Deny Users AD on Freeradius + Wireless&VPN
rmp dmd
rmp.dmd1229 at gmail.com
Thu May 1 15:52:58 CEST 2008
Thanks for the lead, Ivan. I was able to make it work by changing radiusd.conf.
I added the module:
files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/preproxy_users
    compat = no
}
and in authorize {
    ....
    files
    ....
Thanks also Nicolas.
2008/4/30 Ivan Kalik <tnt at kalik.net>:
> I am afraid your radiusd.conf is seriously butchered. The files module and
> quite a few others are missing. It should be before detail but you have
> deleted it.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 30/4/2008, "rmp dmd" <rmp.dmd1229 at gmail.com> piše:
>
> >Hi,
> >
> >I checked around and see this
> >
> >The *MS-CHAP-Use-NTLM-Auth := 0* tells freeradius that aduser1 will not be
> >preprocessed by the ntlm_auth auxiliary program, that is, it will not request
> >the key to compare credentials against the Active Directory; instead, it will
> >compare against the users file of the freeradius configuration directory.
> >
> >I also read that it is important to verify this line in radiusd.conf:
> >
> >authorize {
> >....
> >files
> >....
> >}
> >
> >It was not in my radiusd.conf so I added it and restarted radiusd, but now it
> >has errors:
> >
> >Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
> >Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry for module "files".
> >Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module "files".
> >Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse authorize section.
> >
> >Is there something else that should be configured?
> >
> >Here's the complete radiusd.conf
> >
> >##
> >## radiusd.conf -- FreeRADIUS server configuration file.
> >##
> >
> >prefix = /usr
> >exec_prefix = ${prefix}
> >sysconfdir = /etc
> >localstatedir = /var
> >sbindir = ${exec_prefix}/sbin
> >logdir = ${localstatedir}/log/radius
> >raddbdir = ${sysconfdir}/raddb
> >radacctdir = ${logdir}/radacct
> >confdir = ${raddbdir}
> >run_dir = ${localstatedir}/run/radiusd
> >log_file = ${logdir}/radius.log
> >libdir = /usr/lib/freeradius
> >pidfile = ${run_dir}/radiusd.pid
> >user = radiusd
> >group = radiusd
> >max_request_time = 30
> >delete_blocked_requests = no
> >cleanup_delay = 5
> >max_requests = 1024
> >bind_address = *
> >port = 0
> >hostname_lookups = no
> >allow_core_dumps = no
> >regular_expressions = yes
> >extended_expressions = yes
> >log_stripped_names = no
> >log_auth = yes
> >log_auth_badpass = no
> >log_auth_goodpass = no
> >usercollide = no
> >lower_user = no
> >lower_pass = no
> >nospace_user = no
> >nospace_pass = no
> >checkrad = ${sbindir}/checkrad
> >
> >
> >security {
> > max_attributes = 200
> > reject_delay = 1
> > status_server = no
> >}
> >
> >proxy_requests = yes
> >$INCLUDE ${confdir}/proxy.conf
> >
> ># Client configuration is defined in "clients.conf".
> >$INCLUDE ${confdir}/clients.conf
> >
> ># To enable SNMP querying of the server, set the value of the
> ># 'snmp' attribute to 'yes'
> >snmp = no
> >$INCLUDE ${confdir}/snmp.conf
> >
> >thread pool {
> > start_servers = 5
> > max_servers = 32
> > min_spare_servers = 3
> > max_spare_servers = 10
> > max_requests_per_server = 0
> >}
> >
> >modules {
> >    detail {
> >        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> >        detailperm = 0600
> >    }
> >
> >    mschap {
> >        authtype = MS-CHAP
> >        use_mppe = yes
> >        require_encryption = yes
> >        require_strong = yes
> >        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> >    }
> >
> >    eap {
> >        default_eap_type = ttls
> >        timer_expire = 60
> >        ignore_unknown_eap_types = no
> >        cisco_accounting_username_bug = no
> >
> >        tls {
> >            private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key
> >            certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt
> >            CA_file = ${raddbdir}/certs/ca.crt
> >            dh_file = ${raddbdir}/certs/dh2048.pem
> >            random_file = /dev/urandom
> >        }
> >
> >        ttls {
> >            default_eap_type = mschapv2
> >            copy_request_to_tunnel = no
> >            use_tunneled_reply = no
> >        }
> >        peap {
> >            default_eap_type = mschapv2
> >        }
> >        mschapv2 {
> >        }
> >    }
> >}
> >
> >authorize {
> >    mschap
> >    eap
> >}
> >
> >authenticate {
> >    Auth-Type MS-CHAP {
> >        mschap
> >    }
> >    eap
> >}
> >
> >accounting {
> >    detail
> >}
> >
> >post-auth {
> >}
> >
> >Here's the
> >On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd <rmp.dmd1229 at gmail.com> wrote:
> >
> >> Thanks.
> >>
> >> I put it on users
> >> aduser1 MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
> >> restart radius: /etc/init.d/radiusd restart
> >> test but user aduser1 can still log to our VPN.
> >>
> >> On Wed, Apr 30, 2008 at 12:47 PM, Nicolas Goutte <
> >> nicolas.goutte at extragroup.de> wrote:
> >>
> >> >
> >> > Am 30.04.2008 um 18:41 schrieb rmp dmd:
> >> >
> >> > thanks for the reply.
> >> >
> >> > Just to confirm.
> >> >
> >> > I add that line also on ~/raddb/users?
> >> >
> >> > Sorry to not have mentioned. I'm new on radius.
> >> >
> >> >
> >> > As far as I understand: yes.
> >> >
> >> > The line looks like an user entry.
> >> >
> >> > Have a nice day!
> >> >
> >> >
> >> >
> >> > Thanks again!
> >> > Roehl
> >> >
> >> > 2008/4/30 Ivan Kalik <tnt at kalik.net>:
> >> >
> >> > > To stop a valid AD account from being authenticated you need to avoid
> >> > > ntlm_auth:
> >> > >
> >> > > testuser MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
> >> > >
> >> > > Ivan Kalik
> >> > > Kalik Informatika ISP
> >> > >
> >> > >
> >> > > Dana 30/4/2008, "rmp dmd" <rmp.dmd1229 at gmail.com> piše:
> >> > >
> >> > > >Hi,
> >> > > >
> >> > > >We have a wireless network that uses freeRadius integrated with AD for
> >> > > >authentication. There are some test user accounts on AD that I would
> >> > > >like to deny access on our Wireless and VPN.
> >> > > >
> >> > > >I have tried "How do I deny access to a specific user, or group of
> >> > > >users" in the FAQ but it is not working. I'm guessing that this is not
> >> > > >the correct method.
> >> > > >
> >> > > >Please help me on how to set-up correctly.
> >> > > >
> >> > > >Thanks!
> >> > > >Roehl
> >> > > >
> >> > > >
> >> > >
> >> > > -
> >> > > List info/subscribe/unsubscribe? See
> >> > > http://www.freeradius.org/list/users.html
> >> > >
> >> >
> >> >
> >> >
> >> > Nicolas Goutte
> >> >
> >> >
> >> > extragroup GmbH - Karlsruhe
> >> > Waldstr. 49
> >> > 76133 Karlsruhe
> >> > Germany
> >> >
> >> > Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> >> > Register court: Amtsgericht Münster / HRB: 5624
> >> > Tax no.: 337/5903/0421 / VAT ID: DE 204607841
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >
> >
>
>
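A small check for the two things this thread stumbled over: the files module missing from modules {} and from authorize {} (the "Unknown module" errors above), and users entries meant to reject an AD account that do not carry the MS-CHAP-Use-NTLM-Auth := 0 form Ivan recommended. This is an added example, not code from the thread or from FreeRADIUS; it assumes a FreeRADIUS 1.x style brace-structured radiusd.conf, and the sample config and users lines are constructed.

```python
import re

# Constructed sample inputs (trimmed radiusd.conf and users file), not the poster's files.
RADIUSD_CONF = """modules {
    files {
        usersfile = ${confdir}/users
    }
}
authorize {
    files
    eap
}
"""
USERS = """aduser1 MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
aduser2 Auth-Type := Reject
"""

def parse_sections(text):
    """Map each brace-section path (e.g. 'modules/files') to the bare names listed in it."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                 # section start, e.g. 'authorize {'
            stack.append(line[:-1].strip())
            sections.setdefault("/".join(stack), [])
        elif line == "}":
            stack.pop()
        elif "=" not in line and stack:        # bare module reference inside a section
            sections["/".join(stack)].append(line)
    return sections

def check_files_module(conf_text):
    """The two failures in the thread: no files instance, or files absent from authorize."""
    sections, problems = parse_sections(conf_text), []
    if "modules/files" not in sections:
        problems.append('no "files" module instance in modules {}')
    if "files" not in sections.get("authorize", []):
        problems.append('"files" not listed in authorize {}')
    return problems

def check_reject_entries(users_text):
    """Users with Auth-Type := Reject but without MS-CHAP-Use-NTLM-Auth := 0 (one-line entries)."""
    weak = []
    for line in users_text.splitlines():
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if m and "Auth-Type := Reject" in m.group(2) and "MS-CHAP-Use-NTLM-Auth := 0" not in m.group(2):
            weak.append(m.group(1))
    return weak
```

Run it against the real files with `check_files_module(open("/etc/raddb/radiusd.conf").read())` and the same for users; an empty list from both means the Reject entry will actually be consulted.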