory.html is what I have been working with from the beginning. So far I have done everything there exactly as described with the same outcome.
Why? Why not read the main web page that *correctly* describes how to get it to work?
http://deployingradius.com/documents/configuration/active_directory.htm l
If I add ntlm_auth to the authenticate section of the default virtual server I get an error /etc/freeradius/sites-enabled/default[254]: Failed to load module "ntlm_auth". /etc/freeradius/sites-enabled/default[217]: Errors parsing authenticate section.
Because you didn't add the module definition as described in the web page.
This is I believe indeed the missing piece, problem is I cannot find it in your web page.
Schaatsbergen, Chris wrote:
Greetings and thanks for the quick reply.
As stated in my original posting, http://deployingradius.com/documents/configuration/active_directory.html is what I have been working with from the beginning.
So far I have done everything there exactly as described with the same outcome.
No. If you get the error "Failed to link to module 'rlm_ntlm_auth':...", it means you did something *other* than what is on the web page.
This is I believe indeed the missing piece, problem is I cannot find it in your web page.
It's the "exec ntlm_auth { ..." text. Add it, *and* the "ntlm_auth" entry in the "authenticate" section. Alan DeKok.
So far I have done everything there exactly as described with the same outcome.
No.
If you get the error "Failed to link to module 'rlm_ntlm_auth':...", it means you did something *other* than what is on the web page.
This is I believe indeed the missing piece, problem is I cannot find it in your web page.
It's the "exec ntlm_auth { ..." text.
Add it, *and* the "ntlm_auth" entry in the "authenticate" section.
The ntlm_auth file with the exec ntlm_auth text has been in the module folder since I started working on this (actually I believe it was already there as it is has been added in 2.1.8), about a week ago. It is also what I have indicated both in my original post and in the repost I made today. The file is there, and the exact contents of that file are in the repost I posted earlier today. Now if there is something wrong with that file I would love to hear it. I tried various ways of adding ntlm_auth to the authentication section of the default virtual machine but all with the same outcome, module not found. Unfortunately I do not see where the actual problem lies, otherwise I would not have bothered you with it. I have followed the instructions from your webpage to the letter and when that did not work I tried some other suggestions but they all proven without effect and are therefore removed again. Now, if anyone is willing to actually look to see what is going wrong instead of immediately jumping to the easy conclusions, that help would be highly appreciated. I am pretty sure I made a mistake somewhere, but it has not been in following these instructions. More likely it is in the original configuration or how I changed it to fit our need (Mac authentication). The current running config works properly, but it is very well possible I disabled something that is needed for ntlm_auth.
OK, I think I found out where things are going wrong. In my Radius -X log I noticed the "Starting - reading configuration files" is short, compared to those of others. What is missing is actually: including files in directory /usr/local/etc/raddb/modules/ (followed by including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/unix including configuration file/usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/perl) This is all not in my freeradius -X logs and is in the logs of others. Now where do I enable/disable loading the modules folder?
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+chris.schaatsbergen=aleo- solar.de@lists.freeradius.org [mailto:freeradius-users- bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Schaatsbergen, Chris Gesendet: Freitag, 11. Februar 2011 19:32 An: FreeRadius users mailing list Betreff: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
So far I have done everything there exactly as described with the same outcome.
No.
If you get the error "Failed to link to module 'rlm_ntlm_auth':...", it means you did something *other* than what is on the web page.
This is I believe indeed the missing piece, problem is I cannot find it in your web page.
It's the "exec ntlm_auth { ..." text.
Add it, *and* the "ntlm_auth" entry in the "authenticate" section.
The ntlm_auth file with the exec ntlm_auth text has been in the module folder since I started working on this (actually I believe it was already there as it is has been added in 2.1.8), about a week ago. It is also what I have indicated both in my original post and in the repost I made today. The file is there, and the exact contents of that file are in the repost I posted earlier today. Now if there is something wrong with that file I would love to hear it. I tried various ways of adding ntlm_auth to the authentication section of the default virtual machine but all with the same outcome, module not found.
Unfortunately I do not see where the actual problem lies, otherwise I would not have bothered you with it.
I have followed the instructions from your webpage to the letter and when that did not work I tried some other suggestions but they all proven without effect and are therefore removed again.
