Deny Users AD on Freeradius + Wireless&VPN

rmp dmd rmp.dmd1229 at gmail.com
Wed Apr 30 21:36:13 CEST 2008


Hi,

I checked around and saw this:

The *MS-CHAP-Use-NTLM-Auth := 0* will tell freeradius that aduser1
will not be preprocessed by the ntlm_auth auxiliary program; that is, it will
not request the key to compare credentials against the Active Directory and
will instead compare against the users file in the freeradius configuration
directory.

I also read that it is important to verify that these lines are in radiusd.conf:

authorize {
...
files
...
}

It was not in my radiusd.conf, so I added it and restarted radiusd, but now it
has errors:

Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry for module "files".
Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module "files".
Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse authorize section.

Is there something else that should be configured?

Here's the complete radiusd.conf

##
## radiusd.conf -- FreeRADIUS server configuration file.
##

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad


security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

#  Client configuration is defined in "clients.conf".
$INCLUDE  ${confdir}/clients.conf

#  To enable SNMP querying of the server, set the value of the
#  'snmp' attribute to 'yes'
snmp    = no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }

        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

        eap {
                default_eap_type = ttls
                timer_expire = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no

                tls {
                        private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key
                        certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt
                        CA_file = ${raddbdir}/certs/ca.crt
                        dh_file = ${raddbdir}/certs/dh2048.pem
                        random_file = /dev/urandom
                }

                ttls {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                }
                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }
}

authorize {
        mschap
        eap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

accounting {
        detail
}

post-auth {
}






Here's the
On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd <rmp.dmd1229 at gmail.com> wrote:

> Thanks.
>
> I put it in users:
>    aduser1  MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
> restarted radius: /etc/init.d/radiusd restart
> tested, but user aduser1 can still log in to our VPN.
>
>   On Wed, Apr 30, 2008 at 12:47 PM, Nicolas Goutte <
> nicolas.goutte at extragroup.de> wrote:
>
> >
> > On 30.04.2008 at 18:41, rmp dmd wrote:
> >
> >  thanks for the reply.
> >
> > Just to confirm.
> >
> > Do I add that line also in ~/raddb/users?
> >
> > Sorry not to have mentioned it.  I'm new to radius.
> >
> >
> > As far as I understand: yes.
> >
> > The line looks like a user entry.
> >
> > Have a nice day!
> >
> >
> >
> > Thanks again!
> > Roehl
> >
> > 2008/4/30 Ivan Kalik <tnt at kalik.net>:
> >
> > > To stop a valid AD account from being authenticated you need to avoid
> > > ntlm_auth:
> > >
> > > testuser   MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > >
> > > On 30/4/2008, "rmp dmd" <rmp.dmd1229 at gmail.com> wrote:
> > >
> > > >Hi,
> > > >
> > > >We have a wireless network that uses freeRadius integrated with AD for
> > > >authentication.  There are some test user accounts on AD that I would like
> > > >to deny access to our Wireless and VPN.
> > > >
> > > >I have tried "How do I deny access to a specific user, or group of users"
> > > >in the FAQ but it is not working.  I'm guessing that this is not the
> > > >correct method.
> > > >
> > > >Please help me on how to set-up correctly.
> > > >
> > > >Thanks!
> > > >Roehl
> > > >
> > > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> >
> >
> >
> >  Nicolas Goutte
> >
> >
> > extragroup GmbH - Karlsruhe
> > Waldstr. 49
> > 76133 Karlsruhe
> > Germany
> >
> > Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> > Court of registration: Amtsgericht Münster / HRB: 5624
> > Tax no.: 337/5903/0421 / VAT ID: DE 204607841
> >
> >
> >
> >
> >
>
>
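The thread does not reach a resolution on this page, so the following is an added example (not from any of the posters) of the pieces the error message points at: the "files" module has to be defined inside modules {} before authorize { files } can parse, and it has to run before mschap and eap so that the users entry's Auth-Type := Reject is honoured. It assumes the FreeRADIUS 1.x layout and ${confdir} variable from the posted radiusd.conf.

```conf
# Added example, not from the thread. Minimal changes to the posted radiusd.conf
# so that "Unknown module files" goes away and the users entry takes effect.
# Assumes the FreeRADIUS 1.x layout (${confdir} = /etc/raddb) shown above.

modules {
        # ... the existing detail, mschap and eap definitions stay as they are ...

        # Define the files module; listing "files" in authorize fails to parse without it.
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
}

authorize {
        # files must come first: once it sets Auth-Type := Reject, mschap and eap
        # do not overwrite Auth-Type and the request is rejected before any
        # authentication method runs. In 1.x the tunnelled TTLS/PEAP inner request
        # passes through this same section, so the entry covers wireless as well
        # as the plain MS-CHAP VPN request.
        files
        mschap
        eap
}

# ${confdir}/users: the entry from Ivan Kalik's reply. MS-CHAP-Use-NTLM-Auth := 0
# keeps ntlm_auth (and therefore AD) out of the decision for this user, and
# Auth-Type := Reject denies the request. Place it above any DEFAULT entries.
aduser1   MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
```

Start the server with radiusd -X after the change; the debug output should show rlm_files matching the aduser1 entry and the request being rejected rather than ntlm_auth being called.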