Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]

darkblue darkblue2000 at gmail.com
Thu Dec 1 12:37:10 CET 2005


I have a question about the PEAP method: do I need to import the client
certificate from the FreeRADIUS CA server to the WinXP client, or just
import the server certificate?

2005/11/27, Alhagie Puye <APuye at datawave.com>:
> Thanks Dusty. That's very helpful.
>
> I have one little problem. I was hoping someone can shed some light on
> it.
>
> For the Active Directory security, I need to specify the username as
> "Domain\user" instead of just "user" for the identity in radiusd.conf
>
> "user at domain.com" doesn't seem to work.
>
> Here is the output:
>
> rad_recv: Access-Request packet from host 192.168.42.1:50667, id=146,
> length=57
>        User-Name = "user"
>        User-Password = "password"
>        NAS-IP-Address = 255.255.255.255
>        NAS-Port = 1
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
>  modcall[authorize]: module "preprocess" returns ok for request 4
>  modcall[authorize]: module "chap" returns noop for request 4
>  modcall[authorize]: module "mschap" returns noop for request 4
>    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 4
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 4
>    users: Matched entry DEFAULT at line 153
>  modcall[authorize]: module "files" returns ok for request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for apuye
> radius_xlat:  '(uid=apuye)'
> radius_xlat:  'dc=ad,dc=puyenet,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to orion.puyenet.com:389, authentication 0
> rlm_ldap: bind as
> cn=apuye at ad.puyenet.com,ou=users,dc=ad,dc=puyenet,dc=com/password to
> orion.puyenet.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap
> section of radiusd.conf
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns fail for request 4
> modcall: group authorize returns fail for request 4
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 146 with timestamp 4388ab87
> Nothing to do.  Sleeping until we see a request.
>
> The radiusd.conf file looks like this for the ldap section:
> ldap {
>         server = "orion.puyenet.com"
>         # identity = "cn=admin,o=My Org,c=UA"
>         identity = "cn=apuye at ad.puyenet.com,ou=users,dc=ad,dc=puyenet,dc=com"
>         password = password
>         #basedn = "o=My Org,c=UA"
>         basedn = "dc=ad,dc=puyenet,dc=com"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
> }
>
>
> Thanks in advance.
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
>
> > >-----Original Message-----
> > >From: freeradius-users-bounces at lists.freeradius.org
> > >[mailto:freeradius-users-bounces at lists.freeradius.org] On
> > >Behalf Of Dusty Doris
> > >Sent: November 25, 2005 9:43 AM
> > >To: FreeRadius users mailing list
> > >Subject: RE: Freeradius How to integrate Active
> > >Directory[ADIntegrationWindowsXP NTLM Tutorial]
> > >
> > >
> > >> So, the question again is if the VPN Concentrator is only sending
> > >> username and password, do I need ntlm_auth or ms-chap? FreeRADIUS
> > >> doesn't have any usernames and passwords and will query Active
> > >> Directory for the actual authentication.
> > >>
> > >> Thanks,
> > >>
> > >
> > >If the packet merely contains a plaintext username and
> > >password, then you can probably just use rlm_ldap against AD
> > >and hit it directly.  You just need to set up a user with read
> > >access to the directory to do the initial bind with and
> > >search for the user for authorization.  Then the user will be
> > >authenticated by doing a bind against AD with the
> > >username/password in the packet.
> > >
> > >BTW - I use freeradius w/ ldap for cisco VPN concentrators
> > >as well, although it's OpenLDAP instead of AD.  To pass back
> > >the class attribute, you must modify ldap.attrmap and
> > >specify the reply item of Class to match what you call it in
> > >the directory.
> > >
> > >eg:
> > >
> > >replyItem    Class   radiusClass
> > >
> > >Then in the directory, you have
> > >
> > >dn: cn=someuser,...
> > >...
> > >radiusClass: "OU=myvpngroup;"
> > >
> > >So, for AD, you'll need to extend the schema and add an
> > >attribute for this.  Or if you already have something that
> > >you can use, just modify ldap.attrmap to know what it is.
> > >
> > >-Dusty Doris
> > >-
> > >List info/subscribe/unsubscribe? See
> > >http://www.freeradius.org/list/users.html
> > >
>
>


--
He is nothing
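As an added illustration (not code from the thread or from FreeRADIUS), this Python model reproduces what the quoted log shows: the realm module splitting User-Name on '@' (suffix) or '\' (ntdomain), and the ldap section's filter `(uid=%{Stripped-User-Name:-%{User-Name}})` expanding to `(uid=apuye)` when no realm is present, so you can see which name each identity format ("user", "user@domain", "DOMAIN\user") would be searched under. The xlat expander and the RFC 4515 escaping are simplified stand-ins for FreeRADIUS' internals, and the model strips the realm whenever a delimiter is present, which the real module only does for a configured realm.

```python
LDAP_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def ldap_filter_escape(value):
    """Escape RFC 4515 filter metacharacters before substituting user-controlled text."""
    return ''.join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def split_realm(user_name):
    """Model the realm module: 'suffix' splits user@realm, 'ntdomain' splits REALM\\user.
    Returns (stripped_name, realm); realm None is the log's "looking up realm NULL" case."""
    if '@' in user_name:
        user, realm = user_name.rsplit('@', 1)
        return user, realm
    if '\\' in user_name:
        realm, user = user_name.split('\\', 1)
        return user, realm
    return user_name, None

def expand(template, attrs):
    """Expand %{Attr} and %{Attr:-fallback}; the fallback may itself be an %{...} xlat."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith('%{', i):
            out.append(template[i])
            i += 1
            continue
        depth, j = 0, i
        while j < len(template):  # locate the brace that closes this xlat
            if template.startswith('%{', j):
                depth, j = depth + 1, j + 2
                continue
            if template[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        name, has_fallback, fallback = template[i + 2:j].partition(':-')
        value = attrs.get(name)
        if value is None and has_fallback:
            out.append(expand(fallback, attrs))  # the recursive call escapes the value
        else:
            out.append(ldap_filter_escape(value or ''))
        i = j + 1
    return ''.join(out)

def build_filter(user_name, template='(uid=%{Stripped-User-Name:-%{User-Name}})'):
    """Return (ldap_filter, realm) for a User-Name as the thread's ldap section would see it."""
    stripped, realm = split_realm(user_name)
    attrs = {'User-Name': user_name, 'Stripped-User-Name': stripped if realm is not None else None}
    return expand(template, attrs), realm
```

Running `build_filter('apuye')` yields `('(uid=apuye)', None)`, the exact filter and NULL-realm lookup in the quoted debug output; the escaping keeps a name containing filter metacharacters from changing the shape of the search.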