how to configure Cisco vpn clients againts freeradius
Hi I installed the Freeradius and I'd like to authenticate cisco vpn clients against AD Clients are autheticated thorugh domainame\username and password and they need to be a members of the AD group I have already running AD authentication but with the access to the router ( priv level 15 ) What shoud I set in the users file ? My current seetings is: Users: user Auth-Type := ntlm_auth Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" Mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-DOMAINNAME} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Then I added another ntlm authentication for the VPN Cisco clients: ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of='SOMEDOMAIN+domain users'" And I added this lines into users file: DEFAULT Huntgroup-Name == "vpn" Auth-Type := ntlm_auth2 Huntgroup file: vpn NAS-IP-Address == x.x.x.x , NAS-Port-Type == "Virtual" But it doesn't work When I run command "ntlm_auth --request-nt-key --username=MYNAME --require-membership-of='SOMEDOMAIN+domain users'" , it works Can somebody help me how should look Users file Thanks
Jevos, Peter wrote:
user Auth-Type := ntlm_auth Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" ... And I added this lines into users file: DEFAULT Huntgroup-Name == "vpn" Auth-Type := ntlm_auth2
What is "Auth-Type" on the first line for "user", and on the second for "DEFAULT"? See "man users" Run the server in debugging mode. It WILL complain about the "Auth-Type" being on the second line. Alan DeKok.
Jevos, Peter wrote:
user Auth-Type := ntlm_auth Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" ... And I added this lines into users file: DEFAULT Huntgroup-Name == "vpn" Auth-Type := ntlm_auth2
What is "Auth-Type" on the first line for "user", and on the second for "DEFAULT"? See "man users" Run the server in debugging mode. It WILL complain about the "Auth-Type" being on the second line. Alan DeKok. - HI alan Thank you for your answer, but I don't understand I took it from the mailing list: http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February /msg00046.html I'd like to authenticate all cisco vpn clients that match the proper domain name and password. I already have the ntlm_auth command, but I don't know how should look like the Users file My ntlm_auth is: ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of='SOMEDOMAIN+domain users'" I'm using ntlm_auth2 because ntlm_auth is already used ( for the router access ) Thanks pet
Jevos, Peter wrote:
Thank you for your answer, but I don't understand
The documentation && debug mode is clear. Do you have a *specific* question?
I took it from the mailing list: http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February /msg00046.html
I see. You'll believe some random post on the list, but not the documentation, debug mode, or the main author?
I'd like to authenticate all cisco vpn clients that match the proper domain name and password. I already have the ntlm_auth command, but I don't know how should look like the Users file
You were told what the "users" file should look like. The "Auth-Type" text goes on the FIRST line of the entry. See "man users", and the examples in the default "users" file. NONE of the examples in the default "users" file have "Auth-Type" on the second line of an entry. Alan DeKok.
Jevos, Peter wrote:
Thank you for your answer, but I don't understand
The documentation && debug mode is clear. Do you have a *specific* question?
I took it from the mailing list:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February
/msg00046.html
I see. You'll believe some random post on the list, but not the documentation, debug mode, or the main author?
I'd like to authenticate all cisco vpn clients that match the proper domain name and password. I already have the ntlm_auth command, but I don't know how should look like the Users file
You were told what the "users" file should look like. The "Auth-Type" text goes on the FIRST line of the entry. See "man users", and the examples in the default "users" file. NONE of the examples in the default "users" file have "Auth-Type" on the second line of an entry. Alan DeKok. - Dear Alan, thank you for your answer Actually debug says : Unknown value ntlm_auth2 for attribute Auth-Type I've changed it as you adviced and I put the Auth-Type on the first place. However in the man page there is no example how to use Auth-Type and HUntgorup together. So my config is: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of='DOMAIN+vpn users'" And the user file is: user Auth-Type := ntlm_auth Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" DEFAULT Auth-Type := ntlm_auth2 Huntgroup-Name == "vpn" Of course, I would prefer direct post how it should looks like, cause the documentation has lack of examples and the only source is examples from mailing list. Please, does anybody has example how to combine two ntlm_auth ? Thanks a lot pet
Jevos, Peter wrote:
Actually debug says : Unknown value ntlm_auth2 for attribute Auth-Type
Which means you didn't list "ntlm_auth2" in the "authenticate" section.
I've changed it as you adviced and I put the Auth-Type on the first place. However in the man page there is no example how to use Auth-Type and HUntgorup together.
No. There's no documentation on how to use Filter-Id and User-Name together, either. Documenting all possible combinations of all attributes would require thousands of pages of text. Instead, the *concepts* are documented, and it is expected that people understand, and apply those concepts.
