Hi All, I'm following along with the docs for Autz-Type in freeradius-2.1.8, specifically the section about selecting between multiple instances of a module. In users.conf I have: DEFAULT Realm == "siteone.edu", Autz-Type := siteone_ldap, Auth-Type := siteone_ldap In sites-enabled/default I have: authorize{ preprocess chap mscap suffix ntdomain Autz-Type siteone_ldap{ siteone_ldap } ... } authenticate{ ... Auth-Type siteone_ldap { siteone_ldap } } In proxy.conf I have: realm "siteone.edu" { authhost = LOCAL accthost = LOCAL } When I run radiusd -XC I get the following parse error: /etc/raddb/users[205]: Parse error (check) for entry DEFAULT: Unknown value siteone_ldap for attribute Autz-Type Errors reading /etc/raddb/users As far as I can tell I'm following the example verbatim. Can someone shed some light on why I'm getting the parse error? Below if full debug output: [root@avocet raddb]# radiusd -XC FreeRADIUS Version 2.1.8, for host i386-redhat-linux-gnu, built on Jan 19 2010 at 18:23:59 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/siteone_ntlm_auth including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/siteone_ldap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm siteone.edu { authhost = LOCAL accthost = LOCAL } realm siteone { authhost = LOCAL accthost = LOCAL } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Skipping instantiation of expiration Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Skipping instantiation of mschap Module: Linked to module rlm_ldap Module: Skipping instantiation of ldap Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/radius.siteone.edu-key.pem" certificate_file = "/etc/raddb/certs/radius.siteone.edu-cert.pem" CA_file = "/etc/pki/tls/cert.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } /etc/raddb/users[205]: Parse error (check) for entry DEFAULT: Unknown value siteone_ldap for attribute Autz-Type Errors reading /etc/raddb/users /etc/raddb/modules/files[7]: Instantiation failed for module "files" /etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files". /etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
Harry Hoffman wrote:
I'm following along with the docs for Autz-Type in freeradius-2.1.8, specifically the section about selecting between multiple instances of a module.
In 2.x, there are better ways to do this. See "man unlang" for conditionally calling a module.
In users.conf I have: DEFAULT Realm == "siteone.edu", Autz-Type := siteone_ldap, Auth-Type := siteone_ldap
Please don't say "users.conf". It's the "users" file. The issue is that 2.x has the "inner-tunnel" virtual server, and the documentation is left over from 1.1.x. The solution is instead to *not* use the "users" file. Instead, do: authorize { ... if (Realm == "siteone.edu") { siteone_ldap } ... } This will *also* have it automatically set "Auth-Type" to siteone_ldap, too. That's simpler than the "users" file entry, and gives less room for mistakes. Alan DeKok.
Hi Alan, Thanks for the help! This works well and lessens the confusion on my part. I do have one question. When using ldap as the authorization module the Auth-Type gets set properly to siteone_ldap. But if I try using ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK. rad_recv: Access-Request packet from host 127.0.0.1 port 38806, id=14, length=63 User-Name = "SITEONE\\hhoffman" User-Password = "password" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SITEONE\hhoffman", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "SITEONE" for User-Name = "SITEONE\hhoffman" [ntdomain] Found realm "SITEONE" [ntdomain] Adding Stripped-User-Name = "hhoffman" [ntdomain] Adding Realm = "SITEONE" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++? if (!Realm) ? Evaluating !(Realm) -> FALSE ++? if (!Realm) -> FALSE ++? elsif (Realm == "siteone.edu") ? Evaluating (Realm == "siteone.edu") -> FALSE ++? elsif (Realm == "siteone.edu") -> FALSE ++? elsif (Realm == "SITEONE") ? Evaluating (Realm == "SITEONE") -> TRUE ++? elsif (Realm == "SITEONE") -> TRUE ++- entering elsif (Realm == "SITEONE") {...} [siteone_ntlm_auth] expand: --username=%{Stripped-User-Name} -> --username=hhoffman [siteone_ntlm_auth] expand: --password=%{User-Password} -> --password=password Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 +++[siteone_ntlm_auth] returns ok ++- elsif (Realm == "SITEONE") returns ok ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping elsif for request 6: Preceding "if" was taken [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [SITEONE\\hhoffman] (from client localhost port 1812) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> SITEONE\hhoffman attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 14 to 127.0.0.1 port 38806 Waking up in 4.9 seconds. Cleaning up request 6 ID 14 with timestamp +864 Ready to process requests. On Tue, 2010-10-12 at 21:48 +0200, Alan DeKok wrote:
Harry Hoffman wrote:
I'm following along with the docs for Autz-Type in freeradius-2.1.8, specifically the section about selecting between multiple instances of a module.
