Authenticate users via AD and checking group membership:SOLVED
Godfrey Peart
grpeart at googlemail.com
Sun Jan 18 23:21:28 CET 2009
I would like to say thanks to the forum; my problem was solved.
For information, this is what I had to configure to get it all working.
My only bit of concern was a warning message:
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
but I'll check that out later.
Make sure everything else is working fine via your AD + ntlm_auth.
I added additional items to the ldap attributes file /etc/raddb/ldap.attrmap.
ldap.attrmap file amendments:
#added Tunnel attributes 17-01-09
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
replyItem Tunnel-Type radiusTunnelType
#I added the Ldap-Group attribute to the top of my users file /etc/raddb/users
#I have two groups configured on my test AD, and will search both
DEFAULT Ldap-Group == "dmwc-m"
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = videoNet,
	Tunnel-Type = VLAN

DEFAULT Ldap-Group == "dmwc-s"
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = staff,
	Tunnel-Type = VLAN
## I have Cisco kit so use the name of the VLAN, not its VLAN number ##
## My amendments to /etc/raddb/modules/ldap
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "10.10.6.131"
#identity = "cn=admin,o=My Org,c=UA"
identity = "cn=Administrator,cn=users,dc=MYDOMAIN,dc=co,dc=uk"
password = yourADpassword
basedn = "cn=users,dc=MYDOMAIN,dc=co,dc=uk"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
# Group membership checking. Disabled by default.
groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
## My groupmembership differs from the example due to the way AD names its objects ##
groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
## My groupmembership_attribute differs from the example due to the way AD names its objects ##
## If you see my ldapsearch from the earlier post you'll know why ##
# groupmembership_attribute = radiusGroupName
groupmembership_attribute = memberOf
#ldap_debug = 0x0028
#I wanted to see more detail from the ldap function so enabled debug##
ldap_debug = 0xFFFF
}
I changed nothing else in this file, since I'm testing, so not using LDAPS.
## The only change in /etc/raddb/sites-enabled/default was to uncomment the ldap section
## I left the authenticate section well alone; it stopped EAP when I started the LDAP bit of it
authorize {
	chap
	mschap
	eap {
		ok = return
	}
	# I have users in a SQL database, don't want AD messing it up#
	sql
	if (ok) {
		update control {
			MS-CHAP-Use-NTLM-Auth := No
		}
	}
	# I uncommented the ldap section##
	ldap
	files
	expiration
	logintime
	pap
}
## The only change in /etc/raddb/sites-enabled/inner-tunnel was to uncomment the ldap section
authorize {
	chap
	mschap
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	sql
	if (ok) {
		update control {
			MS-CHAP-Use-NTLM-Auth := No
		}
	}
	# I uncommented the ldap section##
	ldap
	# Read the 'users' file
	files
	expiration
	logintime
	pap
}
This is edited output from the radius debug:
[ldap] performing user authorization for radman02
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
(&(sAMAccountName=radman02))
[ldap] expand: cn=users,dc=crosstalk,dc=co,dc=uk ->
cn=users,dc=crosstalk,dc=co,dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with
filter (&(sAMAccountName=radman02))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user radman02 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk
[files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(cn=dmwc-m)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
CN=radman02,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (objectclass=*)
rlm_ldap: performing search in CN=DMWC-S,CN=Users,DC=crosstalk,DC=co,DC=uk,
with filter (cn=dmwc-m)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::groupcmp: Group dmwc-m not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: cn=users,dc=crosstalk,dc=co,dc=uk -> cn=users,dc=crosstalk,dc=co,dc=uk
[files] expand: (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=crosstalk,dc=co,dc=uk, with filter (&(cn=dmwc-s)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
CN=radman02,CN=Users,DC=crosstalk,DC=co,DC=uk, with filter (objectclass=*)
rlm_ldap: performing search in CN=DMWC-S,CN=Users,DC=crosstalk,DC=co,DC=uk,
with filter (cn=dmwc-s)
rlm_ldap::ldap_groupcmp: User found in group dmwc-s
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 7
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "staff"
Tunnel-Type:0 = VLAN
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "radman02"
[peap] Got tunneled reply RADIUS code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "staff"
Tunnel-Type:0 = VLAN
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "radman02"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 149 to 10.10.3.29 port 1645
EAP-Message = 0x010c002b19001703010020728cf1296a7fbd29a4fbdd91f4eb91f41556edff389bd508e76784386de2a70a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1092235a199e3a66f6b5d4d498ec03a0
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.10.3.29 port 1645, id=150,
length=222
User-Name = "radman02"
Framed-MTU = 1400
Called-Station-Id = "0021.55ac.f2d2"
Calling-Station-Id = "0013.498d.a61f"
Service-Type = Login-User
Message-Authenticator = 0xad3bca4d90af3e257cb1d6e093ce61b4
EAP-Message = 0x020c005019001703010020ed5d9b0cbdb88826957605ccde2fc1e9c6665da024547d82af4f555fafffad1c1703010020efd0be4bf53aa8c267d8f19e58f80f8bd907076fc9e236e910f4aff6b34f3027
NAS-Port-Type = Wireless-802.11
NAS-Port = 4380
NAS-Port-Id = "4380"
State = 0x1092235a199e3a66f6b5d4d498ec03a0
NAS-IP-Address = 10.10.3.29
NAS-Identifier = "THEO"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "radman02", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> radman02
[sql] sql_set_user escaped user --> 'radman02'
[sql] expand: %{User-Password} ->
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radman02', '', 'Access-Accept', '2009-01-18 22:01:43')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radman02', '', 'Access-Accept', '2009-01-18 22:01:43')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 150 to 10.10.3.29 port 1645
MS-MPPE-Recv-Key = 0x5624be3ba66dd23cd25917c57661775be5c44b565056f613bed23f4c00734d99
MS-MPPE-Send-Key = 0x6aed0e4c2a8dceafd68d6647931ec43eaa0b5ba7b9048c50b70702b86f9e6e59
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "radman02"
Finished request 11.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Accounting-Request packet from host 10.10.3.29 port 1646, id=31,
length=223
Acct-Session-Id = "000010F0"
Called-Station-Id = "0021.55ac.f2d2"
Calling-Station-Id = "0013.498d.a61f"
Cisco-AVPair = "ssid=metnet01"
Cisco-AVPair = "vlan-id=40"
Cisco-AVPair = "nas-location=unspecified"
User-Name = "radman02"
Cisco-AVPair = "connect-progress=Call Up"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
NAS-Port = 4380
NAS-Port-Id = "4380"
Service-Type = Framed-User
NAS-IP-Address = 10.10.3.29
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 4380,Client-IP-Address =
10.10.3.29,NAS-IP-Address = 10.10.3.29,Acct-Session-Id =
"000010F0",User-Name = "radman02"'
[acct_unique] Acct-Unique-Session-ID = "bca4df300dada0d6".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "radman02", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.10.3.29/detail-20090118
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/10.10.3.29/detail-20090118
[detail] expand: %t -> Sun Jan 18 22:01:43 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> radman02
++[radutmp] returns ok
[sql] expand: %{User-Name} -> radman02
[sql] sql_set_user escaped user --> 'radman02'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> radman02
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 31 to 10.10.3.29 port 1646
Finished request 12.
Cleaning up request 12 ID 31 with timestamp +12
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 1 ID 140 with timestamp +12
Cleaning up request 2 ID 141 with timestamp +12
Cleaning up request 3 ID 142 with timestamp +12
Cleaning up request 4 ID 143 with timestamp +12
Cleaning up request 5 ID 144 with timestamp +12
Waking up in 0.1 seconds.
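As an added example (not from the post or from FreeRADIUS itself), a small Python model of the group check the debug output shows: the search built from member=%{Ldap-UserDn} expands to an empty DN and finds nothing, and the match comes from the memberOf fallback, where each group DN in the user's memberOf is tested with (cn=<group>). The users file text, the DNs and all function names here are constructed for the example.

```python
import re

# Constructed sample: the two DEFAULT entries from the users file above
# (reply items must be indented under their DEFAULT line in a real file).
USERS_FILE = '''\
DEFAULT Ldap-Group == "dmwc-m"
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = videoNet,
\tTunnel-Type = VLAN
DEFAULT Ldap-Group == "dmwc-s"
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = staff,
\tTunnel-Type = VLAN
'''

ENTRY_RE = re.compile(r'^DEFAULT\s+Ldap-Group\s*==\s*"([^"]+)"\s*$')

def parse_users_file(text):
    """Return [(group, {reply attribute: value}), ...] in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), {}))
        elif line[:1] in ('\t', ' ') and entries:
            attr, _, val = line.strip().rstrip(',').partition('=')
            entries[-1][1][attr.strip()] = val.strip().strip('"')
    return entries

def first_rdn(dn):
    """('cn', 'DMWC-S') for 'CN=DMWC-S,CN=Users,...'; a backslash-escaped comma stays in the value."""
    rdn = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    attr, _, val = rdn.partition('=')
    return attr.strip().lower(), val.strip()

def ldap_groupcmp(group, member_of):
    """memberOf fallback from the debug: each DN in memberOf is tested with
    (cn=<group>). cn is case-insensitive, so CN=DMWC-S satisfies (cn=dmwc-s).
    Only the cn is compared, not where in the directory the group lives."""
    for dn in member_of:
        attr, val = first_rdn(dn)
        if attr == 'cn' and val.lower() == group.lower():
            return True
    return False

def reply_items(member_of, entries):
    """First matching DEFAULT entry wins; no entry sets Fall-Through."""
    for group, reply in entries:
        if ldap_groupcmp(group, member_of):
            return dict(reply)
    return None
```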