Deny Users AD on Freeradius + Wireless&VPN
Ivan Kalik
tnt at kalik.net
Thu May 1 00:39:54 CEST 2008
I am afraid your radiusd.conf is seriously butchered. The files module and
quite a few others are missing. It should be before detail but you have
deleted it.
Ivan Kalik
Kalik Informatika ISP
On 30/4/2008, "rmp dmd" <rmp.dmd1229 at gmail.com> writes:
>Hi,
>
>I checked around and see this
>
>The *MS-CHAP-Use-NTLM-Auth := 0* tells freeradius that aduser1 will not be
>preprocessed by the ntlm_auth auxiliary program, that is, it will not request
>the key to compare credentials against the Active Directory; instead, it will
>compare against the users file in the freeradius configuration directory.
>
>I also read that it is important to verify the following lines in radiusd.conf:
>
>authorize {
>....
>files
>....
>}
>
>It was not in my radiusd.conf, so I added it and restarted radiusd, but now it
>has errors:
>
>Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file
>as a chain
>Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry
>for module "files".
>Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module "files".
>Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse
>authorize section.
>
>Is there something else that should be configured?
>
>Here's the complete radiusd.conf
>
>##
>## radiusd.conf -- FreeRADIUS server configuration file.
>##
>
>prefix = /usr
>exec_prefix = ${prefix}
>sysconfdir = /etc
>localstatedir = /var
>sbindir = ${exec_prefix}/sbin
>logdir = ${localstatedir}/log/radius
>raddbdir = ${sysconfdir}/raddb
>radacctdir = ${logdir}/radacct
>confdir = ${raddbdir}
>run_dir = ${localstatedir}/run/radiusd
>log_file = ${logdir}/radius.log
>libdir = /usr/lib/freeradius
>pidfile = ${run_dir}/radiusd.pid
>user = radiusd
>group = radiusd
>max_request_time = 30
>delete_blocked_requests = no
>cleanup_delay = 5
>max_requests = 1024
>bind_address = *
>port = 0
>hostname_lookups = no
>allow_core_dumps = no
>regular_expressions = yes
>extended_expressions = yes
>log_stripped_names = no
>log_auth = yes
>log_auth_badpass = no
>log_auth_goodpass = no
>usercollide = no
>lower_user = no
>lower_pass = no
>nospace_user = no
>nospace_pass = no
>checkrad = ${sbindir}/checkrad
>
>
>security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
>}
>
>proxy_requests = yes
>$INCLUDE ${confdir}/proxy.conf
>
># Client configuration is defined in "clients.conf".
>$INCLUDE ${confdir}/clients.conf
>
># To enable SNMP querying of the server, set the value of the
># 'snmp' attribute to 'yes'
>snmp = no
>$INCLUDE ${confdir}/snmp.conf
>
>thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
>}
>
>modules {
> detail {
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
>
> mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> }
>
> eap {
> default_eap_type = ttls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
>
> tls {
> private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key
> certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt
> CA_file = ${raddbdir}/certs/ca.crt
> dh_file = ${raddbdir}/certs/dh2048.pem
> random_file = /dev/urandom
> }
>
> ttls {
> default_eap_type = mschapv2
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> }
> peap {
> default_eap_type = mschapv2
> }
> mschapv2 {
> }
> }
>}
>
>authorize {
> mschap
> eap
>}
>
>authenticate {
> Auth-Type MS-CHAP {
> mschap
> }
> eap
>}
>
>accounting {
> detail
>}
>
>post-auth {
>}
>
>Here's the
>On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd <rmp.dmd1229 at gmail.com> wrote:
>
>> Thanks.
>>
>> I put it in users:
>> aduser1 MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
>> restarted radius: /etc/init.d/radiusd restart
>> tested, but user aduser1 can still log in to our VPN.
>>
>> On Wed, Apr 30, 2008 at 12:47 PM, Nicolas Goutte <
>> nicolas.goutte at extragroup.de> wrote:
>>
>> >
>> > On 30.04.2008 at 18:41, rmp dmd wrote:
>> >
>> > thanks for the reply.
>> >
>> > Just to confirm.
>> >
>> > Do I add that line also in ~/raddb/users?
>> >
>> > Sorry not to have mentioned it. I'm new to radius.
>> >
>> >
>> > As far as I understand: yes.
>> >
>> > The line looks like a user entry.
>> >
>> > Have a nice day!
>> >
>> >
>> >
>> > Thanks again!
>> > Roehl
>> >
>> > 2008/4/30 Ivan Kalik <tnt at kalik.net>:
>> >
>> > > To stop a valid AD account from being authenticated you need to avoid
>> > > ntlm_auth:
>> > >
>> > > testuser MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
>> > >
>> > > Ivan Kalik
>> > > Kalik Informatika ISP
>> > >
>> > >
>> > > On 30/4/2008, "rmp dmd" <rmp.dmd1229 at gmail.com> writes:
>> > >
>> > > >Hi,
>> > > >
>> > > >We have a wireless network that uses freeRadius integrated with AD for
>> > > >authentication. There are some test user accounts on AD that I would like
>> > > >to deny access to on our Wireless and VPN.
>> > > >
>> > > >I have tried "How do I deny access to a specific user, or group of users"
>> > > >in the FAQ but it is not working. I'm guessing that this is not the
>> > > >correct method.
>> > > >
>> > > >Please help me on how to set-up correctly.
>> > > >
>> > > >Thanks!
>> > > >Roehl
>> > > >
>> > > >
>> > >
>> > > -
>> > > List info/subscribe/unsubscribe? See
>> > > http://www.freeradius.org/list/users.html
>> > >
>> >
>> >
>> > Nicolas Goutte
>> >
>> >
>> > extragroup GmbH - Karlsruhe
>> > Waldstr. 49
>> > 76133 Karlsruhe
>> > Germany
>> >
>> > Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
>> > Registry court: Amtsgericht Münster / HRB: 5624
>> > Tax no.: 337/5903/0421 / VAT ID: DE 204607841
>> >
>> >
>> >
>> >
>>
>>
>
>
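For reference, this is what the missing piece looks like, as an added example and not text from any of the posters: a `files` module instance in the `modules` section (its absence is exactly what the "Cannot find a configuration entry for module "files"" error means), listed in `authorize` ahead of `mschap` and `eap` so the check items it sets are already on the request when `mschap` decides whether to call `ntlm_auth`, together with the `users` entry suggested earlier in the thread. The `${confdir}` variable is the one already defined in the posted radiusd.conf; the `acct_users`/`preproxy_users` file names are the FreeRADIUS 1.x defaults, and the `Reply-Message` text is an assumption.

```conf
# radiusd.conf (FreeRADIUS 1.x): only the parts that change, everything else
# stays as posted above.
modules {
	# Instance of rlm_files. Without this block the name "files" in the
	# authorize section cannot be resolved, which is the error in the log.
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}

	# ... detail, mschap and eap as posted ...
}

authorize {
	# Order matters: files must run before mschap and eap so that the
	# check items it sets (MS-CHAP-Use-NTLM-Auth, Auth-Type) are already
	# in the request when those modules look at it.
	files
	mschap
	eap
}

# ${confdir}/users: deny one AD account. This entry is only ever consulted
# once the files module above is defined and listed in authorize.
aduser1	MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
	Reply-Message = "Account blocked on wireless and VPN"
```

Two things to check after restarting. First, run `radiusd -X` once and confirm that rlm_files loads and reads the users file, then authenticate as the blocked account and expect an Access-Reject; with EAP-TTLS/PEAP (inner mschapv2, as in this config) the tunneled inner request is the one that carries the real user name and it is passed through `authorize` as well, so the entry matches on the inner identity, while a plain MS-CHAP VPN request is matched directly. Second, the match is on the exact name the client sent (Stripped-User-Name if a module set it, otherwise User-Name): `DOMAIN\aduser1` or `aduser1@domain` would not match this entry and `ntlm_auth` would still accept them, unless names are normalized (for example with the realm module) or an entry exists for each form. A users-file reject is a convenient per-service block; disabling the account in AD itself remains the more robust control.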