RE: Freeradius+Active directory - router login authentciation
Thanks a lot Fredriksson. I managed to start radius daemon successfully with your suggestions, now my next problem to test user authentication from Active directory. Using ntlm_auth I can test user authentication. When I do following - radtest ActDirectUser ActDirectUserPassword 127.0.0.1 1812 testing123 Sending Access-Request of id 178 to 127.0.0.1 port 1812 User-Name = "ActDirectUser" User-Password = "ActDirectUserPassword" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=178, length=20 And when I use IP address x.x.x.x in place of 127.0.0.1, requests are kept on being resent and ultimately I get " radclient: no response from server for ID nnn" Need more help. THANKS -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Turbo Fredriksson Sent: Monday, September 10, 2007 2:06 PM To: freeradius-users@lists.freeradius.org Subject: Re: Freeradius+Active directory - router login authentciation Quoting "Rakesh Jha" <rakesh@burgan.com>: I'm far from an expert in FreeRADIUS (so take what I say with a grane of salt), but I instantly noticed this.
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap_tls: Unable to open DH file - (null) rlm_eap: Failed to initialize type tls
It can't open the 'DH file' (don't quite know which one that is), but I would assume that it's some (or maybe all?) of the first three files. Do they exist? Does the freeradius daemon have the right to _read_ those files (are you running the daemon under some user _not_ root). I run (default in Debian GNU/Linux) the daemon under the 'freerad' user so this user must be able to read the files mentioned (AND have the right to access all directory paths before it). Also, the 'check_cert_cn' is empty. If you don't use it, uncomment it in the config file. probably goes for the options 'check_cert_cn' and 'check_cert_issuer' to. I DO use them, and my eap.conf file looks like this: ----- s n i p ----- celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf check_cert_issuer = "<see below>" check_cert_cn = %{User-Name} cipher_list = "DEFAULT" ----- s n i p ----- The 'check_cert_issuer' value is a little personal (something I wouldn't want to post to the 'Net) but is the value found in the 'subject' line when running the command: openssl x509 -subject -noout -in <cacert> ----- s n i p ----- celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem subject= <secret> ----- s n i p -----
radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[1962] Unknown module "eap". radiusd.conf[1909] Failed to parse authenticate section.
These will probably go away once you have fixed the tls parts above...
As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links which guide correctly to configure radius, openssl and active directory.
I think Alan is a little 'judgmental' (wrong choice, but I can't quite get the exact translation of what I meant) if here. I would to if (since!) people don't think for them self and only follow external 'documentation' by the letter without trying to actually understand what it means... Following ANY documentation require UNDERSTANDING! Not HOW, but WHY ('... a certain option is used with a special value'). DISCLAIMER (before Alan slaps me :): I'm in no way better my self - I'm lousy in reading documentation. I only read a little here and a little there, but I (almost) always understand the parts that I DO read :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Attention: Any non-official business related views, opinions and other information presented in this electronic mail are solely those of the sender/author. Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressed indicated in this mail or responsible for delivering this message to the intended, you should delete this message and notify the sender immediately. ------------------------------------------------------- Burgan Bank S.A.K www.burgan.com
Quoting "Rakesh Jha" <rakesh@burgan.com>:
Using ntlm_auth I can test user authentication.
Are you saying that ntlm_auth tests work?
When I do following -
radtest ActDirectUser ActDirectUserPassword 127.0.0.1 1812 testing123
As said before, output from 'freeradius -X' is necessary for anyone to help... freeradius -X 2>&1 | tee /tmp/freeradius.log Then look in the file /tmp/freeradius.log for something that don't seem right (try figuring it out for yourself first before asking for help - you will earn more respect/help that way).
participants (2)
-
Rakesh Jha -
Turbo Fredriksson