NEW Package: freeRADIUS 2.x
-
Hi,
I have just removed the old package and installed the current one 2.1.12 pkg v1.4.2
The configuration has been kept back, but now I cannot login properly.This is the log :
Tue Jan 3 21:52:49 2012 : Auth: Login incorrect: [$MYUSER/<via auth-type="EAP">] (from client pfsenselocal port 0 cli B4-07-F9-E5-9F-81)</via>
I have also tried to reset the username and pass but It did not work.
It was fine before upgrading though.
Thanks
-
Hi,
I have just removed the old package and installed the current one 2.1.12 pkg v1.4.2
The configuration has been kept back, but now I cannot login properly.This is the log :
Tue Jan 3 21:52:49 2012 : Auth: Login incorrect: [$MYUSER/<via auth-type="EAP">] (from client pfsenselocal port 0 cli B4-07-F9-E5-9F-81)</via>
I have also tried to reset the username and pass but It did not work.
It was fine before upgrading though.
Thanks
Which pkg version did you use before ?
Do you user certificates or just username/password ?
Do you connect from a windows client ?Can you post output of "users" file ? (View Config -> users)
-
Hi thanks for you quick reply :-)
I used the 1.4.0 I think, I did upgrade yesterday if I am not wrong. Today I found there was a new update so I have upgraded straightaway as I have never had any problems in the past to upgrade to the very next version.
I use only username and password, not any certificate at the moment, but it's something I will look into.
I am using my android mobile phone gingerbread v. 2.3.6 ( used to work yesterday ).
The config file is :
/usr/local/etc/raddb/users
"myuser" Cleartext-Password := "mypass", Simultaneous-Use := "3"
-
Is this the only output in syslog according freeradius ?
Cann you stop freeradius service in GUI, SSH to your machine and start radiusd in debug mode.
Just type in:radiusd -X
This is a capital X
Then the last lines of the output should be
"Ready to process requests"Then try to connect with your client/phone and post the output of freeradius when the client tries to connect.
-
nope, that is the output of catting users.
But what I noticed something weird:1)I can connect if I choose TLS instead of PEAP.
2)then if I disconnect and use PEAP again it does work ( guess it does not do any further check as if successfully logged in minutes agoBut If I reboot the pfsense box and try to connect using PEAP first it won't work.
This is from my laptop, which is a ubuntu oneiric 32bit using ralink chipset.
$ cat /var/log/radius.log
Tue Jan 3 23:50:19 2012 : Info: Loaded virtual server <default>Tue Jan 3 23:50:19 2012 : Info: Loaded virtual server soh-server
Tue Jan 3 23:50:19 2012 : Info: Ready to process requests.
Tue Jan 3 23:50:20 2012 : Info: Signalled to terminate
Tue Jan 3 23:50:20 2012 : Info: Exiting normally.
Tue Jan 3 23:50:28 2012 : Info: Loaded virtual server <default>Tue Jan 3 23:50:28 2012 : Info: Loaded virtual server soh-server
Tue Jan 3 23:50:28 2012 : Info: Ready to process requests.
Tue Jan 3 23:51:02 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:02 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:09 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:09 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:14 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:14 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:18 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:18 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:22 2012 : Auth: Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:22 2012 : Auth: Login incorrect: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)
Tue Jan 3 23:51:43 2012 : Auth: Login OK: [gettons/<via auth-type="mschap">] (from client wifi-ap port 0 via TLS tunnel)
Tue Jan 3 23:51:43 2012 : Auth: Login OK: [gettons/<via auth-type="EAP">] (from client wifi-ap port 0 cli E0-CA-94-36-3E-68)</via></via></via></no></via></no></via></no></via></no></via></no></default></default> -
Nachtfalke,
I've just uploaded freeradius2 and openldap-sasl.
-
@gettons
Not sure if this is an problem of freeradius or a configuration "problem" of your AP or freeradius-EAP setup.
The package offers the default settings which are in the eap.conf file. I am unsure what you have to change as I need to read the docs and wikis on freeradius first.You could try with "copy reply to tunnel".
You further did not post the output of what "radiusd -X" is showing. radius.log and system.log do not offer all "errors".
