Hi all,
I have been trying to get the YubiRadius 3.5 virtual appliance to work and not having much luck. I am currently using YubiRadius 3.0, which is working perfectly, but decided it was time to upgrade. With 3.5 I can install the virtual machine and add the domain; however, I cannot get it to authenticate users.
First I found two problems with the setup. Not sure the best place to report these; if anyone knows a better way please let me know:
The user import seems to only import users if they belong to a group under the Base DN I enter. For example, if I enter "ou=users, dc=example, dc=com" and all my groups are in "ou=groups, dc=example, dc=com", nothing is imported even if all my users are in the "users" OU. If I enter the Base DN as "dc=example, dc=com" then all users are imported. It might be worth changing point 3g on page 27 of the guide to read "...hierarchy under which the users and groups are located..."
When I deploy the appliance the time is always off by 5.5 hours from the hardware clock, which will prevent the AD password being accepted. Not sure if this is due to my VMware infrastructure or the image itself; it will cause a lot of frustration for people if it's not just me!
Now to the problems I'm still stuck on.
When I do the import from the Base DN "dc=example, dc=com", the users tab in the Webmin module lists all the GROUPS from my AD, and I can then click on those to see the users. This is despite the fact that I have "(objectClass=person)" in the filter box of the import. I have tried other options like filtering to a specific group, but that has no effect. Whatever I do I cannot get just users (as shown in the screenshots) to import. Not sure if this is how 3.5 is intended to work, but for my domain (SBS 2003) I have more groups than users, which makes things a bit messy.
My main problem is that I can assign a YubiKey to a user, however the test page always returns Access-Reject:
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=70, length=20
I can successfully validate the OTP on the troubleshooting page. I know the password is working because I used it to import the users from AD; I've changed the AD password so it does not include any special characters and is only 9 characters long.
The RADIUS log shows this, which so far I have not been able to decipher (despite what I suspect is a big hint in No "known good" password...):
Code:
Ready to process requests.
Waking up in 0.9 seconds.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
[<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
++[files] returns noop
[ldap] Setting Auth-Type = LDAP
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
++[ldap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> yubitest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Thread 2 waiting to be assigned a request
Sending delayed reject for request 1
Waking up in 4.9 seconds.
Cleaning up request 1 ID 165 with timestamp +127
Ready to process requests.
Any hints or suggestions greatly appreciated.
Cheers,
Neal Harrington
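An added helper, not from the original post or from Yubico, that walks a FreeRADIUS 2.x debug trace like the one above and pulls out the decisive facts: which module set Auth-Type, which module inside that Auth-Type section returned a failure, and any warnings raised on the way. The sample lines are a constructed excerpt of the post's log; the function and its field names are my own.

```python
import re
from typing import Dict

# Constructed excerpt of the FreeRADIUS 2.x debug output quoted in the post.
SAMPLE_LOG = """\
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
[ldap] Setting Auth-Type = LDAP
++[ldap] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
++[ldap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
"""

THREAD_PREFIX = re.compile(r"^\[<thread>\] ")
MODULE_RC = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rc>\w+)$")
GROUP = re.compile(r"^\+- entering group (?P<group>\S+) \{")
SET_AUTH = re.compile(r"^\[(?P<module>\w+)\] Setting Auth-Type = (?P<auth>\S+)$")
WARNING = re.compile(r"^\[(?P<module>\w+)\] WARNING! (?P<msg>.*)$")
FAILURE_RCS = {"invalid", "reject", "fail", "notfound", "userlock"}

def summarize_radius_debug(log: str) -> Dict[str, object]:
    """Return which module chose Auth-Type, which module in that section failed,
    and any warnings. Module return codes in other sections (e.g. authorize) are
    recorded only if they fall inside the Auth-Type group, so the pap warning in
    authorize does not get mistaken for the reject reason: with Auth-Type = LDAP
    the password is checked by the ldap module, not by pap."""
    summary: Dict[str, object] = {"auth_type": None, "auth_type_set_by": None,
                                  "failing_module": None, "failing_rc": None,
                                  "warnings": [], "rejected": False}
    group = None
    for raw in log.splitlines():
        line = THREAD_PREFIX.sub("", raw.strip())
        if m := SET_AUTH.match(line):
            summary["auth_type"], summary["auth_type_set_by"] = m["auth"], m["module"]
        elif m := GROUP.match(line):
            group = m["group"]
        elif m := WARNING.match(line):
            summary["warnings"].append(f"{m['module']}: {m['msg']}")  # type: ignore[union-attr]
        elif m := MODULE_RC.match(line):
            if group == summary["auth_type"] and m["rc"] in FAILURE_RCS:
                summary["failing_module"], summary["failing_rc"] = m["module"], m["rc"]
        elif line.startswith("Using Post-Auth-Type Reject"):
            summary["rejected"] = True
    return summary

if __name__ == "__main__":
    for key, value in summarize_radius_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the post's trace it reports Auth-Type LDAP set by ldap, ldap returning invalid inside the LDAP group, and the pap warning as a side note, which narrows the problem to the LDAP bind step rather than to the OTP or the pap module.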