Freeradius + AD authentication passing Domain+User

Alan DeKok aland at deployingradius.com
Fri Jun 16 18:50:38 CEST 2017 

On Jun 16, 2017, at 12:43 PM, Alejandro Cabrera Obed <aco1967 at gmail.com> wrote:
> ]]
> But I need to say something before showing the logs: the WiFi notebook
> clients are Windows 7 and 10, the users logged into them are domain users,
> and we want to use these users in order to connect AUTOMATICALLY to our
> WiFi network. This means that we need the user to automatically connect to
> wifi network without type user or user at domain or domain\user, just type the
> corresponding password to the domain user from the notebook.

  You don't control how the Windows machines work.  You have to live with how they *actually* work.

  When the Windows machines are provisioned properly, they will prompt the user for name/password once, and then cache it.  Or, the name and password can be provisioned automatically.

  If login fails, Windows will show a prompt containing the user name, and prompt for a password.

> The log is this:
> 
> rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=59,
> length=412
>        User-Name = "host/NB100.domain.com"
>        Calling-Station-Id = "24:0a:64:33:43:c7"
>        Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius"
>        NAS-Port = 13
>        Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e"
>        NAS-IP-Address = 192.168.1.250
>        NAS-Identifier = "WLC"
>        Airespace-Wlan-Id = 2
>        Service-Type = Framed-User
>        Framed-MTU = 1300
>        NAS-Port-Type = Wireless-802.11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "5"
>        EAP-Message =
> 0x020700901580000000861603010046100000424104df31414042b0d244a7712595d396618c2b2b1bed913f71b10c4b86a308500b9979452bec950cf5c175adc2a421f3e1379d4f2bdb2e1bb7fc14eeb78e6dd1baa114030100010116030100307c89f3e96ccb753fc640b7610548d56f0c3ed30a73e291c63eb7085a430189922680bb69c7cbd567500b05c63bb76c8d
>        State = 0xf7161b91f3110e7694cf1c709482b6fc
>        Message-Authenticator = 0xc0000c50748336541b27a2a07c1cf909
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "host/NB100.domain.com", looking up realm
> NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 7 length 144
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>  TLS Length 134
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> [ttls]     TLS_accept: unknown state
> [ttls]     TLS_accept: unknown state
> [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls] <<< TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: unknown state
> [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls]     TLS_accept: unknown state
> [ttls] >>> TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: unknown state
> [ttls]     TLS_accept: unknown state
> [ttls]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [ttls] eaptls_process returned 13
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 59 to 192.168.1.250 port 32769
>        EAP-Message =
> 0x0108004515800000003b1403010001011603010030ec57aa02d394d0e82f3c4e7e7615f5c9d454c1b7a187db4110a6e4bf4279e4470958bf3a061fadfe3b0bd9eb3778c688
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0xf7161b91f21e0e7694cf1c709482b6fc
> Finished request 6.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 54 with timestamp +511
> Cleaning up request 2 ID 55 with timestamp +511
> Cleaning up request 3 ID 56 with timestamp +511
> Cleaning up request 4 ID 57 with timestamp +511
> Cleaning up request 5 ID 58 with timestamp +511
> Cleaning up request 6 ID 59 with timestamp +511
> WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0xf7161b91f21e0e76 did not finish!
> WARNING: !! Please read
> http://wiki.freeradius.org/guide/Certificate_Compatibility

 So... read that web page and follow it's instructions on how to fix the problem.

> 
> [sql] User DOMAIN.COM\\alejandro not found
> ++[sql] = notfound
> ++[expiration] = noop
> ++[logintime] = noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.

  The user isn't found in the SQL database.  That's why it's failing.

  If you want to have "DOMAIN.COM" treated as a local domain / realm, go read raddb/proxy.conf.  Set the domain as a LOCAL realm.

  And read raddb/sites-enabled/default.  Look for "ntdomain".  It tells you how to set up NT domains for login.

  Alan DeKok.

More information about the Freeradius-Users mailing list