@marcelloc,
I will test the i386 package as far as I get some time. It is late now in middle europe :P
You will get my feedback tomorrow morning. -
This should work by default as far as I know for now. The CISCO SG300-28 switch for example is sending the MAC address in username and password, all small letters without whitespace.
So you take a look on the user's guide and check the format the MAC address is sent.If the PCs MAC address is for example:
00:11:AA:BC:DE:FFThan the username and password in freeradius users should be:
0011aabcdeffPlease post back if you could try this and if it is working or not.
I am on vacation until 09 january 2012 and do not have the chance to test this all on a real switch and environment.
This is on my "todo" list - to check all features I added just from How-To's in real ;-)I'm afraid I can't test this as our switches don't support 802.1x mac authentication, only port based. (With the Calling-Station-ID attribute) but by looking to the Mac-Auth info on the freeradius website it looks very easy to implement both a user auth and if that should fail, try the Calling-Station-ID for mac-auth.
In that way also switches that won't support 802.1x mac auth could be supported.
I'll test this out tomorrow if I can modify your config file a bit to make this work.
-
@sander
Yes, of course, you are welcome! :-)
freeRADIUS offers so much options and I really do not know all of them or used them. So it is really great if someone could help and test things :-)@marcelloc
I tested the package you compiled on i386
It is working as well as the amd64 but a little bit better ;o)freeradius-2.1.12.tbz is now installing the dependencies "postgresql" and "mysql-client" on its own.
I then copied the missing files from your "ldd" folder to /usr/local/lib/ and installed the "openldap-client" which automatically installed the "cyrus-sasl" dependency.The tests I did above with amd64 (mysql, postgresql, ldap) had the same (positiv) result as on i386. :D
Ok, now I will try to find out how to use a wireless-AP with WPA/WPA2-Enterprise and PEAP and EAP-MSCHAPv2 on a Windows XP client and why it isn't working as expected by gettons.
-
Updates pkg v1.4.3
-
changed: service name and description (Services)
-
fixed: EAP-PEAP - there were problems when starting "soh" server. (eap)
-
Added: ability to change if MS Statement of Health should be enabled in EAP-PEAP or not. (eap)
@gettons
I tried with an Windows XP Client and an D-Link DIR-300 with DD-WRT firmware. Enabled WPA2 Enterprise on AP, added the AP-IP as NAS/Client on freeRADIUS server with same "shared secret".
Added a user "test" with password "test".I had to import the "ca.der" from freeradius on the Windows XP Client and import it there and choose it in the network connections. This is how it is described here (german how-to) with many pictures:
http://www.administrator.de/index.php?content=142241For my Windows XP Client the authentication is working with PEAP and MSCHAPv2.
The first time I connect I have to enter my user credentials (a windows window pops up where I enter username and password) - then I got connected. I got output in syslog if it works or not.When I connect the second time then I do NOT need to enter username and password again.
Hope this will solve your problem. Feedback appreciated :-)
-
-
I did some more tests and there are two possibilities.
If you disable "Check Server certificates" (see attachment) than you can connect just with the username. Then you do not need to import anything fromm freeradius server on the client.The other possibility is that you ENABLE "Check Server Certificates" (see other attachment) and then you will be promted to accept the CA or not. If you accept then this cert will be added to your cert store. In Windows XP you can check this from here:
Start -> run -> certmgr.msc
There you find - I think it is the second from top (in german: "Stammzertifizierungsstelle"). There you should find the CA you accepted.
![PEAP check cert.JPG](/public/imported_attachments/1/PEAP check cert.JPG)
![PEAP check cert.JPG_thumb](/public/imported_attachments/1/PEAP check cert.JPG_thumb) -
thank you very much Nachtfalke.
I will try these settings later as I am not home now.But just to clarify: my problem was with ubuntu and android, I have not tested with win 7 yet. But I will surely do.
Thanks again, will get back to you asap
-
thank you very much Nachtfalke.
I will try these settings later as I am not home now.But just to clarify: my problem was with ubuntu and android, I have not tested with win 7 yet. But I will surely do.
Thanks again, will get back to you asap
Hi,
I think this was not OS dependent but I got some problems with the old pkg v1.4.2, too. I tried with Windows XP and WLAN because this is the only equipment I can use at the moment (I am on vacation).
