Deny Users AD on Freeradius + Wireless&VPN

Ivan Kalik tnt at kalik.net
Thu May 1 00:39:54 CEST 2008


I am afraid your radiusd.conf is seriously butchered. The files module and
quite a few others are missing. It should be before detail, but you have
deleted it.

Ivan Kalik
Kalik Informatika ISP


On 30/4/2008, "rmp dmd" <rmp.dmd1229 at gmail.com> writes:

>Hi,
>
>I checked around and see this
>
>The *MS-CHAP-Use-NTLM-Auth := 0* tells FreeRADIUS that aduser1 will not be
>preprocessed by the ntlm_auth auxiliary program, that is, it will not
>request the key to compare credentials against Active Directory; instead,
>it will compare against the users file in the FreeRADIUS configuration
>directory.
>
>I also read that it is important to verify the line in radiusd.conf:
>
>authorize {
>....
>files
>....
>}
>
>It was not in my radiusd.conf, so I added it and restarted radiusd, but now
>it has errors:
>
>Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file
>as a chain
>Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry
>for module "files".
>Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module "files".
>Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse
>authorize section.
>
>Is there something else that should be configured?
>
>Here's the complete radiusd.conf
>
>##
>## radiusd.conf -- FreeRADIUS server configuration file.
>##
>
>prefix = /usr
>exec_prefix = ${prefix}
>sysconfdir = /etc
>localstatedir = /var
>sbindir = ${exec_prefix}/sbin
>logdir = ${localstatedir}/log/radius
>raddbdir = ${sysconfdir}/raddb
>radacctdir = ${logdir}/radacct
>confdir = ${raddbdir}
>run_dir = ${localstatedir}/run/radiusd
>log_file = ${logdir}/radius.log
>libdir = /usr/lib/freeradius
>pidfile = ${run_dir}/radiusd.pid
>user = radiusd
>group = radiusd
>max_request_time = 30
>delete_blocked_requests = no
>cleanup_delay = 5
>max_requests = 1024
>bind_address = *
>port = 0
>hostname_lookups = no
>allow_core_dumps = no
>regular_expressions     = yes
>extended_expressions    = yes
>log_stripped_names = no
>log_auth = yes
>log_auth_badpass = no
>log_auth_goodpass = no
>usercollide = no
>lower_user = no
>lower_pass = no
>nospace_user = no
>nospace_pass = no
>checkrad = ${sbindir}/checkrad
>
>
>security {
>        max_attributes = 200
>        reject_delay = 1
>        status_server = no
>}
>
>proxy_requests  = yes
>$INCLUDE  ${confdir}/proxy.conf
>
>#  Client configuration is defined in "clients.conf".
>$INCLUDE  ${confdir}/clients.conf
>
>#  To enable SNMP querying of the server, set the value of the
>#  'snmp' attribute to 'yes'
>snmp    = no
>$INCLUDE  ${confdir}/snmp.conf
>
>thread pool {
>        start_servers = 5
>        max_servers = 32
>        min_spare_servers = 3
>        max_spare_servers = 10
>        max_requests_per_server = 0
>}
>
>modules {
>        detail {
>                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>                detailperm = 0600
>        }
>
>        mschap {
>                authtype = MS-CHAP
>                use_mppe = yes
>                require_encryption = yes
>                require_strong = yes
>                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>        }
>
>        eap {
>                default_eap_type = ttls
>                timer_expire     = 60
>                ignore_unknown_eap_types = no
>                cisco_accounting_username_bug = no
>
>                tls {
>                        private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key
>                        certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt
>                        CA_file = ${raddbdir}/certs/ca.crt
>                        dh_file = ${raddbdir}/certs/dh2048.pem
>                        random_file = /dev/urandom
>                }
>
>                ttls {
>                        default_eap_type = mschapv2
>                        copy_request_to_tunnel = no
>                        use_tunneled_reply = no
>                }
>                peap {
>                        default_eap_type = mschapv2
>                }
>                mschapv2 {
>                }
>        }
>}
>
>authorize {
>        mschap
>        eap
>}
>
>authenticate {
>        Auth-Type MS-CHAP {
>                mschap
>        }
>        eap
>}
>
>accounting {
>        detail
>}
>
>post-auth {
>}
>
>
>
>
>
>
>Here's the
>On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd <rmp.dmd1229 at gmail.com> wrote:
>
>> Thanks.
>>
>> I put it in users:
>>    aduser1  MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
>> restarted radius: /etc/init.d/radiusd restart
>> and tested, but user aduser1 can still log in to our VPN.
>>
>>   On Wed, Apr 30, 2008 at 12:47 PM, Nicolas Goutte <
>> nicolas.goutte at extragroup.de> wrote:
>>
>> >
>> >  On 30.04.2008 at 18:41, rmp dmd wrote:
>> >
>> >  thanks for the reply.
>> >
>> > Just to confirm.
>> >
>> > Do I add that line also in ~/raddb/users?
>> >
>> > Sorry not to have mentioned it.  I'm new to RADIUS.
>> >
>> >
>> > As far as I understand: yes.
>> >
>> > The line looks like an user entry.
>> >
>> > Have a nice day!
>> >
>> >
>> >
>> > Thanks again!
>> > Roehl
>> >
>> > 2008/4/30 Ivan Kalik <tnt at kalik.net>:
>> >
>> > > To stop a valid AD account from being authenticated you need to avoid
>> > > ntlm_auth:
>> > >
>> > > testuser   MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
>> > >
>> > > Ivan Kalik
>> > > Kalik Informatika ISP
>> > >
>> > >
>> > > On 30/4/2008, "rmp dmd" <rmp.dmd1229 at gmail.com> writes:
>> > >
>> > > >Hi,
>> > > >
>> > > >We have a wireless network that uses freeRadius integrated with AD
>> > > >for authentication.  There are some test user accounts on AD that I
>> > > >would like to deny access to on our wireless and VPN.
>> > > >
>> > > >I have tried "How do I deny access to a specific user, or group of
>> > > >users" in the FAQ but it is not working.  I'm guessing that this is
>> > > >not the correct method.
>> > > >
>> > > >Please help me on how to set-up correctly.
>> > > >
>> > > >Thanks!
>> > > >Roehl
>> > > >
>> > > >
>> > >
>> > > -
>> > > List info/subscribe/unsubscribe? See
>> > > http://www.freeradius.org/list/users.html
>> > >
>> >
>> >
>> >
>> >  Nicolas Goutte
>> >
>> >
>> > extragroup GmbH - Karlsruhe
>> > Waldstr. 49
>> > 76133 Karlsruhe
>> > Germany
>> >
>> > Managing Directors (Geschäftsführer): Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
>> > Register court: Amtsgericht Münster / HRB: 5624
>> > Tax no.: 337/5903/0421 / VAT ID: DE 204607841
>> >
>> >
>> >
>> >
>> >
>>
>>
>
>
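A worked configuration for the fix Ivan describes, added here as an example; it is not taken from the thread or from the radiusd.conf that FreeRADIUS ships. It shows the two edits the posted radiusd.conf needs (the files module instantiated inside modules { } and then called from authorize) together with the reject entries in the users file. The FreeRADIUS 1.x layout matches the posted file; the usersfile paths, the usernames aduser1 and aduser2, and the placement of files after mschap and eap are assumptions.

```text
# radiusd.conf -- added example, not from the thread or the shipped config.
# Only the parts that change are shown; keep the posted detail, mschap and
# eap blocks as they are.

modules {
        # A module can only be listed in authorize after it has been
        # instantiated here. Without this block the server stops with
        # 'Cannot find a configuration entry for module "files"'.
        files {
                usersfile = ${confdir}/users                 # assumed path
                acctusersfile = ${confdir}/acct_users        # assumed path
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }

        # detail { ... }   unchanged from the posted config
        # mschap { ... }   unchanged from the posted config
        # eap    { ... }   unchanged from the posted config
}

authorize {
        mschap
        eap
        # files runs last so the ":=" operators in the users file replace
        # the Auth-Type that mschap or eap already set for this request.
        files
}

# authenticate, accounting and post-auth stay as posted.
```

```text
# /etc/raddb/users -- added example; one line per AD account to block
# (assumed usernames). MS-CHAP-Use-NTLM-Auth := 0 stops rlm_mschap from
# calling ntlm_auth for the account; Auth-Type := Reject refuses it
# before any authentication method runs.
aduser1   MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
aduser2   MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
```

Two checks worth making after the change. First, run the server in the foreground with radiusd -X and watch the debug output for the request: the users file entry matches on Stripped-User-Name when a realm module has split the name, otherwise on User-Name exactly as the client sent it, so a Windows client that sends DOMAIN\aduser1 or aduser1@domain will not match a bare aduser1 line unless a realm module strips it first. Second, with EAP-TTLS or PEAP (as in the posted eap block) the identity that matters is the inner one; in a 1.x configuration with no virtual servers the tunnelled inner request passes through this same authorize section, so the files entry is applied to the inner username as well.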




More information about the Freeradius-Users mailing list