Now, if anyone is willing to actually look to see what is going wrong instead of immediately jumping to the easy conclusions, that help would be highly appreciated. I am pretty sure I made a mistake somewhere, but it has not been in following these instructions. More likely it is in the original configuration or how I changed it to fit our need (Mac authentication). The current running config works properly, but it is very well possible I disabled something that is needed for ntlm_auth.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Schaatsbergen, Chris wrote:
OK, I think I found out where things are going wrong.
In my Radius -X log I noticed the "Starting - reading configuration files" is short, compared to those of others. What is missing is actually:
including files in directory /usr/local/etc/raddb/modules/ ... Now where do I enable/disable loading the modules folder?
radiusd.conf? Alan DeKok.
That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192... has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be? The beginning part of our current radiusd.conf: # -*- text -*- ## ## radiusd.conf -- FreeRADIUS server configuration file. ## ## http://www.freeradius.org/ ## $Id: radiusd.conf.in,v 1.272 2008/04/26 15:14:33 aland Exp $ ## ###################################################################### # # Read "man radiusd" before editing this file. See the section # titled DEBUGGING. It outlines a method where you can quickly # obtain the configuration you want, without running into # trouble. # # Run the server in debugging mode, and READ the output. # # $ radiusd -X # # We cannot emphasize this point strongly enough. The vast # majority of problems can be solved by carefully reading the # debugging output, which includes warnings about common issues, # and suggestions for how they may be fixed. # # There may be a lot of output, but look carefully for words like: # "warning", "error", "reject", or "failure". The messages there # will usually be enough to guide you to a solution. # # If you are going to ask a question on the mailing list, then # explain what you are trying to do, and include the output from # debugging mode (radiusd -X). Failure to do so means that all # of the responses to your question will be people telling you # to "post the output of radiusd -X". ###################################################################### # # The location of other config files and logfiles are declared # in this file. # # Also general configuration for modules can be done in this # file, it is exported through the API to modules that ask for # it. # # See "man radiusd.conf" for documentation on the format of this # file. Note that the individual configuration items are NOT # documented in that "man" page. They are only documented here, # in the comments. # # As of 2.0.0, FreeRADIUS supports a simple processing language # in the "authorize", "authenticate", "accounting", etc. sections. # See "man unlang" for details. # prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius # Should likely be ${localstatedir}/lib/radiusd db_dir = $(raddbdir)
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+chris.schaatsbergen=aleo- solar.de@lists.freeradius.org [mailto:freeradius-users- bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Montag, 14. Februar 2011 12:40 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:
OK, I think I found out where things are going wrong.
In my Radius -X log I noticed the "Starting - reading configuration files" is short, compared to those of others. What is missing is actually:
including files in directory /usr/local/etc/raddb/modules/ ... Now where do I enable/disable loading the modules folder?
radiusd.conf?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Schaatsbergen, Chris wrote:
That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192... has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.
<shrug> I don't run Lenny, so I can't say any more.
Where can I find a proper radiusd.conf?
Have you tried the 2.1.10 "tar" file on freeradius.org? Alan DeKok.
I think freeradius is a great piece of software and I will certainly continue to use it. I am also very happy with the great documentation that can be found, both the wiki and Alan's website are an awesome source of very good information. The support community here is also very active, which is a great thing. But had someone with freeradius knowledge taken the time to look at the freeradius -X logs I (and David Dumortier) supplied with our questions, they would have seen the problem right away I suppose, in both our cases. Probably there have been too many typical n00b users who asked questions after not following the (clear) documentation properly, but please understand we are not all like that. This has caused me an enormous load of stress and has cost me about 3 days (and one night sleep), and I assume it has caused you a certain amount of stress as well, and it could have been so much more satisfying had it been checked just a little bit more. Of course, you are not responsible for every package being produced and I do not know yet how this all works as I did not install our freeradius server myself (unfortunately). But in our cases, the users where not to blame, other than using an available and hopefully supported package. I will have a new lenny server installed with just the 2.1.10 debian backport package on it (no older versions) to see if that comes with a proper radiusd.conf file. If so then my problem is caused by an older package being installed earlier and new users will not be bothered by it. Again, I really think freeradius is a great piece of software, there is plenty of good documentation and it has an awesome support community here. So I will certainly continue to use freeradius as our authentication server. But please, if a user says he followed the instructions to the letter, give them the benefit of the doubt and see if something else is going wrong.