Not sure why, but my patch was merged some hours ago but there is still the old pkg version available. So you will have enough time :D
-
@gettons
Not sure if this is an problem of freeradius or a configuration "problem" of your AP or freeradius-EAP setup.
The package offers the default settings which are in the eap.conf file. I am unsure what you have to change as I need to read the docs and wikis on freeradius first.You could try with "copy reply to tunnel".
You further did not post the output of what "radiusd -X" is showing. radius.log and system.log do not offer all "errors".
@Nachfalke
This is the output of radiusd -X once I try to connect with my android mobile phone.
Again, it might be useful for you to know. With the previous version of your package it used to work fine. What I did was just to uninstall the package and install it again. I also rebooted in between just to be double sure.The log is http://pastebin.com/XAsPjDSD It;s quite long and I didn't want to mess the thread
-
@gettons
Not sure if this is an problem of freeradius or a configuration "problem" of your AP or freeradius-EAP setup.
The package offers the default settings which are in the eap.conf file. I am unsure what you have to change as I need to read the docs and wikis on freeradius first.You could try with "copy reply to tunnel".
You further did not post the output of what "radiusd -X" is showing. radius.log and system.log do not offer all "errors".
@Nachfalke
This is the output of radiusd -X once I try to connect with my android mobile phone.
Again, it might be useful for you to know. With the previous version of your package it used to work fine. What I did was just to uninstall the package and install it again. I also rebooted in between just to be double sure.The log is http://pastebin.com/XAsPjDSD It;s quite long and I didn't want to mess the thread
Hi,
the reason why I asked you between which version the error comes up was to find out what I changed and what could cause the problem.
I think I could reproduce your problem with my hardware and it is pointing to the "soh" server.Lines ~470
[peap] server soh { No such virtual server "soh" Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel) [peap] } # server soh [peap] Got SoH reply [peap] SoH was rejected [peap] FAILURE</no>
You could try the following until the pfsense server offers the new version:
- SSH to your pfsense
- Kill radiusd service
- edit /usr/local/etc/raddb/eap.conf
- scroll down where you find these two lines:
soh = yes soh_virtual_server = "soh-server"
Delete these lines, save the file and restart freeradius FROM CONSOLE
/usr/local/sbin/etc/rc.d/radiusd onestart
Then it should work.
-
It does work like a charm now!
Thanks.So, is this small modification something you will be including in the next freeradius package or not ? Or something which has to stay there for other purposes?
-
It does work like a charm now!
Thanks.So, is this small modification something you will be including in the next freeradius package or not ? Or something which has to stay there for other purposes?
As you could read in my last pkg Updates post here on the forum ;o)
I have included that. You now can choose if you want to enable or disable the SoH server and - thats the main part - I correctet the servername from "soh" which was wrong to "soh-server" which is correct.So it shpuld work with and without but in future you will have the decision ;-)
-
This is great stuff!
-
Updates pkg v1.4.3:
-
Added: GUI to configure FreeRADIUS2 with LDAP. This will only work if we can use the new binaries.
-
Updated: FreeRADIUS 2.x package documentation on http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
-
-
Nice one!
One more question for you if you don't mind: are the settings for freeradius2 package kept in xml files within the OS?
cause I noticed if you reinstall the package after you removed it does keep old settings. Is there a quick way to purge the config? -
Nice one!
One more question for you if you don't mind: are the settings for freeradius2 package kept in xml files within the OS?
cause I noticed if you reinstall the package after you removed it does keep old settings. Is there a quick way to purge the config?Yes, all settings, users, clients are saved in the config. The only thing which is NOT stored there are the CA and certs which you created with the freeradius cert-manager. If you use the pfsense cert-manager then these are saved in the config, too.
To cleanup the config from old freeradius entries there are two ways:
1.) Diagnostics -> Backup/Restore -> Backup the config.xml and then delete the freeradius2 entries and restore the config. A reboot is needed.
2.) SSH to your pfsense and edit /config/config.xml and delete the freeradius2 entries. A reboot is needed. -
@gettons
Not sure if this is an problem of freeradius or a configuration "problem" of your AP or freeradius-EAP setup.
The package offers the default settings which are in the eap.conf file. I am unsure what you have to change as I need to read the docs and wikis on freeradius first.You could try with "copy reply to tunnel".
