Wifi + Active Directory without ntlm

Клеусов Владимир Сергеевич Kleusov.Vladimir at wildberries.ru
Thu May 28 13:41:14 CEST 2020


If /etc/freeradius/users 

DEFAULT Auth-Type := LDAP, LDAP-Group == "test_group"
DEFAULT Ldap-Group != "test_group", Auth-Type := Reject

Then all users get access regardless of their membership in this group. Why can this happen?

> On 28 May 2020, at 11:32, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Thanks, working version of TTLS/PAP and ldap module.
> 
> 
> In /etc/freeradius/mods-enabled/eap
> eap {
> default_eap_type = ttls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = ${max_requests}
> tls-config tls-common {
> 	private_key_file = /etc/freeradius/certs/ssl-cert-snakeoil.key
> 	certificate_file = /etc/freeradius/certs/ssl-cert-snakeoil.pem
> 	ca_file = /etc/freeradius/certs/ca-certificates.crt
> 	dh_file = ${certdir}/dh
> 	ca_path = ${cadir}
> 	cipher_list = "HIGH"
> 	cipher_server_preference = no
> 	ecdh_curve = "prime256v1"
> 	check_crl = no
> 	}
> 	ttls {
>         tls = tls-common
>         default_eap_type = md5
>         copy_request_to_tunnel = no
>         use_tunneled_reply = yes
>         virtual_server = "inner-tunnel"
>         }
> }
> 
> But group access doesn't work.
> 
> In /etc/freeradius/users
> LDAP-Group == "VPN_GROUP"
> DEFAULT Group != "VPN_GROUP", Auth-Type := Reject
> 
> /etc/freeradius/mods-config/files/authorize[1]: Parse error (check) for entry LDAP-Group: Invalid attribute name
> Failed reading /etc/freeradius/mods-config/files/authorize
> /etc/freeradius/mods-enabled/files[9]: Instantiation failed for module "files"
> 
> Is it possible to configure group access in this configuration?
> 
>> On 19 May 2020, at 16:04, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>> 
>> 
>>> On May 19, 2020, at 7:35 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> 
>>> Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords?
>> 
>> That's a little confused.
>> 
>> Doing MS-CHAP to AD requires ntlm_auth.
>> 
>> If you have PAP, you can do normal LDAP bind to AD.
>> 
>> If you're not using AD, then FreeRADIUS supports all standard encryption types.  But these only work for PAP.  NT hashed passwords also work for MS-CHAP.
>> 
>> Alan DeKok.
>> 
> 
> 
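Alan's distinction above (MS-CHAP needs the NT hash itself, so against AD it needs ntlm_auth, while PAP delivers the plaintext and therefore works with an LDAP bind or with any stored hash) can be shown in code. This is an added example, not code from the thread or from FreeRADIUS; the `{SSHA}` and `{nt}` prefixes follow common LDAP / rlm_pap conventions, and `SAMPLE_SSHA` is a constructed directory entry.

```python
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Self-contained MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, ks, ss, add in rounds:
            for i, k in enumerate(ks):
                a = rot((a + fn(b, c, d) + X[k] + add) & MASK, ss[i % 4])
                a, b, c, d = d, a, b, c  # shift registers for the next step
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap derives it from Cleartext-Password: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))

def pap_check(stored: str, password: str) -> bool:
    """PAP: the plaintext arrives, so any stored form can be verified ({SSHA}, {nt} or cleartext)."""
    if stored.startswith("{SSHA}"):  # OpenLDAP style: base64(sha1(pw + salt) + salt)
        raw = base64.b64decode(stored[6:])
        return hmac.compare_digest(hashlib.sha1(password.encode() + raw[20:]).digest(), raw[:20])
    if stored.startswith("{nt}"):
        return hmac.compare_digest(nt_hash(password).hex(), stored[4:].lower())
    return hmac.compare_digest(stored.encode(), password.encode())

def mschap_nt_key(stored: str):
    """MS-CHAP: the server needs the NT hash (the client never sends the password); None = impossible."""
    if stored.startswith("{nt}"):
        return bytes.fromhex(stored[4:])
    if stored.startswith("{SSHA}"):
        return None  # one-way SHA1 store: no NT hash can be derived, so MS-CHAP cannot be verified locally
    return nt_hash(stored)  # cleartext store: derive NT-Password on the fly, as rlm_mschap does

# constructed sample entry: {SSHA} of "Passw0rd" with salt b"salt"
SAMPLE_SSHA = "{SSHA}" + base64.b64encode(hashlib.sha1(b"Passw0rd" + b"salt").digest() + b"salt").decode()
```

For an AD-backed store the `None` case is the normal one, since AD never hands out the NT hash over LDAP; that is the gap ntlm_auth fills for MS-CHAP.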



