FR + AD + Vlans + LDAP help
Hello, Im currently trying to configure freeradius to authenticate via a win2k3 server, check the users group and then return a confirmation/ denial + vlan id for the cisco WAP to process. Questions: 1: Is ldap the only way of retreiving the users group/s 2 - Can I talk directly to the ADS using the ldap client (or however its done) instead of setting up a linux openldap server. 3: Does users entry look correct it is ment to disallow people in the group rejects, assign priv students to 1 vlan and students to the other vlan: # !! testing groups DEFAULT LDAP-Group == "rejects", Auth-Type := Reject DEFAULT Auth-Type = ntlm_auth Fall-Through = 1 DEFAULT LDAP-Group == "staff" Service-Type = Framed-User, Tunnel-Type = :1:VLAN, Tunnel-Medium-Type = :1:6, Tunnel-Private-Group-ID = :1:140 DEFAULT LDAP-Group == "students" Service-Type = Framed-User, Tunnel-Type = :1:VLAN, Tunnel-Medium-Type = :1:6, Tunnel-Private-Group-ID = :1:141
I have been slowly reading through source docs (some are a bit full on for me the 1st go) and I turned up this howto via google that supposedly runs down the needed steps to auththenticate via ldap. http://www.telenovela-world.com/~spade/linux/howto/LDAP-Implementation-HOWTO... Im not sure what is happening atm, the wireless client trys to authenticate but fails. radiusd -X -A output: http://pastebin.ca/444005 Now I am still asumming radius can auth against ADS using ldap (am I wrong or right there ppl), the config seems correct. If some1 could once again point me in a direction to study more on Id be more than happy. Thanks alot. Files: users http://pastebin.ca/444008 clients.conf http://pastebin.ca/444009 naslist http://pastebin.ca/444010 dictionary http://pastebin.ca/444011 radiusd.conf http://pastebin.ca/444012 ---------- Forwarded message ---------- From: Jacob Jarick <mem.namefix@gmail.com> Date: Apr 17, 2007 11:11 AM Subject: FR + AD + Vlans + LDAP help To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Hello, Im currently trying to configure freeradius to authenticate via a win2k3 server, check the users group and then return a confirmation/ denial + vlan id for the cisco WAP to process. Questions: 1: Is ldap the only way of retreiving the users group/s 2 - Can I talk directly to the ADS using the ldap client (or however its done) instead of setting up a linux openldap server. 3: Does users entry look correct it is ment to disallow people in the group rejects, assign priv students to 1 vlan and students to the other vlan: # !! testing groups DEFAULT LDAP-Group == "rejects", Auth-Type := Reject DEFAULT Auth-Type = ntlm_auth Fall-Through = 1 DEFAULT LDAP-Group == "staff" Service-Type = Framed-User, Tunnel-Type = :1:VLAN, Tunnel-Medium-Type = :1:6, Tunnel-Private-Group-ID = :1:140 DEFAULT LDAP-Group == "students" Service-Type = Framed-User, Tunnel-Type = :1:VLAN, Tunnel-Medium-Type = :1:6, Tunnel-Private-Group-ID = :1:141
Jacob Jarick wrote:
Im not sure what is happening atm, the wireless client trys to authenticate but fails.
radiusd -X -A output: http://pastebin.ca/444005
The debug output shows an error message from ntlm_auth. Fix that.
Now I am still asumming radius can auth against ADS using ldap (am I wrong or right there ppl),
No. This comes up a lot, and the answer is always the same. LDAP servers don't do authentication. They're databases. FreeRADIUS is an authentication server, not a database. And Active Directory is barely an LDAP server. You can query it for *some* information, but not for passwords. That's what ntlm_auth has to be used. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Jacob Jarick wrote:
Im currently trying to configure freeradius to authenticate via a win2k3 server, check the users group and then return a confirmation/ denial + vlan id for the cisco WAP to process.
Questions:
1: Is ldap the only way of retreiving the users group/s
If the users and groups are in LDAP, yes.
2 - Can I talk directly to the ADS using the ldap client (or however its done) instead of setting up a linux openldap server.
Yes. Just point the ldap module to active directory. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks again alan. ntlm_auth error fixed, just working on the next 1 now :) On 4/17/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
Im currently trying to configure freeradius to authenticate via a win2k3 server, check the users group and then return a confirmation/ denial + vlan id for the cisco WAP to process.
Questions:
1: Is ldap the only way of retreiving the users group/s
If the users and groups are in LDAP, yes.
2 - Can I talk directly to the ADS using the ldap client (or however its done) instead of setting up a linux openldap server.
Yes. Just point the ldap module to active directory.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radiusd -X -A output: http://pastebin.ca/444131 radius.conf: http://pastebin.ca/444132 OK Ive sorted that pesky ntlm_auth error, but I have encountered a new 1 (at least its something new :D ). The specific part of the error is below. rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.1.1.11:389, authentication 0 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=com/frpass to 10.1.1.11:389 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 1 modcall: leaving group authorize (returns fail) for request 1 It complains about my password in radius.conf. Here is the section in question: ldap { # !! I assume that mydomain is replaced with desired domain. server = 10.1.1.11 identity = cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=com password = frpass #this is the basedn to do searches on a user basedn = ou=users,ou=radius,dc=tfxschool,dc=com #notice the username is the stripped user-name or user-name filter = (uid=%{Stripped-User-Name:-{User-Name}}) start_tls = no tls_mode = no #this maps ldap attributetypes to radius attributes dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_cache_timeout = 120 ldap_cache_size = 0 ldap_connections_number = 10 #password_header = {clear} #While integrating FreeRADIUS with Novell eDirectory, set #'password_attribute = nspmpassword' in order to use the universal password #of the eDirectory users for RADIUS authentication. This will work only if #FreeRADIUS is configured to build with --with-edir option. password_attribute = frpass I have created the user freeradius on the win2k3 server, added him to the groups admins and radius and set the password to frpass. All insights and suggestions welcome.
radiusd -X -A output: http://pastebin.ca/444162 radiusd.conf: http://pastebin.ca/444163 I just figured out that ou != groups. So my current freeradius user is \admins\radius\freeradius admins being an orgnisational unit, radius being an ou inside admins. I get this error when freeradius trys to confirm the user/passwd against the ADS. "rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf" On 4/17/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
Im currently trying to configure freeradius to authenticate via a win2k3 server, check the users group and then return a confirmation/ denial + vlan id for the cisco WAP to process.
Questions:
1: Is ldap the only way of retreiving the users group/s
If the users and groups are in LDAP, yes.
2 - Can I talk directly to the ADS using the ldap client (or however its done) instead of setting up a linux openldap server.
Yes. Just point the ldap module to active directory.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radiusd -X -A output: http://pastebin.ca/444201 radiusd.conf: http://pastebin.ca/444205 After re-reading http://wiki.freeradius.org/index.php/Rlm_ldap I enabled ldap debug and re-aranged the ldap config like so: before: identity = cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=internal password = frpass after: identity = "cn=freeradius,ou=admins,ou=radius,dc=tfxschool" password = frpass It didnt seem to make any difference unfortunately. On 4/17/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
Im currently trying to configure freeradius to authenticate via a win2k3 server, check the users group and then return a confirmation/ denial + vlan id for the cisco WAP to process.
Questions:
1: Is ldap the only way of retreiving the users group/s
If the users and groups are in LDAP, yes.
2 - Can I talk directly to the ADS using the ldap client (or however its done) instead of setting up a linux openldap server.
Yes. Just point the ldap module to active directory.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Jacob Jarick