Freeradius+Active directory - router login authentication

Rakesh Jha rakesh at burgan.com
Tue Sep 11 12:13:14 CEST 2007


Thanks a lot Fredriksson. I managed to start the radius daemon successfully
with your suggestions; now my next problem is to test user authentication
from Active Directory. Using ntlm_auth I can test user authentication.
When I do the following:

radtest ActDirectUser ActDirectUserPassword 127.0.0.1 1812 testing123
Sending Access-Request of id 178 to 127.0.0.1 port 1812
        User-Name = "ActDirectUser"
        User-Password = "ActDirectUserPassword"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=178, length=20

And when I use the IP address x.x.x.x in place of 127.0.0.1, the requests
keep being resent and ultimately I get "radclient: no response from
server for ID nnn".
I need more help.

THANKS

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Turbo Fredriksson
Sent: Monday, September 10, 2007 2:06 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Freeradius+Active directory - router login authentication

Quoting "Rakesh Jha" <rakesh at burgan.com>:

I'm far from an expert in FreeRADIUS (so take what I say with a
grain of salt), but I instantly noticed this.

>  tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
>  tls: check_cert_cn = "(null)"
>  tls: cipher_list = "(null)"
>  tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap_tls: Unable to open DH file - (null)
> rlm_eap: Failed to initialize type tls

It can't open the 'DH file' (don't quite know which one that is),
but I would assume that it's some (or maybe all?) of the first
three files. Do they exist? Does the freeradius daemon have the
right to _read_ those files (are you running the daemon under some
user _not_ root?)? I run (default in Debian GNU/Linux) the daemon
under the 'freerad' user, so this user must be able to read the
files mentioned (AND have the right to access all directory paths
before it).

Also, the 'check_cert_cn' is empty. If you don't use it, uncomment
it in the config file. That probably goes for the options 'check_cert_cn'
and 'check_cert_issuer' too.

I DO use them, and my eap.conf file looks like this:

----- s n i p -----
celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf
                        check_cert_issuer = "<see below>"
                        check_cert_cn = %{User-Name}
                        cipher_list = "DEFAULT"
----- s n i p -----

The 'check_cert_issuer' value is a little personal (something
I wouldn't want to post to the 'Net) but is the value
found in the 'subject' line when running the command:

  openssl x509 -subject -noout -in <cacert>

----- s n i p -----
celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem
subject= <secret>
----- s n i p -----

> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.

These will probably go away once you have fixed the tls parts
above...

> As you have written 'as are most "helpful" pages not on
> freeradius.org',
> can you please suggest some links which guide correctly to configure
> radius, openssl and active directory.

I think Alan is a little 'judgmental' (wrong choice, but I
can't quite get the exact translation of what I meant) here.
I would be too if (since!) people don't think for themselves and
only follow external 'documentation' by the letter without
trying to actually understand what it means...

Following ANY documentation requires UNDERSTANDING! Not HOW,
but WHY ('... a certain option is used with a special value').

DISCLAIMER (before Alan slaps me :): I'm in no way better
           myself - I'm lousy at reading documentation.
           I only read a little here and a little there,
           but I (almost) always understand the parts that
           I DO read :)
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Attention: 
Any non-official business related views, opinions and other information presented in this electronic mail
are solely those of the sender/author.
Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressee
indicated in this mail or responsible for delivering this message to the intended recipient,
you should delete this message and notify the sender immediately.
-------------------------------------------------------
Burgan Bank S.A.K
www.burgan.com
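Fredriksson's diagnosis above (the daemon user must be able to read every TLS file named in eap.conf, and to search every directory on the way to it) can be checked before starting the daemon. The script below is an added example, not code from the thread or from FreeRADIUS: it evaluates the classic Unix permission bits for an arbitrary uid and gid set, so it can be run as root against the 'freerad' user (or whatever user your radiusd runs as); the paths it is meant to be pointed at are the cert-srv.pem and cacert.pem files from the quoted debug output.

```python
import grp
import os
import pwd

READ, SEARCH = 4, 1  # permission bits as they appear in the 'other' (rwx) triplet


def bits_allow(mode: int, owner: int, group: int, uid: int, gids: set, need: int) -> bool:
    """Classic Unix DAC check: does uid (member of gids) get `need` on an object
    with st_mode `mode` owned by owner:group? Root bypasses read/search checks."""
    if uid == 0:
        return True
    if owner == uid:            # owner triplet
        return (mode >> 6) & need == need
    if group in gids:           # group triplet
        return (mode >> 3) & need == need
    return mode & need == need  # other triplet


def check_readable_as(path: str, uid: int, gids: set) -> list:
    """Problems that stop `uid` reading `path`: every directory on the way must be
    searchable (x) for it, the file itself readable (r) and non-empty."""
    path = os.path.abspath(path)
    problems, prefix = [], os.sep
    for comp in [p for p in path.split(os.sep) if p][:-1]:
        prefix = os.path.join(prefix, comp)
        try:
            st = os.stat(prefix)
        except FileNotFoundError:
            return problems + [f"{prefix}: directory does not exist"]
        if not bits_allow(st.st_mode, st.st_uid, st.st_gid, uid, gids, SEARCH):
            problems.append(f"{prefix}: uid {uid} lacks search (x) permission")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return problems + [f"{path}: file does not exist"]
    if not bits_allow(st.st_mode, st.st_uid, st.st_gid, uid, gids, READ):
        problems.append(f"{path}: uid {uid} lacks read permission")
    elif st.st_size == 0:
        problems.append(f"{path}: file is empty")
    return problems


def check_user_files(user: str, files) -> dict:
    """Resolve a daemon user (e.g. Debian's 'freerad') to uid + all its gids,
    then report the problems for each configured file (empty list == readable)."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return {f: check_readable_as(f, pw.pw_uid, gids) for f in files}
```

Run it as, for example, `check_user_files("freerad", ["/usr/local/etc/raddb/certs/cert-srv.pem", "/usr/local/etc/raddb/certs/demoCA/cacert.pem"])`; a non-empty list names the first directory or file the daemon user cannot get through.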
