I have a problem with the authorization by LDAP and Authentication with AD

I Aaaaaahhhhhh iaaaaaahhhhhh at gmail.com
Mon Jul 31 15:45:55 CEST 2017


Hello Matthew,

Thanks for your tip.
This was the solution.

2017-07-31 13:36 GMT+02:00 Matthew Newton <mcn at freeradius.org>:
> On Mon, 2017-07-31 at 12:21 +0200, I Aaaaaahhhhhh wrote:
>> The Radius server is integrated into the Active Directory domain.
>> I would like that only certain users connect to the AD domain.
>> When I connect to the radius server via eapol_test, the authorization
>> by LDAP as well as the authentication by AD work perfectly.
>> If I want to log on to the AD domain from a Windows 10 client with the
>> same user account, this does not work.
>> C5c5 is prepended to the username.
>
> 5c5c actually. Which is ASCII for "\\".
>
>> A realm with the domain name and the content skip was created in the
>> proxy.conf, as well as the ntdomain entry in the
>> sites-enabled/default, but the user name still contains C5C5.
>> Here I add the debug content.
>
> Packet 20.
>
> Replace "suffix" in your inner-tunnel with "ntdomain".
>
> Matthew
>
>
>> (20) Received Access-Request Id 93 from 192.168.99.2:56766 to
>> 192.168.99.13:1812 length 282
>> (20)   User-Name = "SEDLMEIER\\iah"
>> (20)   Service-Type = Framed-User
>> (20)   Called-Station-Id = "D8-84-66-1C-A0-C2"
>> (20)   Calling-Station-Id = "74-2B-62-85-F5-5D"
>> (20)   NAS-Identifier = "sed-nw-sw-01.sedlmeier.local"
>> (20)   NAS-Port = 5
>> (20)   NAS-Port-Id = "fe.1.5"
>> (20)   Framed-MTU = 1500
>> (20)   NAS-Port-Type = Ethernet
>> (20)   State = 0xd24e2fefd441361eca7551413078c7bf
>> (20)   EAP-Message =
>> 0x020f00671900170303005c000000000000000243241aa425d6f7c8d71509c3b60a4
>> c6b8db4cad3d64eef888d40802d40c2c86b4500c9bb1901556e079452b3643718c88c
>> db7fe0a50aa320e9d9c7f849290f380b06d9730e79d4e4c2be3e04b14c604a00ccbdd
>> 2
>> (20)   NAS-IP-Address = 0.0.0.0
>> (20)   Message-Authenticator = 0xa846eca9d309e94652e1c58fbaa05dce
>> (20) session-state: No cached attributes
>> (20) # Executing section authorize from file /etc/raddb/sites-
>> enabled/default
>> (20)   authorize {
>> (20)     policy filter_username {
>> (20)       if (&User-Name) {
>> (20)       if (&User-Name)  -> TRUE
>> (20)       if (&User-Name)  {
>> (20)         if (&User-Name =~ / /) {
>> (20)         if (&User-Name =~ / /)  -> FALSE
>> (20)         if (&User-Name =~ /@[^@]*@/ ) {
>> (20)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> (20)         if (&User-Name =~ /\.\./ ) {
>> (20)         if (&User-Name =~ /\.\./ )  -> FALSE
>> (20)         if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))  {
>> (20)         if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))   -> FALSE
>> (20)         if (&User-Name =~ /\.$/)  {
>> (20)         if (&User-Name =~ /\.$/)   -> FALSE
>> (20)         if (&User-Name =~ /@\./)  {
>> (20)         if (&User-Name =~ /@\./)   -> FALSE
>> (20)       } # if (&User-Name)  = notfound
>> (20)     } # policy filter_username = notfound
>> (20)     [preprocess] = ok
>> (20)     [chap] = noop
>> (20)     [mschap] = noop
>> (20)     [digest] = noop
>> (20) suffix: Checking for suffix after "@"
>> (20) suffix: No '@' in User-Name = "SEDLMEIER\iah", looking up realm
>> NULL
>> (20) suffix: No such realm "NULL"
>> (20)     [suffix] = noop
>> (20) ntdomain: Checking for prefix before "\"
>> (20) ntdomain: Looking up realm "SEDLMEIER" for User-Name =
>> "SEDLMEIER\iah"
>> (20) ntdomain: Found realm "SEDLMEIER"
>> (20) ntdomain: Adding Stripped-User-Name = "iah"
>> (20) ntdomain: Adding Realm = "SEDLMEIER"
>> (20) ntdomain: Authentication realm is LOCAL
>> (20)     [ntdomain] = ok
>> (20) eap: Peer sent EAP Response (code 2) ID 15 length 103
>> (20) eap: Continuing tunnel setup
>> (20)     [eap] = ok
>> (20)   } # authorize = ok
>> (20) Found Auth-Type = eap
>> (20) # Executing group from file /etc/raddb/sites-enabled/default
>> (20)   authenticate {
>> (20) eap: Expiring EAP session with state 0xd63550fbd63a4a59
>> (20) eap: Finished EAP session with state 0xd24e2fefd441361e
>> (20) eap: Previous EAP request found for state 0xd24e2fefd441361e,
>> released from the list
>> (20) eap: Peer sent packet with method EAP PEAP (25)
>> (20) eap: Calling submodule eap_peap to process data
>> (20) eap_peap: Continuing EAP-TLS
>> (20) eap_peap: [eaptls verify] = ok
>> (20) eap_peap: Done initial handshake
>> (20) eap_peap: [eaptls process] = ok
>> (20) eap_peap: Session established.  Decoding tunneled attributes
>> (20) eap_peap: PEAP state phase2
>> (20) eap_peap: EAP method MSCHAPv2 (26)
>> (20) eap_peap: Got tunneled request
>> (20) eap_peap:   EAP-Message =
>> 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000
>> 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552
>> 5c696168
>> (20) eap_peap: Setting User-Name to SEDLMEIER\iah
>> (20) eap_peap: Sending tunneled request to inner-tunnel
>> (20) eap_peap:   EAP-Message =
>> 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000
>> 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552
>> 5c696168
>> (20) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
>> (20) eap_peap:   User-Name = "SEDLMEIER\\iah"
>> (20) eap_peap:   State = 0xd63550fbd63a4a59a7b76b3185c969aa
>> (20) Virtual server inner-tunnel received request
>> (20)   EAP-Message =
>> 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000
>> 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552
>> 5c696168
>> (20)   FreeRADIUS-Proxied-To = 127.0.0.1
>> (20)   User-Name = "SEDLMEIER\\iah"
>> (20)   State = 0xd63550fbd63a4a59a7b76b3185c969aa
>> (20) WARNING: Outer and inner identities are the same.  User privacy
>> is compromised.
>> (20) server inner-tunnel {
>> (20)   session-state: No cached attributes
>> (20)   # Executing section authorize from file
>> /etc/raddb/sites-enabled/inner-tunnel
>> (20)     authorize {
>> (20)       policy filter_username {
>> (20)         if (&User-Name) {
>> (20)         if (&User-Name)  -> TRUE
>> (20)         if (&User-Name)  {
>> (20)           if (&User-Name =~ / /) {
>> (20)           if (&User-Name =~ / /)  -> FALSE
>> (20)           if (&User-Name =~ /@[^@]*@/ ) {
>> (20)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> (20)           if (&User-Name =~ /\.\./ ) {
>> (20)           if (&User-Name =~ /\.\./ )  -> FALSE
>> (20)           if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))  {
>> (20)           if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))   -> FALSE
>> (20)           if (&User-Name =~ /\.$/)  {
>> (20)           if (&User-Name =~ /\.$/)   -> FALSE
>> (20)           if (&User-Name =~ /@\./)  {
>> (20)           if (&User-Name =~ /@\./)   -> FALSE
>> (20)         } # if (&User-Name)  = notfound
>> (20)       } # policy filter_username = notfound
>> (20)       [chap] = noop
>> (20)       [mschap] = noop
>> (20) suffix: Checking for suffix after "@"
>> (20) suffix: No '@' in User-Name = "SEDLMEIER\iah", looking up realm
>> NULL
>> (20) suffix: No such realm "NULL"
>> (20)       [suffix] = noop
>> (20)       update control {
>> (20)         &Proxy-To-Realm := LOCAL
>> (20)       } # update control = noop
>> (20) eap: Peer sent EAP Response (code 2) ID 15 length 72
>> (20) eap: No EAP Start, assuming it's an on-going EAP conversation
>> (20)       [eap] = updated
>> (20) files: Searching for user in group "CN=Radius
>> lokal,OU=lokale,OU=Gruppen,OU=spezielle
>> Konten,OU=Mitarbeiter,DC=sedlmeier,DC=local"
>> rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle
>> for 61 seconds
>> rlm_ldap (ldap): Reserved connection (0)
>> (20) files: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-
>> Name}})
>> (20) files:    --> (samaccountname=SEDLMEIER\5c5ciah)
>> (20) files: Performing search in
>> "OU=Mitarbeiter,DC=sedlmeier,DC=local" with filter
>> "(samaccountname=SEDLMEIER\5c5ciah)", scope "sub"
>> (20) files: Waiting for search result...
>> (20) files: Search returned no results
>> rlm_ldap (ldap): Released connection (0)
>> Need 7 more connections to reach 10 spares
>> rlm_ldap (ldap): Opening additional connection (8), 1 of 29 pending
>> slots used
>> rlm_ldap (ldap): Connecting to ldap://sed-vm-dc-
>> 01.sedlmeier.local:389
>> rlm_ldap (ldap): Waiting for bind result...
>> rlm_ldap (ldap): Bind successful
>> (20) files: users: Matched entry DEFAULT at line 48
>> (20)       [files] = ok
>> rlm_ldap (ldap): Reserved connection (7)
>> (20) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-
>> Name}})
>> (20) ldap:    --> (samaccountname=SEDLMEIER\5c5ciah)
>> (20) ldap: Performing search in
>> "OU=Mitarbeiter,DC=sedlmeier,DC=local"
>> with filter "(samaccountname=SEDLMEIER\5c5ciah)", scope "sub"
>> (20) ldap: Waiting for search result...
>> (20) ldap: Search returned no results
>> rlm_ldap (ldap): Released connection (7)
>> (20)       [ldap] = notfound
>> (20)       [expiration] = noop
>> (20)       [logintime] = noop
>> (20) pap: WARNING: Auth-Type already set.  Not setting to PAP
>> (20)       [pap] = noop
>> (20)     } # authorize = updated
>> (20)   Found Auth-Type = Reject
>> (20)   Auth-Type = Reject, rejecting user
>> (20)   Failed to authenticate the user
>> (20)   Using Post-Auth-Type Reject
>> (20)   # Executing group from file /etc/raddb/sites-enabled/inner-
>> tunnel
>> (20)     Post-Auth-Type REJECT {
>> (20) attr_filter.access_reject: EXPAND %{User-Name}
>> (20) attr_filter.access_reject:    --> SEDLMEIER\\iah
>> (20) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> (20)       [attr_filter.access_reject] = updated
>> (20)       update outer.session-state {
>> (20)         No attributes updated
>> (20)       } # update outer.session-state = noop
>> (20)     } # Post-Auth-Type REJECT = updated
>> (20) } # server inner-tunnel
>> (20) Virtual server sending reply
>> (20) eap_peap: Got tunneled reply code 3
>> (20) eap_peap: Got tunneled reply RADIUS code 3
>> (20) eap_peap: Tunneled authentication was rejected
>> (20) eap_peap: FAILURE
>> (20) eap: Sending EAP Request (code 1) ID 16 length 46
>> (20) eap: EAP session adding &reply:State = 0xd24e2fefd55e361e
>> (20)     [eap] = handled
>> (20)   } # authenticate = handled
>> (20) Using Post-Auth-Type Challenge
>> (20) # Executing group from file /etc/raddb/sites-enabled/default
>> (20)   Challenge { ... } # empty sub-section is ignored
>> (20) Sent Access-Challenge Id 93 from 192.168.99.13:1812 to
>> 192.168.99.2:56766 length 0
>> (20)   EAP-Message =
>> 0x0110002e1900170303002343321548245ec020494ccfac9bdaeb65e6d6b730b817a
>> d0e5a713d9147d8907ee86758
>> (20)   Message-Authenticator = 0x00000000000000000000000000000000
>> (20)   State = 0xd24e2fefd55e361eca7551413078c7bf
>> (20) Finished request
>> Waking up in 0.8 seconds.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
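The mechanism behind Matthew's fix, as an added Python model that is not FreeRADIUS code and not part of the thread: the `suffix` realm instance splits on "@" and the `ntdomain` instance splits on the "\" prefix, and whichever runs in the inner-tunnel authorize section decides whether `Stripped-User-Name` exists when the `%{%{Stripped-User-Name}:-%{User-Name}}` filter is expanded. It assumes a single defined realm named SEDLMEIER (the poster's proxy.conf realm) and applies plain RFC 4515 escaping; the doubled `\5c5c` the server printed in the debug output is not reproduced here.

```python
# Added model of FreeRADIUS realm handling; not FreeRADIUS code.
# Two realm module instances from the default config are modelled:
#   suffix   { format = suffix; delimiter = "@"  }
#   ntdomain { format = prefix; delimiter = "\\" }
# A realm only matches if it is defined; the only one here is the
# SEDLMEIER realm the poster describes in proxy.conf (constructed set).
KNOWN_REALMS = {"SEDLMEIER"}

# RFC 4515 escaping of a filter value, so that a user-supplied name
# cannot change the structure of the LDAP filter.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)

def suffix_realm(user_name: str):
    """format = suffix: realm is what follows the last '@'. Without an '@'
    the module looks up the realm named NULL, which is not defined -> noop."""
    if "@" not in user_name:
        return None
    stripped, _, realm = user_name.rpartition("@")
    return (stripped, realm) if realm in KNOWN_REALMS else None

def ntdomain_realm(user_name: str):
    """format = prefix: realm is what precedes the first backslash (DOMAIN\\user)."""
    if "\\" not in user_name:
        return None
    realm, _, stripped = user_name.partition("\\")
    return (stripped, realm) if realm in KNOWN_REALMS else None

def authorize(user_name: str, realm_modules) -> dict:
    """Run realm modules in the order they appear in the authorize section;
    the first one that matches adds Stripped-User-Name and Realm."""
    attrs = {"User-Name": user_name}
    for module in realm_modules:
        result = module(user_name)
        if result is not None:
            attrs["Stripped-User-Name"], attrs["Realm"] = result
            break
    # rlm_ldap filter from the thread: %{%{Stripped-User-Name}:-%{User-Name}}
    # falls back to the full User-Name when nothing was stripped.
    lookup = attrs.get("Stripped-User-Name", user_name)
    attrs["ldap_filter"] = f"(samaccountname={ldap_escape(lookup)})"
    return attrs

if __name__ == "__main__":
    for mods in ([suffix_realm], [ntdomain_realm]):
        print([m.__name__ for m in mods], authorize("SEDLMEIER\\iah", mods))
```

With only `suffix` in the inner tunnel the filter is built from the unstripped `SEDLMEIER\iah`, which no sAMAccountName can match; with `ntdomain` the lookup becomes `iah`.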

