Hi, I want to configure my freeradius to authorize my users
with an SQL database or, if the user isn't present there, check in AD. Here is my conf for now.

authorize {
    preprocess
    sql
    if (notfound) {
        ntlm_auth
    }
    eap
    expiration
    logintime
}

authenticate {
    ntlm_auth
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}

And here is my radiusd.conf:

modules {
    exec ntlm_auth {
        wait = no
        program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
    $INCLUDE eap.conf
    mschap {
        with_ntdomain_hack = yes
    }
}

And here is the log from radiusd -X if I try a user who is in AD:

rlm_sql (sql): sql_set_user escaped user --> 'gchartra'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): User gchartra not found
++[sql] returns notfound
++? if (notfound)
? Evaluating "notfound" -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound)
expand: --username=%{mschap:User-Name:-None} -> --username=gchartra
rlm_mschap: No NT-Domain was found in the User-Name.
expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
rlm_mschap: No MS-CHAP-Challenge in the request.
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=00
rlm_mschap: No MS-CHAP-Response or MS-CHAP2-Response was found in the request.
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=00
+++[ntlm_auth] returns ok
++- if (notfound) returns ok
rlm_eap: EAP packet type response id 7 length 90
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Setting User-Name to gchartra
+- entering group authorize
++[preprocess] returns ok
expand: %{User-Name} -> gchartra
rlm_sql (sql): sql_set_user escaped user --> 'gchartra'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User gchartra not found
++[sql] returns notfound
++? if (notfound)
? Evaluating "notfound" -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound)
expand: --username=%{mschap:User-Name:-None} -> --username=gchartra
rlm_mschap: No NT-Domain was found in the User-Name.
expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
rlm_mschap: No MS-CHAP-Challenge in the request.
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=00
rlm_mschap: No MS-CHAP-Response or MS-CHAP2-Response was found in the request.
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=00
+++[ntlm_auth] returns ok
++- if (notfound) returns ok
rlm_eap: EAP packet type response id 7 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for gchartra with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

So the last part, if I understand it, is that when the authentication section is called, it tries to authenticate with my module ntlm_auth, but it fails and I don't know why. If I insert the same ntlm_auth line from the exec into the mschap module section of radiusd.conf, SQL doesn't work but AD works. If I put nothing in the mschap section, SQL works but not AD. So what did I do wrong?

Thanks

----------------------------
Guillaume Chartrand
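As an added example, not part of the original post: a FreeRADIUS 2.x-style configuration in which the mschap module itself calls ntlm_auth, so the real MS-CHAP-Challenge and MS-CHAP2-Response from the inner PEAP request reach AD (the log above shows the exec module being run with placeholder values of 00 and, because of wait = no, returning ok without waiting for any result), while users that sql does find are authenticated against the password stored in radcheck instead. It assumes the ntlm_auth path and the "intranet" domain from the post, and that the control attribute MS-CHAP-Use-NTLM-Auth exists in the running server's internal dictionary.

```unlang
# Added example (not the poster's configuration). Assumes FreeRADIUS 2.x unlang,
# the ntlm_auth path and "intranet" domain from the post, and that the control
# attribute MS-CHAP-Use-NTLM-Auth is present in the server's internal dictionary.

# radiusd.conf, modules section: rlm_mschap drives ntlm_auth itself, so the
# request's actual challenge and response are passed to AD (no "00" placeholders).
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# Put this authorize section in the virtual server that processes the inner
# PEAP request (the "inner-tunnel" server when eap.conf uses virtual_server).
authorize {
    preprocess
    sql
    if (ok) {
        # sql found the user: check the MS-CHAPv2 response against the
        # Cleartext-Password / NT-Password from radcheck, not against AD.
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
    # Users absent from sql fall through with ntlm_auth still enabled,
    # so mschap asks AD for them. No exec module is needed in authorize.
    mschap
    eap
    expiration
    logintime
}

authenticate {
    # rlm_eap_mschapv2 hands the tunneled MS-CHAPv2 exchange to this group.
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

With radiusd -X, a correctly wired request shows the mschap module logging its own ntlm_auth call with a non-zero challenge and response, rather than the "No MS-CHAP-Challenge in the request" lines seen above.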