FW: mpd+freeradius+AD
Егоров Сергей
admin at i-on.ru
Fri Jun 30 10:57:21 CEST 2006
Ok, this is my users file
test Auth-Type := MS-CHAP
Framed-IP-Address = 192.168.10.65
DEFAULT Auth-Type := MS-CHAP
And this is freeradius log, then I connect to mpd via test account:
Login OK: [test/<no User-Password attribute>] (from client localhost port 0 cli 192.168.12.126)
Sending Access-Accept of id 121 to 127.0.0.1 port 49791
Framed-IP-Address = 192.168.10.65
MS-CHAP2-Success = 0x01533d42454334303938434341393443383234413844444431463938303641384133453236394441413430
MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
NAS-Identifier = "testradius.ion.ru"
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.12.126"
User-Name = "test"
Framed-IP-Address = 192.168.10.12
Acct-Status-Type = Start
Acct-Session-Id = "1652038-pptp0"
Acct-Multi-Session-Id = "1652038-pptp0"
Acct-Link-Count = 1
Acct-Authentic = RADIUS
Sending Accounting-Response of id 119 to 127.0.0.1 port 54511
In this log freeradius said that account test OK, and his address 192.168.10.65. But mpd replace it this his own. How could I improve it?
-----Original Message-----
From: Nikos Vassiliadis [mailto:nvass at teledomenet.gr]
Sent: Thursday, June 29, 2006 7:05 PM
To: Undisclosed.Recipients :
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD
On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
> >This is Framed-IP-Address in radius dialect.
>
> Thanks for explaining freeradius basic concepts. I understood, that to
> assign IP to user I should use users freeradius file. But I couldn't
> configure it correctly. Now I have only one line in this file
>
> DEFAULT Auth-Type := MS-CHAP
>
> I've add another string (for user test), but it doesn't correct
>
> test Auth-Type := MS-CHAP,
Try without the comma
run the server in debug mode(radiusd -X)
and use radclient
> Framed-IP-Address = 192.168.10.65,
>
I think you can put this in AD. Don't know...
> That should I fix?
>
>
> -----Original Message-----
> From: Nikos Vassiliadis [mailto:nvass at teledomenet.gr]
> Sent: Monday, June 26, 2006 5:09 PM
> To: freeradius-users at lists.freeradius.org
> Cc: Егоров Сергей
> Subject: Re: mpd+freeradius+AD
>
> On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> > Thanks for reply.
> >
> > >You can use one of the three firewalls avaliable in the base
> > > system(ipfw,
> > >
> > > >ipf and pf), however mpd comes with a small dictionary that uses
> > >
> > > ipfw(8) >and you can easily define some filter bound to an interface
> > > (bound to a >username) via a radius reply attribute, let filter be a
> > > pipe(for bandwidth >control) or a packet filtering expression.
> >
> > That's fine for filtering vpn users access to local net. But how could I
> > assign specific IP for specific user in AD?
> >
> > > Your questions don't clearly tell where your problem is.
> > >Active Directory? mpd? or FreeRADIUS? You should define
> > >them better in order to get help from the list.
> >
> > My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN
> > 2003 can do 1 and 2 in my questions, so I have to realize how to setup
> > this in mpd + freeradius. I already authenticate users from AD group:
> >
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
> > --challenge=%{mschap:Challenge:-00}
> > --nt-response=%{mschap:NT-Response:-00}
> > --require-membership-of=EXAMPLE+VPN_Allowed".
> >
> > But I have several vpn groups and need to setup timeouts on each one.
>
> setup timeout? This looks like Session-Timeout in radius dialect.
>
> > Also
> > I need to I assign specific IP for specific user in AD.
>
> This is Framed-IP-Address in radius dialect.
>
> > Looks like
> > FreeRadius should respond for this.
>
> Yes, you have to have basic understanding of what radius is. All of these
> are very basic setup. I don't know how FreeRADIUS interacts with AD and
> what info it should get from AD. So, try searching (or asking) for active
> directory and FreeRADIUS. Keep the mpd part out of it, since it will
> add unneeded complexity. Or perhaps start from setting up mpd and
> FreeRADIUS. And then you could add AD.
>
> A few suggestions, Nikos
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060630/9c5e44ae/attachment.html>
More information about the Freeradius-Users
mailing list