FreeRadius + Windows AD Authentication
Varun Marwah
vmarwah at quark.com
Tue Nov 22 07:34:03 CET 2005
Hi,
I still face the problem of LDAP users with Dialup access not being able to
authenticate through the Radius Server.
Attached are the radiusd.conf file and the logs.
ldap {
	server = "10.91.0.33"
	identity = "cn=radiususer,ou=Users,ou=QMHI,dc=india,dc=quark,dc=com"
	password = Quark_123
	basedn = "dc=india,dc=quark,dc=com"
	filter = "(&(samaccountname=%{user-name}))"
	#filter = "(SamAccountName=%u)"
	#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	# base_filter = "(objectclass=radiusprofile)"
	# set this to 'yes' to use TLS encrypted connections
	# to the LDAP database by using the StartTLS extended
	# operation.
	# The StartTLS operation is supposed to be used with normal
	# ldap connections instead of using ldaps (port 689) connections
	start_tls = no
	# tls_cacertfile = /path/to/cacert.pem
	# tls_cacertdir = /path/to/ca/dir/
	# tls_certfile = /path/to/radius.crt
	# tls_keyfile = /path/to/radius.key
	# tls_randfile = /path/to/rnd
	# tls_require_cert = "demand"
	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	# profile_attribute = "radiusProfileDn"
	access_attr = "dialupAccess"
	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	#
	# NOTICE: The password_header directive is NOT case insensitive
	#
	password_header = "{clear}"
	#
	# Set:
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	#
	# NOTICE: The password_header directive is NOT case insensitive
	#
	#password_header = "{clear}"
	#
	# Set:
	# password_attribute = nspmPassword
	#
	# to get the user's password from a Novell eDirectory
	# backend. This will work *only if* freeRADIUS is
	# configured to build with --with-edir option.
	#
	#
	# The server can usually figure this out on its own, and pull
	# the correct User-Password or NT-Password from the database.
	#
	# Note that NT-Passwords MUST be stored as a 32-digit hex
	# string, and MUST start off with "0x", such as:
	#
	# 0x000102030405060708090a0b0c0d0e0f
	#
	# Without the leading "0x", NT-Passwords will not work.
	# This goes for NT-Passwords stored in SQL, too.
	#
	# password_attribute = userPassword
	#
	# Un-comment the following to disable Novell eDirectory account
	# policy check and intruder detection. This will work *only if*
	# FreeRADIUS is configured to build with --with-edir option.
	#
	# edir_account_policy_check=no
	#
	# groupname_attribute = cn
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	# groupmembership_attribute = radiusGroupName
	timeout = 40
	timelimit = 30
	net_timeout = 10
	# compare_check_items = yes
	# do_xlat = yes
	# access_attr_used_for_allow = yes
}
Logs
rad_recv: Access-Request packet from host 10.91.192.115:3072, id=0, length=139
	User-Name = "INDIA\\vmarwah"
	NAS-IP-Address = 10.91.192.115
	Called-Station-Id = "0012178026ed"
	Calling-Station-Id = "0012f0b442e3"
	NAS-Identifier = "0012178026ed"
	NAS-Port = 21
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0200001201494e4449415c766d6172776168
	Message-Authenticator = 0x663d5b4e1e084bb62c6db0268f187847
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "INDIA\vmarwah", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for INDIA\vmarwah
radius_xlat: '(&(samaccountname=INDIA))'
radius_xlat: 'dc=india,dc=quark,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.91.0.33:389, authentication 0
rlm_ldap: bind as cn=radiususer,ou=Users,ou=QMHI,dc=india,dc=quark,dc=com/Quark_123 to 10.91.0.33:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=india,dc=quark,dc=com, with filter (&(samaccountname=INDIA))
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
Please help me resolve this.
Thanks & Regards
Varun Marwah
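The debug log above shows the filter being expanded to (&(samaccountname=INDIA)): the User-Name "INDIA\vmarwah" was cut off at the backslash, so the directory was never asked about the vmarwah account at all. The following Python is an added example (not code from this post or from FreeRADIUS) that does the two things a safe filter build needs: strip the DOMAIN\ prefix so only the account name is searched, and escape the value per RFC 4515 so a backslash, parenthesis or asterisk in a user name can never change the filter's structure; escape_filter_value, split_nt_name, is_valid_filter_value and build_samaccount_filter are names of my own.

```python
import re
from typing import Optional

# RFC 4515 section 3: these characters may appear in an assertion value
# only in escaped form, as a backslash followed by two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# A syntactically valid assertion value: ordinary characters, or a backslash
# that is immediately followed by exactly two hex digits.
_VALID_VALUE = re.compile(r"^(?:[^\\*()\x00]|\\[0-9a-fA-F]{2})*$")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_nt_name(user_name: str) -> tuple[Optional[str], str]:
    """Split 'DOMAIN\\account' into (domain, account); a name without a
    backslash has no domain part. Only the first backslash separates."""
    domain, sep, account = user_name.partition("\\")
    return (domain, account) if sep else (None, user_name)


def is_valid_filter_value(raw: str) -> bool:
    """True if raw text could be placed in a filter without breaking its syntax.
    An unescaped 'INDIA\\vmarwah' fails: '\\vm' is not a valid escape."""
    return _VALID_VALUE.fullmatch(raw) is not None


def build_samaccount_filter(user_name: str) -> str:
    """The filter from the posted config, built safely: the domain prefix is
    removed and the account name is escaped before it is interpolated."""
    _domain, account = split_nt_name(user_name)
    return f"(&(samaccountname={escape_filter_value(account)}))"


if __name__ == "__main__":
    # Constructed samples: the User-Name from the posted log, a plain name,
    # and a value that would act as a wildcard if interpolated unescaped.
    for name in ("INDIA\\vmarwah", "vmarwah", "*"):
        print(f"{name!r:18} raw usable: {is_valid_filter_value(name)!s:5} "
              f"-> {build_samaccount_filter(name)}")
```

In FreeRADIUS itself the split is normally done by a realm with a backslash delimiter, after which %{Stripped-User-Name} (the variable already used in the commented-out uid filter above) carries only the account part.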
-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
freeradius-users-request at lists.freeradius.org
Sent: Monday, November 21, 2005 11:45 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 7, Issue 79
Today's Topics:
1. Re: Freeradius - LDAP - Active Directory (Konne)
2. RE: wireless+freeradius+AD (King, Michael)
3. Re: 802.1x machine authentication patch help (Jamie Crawford)
4. tool for testing machine authentication (Norbert Wegener)
5. Re: tool for testing machine authentication (Konne)
6. RE: tool for testing machine authentication (Cris Boisvert)
7. Re: tool for testing machine authentication (Robin Mordasiewicz)
8. Re: tool for testing machine authentication (Konne)
9. Cache with proxy (Romain GAILLEGUE)
10. RE: tool for testing machine authentication (Robin Mordasiewicz)
----------------------------------------------------------------------
Message: 1
Date: Mon, 21 Nov 2005 13:03:52 +0100
From: Konne <bridge_stone at gmx.net>
Subject: Re: Freeradius - LDAP - Active Directory
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4381B7A8.7020303 at gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi,
I found the problem...
*before*
basedn = "dc=my,dc=dom"
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
*after, now it goes*
basedn = "ou=wireless,dc=my,dc=dom"
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
timeout = 40
timelimit = 30
net_timeout = 10
Thanks
------------------------------
Message: 2
Date: Mon, 21 Nov 2005 09:50:15 -0500
From: "King, Michael" <MKing at bridgew.edu>
Subject: RE: wireless+freeradius+AD
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Message-ID:
<EFB7B6506E9AB147BCC8EF9417E22091046723D4 at EXCH2.campus.bridgew.edu>
Content-Type: text/plain; charset="US-ASCII"
> Oh, excellent. I just joined this list hoping to query the
> members on finding more information on doing
> wireless+activedirectory+freeradius,
> unfortunately I could not find any good postings, or web
> toots/examples.
Hi Robin, welcome to the club.
> I would need to use Microsoft IAS. Is this false?
Yes, that particular example used Microsoft IAS, but it is not
required.
> Are people
> using Active Directory successfully?
Yes. Besides myself, there are many people on this list that are.
> I have a linux box that
> is currently acting as a tacacs server while authenticating
> using winbind etc, and was hoping to make it a radius server as well.
You are already 3/4 of the way there, since the trickiest part of my
freeradius setup was getting winbind to talk to activedirectory.
Depending on your Linux distribution, you will just have to install
freeradius. (Some distributions like Debian require a -disable-shared)
Go through the radiusd.conf and the eap.conf files; they are clearly commented
on what you need to configure.
You'll see a section marked:
ntlm_auth = "/path/to/ntlm_auth ........(Trimmed)
You might need to modify this to:
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Don't hesitate to ask questions. There is a good Howto (unfortunately, I
don't have my bookmarks with me) but some others on the list hopefully
will post it.
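To make the ntlm_auth line above concrete, here is an added Python example (not from this post, FreeRADIUS or Samba). It computes what %{mschap:Challenge} expands to for MS-CHAPv2, the RFC 2759 ChallengeHash over the peer challenge, the authenticator challenge and the user name (FreeRADIUS strips a DOMAIN\ prefix before hashing, which nt_username mirrors), and assembles the ntlm_auth arguments from the post as an argv list with length checks; nt_username, nt_domain, challenge_hash and ntlm_auth_argv are my own names.

```python
import hashlib
from typing import List


def nt_username(user_name: str) -> str:
    """Account part of 'DOMAIN\\account'; a plain name is returned unchanged.
    This is the value %{mschap:User-Name} yields and what goes into the hash."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def nt_domain(user_name: str) -> str:
    """Domain part of 'DOMAIN\\account', or '' when the name carries none."""
    return user_name.split("\\", 1)[0] if "\\" in user_name else ""


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA-1 over PeerChallenge, AuthenticatorChallenge
    and the user name, truncated to 8 bytes. This 8-byte value is the MS-CHAPv2
    challenge that %{mschap:Challenge} hands to ntlm_auth."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + auth_challenge +
                          nt_username(user_name).encode("utf-8")).digest()
    return digest[:8]


def ntlm_auth_argv(ntlm_auth: str, user_name: str, challenge: bytes,
                   nt_response: bytes) -> List[str]:
    """Assemble the ntlm_auth invocation from the post as an argv list (no shell
    involved), refusing wrongly sized values up front so a malformed request
    never reaches the helper."""
    if len(challenge) != 8:
        raise ValueError("--challenge must be the 8-byte MS-CHAP challenge")
    if len(nt_response) != 24:
        raise ValueError("--nt-response must be the 24-byte NT-Response")
    return [
        ntlm_auth,
        "--request-nt-key",
        f"--username={nt_username(user_name)}",
        f"--domain={nt_domain(user_name)}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={nt_response.hex()}",
    ]


if __name__ == "__main__":
    # RFC 2759 section 9.2 test vector: user "User" and the two 16-byte
    # challenges; the expected 8-byte challenge is D02E4386BCE91226.
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    print(challenge_hash(peer, auth, "User").hex())
    # Constructed NT-Response (all zero) just to show the argv shape.
    print(" ".join(ntlm_auth_argv("/usr/bin/ntlm_auth", "INDIA\\vmarwah",
                                  challenge_hash(peer, auth, "INDIA\\vmarwah"), bytes(24))))
```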
------------------------------
Message: 3
Date: Mon, 21 Nov 2005 08:54:11 -0600
From: "Jamie Crawford" <crawford at cmsu1.cmsu.edu>
Subject: Re: 802.1x machine authentication patch help
To: <freeradius-users at lists.freeradius.org>, <samba at lists.samba.org>,
<mgriego at utdallas.edu>
Message-ID: <s3818b53.061 at NETMAIL.CMSU.EDU>
Content-Type: text/plain; charset=US-ASCII
I found my problem. From Andrew Bartlett himself: "This is not supported
against NT4. Only Samba 3.0.21rc1 and AD support this extra flag." To do
machine authentication with freeradius, your workstation (supplicant) and
samba server must be a member of a 2000/2003 domain. I had the supplicant
and samba server still a member of the nt4 domain. Once I changed this, it
worked great. We're still in the middle of a migration from nt4 to 2003 and
all accounts still authenticate fine.
Thanks for everyone's help!
jamie
>>> mgriego at utdallas.edu 11/18/2005 12:16:43 PM >>>
Make sure you used the rlm_MSchap module from the snapshot, not the
rlm_chap module. They're different.
--Mike
Jamie Crawford wrote:
> Hi,
> I am trying to get machine authentication working with freeradius. I
> have patched the samba code and freeradius code. But am getting this
> error when the machine tries to authenticate. I patched the rlm_chap
> module by taking last night's cvs snapshot and copying over the rlm_chap
> folder overwriting the contents of the same folder in the
> freeradius-1.0.5 release and recompiling. I see that it is trying to
> pass the username as "host/IS--000031176". I thought the updated
> rlm_mschap was supposed to strip the "host/" part of the username. Do
> I need to create a realm to strip the "host/"?
> Any help would be appreciated!
> Thanks,
> jamie
>
> make clean
>
> ./configure --configure --with-raddbdir=/etc/radius
> --with-logdir=/var/log/radius --disable-snmp --without-rlm_sql
> --without-rlm_ldap --without-rlm_krb5
>
> make
>
> make install
>
> modcall: entering group Auth-Type for request 6
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for host/IS--000031176 with NT-Password
> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: d3
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> radius_xlat: '/usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--000031176 --challenge=12345ce0768615e --nt-response=123456f1011a2f799b5d62e04bad8bb39719fa48c3d11299e'
> Exec-Program: /usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--000031176 --challenge=123453ce0768615e --nt-response=12345f1011a2f799b5d62e04bad8bb39719fa48c3d11299e
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
------------------------------
Message: 4
Date: Mon, 21 Nov 2005 17:59:14 +0100
From: Norbert Wegener <nw at sbs.de>
Subject: tool for testing machine authentication
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4381FCE2.4070209 at sbs.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Does a tool exist that lets me test machine account authentication
against an AD?
Something like an equivalent to radtest?
Thanks
Norbert Wegener
------------------------------
Message: 5
Date: Mon, 21 Nov 2005 18:11:31 +0100
From: Konne <bridge_stone at gmx.net>
Subject: Re: tool for testing machine authentication
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4381FFC3.3010701 at gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi Norbert,
I use the program NTRadTest... on a Windows machine
and start freeradius with "freeradius -X", for debug.
bye
Norbert Wegener wrote:
> Does a tool exist, that lets me test machine account authentication
> against an AD?
> Something like an equivalent to radtest?
> Thanks
> Norbert Wegener
------------------------------
Message: 6
Date: Mon, 21 Nov 2005 12:15:10 -0500
From: "Cris Boisvert" <cris at usai.net>
Subject: RE: tool for testing machine authentication
To: "'FreeRadius users mailing list'"
<freeradius-users at lists.freeradius.org>
Message-ID: <000901c5eebf$22103960$064da8c0 at systemadmin>
Content-Type: text/plain; charset="us-ascii"
NTRADPING
It's a Windows tool that does exactly what you're looking for.
-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Norbert Wegener
Sent: Monday, November 21, 2005 11:59 AM
To: FreeRadius users mailing list
Subject: tool for testing machine authentication
Does a tool exist, that lets me test machine account authentication
against an AD?
Something like an equivalent to radtest?
Thanks
Norbert Wegener
------------------------------
Message: 7
Date: Mon, 21 Nov 2005 12:13:30 -0500 (EST)
From: Robin Mordasiewicz <rmordasiewicz at samuelmanutech.com>
Subject: Re: tool for testing machine authentication
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID:
<Pine.LNX.4.58.0511211212510.20094 at smtcorms02.samuelmanutech.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 21 Nov 2005, Konne wrote:
> Hi Norbert,
>
> i use the programm NTRadTest... on Windows machine
> and start freeradius with "freeradius -X", for debug
>
I just did a google on NTRadTest, but found nothing. Where can I download
NTRadTest?
------------------------------
Message: 8
Date: Mon, 21 Nov 2005 18:23:14 +0100
From: Konne <bridge_stone at gmx.net>
Subject: Re: tool for testing machine authentication
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <43820282.8080104 at gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi,
sorry, it was my bug; it must be NTRADPING.
sorry
Robin Mordasiewicz wrote:
> On Mon, 21 Nov 2005, Konne wrote:
>
>> Hi Norbert,
>>
>> i use the programm NTRadTest... on Windows machine
>> and start freeradius with "freeradius -X", for debug
>>
> i just did a google on NTRadTest, but found nothing. Where can I download
> NTRadTest
------------------------------
Message: 9
Date: Mon, 21 Nov 2005 18:55:13 +0100
From: Romain GAILLEGUE <rgaillegue at wallix.com>
Subject: Cache with proxy
To: freeradius-users at lists.freeradius.org
Message-ID: <1132595713.20382.7.camel at winxp>
Content-Type: text/plain
Hi,
I have recently installed two freeradius servers, one in server mode with
MySQL authentication and another in proxy mode.
But sometimes the connection between the two servers is broken. I would
like to know if it's possible to have a cache on the proxy?
Thanks
Romain
------------------------------
Message: 10
Date: Mon, 21 Nov 2005 12:57:53 -0500 (EST)
From: Robin Mordasiewicz <rmordasiewicz at samuelmanutech.com>
Subject: RE: tool for testing machine authentication
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID:
<Pine.LNX.4.58.0511211256420.20094 at smtcorms02.samuelmanutech.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 21 Nov 2005, Cris Boisvert wrote:
> NTRADPING
>
> It's a Windows tool that does exactly what you're looking for.
>
OK, that seems to work.
I can authenticate using a local unix account.
Now I need to find documentation on how to connect my freeradius to AD.
------------------------------
End of Freeradius-Users Digest, Vol 7, Issue 79