You further did not post the output of what "radiusd -X" is showing. radius.log and system.log do not offer all "errors".
@Nachfalke
This is the output of radiusd -X once I try to connect with my android mobile phone.
Again, it might be useful for you to know. With the previous version of your package it used to work fine. What I did was just to uninstall the package and install it again. I also rebooted in between just to be double sure.The log is http://pastebin.com/XAsPjDSD It;s quite long and I didn't want to mess the thread
Hi,
the reason why I asked you between which version the error comes up was to find out what I changed and what could cause the problem.
I think I could reproduce your problem with my hardware and it is pointing to the "soh" server.Lines ~470
[peap] server soh { No such virtual server "soh" Invalid user: [gettons/<no user-password="" attribute="">] (from client wifi-ap port 0 via TLS tunnel) [peap] } # server soh [peap] Got SoH reply [peap] SoH was rejected [peap] FAILURE</no>
You could try the following until the pfsense server offers the new version:
- SSH to your pfsense
- Kill radiusd service
- edit /usr/local/etc/raddb/eap.conf
- scroll down where you find these two lines:
soh = yes soh_virtual_server = "soh-server"
Delete these lines, save the file and restart freeradius FROM CONSOLE
/usr/local/sbin/etc/rc.d/radiusd onestart
Then it should work.
Although It worked, after a reboot the changes I made in /usr/local/etc/raddb/eap.conf get reverted.
-
That is the behaviour of files which are configured by GUI. They will be overwritten in many situations.
You have to wait until the freeradius pkg 1.4.3 or higher is available. There is nothing I can do now - you could ask the pfsense developers why the repo isn't syncing. -
Updates pkg v1.4.4:
- Added: LDAP GUI -> We need to wait until we can use the freeradius2 package compiled with the missing dependencies and modules (rlm_ldap) but the GUI is working
Updates pkg v1.4.5:
-
Added: Ability to do use first 802.1X auth and if this fails check the Access-Request against a plain mac auth file (authorized_macs). This will help us if we use a NAS which does not support converting the mac address into a "username/password"-802.1X like Access-Request.
-
Added: Plain MAC Auth entries could now be synced with XMLRPC
-
TO-DO: Check/Test how we could place check and reply-items the beste way in authorized_macs.
-
Updated: Documentation on docs.pfsense.org
-
Hi,
Very useful package!!! Thanks a lot!
My question is:-
Does this package support Mysql now? Actually I can see the option in the PF Menu but it seems not working.
-
I would like to create a Hotspot by using this package + Captive Portal + MySQL + DDWRT Router. (eg:http://www.wiwiz.com/)
It would be great appreciated if there is any references for setting these matters?
Sorry for the poor English.
Thanks again for any reply! -
-
Hi,
Very useful package!!! Thanks a lot!
My question is:-
Does this package support Mysql now? Actually I can see the option in the PF Menu but it seems not working.
-
I would like to create a Hotspot by using this package + Captive Portal + MySQL + DDWRT Router. (eg:http://www.wiwiz.com/)
It would be great appreciated if there is any references for setting these matters?
Sorry for the poor English.
Thanks again for any reply!Hi,
-
LDAP and SQL isn't supported at the moment. The GUI is ready but we first have to compile freeradius with MySQL, PostgreSQL and LDAP support. This takes some time but it will be supported in the - hopefully - near future.
-
I didn't use that but as far as I know the CaptivePortal in pfsense supports connecting to a RADIUS. An if this package has MySQL support this should be possible for you to realize.
-
-
Hi,
Very useful package!!! Thanks a lot!
My question is:-
Does this package support Mysql now? Actually I can see the option in the PF Menu but it seems not working.
-
I would like to create a Hotspot by using this package + Captive Portal + MySQL + DDWRT Router. (eg:http://www.wiwiz.com/)
It would be great appreciated if there is any references for setting these matters?
Sorry for the poor English.
Thanks again for any reply!Hi,
-
LDAP and SQL isn't supported at the moment. The GUI is ready but we first have to compile freeradius with MySQL, PostgreSQL and LDAP support. This takes some time but it will be supported in the - hopefully - near future.
-
I didn't use that but as far as I know the CaptivePortal in pfsense supports connecting to a RADIUS. An if this package has MySQL support this should be possible for you to realize.
Thanks for the quick reply!
