Hello everyone! I'm new to FreeRadius, so please bear with me. :) Goal: Make FreeRadius look-up a user in ActiveDirectory if he has "mydomain.com" domain. Used method: EAP/TTLS (PAP in the tunnel) This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :) (it doesn't seem to load the local_ad virtual server configuration, which is I placed in the sites-enabled directory, it seems to just carry on executing the default server) parts from proxy.conf: proxy server { default_fallback = no } home_server localhost_ad { type = auth virtual_server = local_ad } home_server_pool active_directory { type = fail-over virtual_server = local_ad home_server = localhost_ad } realm mydomain.com { auth_pool = active_directory } And the output: rad_recv: Access-Request packet from host 192.168.0.101 port 1812, id=8, length=138 NAS-IP-Address = 192.168.0.101 NAS-Port-Type = Async User-Name = "user@mydomain.com" Service-Type = Framed-User Framed-MTU = 1500 Calling-Station-Id = "00-11-22-33-44-55" EAP-Message = 0x0200001d016a73691d756e646363406c73732d6e65542e6c73732e6872 Message-Authenticator = 0x10017179767a5ab6718168e8399c8993 +- entering group authorize ++[preprocess] returns ok rlm_realm: Looking up realm "mydomain.com" for User-Name = "user@mydomain.com" rlm_realm: Found realm "mydomain.com" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "mydomain.com" rlm_realm: Proxying request from user user to realm mydomain.com rlm_realm: Preparing to proxy authentication request to realm "mydomain.com" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP. ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop There was no response configured: rejecting request 0 Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user@mydomain.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Thanks in advance! _________________________________________________________________ Hotmail: Trusted email with powerful SPAM protection. https://signup.live.com/signup.aspx?id=60969
Matthew P wrote:
I'm new to FreeRadius, so please bear with me. :)
Good questions are a very good start.
Goal: Make FreeRadius look-up a user in ActiveDirectory if he has "mydomain.com" domain. Used method: EAP/TTLS (PAP in the tunnel)
This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :) (it doesn't seem to load the local_ad virtual server configuration, which is I placed in the sites-enabled directory, it seems to just carry on executing the default server)
If you read the start of the debug output, it *should* show it loading the "local_ad" virtual server. The output below shows it not *proxying* the request to the "local_ad" virtual server.
realm mydomain.com { auth_pool = active_directory
You'll need a line: nostrip To avoid EAP identity issues. ...
rlm_realm: Preparing to proxy authentication request to realm "mydomain.com" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP. ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop There was no response configured: rejecting request 0
i.e. it doesn't proxy it. This *does* work in 2.1.9. So which version are you running? And why are you creating this complicated configuration? The "inner-tunnel" virtual server is set up *precisely* for this kind of authentication. You do EAP in the "default" server. Then, the "inner-tunnel" server gets the PAP password, and you can configure it to look the user up in AD there. In fact, you should only need to do the following: * start with the default config * uncomment "ldap" everywhere in raddb/sites-enabled/inner-tunnel * configure raddb/modules/ldap to point to AD * ensure you have the correct certificates for TTLS * TTLS + PAP *should* work The default configuration is designed to work in the widest possible set of circumstances, with a minimal set of changes required to add any common functionality. Alan DeKok.
participants (2)
-
Alan DeKok -
Matthew P