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+chris.schaatsbergen=aleo- solar.de@lists.freeradius.org [mailto:freeradius-users- bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Montag, 14. Februar 2011 12:57 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:
That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011- January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.
<shrug> I don't run Lenny, so I can't say any more.
Where can I find a proper radiusd.conf?
Have you tried the 2.1.10 "tar" file on freeradius.org?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192... has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.
Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?
from the main source www.freeradius.org get the 2.1.10 tarball , extract it and look at what the config should be like. I wonder if lenny is requiring you to install other packages for purpose/facilities alan
Thanks! Actually in this case I was too early writing the mail (because I was rather annoyed), something I should not allow myself to happen. The radiusd.conf file is documented on the Wiki site (though the link there that should point to the latest version is not working as it points to the currently unexisting http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf). I found the missing piece: $INCLUDE ${confdir}/modules/ Which should be in (the top of) the modules section. With that addition freeradius starts without error messages so I can continue Alan DeKoks (excellent) description how to enable AD authentication.
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+chris.schaatsbergen=aleo- solar.de@lists.freeradius.org [mailto:freeradius-users- bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Alan Buxey Gesendet: Montag, 14. Februar 2011 13:48 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Hi,
That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011- January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.
Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?
from the main source
www.freeradius.org
get the 2.1.10 tarball , extract it and look at what the config should be like. I wonder if lenny is requiring you to install other packages for purpose/facilities
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A slightly different question, does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do "the Alans" get a part of that? I am missing a donate button on the freeradius website and I hope/expect we do not need that much support once this server is up and running.
Schaatsbergen, Chris wrote:
A slightly different question, does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do "the Alans" get a part of that? I am missing a donate button on the freeradius website and I hope/expect we do not need that much support once this server is up and running.
Network RADIUS is a for-profit company which does FreeRADIUS support, development, consulting, etc. No one on this list is asked to work for free. I run the company, and while I'm not getting rich, the proceeds from it have kept me off of the streets. Alan DeKok.
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+chris.schaatsbergen=aleo- solar.de@lists.freeradius.org [mailto:freeradius-users- bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Montag, 14. Februar 2011 15:33 An: FreeRadius users mailing list Betreff: Re: Support
Schaatsbergen, Chris wrote:
A slightly different question, does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do "the Alans" get a part of that? I am missing a donate button on the freeradius website and I hope/expect we do not need that much support once this server is up and running.
Network RADIUS is a for-profit company which does FreeRADIUS support, development, consulting, etc. No one on this list is asked to work for free.
I run the company, and while I'm not getting rich, the proceeds from it have kept me off of the streets.
Well, I am not doing it to keep you off the streets (you should not be a freeradius prisoner), but to make sure FreeRadius continues to get developed and this active community stays active. As a former developer myself I can understand how annoying it can be if you have helped someone a great deal and then get absolutely nothing in return (quite often people even forget to thank you). I will try and convince the management to cough up.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
A slightly different question, does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do "the Alans" get a part of that? I am missing a donate button on the freeradius website and I hope/expect we do not need that much support once this server is up and running.
Network RADIUS is a for-profit company which does FreeRADIUS support, development, consulting, etc. No one on this list is asked to work for free.
I run the company, and while I'm not getting rich, the proceeds from it have kept me off of the streets.
:-) I use FreeRADIUS in anger (well, sometimes I'm happy too) in a major environment and within a national level. as such I am very interested in seeing issues that people have with it and seeign what other people do to achieve results. I have learnt quite a lot from this list...and helping people out is just my altruistic streak that occasionally comes through (heck, I really want them to use FreeRADIUS rather than waste money on NPS or ACS etc ;-) ). I already have a salaried position.... but I do have an amazon wishlist that some kind people have looked at after I've got them out of a pickle or done their work for them! ;-) (many thanks to those people..I've enjoyed the books and games). please think about networkradius.com if you want to have a solid support for the product - it will ensure that you have a good FreeRADIUS deployment and you wont get Mr Random in management bearing down on you with money being thrown at some limited commercial platform.... whilst there are good people on this list, I'd state you should never rely on a public mailing list for support of critical systems!! - we're here when we have the time to be :-) alan
On Tue, Feb 15, 2011 at 4:45 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
please think about networkradius.com if you want to have a solid support for the product - it will ensure that you have a good FreeRADIUS deployment and you wont get Mr Random in management bearing down on you with money being thrown at some limited commercial platform....