Looking forward to the update version:)
-
-
zlyzwy,
If you know how to handle with packages at console and want to help on testing these new features, follow Nachtfalke posts on how to update to test version
http://forum.pfsense.org/index.php/topic,43675.msg232220.html#msg232220
http://forum.pfsense.org/index.php/topic,43675.msg232312.html#msg232312
-
Updates pkg v1.4.6:
- Fixed: When Plain MAC Auth is enabled we are now able to not only check against EAP-X but against all other modules. The MAC check is now before all other checks and if it fails it proceeds with the rest.
-
Updates pkg v1.4.7:
-
Added: extended features for MySQL, PostgreSQL, LDAP, Kerberos support
-
Changed: Path to new packages and its dependencies
-
Updated: FreeRADIUS 2.x package documentation on doc.pfsense.org
And the oscar goes to:
marcelloc
Thank you for compiling freeradius2 with the extended features and hosting the packages! -
-
I'm trying to get LDAP working but I'm getting the following output:
[ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [USER/PASSW]
Does anyone know why this is happening? When I manually do an ldap search with another program with the same user I do get a result back.
-
Hello!
So Nachtfalke and marcelloc, thank you for great job!I've done the same job about two weeks ago and I regret now not sharing my work :/
I've compiled ldap, kerberos modules (don't needed mysql and other db's).So now to make AD integration possible it is necessary to have Samba and Kerberos packages.
why?
simple version, maybe little mixed up. samba has winbind, which allow kerberos to authenticate in windows domain.
winbind has module ntlm_auth which can ask server about the user, but we have to be member of domain.so what am I doing is tryin' to compile Samba 3 for Pfsense, next Kerberos and will post here about results
-
I'm trying to get LDAP working but I'm getting the following output:
[ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [USER/PASSW]
Does anyone know why this is happening? When I manually do an ldap search with another program with the same user I do get a result back.
you didn't give anything about your config, but I'll try guess:
If you have MS AD try to filter:
(sAMAccountName=%{mschap:User-Name})
otherwise maybe:
(uid=%{mschap:User-Name})I don't know if you have your Identity configured properly, show it for us
-
Hi,
Sorry, its indeed MS AD (2008R2). I already tried with the sAMAccountName but didn't had the MSCHAP in it, tried it again, but still no luck:
radtest nas PASSW localhost 1 testpass
[ldap] performing user authorization for nas [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=nas) [ldap] expand: o=intersui,c=local -> o=intersui,c=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.10.1.1:389, authentication 0 [ldap] bind as WDSINST/***** to 10.10.1.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=intersui,c=local, with filter (sAMAccountName=nas) [ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [nas/****] (from client pfsense2 port 1)
Base Filter: (objectclass=*)
Filter: (sAMAccountName=%{mschap:User-Name})
Basedn: o=intersui,c=local -
Hi,
Sorry, its indeed MS AD (2008R2). I already tried with the sAMAccountName but didn't had the MSCHAP in it, tried it again, but still no luck:
radtest nas PASSW localhost 1 testpass
[ldap] performing user authorization for nas [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=nas) [ldap] expand: o=intersui,c=local -> o=intersui,c=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.10.1.1:389, authentication 0 [ldap] bind as WDSINST/***** to 10.10.1.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=intersui,c=local, with filter (sAMAccountName=nas) [ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [nas/****] (from client pfsense2 port 1)
Base Filter: (objectclass=*)
Filter: (sAMAccountName=%{mschap:User-Name})
Basedn: o=intersui,c=localchange basedn to
basedn: cn=Users,dc=intersui,dc=local
as far as I know if you want filter sAMAccountName you have to use Microsoft style, so dc, dc ;) -
That did the trick :) BUT he still doesn't give me an accept message:
++[files] returns noop [ldap] performing user authorization for nas [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=nas) [ldap] expand: ou=Accounts,dc=intersui,dc=local -> ou=Accounts,dc=intersui,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Accounts,dc=intersui,dc=local, with filter (sAMAccountName=nas) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user nas authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] returns noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [nas/*****] (from client pfsense2 port 1) Using Post-Auth-Type Reject
On Google this gives me lots of results but not really a solution. (The DN bind user is Administrator, so its not a permission issue - found some posts refering to this)
Also "set_auth_type = yes/no" as mentioned on Google doesn't help.
