Radius + Active directory + Cisco

1. Radius + Active directory + Cisco

Robson
enemy100

(uses Ubuntu)

Sent on 12/03/2009 - 13:55h

Hello,
I've had a big problem for months.

I want to authenticate my AD user on the Cisco. I feel like I'm almost there, but I'm getting the following error:

In the output of radiusd -X it shows:


rad_recv: Access-Request packet from host 10.3.0.251 port 1645, id=8, length=81
User-Name = "robson.gomes"
User-Password = "senha"
NAS-Port = 227
NAS-Port-Type = Virtual
Calling-Station-Id = "10.3.17.1"
NAS-IP-Address = 10.3.0.251
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[ldap] performing user authorization for robson.gomes
[ldap] expand: (uid=%u) -> (uid=robson.gomes)
[ldap] expand: cn=consultasldap,dc=timlig -> cn=consultasldap,dc=timlig
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=consultasldap,dc=timlig, with filter (uid=robson.gomes)
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect (rlm_ldap: User not found): [robson.gomes/senha] (from client CRHQT02 port 227 cli 10.3.17.1)
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 8 to 10.3.0.251 port 1645
Waking up in 4.9 seconds.
Cleaning up request 4 ID 8 with timestamp +1258
Ready to process requests.


I configured AD to accept anonymous queries, and on Linux the output of the ldap search command nicely shows the group, the user and so on:

# ldapsearch -h lab-timlig.timlig -b 'cn=consultasldap,dc=timlig' -x -LLL 'objectclass=*'

dn: CN=consultasldap,DC=TIMLIG
objectClass: top
objectClass: group
cn: consultasldap
member: CN=akuma,CN=Users,DC=TIMLIG
member: CN=robson.gomes,CN=Users,DC=TIMLIG
member: CN=Administrator,CN=Users,DC=TIMLIG
distinguishedName: CN=consultasldap,DC=TIMLIG
instanceType: 4
whenCreated: 20090212183602.0Z
whenChanged: 20090312160706.0Z
uSNCreated: 16978
memberOf: CN=Administrators,CN=Builtin,DC=TIMLIG
uSNChanged: 36981
name: consultasldap
objectGUID:: 0DSRV9graUK4s+pehWkbSQ==
objectSid:: AQUAAAAAAAUVAAAAX9pXiXweRAg+2/pLXAQAAA==
adminCount: 1
sAMAccountName: consultasldap
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=TIMLIG

I created a group called ''consultasldap'' and the users who are allowed to authenticate are in this group.


In my radiusd.conf the MODULES part looks like this:

ldap {
server = lab-timlig.timlig
# identity = "cn=consultasldap,dc=timlig"
password = q1w2e3
basedn = "cn=consultasldap,dc=timlig"
filter = "(uid=%u)"
# filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# filter = "(&(objectClass=inetOrgPerson)(uid=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=person)"
dictionary_mapping = /usr/local/src/etc/raddb/ldap.attrmap
start_tls = no
# set to yes if you want to use TLS to encrypt
# the data on the connections to LDAP, and
# configure and uncomment the values below
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"

dictionary_mapping = /usr/local/src/etc/raddb/ldap.attrmap
# defines the attribute map file
# for your directory
ldap_connections_number = 5

# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames) (member=%{Ldap-UserDn})) (&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes

}

# authentication section
# responsible for checking the authentication type used
authenticate {
# Auth-Type PAP {
# pap
# }
# Auth-Type CHAP {
# chap
# }
# Auth-Type MS-CHAP {
# mschap
# }
# digest
# pam
# unix
Auth-Type LDAP {
ldap
}
# eap
}


# Pre-accounting section. Decides which type of accounting to use
preacct {
preprocess
# acct_unique
# home server as authentication requests.
# IPASS
# suffix
# ntdomain

#
# Read the 'acct_users' file
# files
}

# Accounting section. Records accounting data
accounting {
# detail
# daily
# unix
# radutmp
# sradutmp
# main_pool
# sql
# pgsql-voip
}


# Session control: used when doing session control to
# prevent simultaneous connections (stops the
# username from connecting several times from
# different places at the same time with the same login)
session {
radutmp
# sql
}


post-auth {
# main_pool
# reply_log
# sql
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}

pre-proxy {
# attr_rewrite
# pre_proxy_log
}

post-proxy {
# post_proxy_log
# attr_rewrite
# attr_filter
eap
}
# end of radiusd.conf



The users file looks like this:

DEFAULT Auth-Type := LDAP
#Service-Type = Login
#User-Profile = "cn=consultasldap,dc=timlig"


The Cisco is configured like this:


aaa authentication attempts login 2
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common




Can you guys help me????

My radius just keeps saying the user is invalid..
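
An added example, not from the original post nor from the tutorial the later reply mentions: a FreeRADIUS 2.x configuration (the debug output above is in the 2.x format) for looking up and authenticating Active Directory users for Cisco logins. Two things in the debug output above prevent a match regardless of the password: the search base is the group object `cn=consultasldap,dc=timlig`, and a subtree search below a group finds nothing because a group has no child entries (the ldapsearch output shows the members live under `CN=Users,DC=TIMLIG`); and the filter `(uid=%u)` asks for an attribute AD does not populate by default, since AD user objects are keyed by `sAMAccountName`. AD also never returns password attributes, so the authenticate step has to bind to AD as the user with the supplied `User-Password`. The bind account DN and password, the CA certificate path and the RADIUS shared secret below are placeholders, and the group restriction and the privilege-15 reply are design choices of this example, not something the thread specifies.

```conf
# --- modules/ldap (FreeRADIUS 2.x; option names match the ones in the post) ---
# Placeholders, not values from the thread: the bind account, its password,
# the CA file and the shared secret in clients.conf.
ldap {
    server = "lab-timlig.timlig"

    # Bind with a dedicated low-privilege service account instead of leaving
    # AD open to anonymous queries. Keep this file readable by radiusd only.
    identity = "CN=radius-bind,CN=Users,DC=TIMLIG"
    password = "CHANGE-ME-bind-account-password"

    # Search where the user objects actually are: the ldapsearch output lists
    # the members as CN=<user>,CN=Users,DC=TIMLIG. A subtree search below the
    # group object itself can never match a user entry.
    basedn = "CN=Users,DC=TIMLIG"

    # AD keys user objects by sAMAccountName; uid is not populated by default,
    # so (uid=%u) never matches. Stripped-User-Name covers realm-stripped
    # names if the suffix/ntdomain modules are enabled later.
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectClass=person)"

    # The user's password travels to AD in the bind, so encrypt the LDAP
    # session and verify the DC's certificate (the DC needs a server cert).
    start_tls = yes
    tls_cacertfile = ${confdir}/certs/ad-ca.pem
    tls_require_cert = "demand"

    # Group check used by the users file below. AD groups are objectClass
    # group with a member attribute, not groupOfNames/groupOfUniqueNames.
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"

    dictionary_mapping = ${confdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

# --- users ---
# Only members of consultasldap may log in; they authenticate by an LDAP bind
# as themselves and get exec privilege 15 straight away, so IOS never needs
# the separate enable authentication (which it sends as user "$enab15$").
DEFAULT Ldap-Group == "consultasldap", Auth-Type := LDAP
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=15"

# No Fall-Through above, so this entry is reached only when the group check
# fails: unknown users and non-members are rejected explicitly.
DEFAULT Auth-Type := Reject

# --- sites-enabled/default (or radiusd.conf on a layout that still keeps the
#     sections there, like the one posted) ---
authorize {
    preprocess
    ldap     # locates the user entry and stores its DN in control:Ldap-UserDn
    files    # applies the Ldap-Group check and the reply items above
}

authenticate {
    # AD returns no password attribute, so the password can only be verified
    # by binding to AD as the user with the cleartext User-Password. That
    # means the NAS must send PAP; CHAP or MS-CHAP cannot be checked this way.
    Auth-Type LDAP {
        ldap
    }
}

# --- clients.conf: the router seen in the debug output as client CRHQT02 ---
client CRHQT02 {
    ipaddr  = 10.3.0.251
    secret  = "CHANGE-ME-long-random-shared-secret"
    nastype = cisco
}
```

A check before restarting radiusd: run the same search by hand with the bind account, e.g. `ldapsearch -H ldap://lab-timlig.timlig -ZZ -D 'CN=radius-bind,CN=Users,DC=TIMLIG' -W -b 'CN=Users,DC=TIMLIG' '(sAMAccountName=robson.gomes)' dn`; if that returns the user's DN, `radiusd -X` should show `++[ldap] returns ok` instead of `notfound`. On the IOS side the aaa lines quoted above still need a `radius-server host <radius-server-ip> auth-port 1645 acct-port 1646 key <secret>` entry matching clients.conf (the debug output shows the router using the legacy port 1645). Three caveats: IOS only falls through to the next method in a list (`local`, `enable`) when the RADIUS server does not answer, not when it sends Access-Reject, so a rejected `$enab15$` request blocks `enable` unless the user already lands at privilege 15 as above; the user's password crosses the wire twice, once in User-Password (protected only by the RADIUS MD5 obfuscation with the shared secret) and once in the LDAP bind, so keep the NAS-to-RADIUS path on a management network and insist on TLS to AD; and the anonymous query access that was enabled on AD for testing should be turned back off once the bind account works.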


2. Re: Radius + Active directory + Cisco

Amilar Sales Alves
Slackwarez

(uses Slackware)

Sent on 04/06/2012 - 11:22h

Hello, did you get anywhere?

I need to implement authentication on Wi-Fi through AD on Cisco routers on my network...



3. Radius authenticating against AD

Robson
enemy100

(uses Ubuntu)

Sent on 04/06/2012 - 16:07h

Man, yes I did manage it. Here's what I'll do: as soon as possible, still today, I'll send you or add here the tutorial I wrote on how to make radius look up the user in AD and authenticate for logging in to the Cisco, and then you give me feedback, ok?
Cheers..