or worse, throwing money for some limited commercial platform's LICENSE but not bothering spending anything on SUPPORT, leaving you high-and-dry when you need help the most. -- Fajar
Schaatsbergen, Chris wrote:
Thanks! Actually in this case I was too early writing the mail (because I was rather annoyed), something I should not allow myself to happen. The radiusd.conf file is documented on the Wiki site (though the link there that should point to the latest version is not working as it points to the currently unexisting http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).
That should point to "radiusd.conf.in".
I found the missing piece:
$INCLUDE ${confdir}/modules/
Which should be in (the top of) the modules section.
With that addition freeradius starts without error messages so I can continue Alan DeKoks (excellent) description how to enable AD authentication.
Most of the "howtos" assume you're running a recent version of the server. Some systems have *old* versions of the server. We're unable to maintain copies of the documentation for each version of the server. This makes life harder for the average admin, but we have to draw the line somewhere. Alan DeKok.
Most of the "howtos" assume you're running a recent version of the server. Some systems have *old* versions of the server. We're unable to maintain copies of the documentation for each version of the server.
This makes life harder for the average admin, but we have to draw the line somewhere.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right. I hope to find out what is wrong exactly and post it here for future use. After a short (and rather violent) discussion with our linux expert I believe originally version 2.0.4 had been installed as that is the current stable version for lenny. But before I started working with it, it had already been upgraded to 2.1.8 and I requested the upgrade to 2.1.10 recently because of the lowercase function. All upgrades, no new installs, perhaps there lies the problem.
Schaatsbergen, Chris wrote:
We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right.
The radiusd.conf file isn't over-written when a new package is installed. You've customized it locally, and it *must* be left alone. Alan DeKok.
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+chris.schaatsbergen=aleo- solar.de@lists.freeradius.org [mailto:freeradius-users- bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Montag, 14. Februar 2011 16:00 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:
We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right.
The radiusd.conf file isn't over-written when a new package is installed. You've customized it locally, and it *must* be left alone.
Crystal Clear. So you should never upgrade the existing installation. And if you really do need a new version then you should backup the old installation, perform a clean new installation and then redo all the configuration you had done before (and hope that it still works). Pity, but on the other hand a very good reason to keep your documentation up to date. Talking about work for the admins :p I am glad when I have this server up and running, I just have to finish the documentation and can then 'throw it over the wall' to the system administrators ;) There are actually other programs (Splunk, costs 12k a year) that use different config files for system config and user config. Maybe an idea for a future release of freeradius?
Schaatsbergen, Chris wrote:
There are actually other programs (Splunk, costs 12k a year) that use different config files for system config and user config. Maybe an idea for a future release of freeradius?
What's "system config" ? In the context of a RADIUS server, *everything* is local customization. Most sites put the bulk "user config" into a database, where the schema doesn't change. Alan DeKok.
On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192... has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.
Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?
Looking at config below... /usr/local/etc/raddb/modules/ Lenny package does NOT put stuff in /usr/local/ Seems you have two versions of freeradius on your system. Cheers, -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+chris.schaatsbergen=aleo- solar.de@lists.freeradius.org [mailto:freeradius-users- bounces+chris.schaatsbergen=aleo-solar.de@lists.freeradius.org] Im Auftrag von Johan Meiring Gesendet: Montag, 14. Februar 2011 14:48 An: freeradius-users@lists.freeradius.org Betreff: Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011- January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.
Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?
Looking at config below... /usr/local/etc/raddb/modules/
Lenny package does NOT put stuff in /usr/local/
Seems you have two versions of freeradius on your system.
Cheers,
I took the other data from another 'ticket' here which is clearly not running on lenny indeed. But the problem has been solved, thanks for your help to think of an answer though :)
participants (11)
-
Alan Buxey -
Alan DeKok -
Alexander Clouter -
Brett Littrell -
Brian Candler -
Fajar A. Nugraha -
Gary Gatten -
Johan Meiring -
Jonathan Gazeley -
Oliver Elliott -
Schaatsbergen, Chris