Freeradius 3.x with LDAP authentication
Adam Cage
adamcage27 at gmail.com
Wed Aug 16 16:05:18 CEST 2017
Dear Alan and people, I'm near the solution of my problem but I'm still
having a problem.
Following the Alan Dekok tutorial about Authentication with Active
Directory with ntlm_auth and mschap, everything work OK. In this case, I
have no LDAP support at all, no authorization, just authentication. At this
point I success because I obtain an ACCEP-ACCEPT response packet, let's see:
$ radtest -t mschap adam 1234abcd localhost 0 testing123
Sending Access-Request of id 233 to 127.0.0.1 port 1812
User-Name = "adam"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x9c705e7afe5513e7
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000008319855335ab46ea32fd6382fb68640c6c27a0e929182371
rad_recv: *Access-Accept* packet from host 127.0.0.1 port 1812, id=233,
length=84
MS-CHAP-MPPE-Keys =
0x0000000000000000997c9fae0cc86f9d48d2cbb81915e1630000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
But the problem comes when I setup the LDAP support to Authorization when
checking if user is or not in a given group with the Ldap-Group attribute.
As I said previously, after configured ldap module and
/etc/sites-available/default and inner-tunnel with LDAP for authorization,
I execute the same radtest command "radtest -t mschap adam 1234abcd
localhost 0 testing123" and this is the freeradius debug output when it
fail:
rad_recv: Access-Request packet from host 127.0.0.1 port 35229, id=117,
length=135
User-Name = "adam"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x38de9478053289444c4ad85736b70bfd
MS-CHAP-Challenge = 0xb4d7849d65d481d0
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000000fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
Wed Aug 16 10:51:56 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group authorize {
Wed Aug 16 10:51:56 2017 : Info: ++[preprocess] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[chap] = noop
Wed Aug 16 10:51:56 2017 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type = mschap'
Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[digest] = noop
Wed Aug 16 10:51:56 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Wed Aug 16 10:51:56 2017 : Info: [suffix] No such realm "NULL"
Wed Aug 16 10:51:56 2017 : Info: ++[suffix] = noop
Wed Aug 16 10:51:56 2017 : Info: [eap] No EAP-Message, not doing EAP
Wed Aug 16 10:51:56 2017 : Info: ++[eap] = noop
Wed Aug 16 10:51:56 2017 : Debug: [ldap] Entering ldap_groupcmp()
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
%{Stripped-User-Name} ->
Wed Aug 16 10:51:56 2017 : Info: [files] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [files] expand: %{User-Name} -> adam
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] attempting LDAP reconnection
Wed Aug 16 10:51:56 2017 : Debug: [ldap] (re)connect to
mitwpdcs01.company.com:389, authentication 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] bind as cn=wspsf,ou=Proxy para
Apps,ou=Internos,ou=Servicios,ou=users,dc=company,dc=com/wP67yh345 to
mitwpdcs01.company.com:389
Wed Aug 16 10:51:56 2017 : Debug: [ldap] waiting for bind result ...
Wed Aug 16 10:51:56 2017 : Debug: [ldap] Bind was successful
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dusers\2cOU\2cDC\3dcompany\2cDC\3dcom)))
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
cn=group1,ou=wifi,dc=company,dc=com, with filter
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cOU\3dcompany\2cDC\3dcom)))
Wed Aug 16 10:51:56 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group cn=group1,ou=wifi,dc=company,dc=com
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: [files] users: Matched entry DEFAULT at
line 207
Wed Aug 16 10:51:56 2017 : Info: ++[files] = ok
Wed Aug 16 10:51:56 2017 : Info: [ldap] performing user authorization for
adam
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Wed Aug 16 10:51:56 2017 : Info: [ldap] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: %{User-Name} -> adam
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Info: [ldap] No default NMAS login sequence
Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for check items in
directory...
Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for reply items in
directory...
Wed Aug 16 10:51:56 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: ++[ldap] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[expiration] = noop
Wed Aug 16 10:51:56 2017 : Info: ++[logintime] = noop
Wed Aug 16 10:51:56 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Wed Aug 16 10:51:56 2017 : Info: ++[pap] = noop
Wed Aug 16 10:51:56 2017 : Info: +} # group authorize = ok
Wed Aug 16 10:51:56 2017 : Info: Found Auth-Type = MSCHAP
Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group MS-CHAP {
Wed Aug 16 10:51:56 2017 : Info: [mschap] Client is using MS-CHAPv1 with
NT-Password
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 10:51:56 2017 : Info: [mschap] No NT-Domain was found in the
User-Name.
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
->
Wed Aug 16 10:51:56 2017 : Info: [mschap] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-company} -> --domain=company
Wed Aug 16 10:51:56 2017 : Info: [mschap] mschap1: b4
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=b4d7849d65d481d0
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account *
(0xc000018b)
Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account*
(0xc000018b)
Wed Aug 16 10:51:56 2017 : Info: [mschap] Exec: program returned: 1
Wed Aug 16 10:51:56 2017 : Info: [mschap] External script failed.
Wed Aug 16 10:51:56 2017 : Info: [mschap] MS-CHAP-Response is incorrect.
Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = reject
Wed Aug 16 10:51:56 2017 : Info: +} # group MS-CHAP = reject
Wed Aug 16 10:51:56 2017 : Info: Failed to authenticate the user.
Wed Aug 16 10:51:56 2017 : Info: Using Post-Auth-Type REJECT
Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group REJECT {
Wed Aug 16 10:51:56 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> adam
Wed Aug 16 10:51:56 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Wed Aug 16 10:51:56 2017 : Info: ++[attr_filter.access_reject] = updated
Wed Aug 16 10:51:56 2017 : Info: +} # group REJECT = updated
Wed Aug 16 10:51:56 2017 : Info: Delaying reject of request 3 for 1 seconds
Wed Aug 16 10:51:56 2017 : Debug: Going to the next request
Wed Aug 16 10:51:56 2017 : Debug: Waking up in 0.8 seconds.
Wed Aug 16 10:51:57 2017 : Info: Sending delayed reject for request 3
Sending Access-Reject of id 117 to 127.0.0.1 port 35229
MS-CHAP-Error = "\000E=691 R=1"
Can you tell me why mschap auth is ok without LDAP support and it's wrong
with LDAP support???
Thanks a lot again.
ADAM
2017-08-15 13:41 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
> On Aug 15, 2017, at 5:58 PM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > Dear all, finally I have followed as you said: Authentication with samba,
> > winbind, ntlm_auth and Authorization with LDAP, but I fails. I post my
> main
> > config LDAP files and the debug output in order to get your help please:
>
> Please don't post configuration files. We ask for the debug output for
> a reason: it's all we need.
>
> > */etc/freeradius/users:*
> >
> > DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
> > Service-Type = Login-User
> >
> > DEFAULT Auth-Type := Reject
>
> You're not telling the server how to authenticate the user.
>
> > $ radtest adam 1234abcd 127.0.0.1 0 testing123
>
> Which is just a PAP request...
>
> > And I fail, this is the debug output:
> ...
> > Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was
> > found in LDAP. Are you sure that the user is configured correctly?
>
> That's just Active Directory not supplying the password...
>
> > Tue Aug 15 12:38:27 2017 : Info: *ERROR: No authenticate method
> (Auth-Type)
> > found for the request: Rejecting the user*
> > Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
>
> And you haven't told the server how to authenticate the user.
>
> Follow the guide on deployingradius.com. It *will* work.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
More information about the Freeradius-Users
mailing list