Freeradius + AD authentication passing Domain+User

Alejandro Cabrera Obed aco1967 at gmail.com
Fri Jun 16 18:43:14 CEST 2017


Dear Alan and people, thanks for your response. Below I show you the log
from Freeradius in debug mode.

But I need to say something before showing the logs: the WiFi notebook
clients are Windows 7 and 10, the users logged into them are domain users,
and we want to use these users in order to connect AUTOMATICALLY to our
WiFi network. This means that we need the user to connect automatically to the
wifi network without typing user, user@domain or domain\user, just typing the
corresponding password for the domain user from the notebook.

The log is this:

rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=59,
length=412
        User-Name = "host/NB100.domain.com"
        Calling-Station-Id = "24:0a:64:33:43:c7"
        Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius"
        NAS-Port = 13
        Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e"
        NAS-IP-Address = 192.168.1.250
        NAS-Identifier = "WLC"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message =
0x020700901580000000861603010046100000424104df31414042b0d244a7712595d396618c2b2b1bed913f71b10c4b86a308500b9979452bec950cf5c175adc2a421f3e1379d4f2bdb2e1bb7fc14eeb78e6dd1baa114030100010116030100307c89f3e96ccb753fc640b7610548d56f0c3ed30a73e291c63eb7085a430189922680bb69c7cbd567500b05c63bb76c8d
        State = 0xf7161b91f3110e7694cf1c709482b6fc
        Message-Authenticator = 0xc0000c50748336541b27a2a07c1cf909
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "host/NB100.domain.com", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: unknown state
[ttls]     TLS_accept: unknown state
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 59 to 192.168.1.250 port 32769
        EAP-Message =
0x0108004515800000003b1403010001011603010030ec57aa02d394d0e82f3c4e7e7615f5c9d454c1b7a187db4110a6e4bf4279e4470958bf3a061fadfe3b0bd9eb3778c688
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf7161b91f21e0e7694cf1c709482b6fc
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 54 with timestamp +511
Cleaning up request 2 ID 55 with timestamp +511
Cleaning up request 3 ID 56 with timestamp +511
Cleaning up request 4 ID 57 with timestamp +511
Cleaning up request 5 ID 58 with timestamp +511
Cleaning up request 6 ID 59 with timestamp +511
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7161b91f21e0e76 did not finish!
WARNING: !! Please read
http://wiki.freeradius.org/guide/Certificate_Compatibility

rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=60,
length=258
        User-Name = "DOMAIN.COM\\alejandro"
        Calling-Station-Id = "24:0a:64:33:43:c7"
        Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius"
        NAS-Port = 13
        Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e"
        NAS-IP-Address = 192.168.1.250
        NAS-Identifier = "WLC"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message = 0x0202001501472d424150524f5c616261726c697a61
        Message-Authenticator = 0x6909a617235e3ada0db90748d81e7ddd
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "DOMAIN\alejandro", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[sql]   expand: %{User-Name} -> DOMAIN.COM\\alejandro
[sql] sql_set_user escaped user --> 'DOMAIN.COM\\alejandro'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'DOMAIN=5C=5C=5C=5Calejandro'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'DOMAIN=5C=5C=5C=5Calejandro'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User DOMAIN.COM\\alejandro not found
++[sql] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 60 to 192.168.1.250 port 32769
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x92095a79920a4f103a071bb9e5e9a7b2
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.

Special thanks !!!

Alejandro

2017-06-15 14:05 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

>
> > On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967 at gmail.com>
> wrote:
> >
> > Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi
> users
> > from cell phones and notebooks.
> >
> > In the case of cell phones, the users type the corresponding usernames
> and
> > passwords and after that Freeradius passes it to the AD and everything
> > works OK.
>
>   That's good.
>
> > In the case of the notebooks, the Windows users are logged into our DC
> > domain, then they type the username or username@domain or
> domain\username
> > with the corresponding passwords but in these cases they can't
> > authenticate against the AD (there is a reject message in the Freeradius
> > log).
>
>   So... what is the reject message?
>
>   Please post the full debug output as suggested in the FAQ, "man" pages,
> wiki, and daily on this list.
>
> > In case they are not logged into the domain, and they are local users
> > in the notebooks, if they type just their usernames (without domain) they
> > authenticate OK.
>
>   That's good.
>
> > So how can I authenticate Windows users against the AD when they are
> logged
> > into the domain??? Do I have to define a special directive in a config
> file
> > from freeradius, winbind or samba?
>
>   It's not magic.  But it DOES require that you read the debug output.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
-- 
 //  Alejandro   //
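Added example (not from the post above or from the FreeRADIUS project): a small model of what the two realm formats of rlm_realm do with the User-Name values that appear in the log. The log shows the "suffix" instance looking for '@', finding none in either "host/NB100.domain.com" or "DOMAIN.COM\alejandro", and returning noop, after which the sql module looks up the literal backslash-form name and reports "not found". The "ntdomain" format splits on the backslash instead and would yield Stripped-User-Name "alejandro" with Realm "DOMAIN.COM". The model assumes the realm found is one defined in proxy.conf (an undefined realm also ends in noop) and the host/FQDN to MACHINE$ mapping is an assumption about what the computer account is called in AD, not something the log shows. The single backslash in the Python literals is the attribute value; the debug printer shows it doubled.

```python
# Added example: model of rlm_realm "suffix" vs "ntdomain" splitting for the
# User-Name values seen in the FreeRADIUS debug log on this page.
# Not FreeRADIUS code; identities below are copied from the log except where
# marked constructed.
from typing import NamedTuple, Optional


class RealmSplit(NamedTuple):
    stripped_user_name: Optional[str]  # what rlm_realm would set as Stripped-User-Name
    realm: Optional[str]               # what it would set as Realm
    result: str                        # module return code: "noop" or "updated"


def split_realm(user_name: str, fmt: str) -> RealmSplit:
    """Model one rlm_realm instance for a single User-Name.

    fmt == "suffix":   split on the last '@', realm is the right-hand side
                       (the instance the posted config runs; with no '@' it
                       looks up the NULL realm, finds none, and returns noop).
    fmt == "ntdomain": split on the first backslash, realm is the left-hand
                       side (DOMAIN\\user, the form the Windows supplicant sends).
    ASSUMPTION: the realm that is found is defined in proxy.conf; an unknown
    realm would also come back noop in the real module.
    """
    if fmt == "suffix":
        idx, realm_first = user_name.rfind("@"), False
    elif fmt == "ntdomain":
        idx, realm_first = user_name.find("\\"), True
    else:
        raise ValueError(f"unknown realm format {fmt!r}")
    if idx < 0:
        return RealmSplit(None, None, "noop")
    left, right = user_name[:idx], user_name[idx + 1:]
    realm, user = (left, right) if realm_first else (right, left)
    if not realm or not user:
        return RealmSplit(None, None, "noop")
    return RealmSplit(user, realm, "updated")


def ntlm_auth_identity(user_name: str) -> dict:
    """Derive the --username / --domain pair one would hand to ntlm_auth.

    ASSUMPTION (not in the log): a machine identity host/NB100.domain.com
    corresponds to the computer account NB100$ and the NetBIOS domain is the
    first label of the DNS domain. Both are site-specific.
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        host, _, dns_domain = fqdn.partition(".")
        domain = dns_domain.split(".")[0].upper() if dns_domain else ""
        return {"username": f"{host.upper()}$", "domain": domain, "machine": True}
    for fmt in ("ntdomain", "suffix"):
        split = split_realm(user_name, fmt)
        if split.result == "updated":
            return {"username": split.stripped_user_name,
                    "domain": split.realm.split(".")[0].upper(),
                    "machine": False}
    # Bare username: ntlm_auth falls back to the workgroup from smb.conf.
    return {"username": user_name, "domain": "", "machine": False}


LOG_USER_NAMES = [
    "host/NB100.domain.com",   # from the first Access-Request in the log
    "DOMAIN.COM\\alejandro",   # from the second Access-Request in the log
    "alejandro@domain.com",    # constructed: the shape the suffix instance expects
]

if __name__ == "__main__":
    for name in LOG_USER_NAMES:
        for fmt in ("suffix", "ntdomain"):
            print(f"{name:26} realm {fmt:8} -> {split_realm(name, fmt)}")
        print(f"{name:26} ntlm_auth      -> {ntlm_auth_identity(name)}")
```

Running it shows why both identities in the log fell through the suffix instance unchanged and how an ntdomain instance would strip the prefix before the sql and mschap modules see the name. The companion setting a practitioner would check alongside this is with_ntdomain_hack in the mschap module, which makes the NT-Response calculation ignore the DOMAIN\ prefix that Windows puts in the MS-CHAPv2 user name.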