DEFAULT Auth-Type := ntlm_auth2 Huntgroup-Name == "vpn"
Were you told to move the "Huntrgoup-Name" line? No. So why did you move it?
Of course, I would prefer direct post how it should looks like, cause the documentation has lack of examples and the only source is examples from mailing list.
No. It doesn't help anyone to give you the exact solution. Doing that would mean that you don't need to think for yourself.
Please, does anybody has example how to combine two ntlm_auth ?
Configure ntlm_auth. Then, duplicate & edit the configuration, including all refefences to ntlm_auth, for the "ntlm_auth2" module. Alan DeKok.
Dear Alan, thank you , I'm moving slowly forward : ) So now, I have created second ntlm_auth2 file in the modules directory, with this command: exec ntlm_auth2 { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512" } I also added new authentication method ntlm_auth2 into sites-available/inner-tunnel and default I tested with "radtest USER PASSWORD localhost 0 testing123" and the test passed : ) So I have created another line in the modules/mschap that looks like: ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of= S-1-5-21-853024553-185696384-3473746203-512" But the vpn cisco clients are authenticated through domainname\username and password Is this ntlm_auth2 in the mschap ok ? or should I remove --domain=%{%{mschap:NT-Domain}:} ? I also changed users to : DEFAULT Auth-Type := ntlm_auth2,Huntgroup-Name == "vpn" Thanks pet
Jevos, Peter wrote:
So now, I have created second ntlm_auth2 file in the modules directory, with this command:
Good.
I also added new authentication method ntlm_auth2 into sites-available/inner-tunnel and default
Good.
I tested with "radtest USER PASSWORD localhost 0 testing123" and the test passed : )
Very good!
So I have created another line in the modules/mschap that looks like:
ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of= S-1-5-21-853024553-185696384-3473746203-512"
Err... no. That won't work.
But the vpn cisco clients are authenticated through domainname\username and password
Then you don't need to edit the mschap configuration.
Is this ntlm_auth2 in the mschap ok ? or should I remove --domain=%{%{mschap:NT-Domain}:} ?
Delete the "ntlm_auth2" line from the mschap config. It does nothing.
I also changed users to :
DEFAULT Auth-Type := ntlm_auth2,Huntgroup-Name == "vpn"
That should work. Alan DeKok.
Err... no. That won't work.
But the vpn cisco clients are authenticated through domainname\username and password
Then you don't need to edit the mschap configuration.
Is this ntlm_auth2 in the mschap ok ? or should I remove --domain=%{%{mschap:NT-Domain}:} ?
Delete the "ntlm_auth2" line from the mschap config. It does nothing.
I also changed users to :
DEFAULT Auth-Type := ntlm_auth2,Huntgroup-Name == "vpn"
That should work. Dear Alan Yest , it'working, but I had to change the users file, cause it falled down always into ntlm_auth2, when I wante to authenticate with my username Now it looks like: DEFAULT Auth-Type := ntlm_auth2,Huntgroup-Name == "vpn" Fall-Through = Yes username Auth-Type := ntlm_auth Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" And this works, but only with one domain. I need to check how it works with more domains BY for now thanks a lot, I will let you know Pet
ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of= S-1-5-21-853024553-185696384-3473746203-512"
Err... no. That won't work.
But the vpn cisco clients are authenticated through domainname\username and password
Then you don't need to edit the mschap configuration.
Is this ntlm_auth2 in the mschap ok ? or should I remove --domain=%{%{mschap:NT-Domain}:} ?
Delete the "ntlm_auth2" line from the mschap config. It does nothing.
I also changed users to :
DEFAULT Auth-Type := ntlm_auth2,Huntgroup-Name == "vpn"
That should work. Alan DeKok. Hello Alan, One more question . Why shoud I delete the ntlm_auth2 line from the mschap file ? I thought that it is necessary. I have ntlm_auth file and ntlm_auth2 file 9 with the diferrent commands ), but only one cpmmand ntlm_auth in the mschap file What is the connection between command in the modules/ntlm_authx file, and the command ntlm_auth in the mschap. Thanks pet
Jevos, Peter wrote:
One more question . Why shoud I delete the ntlm_auth2 line from the mschap file ?
Does the mschap module documentation/comments say it will understand an "ntlm_auth2" line?
I thought that it is necessary. I have ntlm_auth file and ntlm_auth2 file 9 with the diferrent commands ), but only one cpmmand ntlm_auth in the mschap file
Did you read my previous message explaining why you didn't need an ntlm_auth2 configuration for mschap?
What is the connection between command in the modules/ntlm_authx file, and the command ntlm_auth in the mschap.
Nothing. Alan DeKok.
participants (2)
-
Alan DeKok -
Jevos, Peter