-
Thank you very much for your feedback. I read about the samba and winbind "problematic" to use an Active Directory with freeradius. But I am not sure at all now - I thought that Win Server 2003 and higher has LDAP compatibility but you first have to enable something on Windows Server. But I am not sure on that and I do not find the documentation…
freeradius2 has an "rlm_smb" module but this is still experimental. This is the excerpt of the makefile:
# No SMB option yet; rlm_smb is still unbuildable .ifdef(WITH_SMB) LIB_DEPENDS= smbclient.0:${PORTSDIR}/net/samba-libsmbclient CONFIGURE_ARGS+=--with-rlm_smb CONFIGURE_ARGS+=--with-rlm-smb-lib-dir=${LOCALBASE}/lib CONFIGURE_ARGS+=--with-rlm-smb-include-dir=${LOCALBASE}/include PLIST_SUB+= SMB="" .else CONFIGURE_ARGS+=--without-rlm_smb PLIST_SUB+= SMB="@comment " .endif # SMB module is still experimental .if defined(WITH_SMB) && !defined(WITH_EXPERIMENTAL) WITH_EXPERIMENTAL= yes .endif
The third thing I read about here in the forum is/was that someone had installed samba on pfsense but it breaks the hole system.
@pszafer:
You wrote you worked on freeradius2 (compiling) in the past. Did you use it on pfsense and how did you get it work with LDAP and/or AD ?
If there are samba binaries which don't breake the system I am sure we can add these to freeradius2 package and the create a GUI to edit the smb.conf. That shouldn't be to hard if we know the command lines. -
@sandern
in /usr/local/etc/raddb/sites-enabled/default
you have authentication sectionso far we've got plaint text password and this is our problem, we need nt-domain hash.
you could try comment line with unix auth
and uncomment Auth-Type LDAP, but this will propably cause other errors.
I've done this before so linux users with pap auth were authenticated succesfully, but trully I remove this and backuped in wrong place (it's gone) so I can't easy come back to this, but I don't want to.@Nachtfalke
AD is compatible with LDAP in way we wanted to.
We need Kerberos to get ticket to get authenticated - http://www.google.pl/imgres?q=kerberos+eap&um=1&hl=pl&authuser=0&biw=1920&bih=913&tbm=isch&tbnid=4SMvBpPK_Big9M:&imgrefurl=http://anil-identity.blogspot.com/2009_02_01_archive.html&docid=xeW3QfB9c27wtM&imgurl=http://identitymeme.org/wp-content/uploads/2009/02/krbandweb-opps_06-700x366.png&w=700&h=366&ei=gUcLT5qpEcmq-AaFwL20AQ&zoom=1&iact=hc&vpx=1506&vpy=159&dur=1520&hovh=162&hovw=311&tx=119&ty=97&sig=107427534317749718724&page=1&tbnh=86&tbnw=164&start=0&ndsp=53&ved=1t:429,r:8,s:0To get Kerberos working with AD we need get winbind (which is in Samba packet). Winbind is service allows to get authenticated over Windows PDC.
rlm_smb is something worth to try and interesting.About Samba compiling, I think someone could try to use samba as file sharing server so firewall would be messed up.
I wanted to use Samba only for purpose to authenticate user and I think it is possible ;)Two weeks ago I've bought new netgear router to my workplace, upgraded to OpenWRT and wanted to authenticate wifi via 802.1x.
As Domain Controller shouldn't be used for this for security reasons I decided to do it on pfsense router. Didn't search forum what's going on with this packet, didn't see this in GUI so recompiled freeradius on freebsd virtual machine and added necessary libraries for that.
I've come here because I was exhausted for tryin' ntlm_auth to work. Squid package has some ntlm_auth without samba, so I assumed it is possible. Now I think my assumption was wrong :POkay, now I'm reading about rlm_smb, maybe do something with that.
–------------------
one weird thing, in dd-wrt it is for 5 years and it is still experimental? am I missing something? -
I wanted to use Samba only for purpose to authenticate user and I think it is possible
Only if you do it by hand, installing freebsd packages.Samba as a pfSense package is really not a good idea for firewall.
-
in freebsd packages there are no security=ads. Unfortunately we need only this from samba :/