FR with Active Directory

Rado Matisko rado.matisko2 at gmail.com
Thu Apr 10 14:06:00 CEST 2014


And I also change eap.conf (default - PEAP and added my certificates)
eap {
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = /etc/ssl/private/friradius.key
        certificate_file = /etc/ssl/certs/friradius.cer
        CA_file = /etc/ssl/certs/cert.cer
        dh_file = ${certdir}/dh
        random_file = /dev/urandom

        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        ecdh_curve = "prime256v1"

        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }

        verify {
        }

        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }

    ttls {
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}


2014-04-10 13:57 GMT+02:00 Rado Matisko <rado.matisko2 at gmail.com>:

> Hi, I want to set up my FR to connect to AD, which is on another host.
> I was following this tutorial:
> http://deployingradius.com/documents/configuration/active_directory.html
>
> I configured smb.conf and then krb5.conf, and then this works great:
> ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user
>  --password=password
>
>
> root at friradius:/# ntlm_auth --request-nt-key --domain=FRI
> --username=hajtmanek --password=<password> NT_STATUS_OK: Success (0x0)
> Then I configured FR:
> > commented "files" in sites-available/default and inner-tunnel and added ntlm_auth
> in authorize section
> > changed /modules/ntlm_auth
>
>
> After running radtest I get this debug:
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "eduroam", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
>  Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
> Login incorrect: [eduroam] (from client localhost port 0)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> eduroam
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
>
>
> Apparently I'm missing something, but I tried to follow the tutorial.
>
>
>
>
>
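The debug trace quoted above is the whole diagnosis: every authorize module returns noop, the module the poster says they added (ntlm_auth) never appears in the authorize group, and the server then reports that no Auth-Type was set. The following script is an added example for this thread, not code from the poster or from the FreeRADIUS project. It parses the "++[module] returns rc" lines of a radiusd -X trace into a per-module table, checks that the modules you expect to run actually did, and turns the well-known reject messages into plain findings. The sample trace is constructed from the lines quoted above; the expected module name "ntlm_auth" and the wording of the findings are this example's own.

```python
"""Explain an Access-Reject from a FreeRADIUS 2.x authorize trace (radiusd -X).

Added example for the thread above; not the poster's or the FreeRADIUS
project's code. SAMPLE_TRACE is constructed from the lines the poster quoted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# Constructed sample, modelled on the trace posted in the thread.
SAMPLE_TRACE = """\
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "eduroam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
 Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [eduroam] (from client localhost port 0)
"""

# One "++[module] returns rc" line per module the section ran.
MODULE_RC = re.compile(r"^\+{2,}\[(?P<module>[\w.\-]+)\]\s+returns\s+(?P<rc>\w+)")
SECTION = re.compile(r"^# Executing section (?P<section>\w+) from file (?P<file>\S+)")
LOGIN_INCORRECT = re.compile(r"^Login incorrect: \[(?P<user>[^\]]*)\]")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) found"
NO_KNOWN_GOOD = 'No "known good" password'


@dataclass
class Diagnosis:
    results: Dict[str, str] = field(default_factory=dict)  # module -> return code
    section_file: Optional[str] = None                      # file the section came from
    user: Optional[str] = None
    missing_auth_type: bool = False
    no_known_good_password: bool = False
    findings: List[str] = field(default_factory=list)


def parse_trace(text: str) -> Diagnosis:
    """Collect module return codes and the reject messages from the trace."""
    d = Diagnosis()
    for line in text.splitlines():
        m = MODULE_RC.match(line)
        if m:
            d.results[m["module"]] = m["rc"]
            continue
        m = SECTION.match(line)
        if m:
            d.section_file = m["file"]
        elif NO_AUTH_TYPE in line:
            d.missing_auth_type = True
        elif NO_KNOWN_GOOD in line:
            d.no_known_good_password = True
        else:
            m = LOGIN_INCORRECT.match(line)
            if m:
                d.user = m["user"]
    return d


def diagnose(text: str, expected_modules: Sequence[str] = ("ntlm_auth",)) -> Diagnosis:
    """Parse the trace and explain the reject; expected_modules is an assumption."""
    d = parse_trace(text)
    absent = [m for m in expected_modules if m not in d.results]
    if absent:
        d.findings.append(
            "expected modules never ran in authorize: %s; the section was loaded "
            "from %s, so check that this is the file that was edited"
            % (", ".join(absent), d.section_file or "an unknown file"))
    if d.missing_auth_type:
        active = [m for m, rc in d.results.items() if rc != "noop"]
        d.findings.append(
            "no authorize module set Auth-Type (non-noop modules: %s), so the "
            "request was rejected before any authenticate method ran"
            % (", ".join(active) or "none"))
    if d.no_known_good_password:
        d.findings.append(
            "pap found no reference password: expected when an external backend "
            "must check the password itself, so this warning alone is not the fault")
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE)
    print("user:", result.user)
    for module, rc in result.results.items():
        print("  %-12s %s" % (module, rc))
    for finding in result.findings:
        print("*", finding)
```

Run it against your own radiusd -X output instead of SAMPLE_TRACE and pass the module names you added to authorize; a module that is absent from the table did not run at all, which is a different problem from a module that ran and returned noop.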