RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Dusty Doris Sent: November 25, 2005 9:43 AM To: FreeRadius users mailing list Subject: RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
So, the question again is if the VPN Concentrator is only sending username and password, do I need ntml_auth or ms-chap? FreeRADIUS doesn't have any usernames and password and will query Active Directory for the actual authentication.
Thanks,
If the packet is merely containing plaintext username and password, then you can probably just use rlm_ldap against AD and hit it directly. Just need to setup a user with read access to the directory to do the initial bind with and search of the user for authorization. Then the user will be authenticated by doing a bind against AD with the username/password in the packet.
BTW - I use freeradius w/ ldap for cisco VPN concentrators as well, although its openldap instead of AD. To pass back the class attribute, you must modify ldap.attrmap and specify the reply item of Class to match what you call it in the directory.
eg:
replyItem Class radiusClass
Then in the directory, you have
dn: cn=someuser,... ... radiusClass: "OU=myvpngroup;"
So, for AD, you'll need to extend the schema and add an attribute for this. Or if you already have something that you can use, just modify ldap.attrmap to know what it is.
Ok, this is the part that's not working for me. I have gotten FreeRADIUS to authenticate and authorize both user and group.
Radiusd.conf: filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))" This works fine. However I can't get it to return any replyItems. Has anyone gotten this to work with Active Directory? All the docs I see on the Net refeerence OpenLDAP. I'm sure there is a lot of folks out there running Windows 2000/2003 Active Directory. I have spent a couple of days on this not having much luck. Here are a few questions that would help me a bit. 1) Do I need groupname_attribute to get this to work? 2) What about groupmembership_filter and groupmembership_attribute? My ldap.attrmap looks like this: replyItem Class groupofnames replyItem Class group I think the above is correct. Can some shed some light on this? Here is my debug output when I authenticate.... Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:37372, id=210, length=57 User-Name = "apuye" User-Password = "XXXXXXXX" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for apuye radius_xlat: '(&(sAMAccountName=apuye)(memberOf=CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))' radius_xlat: 'DC=corp,DC=van,DC=dwave' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 0 rlm_ldap: bind as cn=Alhagie Puye,ou=Information Technology,ou=DataWave Users,dc=corp,dc=van,dc=dwave/XXXXXXXX to huckster.corp.van.dwave:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter (&(sAMAccountName=apuye)(memberOf=CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user apuye authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "apuye" with password "XXXXXXXX" rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 1 rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave/XXXXXXXX to huckster.corp.van.dwave:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user apuye authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 0 modcall: group Auth-Type returns ok for request 0 Sending Access-Accept of id 210 to 127.0.0.1:37372 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 210 with timestamp 438d009d Nothing to do. Sleeping until we see a request. The ObjectClass for group is "group". Shouldn't I just be able to use that instead of extending the schema? Any help is greatly appreciated. Thanks in advance
-Dusty Doris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Disclaimer: This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.
Radiusd.conf:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
This works fine. However I can't get it to return any replyItems. Has anyone gotten this to work with Active Directory? All the docs I see on the Net refeerence OpenLDAP. I'm sure there is a lot of folks out there running Windows 2000/2003 Active Directory.
I have spent a couple of days on this not having much luck. Here are a few questions that would help me a bit.
1) Do I need groupname_attribute to get this to work?
2) What about groupmembership_filter and groupmembership_attribute?
My ldap.attrmap looks like this:
replyItem Class groupofnames replyItem Class group
I think the above is correct. Can some shed some light on this?
Is group and groupofnames something that is an attribute of a user? When freeradius searches for reply items it is searching for attributes of that user. eg: dn: cn=someuser,... group: somegroup Should then add Class = somegroup to the reply items. If you want to make reply items attached to a group, rather than in individual, you will need to set the User-Profile attribute. For example, dn: cn=somegroup,ou=groups,... group: somegroup Then in the users file. DEFAULT Ldap-Group == somegroup, User-Profile := "cn=somegroup,ou=groups,..." You may be able to do this dynamically using xlat or something like huntgroups too. If you want an example, send us an example of a user and group from AD in ldif format and an example of a radius packet that you would expect in the reply and I'll see if I can come up with an idea for ya.
participants (2)
-
Alhagie Puye -
Dusty Doris