https://administrator.de/forum/freeradius-ad-gruppen-273338.html
FreeRADIUS AD groups
I configured FreeRADIUS following this guide. So far everything works.
http://deployingradius.com/documents/configuration/active_directory.htm ...
Now I want only certain AD groups to be able to connect.
Can someone give me a tip on how to configure that?
Content-ID: 273338
URL: https://administrator.de/contentid/273338
Printed on: 14.11.2024 at 01:11
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013126
Netzwerk Management Server mit Raspberry Pi
and then of course here:
Netzwerk Management Server mit Raspberry Pi
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013131
But now only AD users who are in certain groups should be able to log in.
And I didn't read anything about that in the two links.
Or did I miss something?
But thanks to a link on those two pages I came across the comment that one has to adjust "etc/pam.d/common-auth".
Only that isn't for FreeRADIUS.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013175
Otherwise you explicitly exclude that again in the FreeRADIUS users file, so that no local Unix users can do it!
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013293
- no local Linux users
- only AD users
- the AD users that are allowed are in one AD group
- only this AD group should be allowed
But would this then be roughly right, in the FreeRADIUS users file:
DEFAULT Ldap-Group != "CN=XX,OU=XZ,DC=XY", Auth-Type := Reject
DEFAULT Auth-Type := LDAP
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013358
default auth-type:=ntlm_auth
and extend the ntlm_auth file
accordingly with the user group "WLAN"?
--request-nt-key --domain=DOMAIN --group=WLAN.....
Looser
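Added example, not taken from the thread or from the FreeRADIUS project: the ntlm_auth line of /etc/freeradius/modules/mschap (FreeRADIUS 2.x syntax, as used on this page), first in the form the thread's later debug output shows, and then restricted to a single AD group with --require-membership-of, the option Samba's ntlm_auth documents for exactly this check. EXAMPLEDOM and the group SID are placeholders; the rest of the command line (the %{mschap:...} expansions) is the stock FreeRADIUS 2 configuration.

```text
# /etc/freeradius/modules/mschap  --  only the ntlm_auth line is shown.
# Exactly one ntlm_auth = "..." line may be active in the mschap { } block.

# 1) The form that appears in the thread's "freeradius -XXX" output:
#    a "--group=wlan" argument was inserted into the stock command line.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --group=wlan --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain} --challenge=%{mschap:Challenge0} --nt-response=%{mschap:NT-Response0}"

# 2) Group restriction with the option ntlm_auth provides for it.
#    --require-membership-of takes a group name (EXAMPLEDOM\wlan) or a SID.
#    The SID form is the safer choice: it keeps working if the group is
#    renamed, and it cannot be confused by a same-named local group.
#    EXAMPLEDOM and the SID are placeholders, not values from the thread.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=S-1-5-21-0000000000-0000000000-0000000000-1234 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLEDOM} --challenge=%{mschap:Challenge0} --nt-response=%{mschap:NT-Response0}"
```

The fallback after `:-` in `--domain=` is used whenever the client sends a bare user name without a `DOMAIN\` prefix (the debug output in this thread shows exactly that case), so it must be the domain winbind has joined. Before restarting FreeRADIUS, the restriction can be checked directly as the FreeRADIUS service user with `ntlm_auth --username=... --domain=... --password=... --require-membership-of=...`: a member of the group must get NT_STATUS_OK, and a valid account outside the group must be rejected; if the manual check fails for a known-good member, the problem is in winbind or the group reference, not in the mschap module.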
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013632
No, I haven't tried that yet.
How did you come up with that?
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013668
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013938
When I now run "radtest -t mschap..." with the correct username and password, I get a "rad_recv: Access-Reject" with "MS-CHAP-Error = "\000E=691 R=1"".
Without those entries, everything works.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013957
http://serverfault.com/questions/609950/freeradius-mschap
http://lists.freeradius.org/pipermail/freeradius-users/2012-April/05996 ...
https://lists.freeradius.org/pipermail/freeradius-users/2014-February/07 ...
Excerpt from the FreeRADIUS tutorial:
If you want to keep static users in the "users" file that should NOT be authenticated via mschap, configure them BEFORE the "Default Auth" entry, e.g.
testuser Cleartext-Password := "testuser", MS-CHAP-Use-NTLM-Auth := No
The statement "MS-CHAP-Use-NTLM-Auth := No" switches off authentication against the AD here, so that the user is authenticated locally.
If you want to authenticate exclusively against the Windows AD, you also have to edit the file mschap in the directory /etc/freeradius/modules with nano.
There, in the comment section "# If ntlm_auth is configured below...", the config line:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key......
has to be uncommented (remove the leading #) and the correct path to the ntlm_auth binary (here /usr/bin) entered.
All mschap authentications are then authenticated by FreeRADIUS against the Windows Active Directory!
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1013965
Run freeradius -XXX and please post the output.
You probably didn't adjust the change in "/etc/freeradius/modules/mschap" accordingly.
You have to extend it with the group there as well.
Regards
Looser
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014058
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
- Executing group from file /etc/freeradius/sites-enabled/default
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=user
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-domainl} -> --domain=domain.local
[mschap] mschap1: b0
[mschap] expand: --challenge=%{mschap:Challenge0} -> --challenge=b0cb1de15c8f21f6
[mschap] expand: --nt-response=%{mschap:NT-Response0} -> --nt-response =ac3ac25c9d991195a830170c5e1e99a4135ccbd201127944
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
- Executing group from file /etc/freeradius/sites-enabled/default
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 72 to 127.0.0.1 port 56169
MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
And yes, it starts without an error message, and the freeradius user has the permission.
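Added example, not from the thread or from the FreeRADIUS project: a small Python triage helper that reads the "freeradius -X" (or "-XXX") output pasted above, extracts the ntlm_auth round trip (user, domain fallback, exit status, NT status code, MS-CHAP error sent to the client) and maps the codes to their standard names. The sample lines are copied from the thread's paste; the code tables are the standard NTSTATUS values and the MS-CHAP failure codes from RFC 2433 / RFC 2759. Everything else (function and field names) is this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# NTSTATUS codes that Samba's ntlm_auth prints as "Logon failure (0x...)".
NT_STATUS = {
    0xC0000022: ("STATUS_ACCESS_DENIED", "access denied"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "no such user in the domain"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "credentials rejected by the domain controller"),
    0xC000006E: ("STATUS_ACCOUNT_RESTRICTION", "account restriction"),
    0xC000006F: ("STATUS_INVALID_LOGON_HOURS", "outside permitted logon hours"),
    0xC0000070: ("STATUS_INVALID_WORKSTATION", "workstation restriction"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "password expired"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account disabled"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# MS-CHAP "E=" failure codes (RFC 2433 / RFC 2759) carried in MS-CHAP-Error.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# All patterns are applied with re.search, so both the bare "-X" lines and the
# "Wed Jun 3 16:41:38 2015 : Info:" prefixed "-XXX" lines are accepted.
_RE = {
    "user":     re.compile(r"-> --username=(\S+)"),
    "domain":   re.compile(r"-> --domain=(\S+)"),
    "nodomain": re.compile(r"No NT-Domain was found in the User-Name"),
    "version":  re.compile(r"Told to do (MS-CHAPv\d)"),
    "status":   re.compile(r"Exec-Program output: .*\((0x[0-9a-fA-F]{8})\)"),
    "rc":       re.compile(r"Exec-Program: returned: (\d+)"),
    "mserr":    re.compile(r'MS-CHAP-Error = ".*E=(\d+) R=(\d)'),
    "result":   re.compile(r"Sending (Access-(?:Accept|Reject|Challenge))"),
}


@dataclass
class MschapTrace:
    username: Optional[str] = None
    domain: Optional[str] = None
    domain_from_user: bool = True   # False once rlm_mschap reports the fallback was used
    version: Optional[str] = None
    nt_status: Optional[int] = None
    exec_rc: Optional[int] = None
    mschap_error: Optional[int] = None
    retry_allowed: Optional[bool] = None
    result: Optional[str] = None


def parse_mschap_debug(lines: Iterable[str]) -> MschapTrace:
    """Extract the ntlm_auth round trip from freeradius -X / -XXX output."""
    t = MschapTrace()
    for line in lines:
        if m := _RE["user"].search(line):
            t.username = m.group(1)
        elif m := _RE["domain"].search(line):
            t.domain = m.group(1)
        elif _RE["nodomain"].search(line):
            t.domain_from_user = False
        elif m := _RE["version"].search(line):
            t.version = m.group(1)
        elif m := _RE["status"].search(line):
            t.nt_status = int(m.group(1), 16)
        elif m := _RE["rc"].search(line):
            t.exec_rc = int(m.group(1))
        elif m := _RE["mserr"].search(line):
            t.mschap_error = int(m.group(1))
            t.retry_allowed = m.group(2) == "1"
        elif m := _RE["result"].search(line):
            t.result = m.group(1)
    return t


def assess(t: MschapTrace) -> List[str]:
    """Turn the parsed trace into plain-language findings for the operator."""
    findings: List[str] = []
    if t.nt_status is not None:
        name, meaning = NT_STATUS.get(t.nt_status, ("UNKNOWN_NTSTATUS", "not in the local table"))
        findings.append(f"ntlm_auth failed with 0x{t.nt_status:08x} {name}: {meaning}")
    elif t.exec_rc not in (None, 0):
        findings.append(f"ntlm_auth exited with status {t.exec_rc} but printed no NT status code")
    if not t.domain_from_user and t.domain:
        findings.append(f"User-Name {t.username!r} had no DOMAIN\\ prefix; rlm_mschap fell back to "
                        f"--domain={t.domain} from the module config, so that value must be the "
                        f"domain winbind has joined")
    if t.mschap_error is not None:
        findings.append(f"client received MS-CHAP-Error E={t.mschap_error} "
                        f"({MSCHAP_ERRORS.get(t.mschap_error, 'unlisted')}), retry "
                        f"{'allowed' if t.retry_allowed else 'not allowed'}")
    if t.result:
        findings.append(f"final result: {t.result}")
    return findings


# Sample input: the relevant lines copied from the "freeradius -X" paste in this thread.
SAMPLE_X = r"""
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=user
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-domainl} -> --domain=domain.local
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
++[mschap] returns reject
Sending Access-Reject of id 72 to 127.0.0.1 port 56169
MS-CHAP-Error = "\000E=691 R=1"
""".strip().splitlines()

if __name__ == "__main__":
    for finding in assess(parse_mschap_debug(SAMPLE_X)):
        print("-", finding)
```

Run it against a saved debug log with `assess(parse_mschap_debug(open("radius-debug.txt")))`. The helper deliberately reports the NT status separately from the MS-CHAP error: E=691 is what every client sees for any NTLM failure, while the `Logon failure (0x...)` line is the only place the domain controller's actual verdict survives, so that is the line to read when a known-good password is rejected after a configuration change.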
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014062
Check your settings as described here.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014064
If I revert the changes described here, everything works, i.e. every AD user can log in (not only via radtest, but also via the access points).
And the guide doesn't help me much, since I don't have any certificates.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014068
Start with freeradius -XXX instead of just -X. Then you'll see even more output in debug mode.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014149
This is the part from radtest:
Wed Jun 3 16:41:38 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Jun 3 16:41:38 2015 : Info: +- entering group authorize {...}
Wed Jun 3 16:41:38 2015 : Info: ++[preprocess] returns ok
Wed Jun 3 16:41:38 2015 : Info: ++[chap] returns noop
Wed Jun 3 16:41:38 2015 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Wed Jun 3 16:41:38 2015 : Info: ++[mschap] returns ok
Wed Jun 3 16:41:38 2015 : Info: ++[digest] returns noop
Wed Jun 3 16:41:38 2015 : Info: [suffix] No '@' in User-Name = "user", looking up realm NULL
Wed Jun 3 16:41:38 2015 : Info: [suffix] No such realm "NULL"
Wed Jun 3 16:41:38 2015 : Info: ++[suffix] returns noop
Wed Jun 3 16:41:38 2015 : Info: [eap] No EAP-Message, not doing EAP
Wed Jun 3 16:41:38 2015 : Info: ++[eap] returns noop
Wed Jun 3 16:41:38 2015 : Info: ++[files] returns noop
Wed Jun 3 16:41:38 2015 : Info: ++[expiration] returns noop
Wed Jun 3 16:41:38 2015 : Info: ++[logintime] returns noop
Wed Jun 3 16:41:38 2015 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Jun 3 16:41:38 2015 : Info: ++[pap] returns noop
Wed Jun 3 16:41:38 2015 : Info: Found Auth-Type = MSCHAP
Wed Jun 3 16:41:38 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Wed Jun 3 16:41:38 2015 : Info: +- entering group MS-CHAP {...}
Wed Jun 3 16:41:38 2015 : Info: [mschap] Told to do MS-CHAPv1 with NT-Password
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=user
Wed Jun 3 16:41:38 2015 : Info: [mschap] No NT-Domain was found in the User-Name.
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: %{mschap:NT-Domain} ->
Wed Jun 3 16:41:38 2015 : Info: [mschap] ... expanding second conditional
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-domain} -> --domain=domain
Wed Jun 3 16:41:38 2015 : Info: [mschap] mschap1: 62
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: --challenge=%{mschap:Challenge0} -> --challenge=62427d04fd995f5e
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response0} -> --nt-response=0d63119fae7f2b1c11091875d8a26d0943c14ccd18e365dd
Wed Jun 3 16:41:38 2015 : Debug: Exec-Program output: Logon failure (0xc000006d)
Wed Jun 3 16:41:38 2015 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Wed Jun 3 16:41:38 2015 : Debug: Exec-Program: returned: 1
Wed Jun 3 16:41:38 2015 : Info: [mschap] External script failed.
Wed Jun 3 16:41:38 2015 : Info: [mschap] MS-CHAP-Response is incorrect.
Wed Jun 3 16:41:38 2015 : Info: ++[mschap] returns reject
Wed Jun 3 16:41:38 2015 : Info: Failed to authenticate the user.
Wed Jun 3 16:41:38 2015 : Info: Using Post-Auth-Type Reject
Wed Jun 3 16:41:38 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Wed Jun 3 16:41:38 2015 : Info: +- entering group REJECT {...}
Wed Jun 3 16:41:38 2015 : Info: [attr_filter.access_reject] expand: %{User-Name} -> user
Wed Jun 3 16:41:38 2015 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Jun 3 16:41:38 2015 : Info: ++[attr_filter.access_reject] returns updated
Wed Jun 3 16:41:38 2015 : Info: Delaying reject of request 0 for 1 seconds
Wed Jun 3 16:41:38 2015 : Debug: Going to the next request
Wed Jun 3 16:41:38 2015 : Debug: Waking up in 0.9 seconds.
Wed Jun 3 16:41:39 2015 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 50 to 127.0.0.1 port 54733
MS-CHAP-Error = "\000E=691 R=1"
Wed Jun 3 16:41:39 2015 : Debug: Waking up in 4.9 seconds.
Wed Jun 3 16:41:44 2015 : Info: Cleaning up request 0 ID 50 with timestamp +46
Wed Jun 3 16:41:44 2015 : Info: Ready to process requests.
And this is the startup process:
Wed Jun 3 16:50:19 2015 : Info: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57
Wed Jun 3 16:50:19 2015 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Wed Jun 3 16:50:19 2015 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Jun 3 16:50:19 2015 : Info: PARTICULAR PURPOSE.
Wed Jun 3 16:50:19 2015 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Jun 3 16:50:19 2015 : Info: GNU General Public License v2.
Wed Jun 3 16:50:19 2015 : Info: Starting - reading configuration files ...
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/radiusd.conf
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/proxy.conf
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/clients.conf
Wed Jun 3 16:50:19 2015 : Debug: including files in directory /etc/freeradius/modules/
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/soh
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/etc_group
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/ldap
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/counter
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/files
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/unix
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/dynamic_clients
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/redis
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/mschap
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/exec
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/realm
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/ntlm_auth
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/ippool
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/smsotp
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/mschap.save
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/mac2ip
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/detail
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/passwd
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/radutmp
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/preprocess
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/krb5
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/pap
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/pam
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/smbpasswd
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/replicate
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/echo
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/otp
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/rediswho
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/linelog
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/logintime
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/opendirectory
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/expiration
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/wimax
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/checkval
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/expr
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/policy
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/mac2vlan
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/always
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/sradutmp
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/attr_filter
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/inner-eap
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/sql_log
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/detail.example.com
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/cui
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/chap
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/detail.log
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/attr_rewrite
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/digest
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/perl
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/modules/acct_unique
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/eap.conf
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/policy.conf
Wed Jun 3 16:50:19 2015 : Debug: including files in directory /etc/freeradius/sites-enabled/
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/sites-enabled/default
Wed Jun 3 16:50:19 2015 : Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
Wed Jun 3 16:50:19 2015 : Debug: main {
Wed Jun 3 16:50:19 2015 : Debug: user = "freerad"
Wed Jun 3 16:50:19 2015 : Debug: group = "freerad"
Wed Jun 3 16:50:19 2015 : Debug: allow_core_dumps = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: including dictionary file /etc/freeradius/dictionary
Wed Jun 3 16:50:19 2015 : Debug: main {
Wed Jun 3 16:50:19 2015 : Debug: name = "freeradius"
Wed Jun 3 16:50:19 2015 : Debug: prefix = "/usr"
Wed Jun 3 16:50:19 2015 : Debug: localstatedir = "/var"
Wed Jun 3 16:50:19 2015 : Debug: sbindir = "/usr/sbin"
Wed Jun 3 16:50:19 2015 : Debug: logdir = "/var/log/freeradius"
Wed Jun 3 16:50:19 2015 : Debug: run_dir = "/var/run/freeradius"
Wed Jun 3 16:50:19 2015 : Debug: libdir = "/usr/lib/freeradius"
Wed Jun 3 16:50:19 2015 : Debug: radacctdir = "/var/log/freeradius/radacct"
Wed Jun 3 16:50:19 2015 : Debug: hostname_lookups = no
Wed Jun 3 16:50:19 2015 : Debug: max_request_time = 30
Wed Jun 3 16:50:19 2015 : Debug: cleanup_delay = 5
Wed Jun 3 16:50:19 2015 : Debug: max_requests = 1024
Wed Jun 3 16:50:19 2015 : Debug: pidfile = "/var/run/freeradius/freeradius.pid"
Wed Jun 3 16:50:19 2015 : Debug: checkrad = "/usr/sbin/checkrad"
Wed Jun 3 16:50:19 2015 : Debug: debug_level = 0
Wed Jun 3 16:50:19 2015 : Debug: proxy_requests = yes
Wed Jun 3 16:50:19 2015 : Debug: log {
Wed Jun 3 16:50:19 2015 : Debug: stripped_names = no
Wed Jun 3 16:50:19 2015 : Debug: auth = no
Wed Jun 3 16:50:19 2015 : Debug: auth_badpass = no
Wed Jun 3 16:50:19 2015 : Debug: auth_goodpass = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: security {
Wed Jun 3 16:50:19 2015 : Debug: max_attributes = 200
Wed Jun 3 16:50:19 2015 : Debug: reject_delay = 1
Wed Jun 3 16:50:19 2015 : Debug: status_server = yes
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: radiusd: #### Loading Realms and Home Servers ####
Wed Jun 3 16:50:19 2015 : Debug: proxy server {
Wed Jun 3 16:50:19 2015 : Debug: retry_delay = 5
Wed Jun 3 16:50:19 2015 : Debug: retry_count = 3
Wed Jun 3 16:50:19 2015 : Debug: default_fallback = no
Wed Jun 3 16:50:19 2015 : Debug: dead_time = 120
Wed Jun 3 16:50:19 2015 : Debug: wake_all_if_all_dead = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: home_server localhost {
Wed Jun 3 16:50:19 2015 : Debug: ipaddr = 127.0.0.1
Wed Jun 3 16:50:19 2015 : Debug: port = 1812
Wed Jun 3 16:50:19 2015 : Debug: type = "auth"
Wed Jun 3 16:50:19 2015 : Debug: secret = "testing123"
Wed Jun 3 16:50:19 2015 : Debug: response_window = 20
Wed Jun 3 16:50:19 2015 : Debug: max_outstanding = 65536
Wed Jun 3 16:50:19 2015 : Debug: require_message_authenticator = yes
Wed Jun 3 16:50:19 2015 : Debug: zombie_period = 40
Wed Jun 3 16:50:19 2015 : Debug: status_check = "status-server"
Wed Jun 3 16:50:19 2015 : Debug: ping_interval = 30
Wed Jun 3 16:50:19 2015 : Debug: check_interval = 30
Wed Jun 3 16:50:19 2015 : Debug: num_answers_to_alive = 3
Wed Jun 3 16:50:19 2015 : Debug: num_pings_to_alive = 3
Wed Jun 3 16:50:19 2015 : Debug: revive_interval = 120
Wed Jun 3 16:50:19 2015 : Debug: status_check_timeout = 4
Wed Jun 3 16:50:19 2015 : Debug: coa {
Wed Jun 3 16:50:19 2015 : Debug: irt = 2
Wed Jun 3 16:50:19 2015 : Debug: mrt = 16
Wed Jun 3 16:50:19 2015 : Debug: mrc = 5
Wed Jun 3 16:50:19 2015 : Debug: mrd = 30
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: home_server_pool my_auth_failover {
Wed Jun 3 16:50:19 2015 : Debug: type = fail-over
Wed Jun 3 16:50:19 2015 : Debug: home_server = localhost
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: realm example.com {
Wed Jun 3 16:50:19 2015 : Debug: auth_pool = my_auth_failover
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: realm LOCAL {
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: radiusd: #### Loading Clients ####
Wed Jun 3 16:50:19 2015 : Debug: client localhost {
Wed Jun 3 16:50:19 2015 : Debug: ipaddr = 127.0.0.1
Wed Jun 3 16:50:19 2015 : Debug: require_message_authenticator = no
Wed Jun 3 16:50:19 2015 : Debug: secret = "testing123"
Wed Jun 3 16:50:19 2015 : Debug: nastype = "other"
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: radiusd: #### Instantiating modules ####
Wed Jun 3 16:50:19 2015 : Debug: instantiate {
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_exec, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_exec
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
Wed Jun 3 16:50:19 2015 : Debug: exec {
Wed Jun 3 16:50:19 2015 : Debug: wait = no
Wed Jun 3 16:50:19 2015 : Debug: input_pairs = "request"
Wed Jun 3 16:50:19 2015 : Debug: shell_escape = yes
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_expr, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_expr
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_expiration, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_expiration
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
Wed Jun 3 16:50:19 2015 : Debug: expiration {
Wed Jun 3 16:50:19 2015 : Debug: reply-message = "Password Has Expired "
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_logintime, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_logintime
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
Wed Jun 3 16:50:19 2015 : Debug: logintime {
Wed Jun 3 16:50:19 2015 : Debug: reply-message = "You are calling outside your allowed timespan "
Wed Jun 3 16:50:19 2015 : Debug: minimum-timeout = 60
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: radiusd: #### Loading Virtual Servers ####
Wed Jun 3 16:50:19 2015 : Debug: server { # from file /etc/freeradius/radiusd.conf
Wed Jun 3 16:50:19 2015 : Debug: modules {
Wed Jun 3 16:50:19 2015 : Debug: Module: Creating Auth-Type = ntlm_auth
Wed Jun 3 16:50:19 2015 : Debug: Module: Creating Auth-Type = digest
Wed Jun 3 16:50:19 2015 : Debug: Module: Creating Post-Auth-Type = REJECT
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking authenticate {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth
Wed Jun 3 16:50:19 2015 : Debug: exec ntlm_auth {
Wed Jun 3 16:50:19 2015 : Debug: wait = yes
Wed Jun 3 16:50:19 2015 : Debug: program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain --group=wlan --username=%{mschap:User-Name} --password=%{User-Password}"
Wed Jun 3 16:50:19 2015 : Debug: input_pairs = "request"
Wed Jun 3 16:50:19 2015 : Debug: shell_escape = yes
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_pap, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_pap
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
Wed Jun 3 16:50:19 2015 : Debug: pap {
Wed Jun 3 16:50:19 2015 : Debug: encryption_scheme = "auto"
Wed Jun 3 16:50:19 2015 : Debug: auto_header = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_chap, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_chap
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_mschap, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_mschap
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
Wed Jun 3 16:50:19 2015 : Debug: mschap {
Wed Jun 3 16:50:19 2015 : Debug: use_mppe = yes
Wed Jun 3 16:50:19 2015 : Debug: require_encryption = no
Wed Jun 3 16:50:19 2015 : Debug: require_strong = no
Wed Jun 3 16:50:19 2015 : Debug: with_ntdomain_hack = no
Wed Jun 3 16:50:19 2015 : Debug: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --group=wlan --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain} --challenge=%{mschap:Challenge0} --nt-response=%{mschap:NT-Response0}"
Wed Jun 3 16:50:19 2015 : Debug: allow_retry = yes
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_digest, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_digest
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_unix, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_unix
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
Wed Jun 3 16:50:19 2015 : Debug: unix {
Wed Jun 3 16:50:19 2015 : Debug: radwtmp = "/var/log/freeradius/radwtmp"
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_eap, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_eap
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
Wed Jun 3 16:50:19 2015 : Debug: eap {
Wed Jun 3 16:50:19 2015 : Debug: default_eap_type = "md5"
Wed Jun 3 16:50:19 2015 : Debug: timer_expire = 60
Wed Jun 3 16:50:19 2015 : Debug: ignore_unknown_eap_types = no
Wed Jun 3 16:50:19 2015 : Debug: cisco_accounting_username_bug = no
Wed Jun 3 16:50:19 2015 : Debug: max_sessions = 4096
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to sub-module rlm_eap_md5
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating eap-md5
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to sub-module rlm_eap_leap
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating eap-leap
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to sub-module rlm_eap_gtc
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating eap-gtc
Wed Jun 3 16:50:19 2015 : Debug: gtc {
Wed Jun 3 16:50:19 2015 : Debug: challenge = "Password: "
Wed Jun 3 16:50:19 2015 : Debug: auth_type = "PAP"
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to sub-module rlm_eap_tls
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating eap-tls
Wed Jun 3 16:50:19 2015 : Debug: tls {
Wed Jun 3 16:50:19 2015 : Debug: rsa_key_exchange = no
Wed Jun 3 16:50:19 2015 : Debug: dh_key_exchange = yes
Wed Jun 3 16:50:19 2015 : Debug: rsa_key_length = 512
Wed Jun 3 16:50:19 2015 : Debug: dh_key_length = 512
Wed Jun 3 16:50:19 2015 : Debug: verify_depth = 0
Wed Jun 3 16:50:19 2015 : Debug: CA_path = "/etc/freeradius/certs"
Wed Jun 3 16:50:19 2015 : Debug: pem_file_type = yes
Wed Jun 3 16:50:19 2015 : Debug: private_key_file = "/etc/freeradius/certs/server.key"
Wed Jun 3 16:50:19 2015 : Debug: certificate_file = "/etc/freeradius/certs/server.pem"
Wed Jun 3 16:50:19 2015 : Debug: CA_file = "/etc/freeradius/certs/ca.pem"
Wed Jun 3 16:50:19 2015 : Debug: private_key_password = "whatever"
Wed Jun 3 16:50:19 2015 : Debug: dh_file = "/etc/freeradius/certs/dh"
Wed Jun 3 16:50:19 2015 : Debug: random_file = "/dev/urandom"
Wed Jun 3 16:50:19 2015 : Debug: fragment_size = 1024
Wed Jun 3 16:50:19 2015 : Debug: include_length = yes
Wed Jun 3 16:50:19 2015 : Debug: check_crl = no
Wed Jun 3 16:50:19 2015 : Debug: cipher_list = "DEFAULT"
Wed Jun 3 16:50:19 2015 : Debug: make_cert_command = "/etc/freeradius/certs/bootstrap"
Wed Jun 3 16:50:19 2015 : Debug: ecdh_curve = "prime256v1"
Wed Jun 3 16:50:19 2015 : Debug: cache {
Wed Jun 3 16:50:19 2015 : Debug: enable = no
Wed Jun 3 16:50:19 2015 : Debug: lifetime = 24
Wed Jun 3 16:50:19 2015 : Debug: max_entries = 255
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: verify {
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: ocsp {
Wed Jun 3 16:50:19 2015 : Debug: enable = no
Wed Jun 3 16:50:19 2015 : Debug: override_cert_url = yes
Wed Jun 3 16:50:19 2015 : Debug: url = "http://127.0.0.1/ocsp/"
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to sub-module rlm_eap_ttls
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating eap-ttls
Wed Jun 3 16:50:19 2015 : Debug: ttls {
Wed Jun 3 16:50:19 2015 : Debug: default_eap_type = "md5"
Wed Jun 3 16:50:19 2015 : Debug: copy_request_to_tunnel = no
Wed Jun 3 16:50:19 2015 : Debug: use_tunneled_reply = no
Wed Jun 3 16:50:19 2015 : Debug: virtual_server = "inner-tunnel"
Wed Jun 3 16:50:19 2015 : Debug: include_length = yes
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to sub-module rlm_eap_peap
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating eap-peap
Wed Jun 3 16:50:19 2015 : Debug: peap {
Wed Jun 3 16:50:19 2015 : Debug: default_eap_type = "mschapv2"
Wed Jun 3 16:50:19 2015 : Debug: copy_request_to_tunnel = no
Wed Jun 3 16:50:19 2015 : Debug: use_tunneled_reply = no
Wed Jun 3 16:50:19 2015 : Debug: proxy_tunneled_request_as_eap = yes
Wed Jun 3 16:50:19 2015 : Debug: virtual_server = "inner-tunnel"
Wed Jun 3 16:50:19 2015 : Debug: soh = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating eap-mschapv2
Wed Jun 3 16:50:19 2015 : Debug: mschapv2 {
Wed Jun 3 16:50:19 2015 : Debug: with_ntdomain_hack = no
Wed Jun 3 16:50:19 2015 : Debug: send_error = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking authorize {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_preprocess, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_preprocess
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
Wed Jun 3 16:50:19 2015 : Debug: preprocess {
Wed Jun 3 16:50:19 2015 : Debug: huntgroups = "/etc/freeradius/huntgroups"
Wed Jun 3 16:50:19 2015 : Debug: hints = "/etc/freeradius/hints"
Wed Jun 3 16:50:19 2015 : Debug: with_ascend_hack = no
Wed Jun 3 16:50:19 2015 : Debug: ascend_channels_per_line = 23
Wed Jun 3 16:50:19 2015 : Debug: with_ntdomain_hack = no
Wed Jun 3 16:50:19 2015 : Debug: with_specialix_jetstream_hack = no
Wed Jun 3 16:50:19 2015 : Debug: with_cisco_vsa_hack = no
Wed Jun 3 16:50:19 2015 : Debug: with_alvarion_vsa_hack = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_realm, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_realm
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
Wed Jun 3 16:50:19 2015 : Debug: realm suffix {
Wed Jun 3 16:50:19 2015 : Debug: format = "suffix"
Wed Jun 3 16:50:19 2015 : Debug: delimiter = "@"
Wed Jun 3 16:50:19 2015 : Debug: ignore_default = no
Wed Jun 3 16:50:19 2015 : Debug: ignore_null = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_files, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_files
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "files" from file /etc/freeradius/modules/files
Wed Jun 3 16:50:19 2015 : Debug: files {
Wed Jun 3 16:50:19 2015 : Debug: usersfile = "/etc/freeradius/users"
Wed Jun 3 16:50:19 2015 : Debug: acctusersfile = "/etc/freeradius/acct_users"
Wed Jun 3 16:50:19 2015 : Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users"
Wed Jun 3 16:50:19 2015 : Debug: compat = "no"
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking preacct {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_acct_unique, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_acct_unique
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
Wed Jun 3 16:50:19 2015 : Debug: acct_unique {
Wed Jun 3 16:50:19 2015 : Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking accounting {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_detail, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_detail
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
Wed Jun 3 16:50:19 2015 : Debug: detail {
Wed Jun 3 16:50:19 2015 : Debug: detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
Wed Jun 3 16:50:19 2015 : Debug: header = "%t"
Wed Jun 3 16:50:19 2015 : Debug: detailperm = 384
Wed Jun 3 16:50:19 2015 : Debug: dirperm = 493
Wed Jun 3 16:50:19 2015 : Debug: locking = no
Wed Jun 3 16:50:19 2015 : Debug: log_packet_header = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_radutmp, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_radutmp
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
Wed Jun 3 16:50:19 2015 : Debug: radutmp {
Wed Jun 3 16:50:19 2015 : Debug: filename = "/var/log/freeradius/radutmp"
Wed Jun 3 16:50:19 2015 : Debug: username = "%{User-Name}"
Wed Jun 3 16:50:19 2015 : Debug: case_sensitive = yes
Wed Jun 3 16:50:19 2015 : Debug: check_with_nas = yes
Wed Jun 3 16:50:19 2015 : Debug: perm = 384
Wed Jun 3 16:50:19 2015 : Debug: callerid = yes
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: (Loaded rlm_attr_filter, checking if it's valid)
Wed Jun 3 16:50:19 2015 : Debug: Module: Linked to module rlm_attr_filter
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
Wed Jun 3 16:50:19 2015 : Debug: attr_filter attr_filter.accounting_response {
Wed Jun 3 16:50:19 2015 : Debug: attrsfile = "/etc/freeradius/attrs.accounting_response"
Wed Jun 3 16:50:19 2015 : Debug: key = "%{User-Name}"
Wed Jun 3 16:50:19 2015 : Debug: relaxed = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking session {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking post-proxy {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking post-auth {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
Wed Jun 3 16:50:19 2015 : Debug: attr_filter attr_filter.access_reject {
Wed Jun 3 16:50:19 2015 : Debug: attrsfile = "/etc/freeradius/attrs.access_reject"
Wed Jun 3 16:50:19 2015 : Debug: key = "%{User-Name}"
Wed Jun 3 16:50:19 2015 : Debug: relaxed = no
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: } # modules
Wed Jun 3 16:50:19 2015 : Debug: } # server
Wed Jun 3 16:50:19 2015 : Debug: server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Jun 3 16:50:19 2015 : Debug: modules {
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking authenticate {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking authorize {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking session {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking post-proxy {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: Module: Checking post-auth {...} for more modules to load
Wed Jun 3 16:50:19 2015 : Debug: } # modules
Wed Jun 3 16:50:19 2015 : Debug: } # server
Wed Jun 3 16:50:19 2015 : Debug: radiusd: #### Opening IP addresses and Ports ####
Wed Jun 3 16:50:19 2015 : Debug: listen {
Wed Jun 3 16:50:19 2015 : Debug: type = "auth"
Wed Jun 3 16:50:19 2015 : Debug: ipaddr = *
Wed Jun 3 16:50:19 2015 : Debug: port = 0
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: listen {
Wed Jun 3 16:50:19 2015 : Debug: type = "acct"
Wed Jun 3 16:50:19 2015 : Debug: ipaddr = *
Wed Jun 3 16:50:19 2015 : Debug: port = 0
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Debug: listen {
Wed Jun 3 16:50:19 2015 : Debug: type = "auth"
Wed Jun 3 16:50:19 2015 : Debug: ipaddr = 127.0.0.1
Wed Jun 3 16:50:19 2015 : Debug: port = 18120
Wed Jun 3 16:50:19 2015 : Debug: }
Wed Jun 3 16:50:19 2015 : Info: ... adding new socket proxy address * port 51294
Wed Jun 3 16:50:19 2015 : Debug: Listening on authentication address * port 1812
Wed Jun 3 16:50:19 2015 : Debug: Listening on accounting address * port 1813
Wed Jun 3 16:50:19 2015 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Wed Jun 3 16:50:19 2015 : Debug: Listening on proxy address * port 1814
Wed Jun 3 16:50:19 2015 : Info: Ready to process requests.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014163
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014248
A RADIUS certificate is always mandatory, because that is how the client checks that the RADIUS server is genuine.
Without this certificate, RADIUS authentication is practically pointless, because then anyone could hang a parallel RADIUS server on a Raspberry Pi into the network, and the clients would accept it.
There you would allow all users, and the whole thing is bypassed.
You are surely confusing user certificates with the RADIUS server certificate. The latter you should always have. User certificates are not required. That is probably what you mean, or??
The error messages are also critical:
[mschap] Told to do MS-CHAPv1 with NT-Password
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=user
Wed Jun 3 16:41:38 2015 : Info: [mschap] No NT-Domain was found in the User-Name.
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: %{mschap:NT-Domain} ->
Wed Jun 3 16:41:38 2015 : Info: [mschap] ... expanding second conditional
Wed Jun 3 16:41:38 2015 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-domain} -> --domain=domain
CHAPv2 is actually the normal case, and the missing domain name suggests that the "NT Domain hack" feature was perhaps not commented out in the RADIUS settings of the conf file?
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014286
And NT Domain hack is commented out.
How can I enable CHAPv2?
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014289
default_eap_type = mschapv2
Look here:
https://kupschke.net/2013/10/11/freeradius-mit-eap-peap-und-ldap-zur-sic ...
and here:
http://deployingradius.com/documents/configuration/active_directory.htm ...
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integratio ...
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014294
If I take the "group" attribute out it works; with it, it doesn't.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014391
Debug: Exec-Program output: Logon failure (0xc000006d)
Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Debug: Exec-Program: returned: 1
Info: [mschap] External script failed.
Info: [mschap] MS-CHAP-Response is incorrect.
Info: ++[mschap] returns reject
Info: Failed to authenticate the user.
Which shows that something is wrong with the script that sends the mschap request to AD.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014396
But I just can't find the error.
Does anyone happen to have the same setup, so that I could compare the config files?
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014398
ntlm_auth --request-nt-key --domain=WINDOMAIN --username=testuser --password=test123
What does that return?
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014401
NT_STATUS_OK: Success (0x0)
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014408
wbinfo -g
... output? Does it list all of your AD groups?
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014409
Then it can only be that it is somehow already passing the wrong username to ntlm_auth.
Just look into the packet with the Wireshark sniffer to see what the authenticator sends along to FreeRADIUS.
wbinfo -g is also a good point!
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014410
Although I just noticed that, despite --group=..., it also works with users who are not in the group.
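As an added example (not the poster's config and not the config from the linked guides), this is how the AD group restriction is done inside the mschap module itself, with FreeRADIUS 2.x paths as used in this thread. The switch ntlm_auth documents for this is --require-membership-of, which accepts either DOMAIN\Group or the group's SID. Assumptions: the winbind domain is WINDOMAIN (the name from the ntlm_auth test above), the AD group is WLAN, and ntlm_auth lives at /usr/bin/ntlm_auth; the SID in the comment is a placeholder.

```conf
# /etc/freeradius/modules/mschap   (FreeRADIUS 2.x layout, as in this thread)
# Added example, not the configuration posted in the thread.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    # The MS-CHAPv2 challenge/response is handed to winbind.  The group
    # restriction is enforced by ntlm_auth: it only answers NT_STATUS_OK
    # when the user is a member of the group given in --require-membership-of,
    # so a non-member gets a reject from rlm_mschap.
    # Assumptions: winbind domain WINDOMAIN, AD group WLAN, /usr/bin/ntlm_auth.
    #
    # In a FreeRADIUS double-quoted string a backslash is written as "\\",
    # so WINDOMAIN\\WLAN reaches ntlm_auth as WINDOMAIN\WLAN.  The group's
    # SID (wbinfo --name-to-sid 'WINDOMAIN\WLAN') avoids the escaping
    # question altogether; the SID in the comment below is a placeholder.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
        --username=%{mschap:User-Name:-None} \
        --challenge=%{%{mschap:Challenge}:-00} \
        --nt-response=%{%{mschap:NT-Response}:-00} \
        --domain=%{%{mschap:NT-Domain}:-WINDOMAIN} \
        --require-membership-of=WINDOMAIN\\WLAN"
    # Alternative, by SID:
    #   --require-membership-of=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-NNNN
}
```

Test the switch by hand before touching FreeRADIUS: `ntlm_auth --request-nt-key --domain=WINDOMAIN --username=testuser --password=test123 --require-membership-of='WINDOMAIN\WLAN'` should print NT_STATUS_OK only for a member of WLAN and exit non-zero for everybody else (an option ntlm_auth does not recognise is reported on stderr, so a mistyped switch also shows up here). Then run `radiusd -X` and check the `[mschap] expand:` lines to see the exact command line being executed. Two caveats: with PEAP the mschap module runs in the inner-tunnel virtual server, but it is the same module instance, so this one setting covers it; and the check only applies where rlm_mschap calls ntlm_auth. A separate `exec`-style `ntlm_auth` module instance with `--password=%{User-Password}` (the Auth-Type = ntlm_auth path that appears later in this thread) needs the same switch on its own command line.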
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014420
FreeRADIUS Active Directory PEAP-MSCHAPv2 with LDAP group filter
https://blog.fem.tu-ilmenau.de/archives/652-Radius-mit-LDAP-und-Gruppen. ...
But you can also find that in 2 minutes of talking to Auntie Google.....
Search term: freeradius bestimmte AD Gruppe zulassen
Thank god it's friday...
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014441
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014568
But how does the mschap file have to be adapted then?
If I do it with LDAP, I get an "LDAP login failed" despite the correct password
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1014617
Once that works, add the group option.
https://administrator.de/forum/freeradius-ad-gruppen-273338.html#comment-1016584
Got a bit further.
The bind works, but after that it looks bad again.
Mon Jun 15 14:17:35 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Jun 15 14:17:35 2015 : Info: +- entering group authorize {...}
Mon Jun 15 14:17:35 2015 : Info: ++[preprocess] returns ok
Mon Jun 15 14:17:35 2015 : Info: ++[chap] returns noop
Mon Jun 15 14:17:35 2015 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Mon Jun 15 14:17:35 2015 : Info: ++[mschap] returns ok
Mon Jun 15 14:17:35 2015 : Info: ++[digest] returns noop
Mon Jun 15 14:17:35 2015 : Info: [suffix] No '@' in User-Name = "user", looking up realm NULL
Mon Jun 15 14:17:35 2015 : Info: [suffix] No such realm "NULL"
Mon Jun 15 14:17:35 2015 : Info: ++[suffix] returns noop
Mon Jun 15 14:17:35 2015 : Info: [eap] No EAP-Message, not doing EAP
Mon Jun 15 14:17:35 2015 : Info: ++[eap] returns noop
Mon Jun 15 14:17:35 2015 : Info: [files] users: Matched entry DEFAULT at line 1
Mon Jun 15 14:17:35 2015 : Info: ++[files] returns ok
Mon Jun 15 14:17:35 2015 : Info: [ldap] performing user authorization for user
Mon Jun 15 14:17:35 2015 : Info: [ldap] expand: %{Stripped-User-Name} ->
Mon Jun 15 14:17:35 2015 : Info: [ldap] ... expanding second conditional
Mon Jun 15 14:17:35 2015 : Info: [ldap] expand: %{User-Name} -> user
Mon Jun 15 14:17:35 2015 : Info: [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=user)
Mon Jun 15 14:17:35 2015 : Info: [ldap] expand: CN=WLAN,OU=Gruppen,DC=domäne,DC=de -> CN=WLAN,OU=Gruppen,DC=domäne,DC=de
Mon Jun 15 14:17:35 2015 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Mon Jun 15 14:17:35 2015 : Debug: [ldap] ldap_get_conn: Got Id: 0
Mon Jun 15 14:17:35 2015 : Debug: [ldap] performing search in CN=WLAN,OU=Gruppen,DC=domäne,DC=de, with filter (sAMAccountName=user)
Mon Jun 15 14:17:35 2015 : Debug: [ldap] object not found
Mon Jun 15 14:17:35 2015 : Info: [ldap] search failed
Mon Jun 15 14:17:35 2015 : Debug: [ldap] ldap_release_conn: Release Id: 0
Mon Jun 15 14:17:35 2015 : Info: ++[ldap] returns notfound
Mon Jun 15 14:17:35 2015 : Info: ++[expiration] returns noop
Mon Jun 15 14:17:35 2015 : Info: ++[logintime] returns noop
Mon Jun 15 14:17:35 2015 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Mon Jun 15 14:17:35 2015 : Info: ++[pap] returns noop
Mon Jun 15 14:31:06 2015 : Info: Found Auth-Type = ntlm_auth
Mon Jun 15 14:31:06 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jun 15 14:31:06 2015 : Info: +- entering group authenticate {...}
Mon Jun 15 14:31:06 2015 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=user
Mon Jun 15 14:31:06 2015 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=password
Mon Jun 15 14:31:06 2015 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Mon Jun 15 14:31:06 2015 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Mon Jun 15 14:31:06 2015 : Debug: Exec-Program: returned: 0
Mon Jun 15 14:31:06 2015 : Info: ++[ntlm_auth] returns ok
Mon Jun 15 14:31:06 2015 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Mon Jun 15 14:31:06 2015 : Info: +- entering group post-auth {...}
Mon Jun 15 14:31:06 2015 : Info: ++[exec] returns noop
Sending Access-Accept of id 240 to 127.0.0.1 port 33081
Mon Jun 15 14:31:06 2015 : Info: Finished request 9.
Mon Jun 15 14:31:06 2015 : Debug: Going to the next request
Mon Jun 15 14:31:06 2015 : Debug: Waking up in 4.9 seconds.
Mon Jun 15 14:31:11 2015 : Info: Cleaning up request 9 ID 240 with timestamp +1892
Mon Jun 15 14:31:11 2015 : Info: Ready to process requests.
So NTLM still works, only the LDAP search fails, and then every user can log in
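As an added example, not the poster's configuration: the LDAP variant of the group check for FreeRADIUS 2.x, written against what the log above shows. Two things go wrong there. First, the search base is the group DN itself (`CN=WLAN,OU=Gruppen,DC=domäne,DC=de`) and the filter looks for the user below it; an AD group object has no child entries, it lists its members in its `member` attribute, so `object not found` is the expected result. Second, `[ldap] returns notfound` is not a reject by itself; the request carries on into authenticate, `ntlm_auth` succeeds, and an Access-Accept goes out regardless of group. The fragment below fixes the base DN, tells rlm_ldap how AD expresses membership, and rejects explicitly unless the user is in the group. Assumptions: a domain controller `dc01.domäne.de`, a bind account `CN=radius,OU=Service,DC=domäne,DC=de` with password `bind-secret`, and the thread's placeholder domain `DC=domäne,DC=de` kept as-is; group cn `WLAN` is taken from the log.

```conf
# /etc/freeradius/modules/ldap   (FreeRADIUS 2.x layout, as in this thread)
# Added example; server, bind account and password are assumptions.
ldap {
    server = "dc01.domäne.de"
    identity = "CN=radius,OU=Service,DC=domäne,DC=de"
    password = "bind-secret"

    # The base must contain the USER objects.  Searching below the group DN
    # (as in the log above) finds nothing: an AD group has no child entries.
    basedn = "DC=domäne,DC=de"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # How AD expresses membership, for the Ldap-Group comparison below:
    # the group object lists members in "member", the user carries "memberOf".
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    groupmembership_attribute = memberOf

    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

# /etc/freeradius/sites-enabled/inner-tunnel (where PEAP's MS-CHAPv2 runs)
# and sites-enabled/default (for non-EAP tests like the one in the log).
# Only the authorize section is shown.
authorize {
    preprocess
    mschap
    suffix
    eap {
        ok = return
    }
    files
    ldap
    # "notfound" from ldap does not stop the request; without this block it
    # proceeds to authentication, which is what the log above shows.
    # Deny unless the user is in WLAN.  The value is the group's cn because
    # groupname_attribute = cn; the group's full DN is accepted as well.
    if (!(Ldap-Group == "WLAN")) {
        reject
    }
    expiration
    logintime
    pap
}
```

With `radiusd -X` the difference is visible in the `[ldap]` lines: the search now runs in `DC=domäne,DC=de` with `(sAMAccountName=user)`, returns the user's DN as `Ldap-UserDn`, and the group comparison issues a second search `(&(cn=WLAN)(objectClass=group)(member=<user DN>))`. A user outside the group (or one not found at all) now ends in `reject` from authorize instead of reaching `ntlm_auth`. Keep the `ntlm_auth` side from the earlier posts for the actual password check; this LDAP part only decides who is allowed to try.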