Active Directory AUTHENTICATION with LDAP AUTHORIZATION

Alan Buxey alan.buxey at gmail.com
Wed Aug 16 20:23:32 CEST 2017


hi,


> THIS DEBUG IS THE ONE CORRESPONDING TO JUST ONE ATTEMPT OF AUTHENTICATION,

no, it's not. you have a machine auth there followed by a user auth -
ensure your client is configured to only do user authentication

> IT'S SO LONG...I APOLOGIZE FOR THIS

that's fine - this is fine - the debug may be long but a lot of it can
be scanned over quickly once you understand what is going on - visit
some sites about PEAP to see the flow - then look at the conversation
that is going on with FreeRADIUS...each packet request/reply being part
of the conversation....little hello, then EAP to construct secure tunnel
(then lots of those EAP-Message attributes appear), then the MSCHAPv2
inside the PEAP (a few more packets), then end of session, access accept etc.

>         User-Name = "host/host44.d-holomit.com"

machine auth attempt


> Wed Aug 16 12:32:25 2017 : Debug:   [ldap] performing search in
> OU=holomit,DC=d-holomit,DC=com, with filter (sAMAccountName=host/
> host44.d-holomit.com)
> Wed Aug 16 12:32:25 2017 : Debug:   [ldap] object not found
> Wed Aug 16 12:32:25 2017 : Debug: rlm_ldap::ldap_groupcmp: search failed
> Wed Aug 16 12:32:25 2017 : Debug:   [ldap] ldap_release_conn: Release Id: 0

machine not in AD (well, not in THAT location anyway ;-) )


> Sending Access-Reject of id 188 to 172.22.88.223 port 32769
>         EAP-Message = 0x04050004
>         Message-Authenticator = 0x00000000000000000000000000000000

end of that one.... now the user auth


>         User-Name = "tyard"

user auth


> Wed Aug 16 12:32:37 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
> group cn=wifi,ou=WI-FI,ou=in,ou=services,ou=holomit,dc=d-holomit,dc=com

this user was found - but why are you running ldap in the outer phase?
anyone can spoof the outer packet....you only trust the inner-tunnel for EAP...

...and onwards

> Wed Aug 16 12:32:37 2017 : Info: [eap] Continuing tunnel setup.
> Wed Aug 16 12:32:37 2017 : Info: ++[eap] = ok
> Wed Aug 16 12:32:37 2017 : Info: +} # group authorize = ok
> Wed Aug 16 12:32:37 2017 : Info: Found Auth-Type = EAP
> Wed Aug 16 12:32:37 2017 : Info: # Executing group from file
> /etc/freeradius/sites-enabled/default
> Wed Aug 16 12:32:37 2017 : Info: +group authenticate {
> Wed Aug 16 12:32:37 2017 : Info: [eap] Request found, released from the list
> Wed Aug 16 12:32:37 2017 : Info: [eap] EAP/peap
> Wed Aug 16 12:32:37 2017 : Info: [eap] processing type peap
> Wed Aug 16 12:32:37 2017 : Info: [peap] processing EAP-TLS

okay PEAP being started

some delays to responses....did you get a cert prompt? you really need
to configure your client with correct CA and RADIUS server cert..
there are plenty of 802.1X configuration tools

now the MSCHAPv2 in the inner-tunnel

> Wed Aug 16 12:32:43 2017 : Info: [eap] processing type mschapv2
> Wed Aug 16 12:32:43 2017 : Info: [mschapv2] # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> Wed Aug 16 12:32:43 2017 : Info: [mschapv2] +group MS-CHAP {
> Wed Aug 16 12:32:43 2017 : Info: [mschap] Creating challenge hash with
> username: tyard
> Wed Aug 16 12:32:43 2017 : Info: [mschap] Client is using MS-CHAPv2 for
> tyard, we need NT-Password
> Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> --username=%{mschap:User-Name:-None} -> --username=tyard
> Wed Aug 16 12:32:43 2017 : Info: [mschap] No NT-Domain was found in the
> User-Name.
> Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand: %{mschap:NT-Domain}
> ->
> Wed Aug 16 12:32:43 2017 : Info: [mschap]       ... expanding second
> conditional
> Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> --domain=%{%{mschap:NT-Domain}:-d-holomit} -> --domain=d-holomit
> Wed Aug 16 12:32:43 2017 : Info: [mschap] Creating challenge hash with
> username: tyard
> Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> --challenge=%{mschap:Challenge:-00} -> --challenge=c7e9749f9a9488cc
> Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=1d818e8388886074e15547872eddf3f58cd2da004dcc5817
> Wed Aug 16 12:32:43 2017 : Debug: Exec output: No trusted SAM account
> (0xc000018b)
> Wed Aug 16 12:32:43 2017 : Debug: Exec plaintext: No trusted SAM account
> (0xc000018b)
> Wed Aug 16 12:32:43 2017 : Info: [mschap] Exec: program returned: 1
> Wed Aug 16 12:32:43 2017 : Info: [mschap] External script failed.
> Wed Aug 16 12:32:43 2017 : Info: [mschap] FAILED: MS-CHAP2-Response is
> incorrect

..and from now on it's a fail/reject.  cause? the user with the domain
of "d-holomit" did not have a trusted account in this AD...is that
domain correct? i'd advise against using %{mschap:NT-Domain} - the
domain provided by the user in the MSCHAP - and just hardcode it in the
ntlm_auth


however, the easiest part here is to just use radtest directly against
the inner-tunnel on the server itself... in inner-tunnel, by default,
you have a listener directive localhost on port 18120 or such.  so all
you do is use that as your server target with radtest or such....meaning
your mschap request hits inner-tunnel directly (as if EAP had been set
up nicely by the client)..  and thus you can test your policies and
inner-tunnel very easily.  at that point, mschapv2 will be working and
you can look at ldap and what policies/unlang you need there. one bit
at a time

alan
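As an added example (not part of Alan's reply or of FreeRADIUS itself), a small Python triage script that walks a FreeRADIUS 2.x debug log and flags the three things the reply points at: a machine-auth attempt (a `host/` User-Name), LDAP being consulted in the outer `default` server before the PEAP tunnel is up, and the domain ntlm_auth was actually given when it came back with "No trusted SAM account". The sample lines are constructed from the debug quoted in this thread, abridged, with the timestamp/level prefixes dropped.

```python
import re

# Constructed sample modelled on the FreeRADIUS 2.x debug quoted in the thread (abridged, no timestamps).
SAMPLE_DEBUG = """\
User-Name = "host/host44.d-holomit.com"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
[ldap] performing search in OU=holomit,DC=d-holomit,DC=com, with filter (sAMAccountName=host/host44.d-holomit.com)
[ldap] object not found
Sending Access-Reject of id 188 to 172.22.88.223 port 32769
User-Name = "tyard"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
rlm_ldap::ldap_groupcmp: User found in group cn=wifi,ou=WI-FI,ou=in,ou=services,ou=holomit,dc=d-holomit,dc=com
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschap]       expand: --domain=%{%{mschap:NT-Domain}:-d-holomit} -> --domain=d-holomit
Exec output: No trusted SAM account (0xc000018b)
[mschap] FAILED: MS-CHAP2-Response is incorrect
"""

USER_RE = re.compile(r'User-Name = "([^"]*)"')
SITE_RE = re.compile(r"sites-enabled/([\w-]+)")
DOMAIN_RE = re.compile(r"-> --domain=(\S*)")

def triage(debug_text):
    """Return (finding, detail) tuples for the problems the reply points at."""
    findings = []
    site = None            # virtual server currently executing, if known
    ldap_flagged = False   # report outer-phase LDAP once per request
    for line in debug_text.splitlines():
        m = USER_RE.search(line)
        if m:                      # a new request starts with its User-Name
            site, ldap_flagged = None, False
            if m.group(1).startswith("host/"):
                findings.append(("machine-auth", m.group(1)))
        m = SITE_RE.search(line)
        if m:
            site = m.group(1)
        if ("[ldap]" in line or "rlm_ldap" in line) and site == "default" and not ldap_flagged:
            # LDAP consulted before the tunnel is up: the outer identity is unauthenticated
            findings.append(("ldap-in-outer", line.strip()))
            ldap_flagged = True
        m = DOMAIN_RE.search(line)
        if m:                      # domain actually handed to ntlm_auth
            findings.append(("ntlm-domain", m.group(1)))
        if "No trusted SAM account" in line:
            findings.append(("untrusted-domain", line.strip()))
    return findings

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_DEBUG):
        print(f"{finding:16} {detail}")
```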