In 2.x, there are better ways to do this. See "man unlang" for conditionally calling a module.
In users.conf I have: DEFAULT Realm == "siteone.edu", Autz-Type := siteone_ldap, Auth-Type := siteone_ldap
Please don't say "users.conf". It's the "users" file.
The issue is that 2.x has the "inner-tunnel" virtual server, and the documentation is left over from 1.1.x. The solution is instead to *not* use the "users" file. Instead, do:
authorize { ... if (Realm == "siteone.edu") { siteone_ldap } ... }
This will *also* have it automatically set "Auth-Type" to siteone_ldap, too. That's simpler than the "users" file entry, and gives less room for mistakes.
Alan DeKok.
On 13/10/10 14:40, Harry Hoffman wrote:
Hi Alan,
Thanks for the help! This works well and lessens the confusion on my part.
I do have one question. When using ldap as the authorization module the Auth-Type gets set properly to siteone_ldap. But if I try using
That's a feature of the "ldap" module; if it is a "named" module it sets the Auth-Type to that name (otherwise using "LDAP")
ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK.
The (confusingly named) "ntlm_auth" module is actually a copy of the "exec" module which checks PAP requests; it does not have that feature. You are also using it wrong, by running it in the "authorize" section. You want something like: authorize { if (Realm == ...) { ldap_siteone } elsif (Realm == ...) { update control { Auth-Type := PAP-ntdom } } } authenticate { Auth-Type ldap_siteone { ldap_siteone } Auth-Type PAP-ntdom { ntlm_auth } } I guess the other alternative is: authorize { if (Realm == ...) { ldap_siteone } elsif (Realm == ...) { ntlm_auth if (ok) { update control { Auth-Type := PAP-ntdom } } } } ...but maybe it's not really what you should be doing; "authenticate" should happen after "authorize"
Hi Phil, Thanks for the pointers. I was attempting to use ntlm_auth to ensure the account actually existed for the authorization section. And then again in the authentication section to ensure the user name and password match. Is there a better way to check for authorization against AD? Cheers, Harry On Wed, 2010-10-13 at 14:56 +0100, Phil Mayers wrote:
On 13/10/10 14:40, Harry Hoffman wrote:
Hi Alan,
Thanks for the help! This works well and lessens the confusion on my part.
I do have one question. When using ldap as the authorization module the Auth-Type gets set properly to siteone_ldap. But if I try using
That's a feature of the "ldap" module; if it is a "named" module it sets the Auth-Type to that name (otherwise using "LDAP")
ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK.
The (confusingly named) "ntlm_auth" module is actually a copy of the "exec" module which checks PAP requests; it does not have that feature. You are also using it wrong, by running it in the "authorize" section.
You want something like:
authorize { if (Realm == ...) { ldap_siteone } elsif (Realm == ...) { update control { Auth-Type := PAP-ntdom } } }
authenticate { Auth-Type ldap_siteone { ldap_siteone } Auth-Type PAP-ntdom { ntlm_auth } }
I guess the other alternative is:
authorize { if (Realm == ...) { ldap_siteone } elsif (Realm == ...) { ntlm_auth if (ok) { update control { Auth-Type := PAP-ntdom } } } }
...but maybe it's not really what you should be doing; "authenticate" should happen after "authorize" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 13/10/10 15:17, Harry Hoffman wrote:
Hi Phil,
Thanks for the pointers. I was attempting to use ntlm_auth to ensure the account actually existed for the authorization section. And then again in the authentication section to ensure the user name and password match.
But that's not what you're doing. You're actually issuing a password check request. And why check twice? If they don't exist, auth will fail in the authenticate {} section.
Is there a better way to check for authorization against AD?
"It depends". What does "authorization" in this context mean? AD has an integrated LDAP server, which is moderately useful; if you configure FreeRadius you can
participants (3)
-
Alan DeKok -
Harry Hoffman -
Phil Mayers