MSCHAP Authentication and LDAP Group Membership checking

tnt at kalik.net tnt at kalik.net
Fri Sep 5 13:45:52 CEST 2008


You can use mschap:User-Name in ldap configuration just like in
ntlm_auth. Replace Stripped-User-Name with that and both mschap (VPN)
and pap (admin login) requests should work.

Ivan Kalik
Kalik Informatika ISP


On 5/9/2008, "kesm0724" <kevin.smith at emp.shentel.com> wrote:

>
>Hello All,
>
>I am very, very new to Freeradius (as well as Radius) ;) - disclaimer.  We
>are trying to move away from using IAS to Freeradius.  We have approx 50
>switches/routers which I have not had a problem with getting to work with
>Freeradius including group checking using LDAP.
>
>The issue I have is getting our Cisco VPN Concentrator to authenticate users
>who are in a certain Active Directory group.  I have configured Samba to
>join our domain - all that is working without issue.  The problem apparently
>is when logging in via the Cisco VPN client:
>
>
>Here is my debug:
>
>ad_recv: Access-Request packet from host 10.2.1.6 port 1059, id=83,
>length=191
>        User-Name = "voila\\webtest"
>        NAS-Port = 1151
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Called-Station-Id = "123.201.6.78"
>        Calling-Station-Id = "123.201.6.76"
>        Tunnel-Client-Endpoint:0 = "123.201.6.76"
>        MS-CHAP-Challenge = 0x0ebafb8a5ab6b2be73f9a983a6a3f5d3
>        MS-CHAP2-Response =
>0x0000db98fa3162973c0f68121500631c0c8d00000000000000005808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
>        NAS-IP-Address = 10.2.1.6
>        NAS-Port-Type = Virtual
>+- entering group authorize
>++[preprocess] returns ok
>        expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
>rlm_detail:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
>        expand: %t -> Thu Sep  4 17:55:54 2008
>++[auth_log] returns ok
>++[chap] returns noop
>  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>++[mschap] returns ok
>    rlm_realm: No '@' in User-Name = "voila\webtest", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>    rlm_realm: No '"' in User-Name = "voila\webtest", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[ntdomain] returns noop
>++[unix] returns notfound
>rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=voila,dc=com -> dc=voila,dc=com
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>details
>        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
>(sAMAccountName=voila\5cwebtest)
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(sAMAccountName=voila\5cwebtest)
>rlm_ldap: object not found or got ambiguous search result
>rlm_ldap::ldap_groupcmp: search failed
>rlm_ldap: ldap_release_conn: Release Id: 0
>rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=voila,dc=com -> dc=voila,dc=com
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>details
>        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
>(sAMAccountName=voila\5cwebtest)
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(sAMAccountName=voila\5cwebtest)
>rlm_ldap: object not found or got ambiguous search result
>rlm_ldap::ldap_groupcmp: search failed
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[files] returns noop
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for voila\webtest
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>details
>        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
>(sAMAccountName=voila\5cwebtest)
>        expand: dc=voila,dc=com -> dc=voila,dc=com
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(sAMAccountName=voila\5cwebtest)
>rlm_ldap: object not found or got ambiguous search result
>rlm_ldap: search failed
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[ldap] returns notfound
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: WARNING! No "known good" password found for the user.
>Authentication may fail because of this.
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type mschap
>auth: type "MSCHAP"
>+- entering group MS-CHAP
>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for webtest with NT-Password
>        expand: --domain=%{mschap:NT-Domain} -> --domain=voila
>        expand: --username=%{mschap:User-Name} -> --username=webtest
> mschap2: 0e
>        expand: --challenge=%{mschap:Challenge:-00} ->
>--challenge=dcdc37024aecaec1
>        expand: --nt-response=%{mschap:NT-Response:-00} ->
>--nt-response=5808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
>Exec-Program output: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
>Exec-Program-Wait: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
>Exec-Program: returned: 0
>rlm_mschap: adding MS-CHAPv2 MPPE keys
>++[mschap] returns ok
>Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
>+- entering group post-auth
>++[exec] returns noop
>Sending Access-Accept of id 83 to 10.2.1.6 port 1059
>        MS-CHAP2-Success =
>0x00533d31364230314341364638323331333730333334393432393943303539423539334346434433314336
>        MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
>        MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
>        MS-MPPE-Encryption-Policy = 0x00000001
>        MS-MPPE-Encryption-Types = 0x00000006
>Finished request 2.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 2 ID 83 with timestamp +888
>Ready to process requests.
>
>It appears that MSCHAP is used to verify the password but LDAP is not
>properly checking the "VPN-Users" AD group. I believe it is not stripping
>the domain portion off correctly, as I see the domain name still present in
>(sAMAccountName=voila\5cwebtest)
>
>My users File entries:
>
>(The first entry I would like to be used by the concentrator to search the
>group and if the user is a member allow them access - of course
>authenticating the provided password)
>
>DEFAULT LDAP-Group == "vpn-users"
>        Fall-Through = Yes
>
>This entry is for our network switches/routers - this appears to be working
>without any issue.
>
>DEFAULT LDAP-Group == "Radius-Admin"
>        Service-Type = Login-User,
>        cisco-avpair = "shell:priv-lvl=15",
>        Fall-Through = Yes
>
>If I login from my network devices it performs the ldap searches without
>issue and authenticates/authorizes the user - You can see this below:
>
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
>rlm_ldap::ldap_groupcmp: User found in group vpn-users
>rlm_ldap: ldap_release_conn: Release Id: 0
>    users: Matched entry DEFAULT at line 178
>rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=voila,dc=com -> dc=voila,dc=com
>        expand:
>(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))
>->
>(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
>rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
>rlm_ldap: ldap_release_conn: Release Id: 0
>    users: Matched entry DEFAULT at line 181
>++[files] returns ok
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for zkms
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>details
>        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
>(sAMAccountName=zkms)
>        expand: dc=voila,dc=com -> dc=voila,dc=com
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in dc=voila,dc=com, with filter
>(sAMAccountName=zkms)
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP.  Are you sure that the
>user is configured correctly?
>rlm_ldap: user zkms authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[ldap] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: WARNING! No "known good" password found for the user.
>Authentication may fail because of this.
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type LDAP
>auth: type "LDAP"
>+- entering group LDAP
>rlm_ldap: - authenticate
>rlm_ldap: login attempt by "zkms" with password "Omitted"
>rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
>rlm_ldap: (re)connect to control.voila.com:389, authentication 1
>rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to
>control.voila.com:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: user zkms authenticated succesfully
>
>
>Thanks in advance for any pointers.....
>
>
>
>Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
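To show why the `(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})` filter fails for the VPN request and why the suggested `%{mschap:User-Name}` expansion fixes it, here is an added Python model (example code, not FreeRADIUS's own) of the two xlats and of rlm_ldap's filter-value escaping, run on the User-Name from the debug above. Only the backslash split and the `\5c` escaping visible in the debug are modelled; the real modules do more.

```python
from typing import Optional, Tuple

# Constructed sample, shaped like the debug output above: the VPN
# concentrator sends the NT-style name DOMAIN\user, the switches send a bare name.
VPN_USER_NAME = "voila\\webtest"   # the literal string voila\webtest
SWITCH_USER_NAME = "zkms"


def ldap_escape(value: str) -> str:
    """RFC 4515-style escaping of a value placed inside an LDAP filter.
    Special characters become \\xx hex, so a backslash becomes \\5c; this is
    what turns voila\\webtest into voila\\5cwebtest in the debug above."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def mschap_split(user_name: str) -> Tuple[str, str]:
    """Model of %{mschap:NT-Domain} and %{mschap:User-Name}:
    DOMAIN\\user -> (DOMAIN, user); a name without a backslash is returned
    unchanged with an empty domain, which is why the same filter also works
    for the PAP admin logins."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return "", user_name


def old_filter(user_name: str, stripped: Optional[str] = None) -> str:
    """filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    Stripped-User-Name is only set when a realm module strips something;
    no realm matched in the debug, so the fallback User-Name is used as-is."""
    return "(sAMAccountName=%s)" % ldap_escape(stripped or user_name)


def new_filter(user_name: str) -> str:
    """filter = "(sAMAccountName=%{mschap:User-Name})"  (the suggested change)"""
    _domain, user = mschap_split(user_name)
    return "(sAMAccountName=%s)" % ldap_escape(user)


if __name__ == "__main__":
    for name in (VPN_USER_NAME, SWITCH_USER_NAME):
        print("User-Name %-15r old: %-34s new: %s"
              % (name, old_filter(name), new_filter(name)))
```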
>
More information about the Freeradius-Users mailing list