Freeradius + AD authentication passing Domain+User
Alan Buxey
alan.buxey at gmail.com
Wed Jun 21 20:36:38 CEST 2017
ignore the ntlm_auth module.... you need to just use the mschap method
- ensure you have configured the ntlm_auth string in the mschap module (or, with latest versions of
freeRADIUS, don't use ntlm_auth at all, use the native direct winbindd method - much much faster) - then, to
test, don't use radtest - as that's basic, use eg eapol_test instead as that will behave like a real client (EAP method) -
your error suggests incorrect password (or rather user/pass combination issue) - suggest that your AD doesn't like
getting a domain in the username - so just add your domain to the proxy.conf as a local realm eg

realm domain.com {
}

then ensure that 'Stripped-User-Name' is being used in the ntlm_auth or winbindd call rather than mschap:User-Name

alan
On 21 June 2017 at 19:12, Alejandro Cabrera Obed <aco1967 at gmail.com> wrote:
> Dear Alan, I'm following your guide "Configuring Authentication with Active
> Directory" (http://deployingradius.com/documents/configuration/active_directory.html)
> in order to analyze my configuration issues.
>
> Please I will show you the most important parts of the tutorial, and I will
> tell you what I put or what I get from the tests, so you can comment below
> if you can:
>
> 1) Configuring Freeradius to use ntlm_auth, in
> /etc/freeradius/modules/ntlm_auth:
>
> exec ntlm_auth {
> wait = yes
> program = "/usr/bin/ntlm_auth --request-nt-key
> --domain=DOMAIN.COM --username=%{mschap:User-Name}
> --password=%{User-Password}"
> }
>
> But in /etc/freeradius/sites-enabled/default and inner-tunnel, I don't have
> the following authenticate sections at all:
>
> authenticate {
> ...
> ntlm_auth
> ...
> }
>
> If I have to put them, what do I have to add in the "..." lines you don't
> specify???
>
> 2) After that, you recommend using the testing command:
>
> $ radtest user password localhost 0 testing123
>
> Does this user correspond to my domain "DOMAIN.COM", or is it a local user in order
> to test the config ???
>
> 3) Configuring Freeradius to use ntlm_auth for MSCHAP
>
> In /etc/freeradius/modules/mschap file I put:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-DOMAIN.COM} --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> After that I start the Freeradius service in debug mode, and I use radtest
> command to send a MSCHAP authentication request. I have Freeradius 2.2.5,
> so I execute:
>
> $ radtest -t mschap bob hello localhost 0 testing123
>
> Is bob/hello a username/password from DOMAIN.COM ???
>
> If I execute this in this way:
>
> Sending Access-Request of id 220 to 127.0.0.1 port 1812
> User-Name = "alejandro at domain.com <alcabrera at g-bapro.net>"
> NAS-IP-Address = 192.168.1.250
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> MS-CHAP-Challenge = 0xdb6688ffc58b6208
> MS-CHAP-Response = 0x0001000000000000000000000000
> 0000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=38
> MS-CHAP-Error = "\000E=691 R=1"
>
> Please I'll be waiting for your feedback, special thanks !!!
>
> Alejandro
>
> 2017-06-15 14:05 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
>
>>
>> > On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967 at gmail.com> wrote:
>> >
>> > Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users
>> > from cell phones and notebooks.
>> >
>> > In the case of cell phones, the users type the corresponding usernames and
>> > passwords and after that Freeradius passes it to the AD and everything
>> > works OK.
>>
>> That's good.
>>
>> > In the case of the notebooks, the Windows users are logged into our DC
>> > domain, then they type the username or username@domain or domain\username
>> > with the corresponding passwords but in these cases they can't
>> > authenticate against the AD (there is a reject message in the Freeradius
>> > log).
>>
>> So... what is the reject message?
>>
>> Please post the full debug output as suggested in the FAQ, "man" pages,
>> wiki, and daily on this list.
>>
>> > In case they are not logged into the domain, and they are local users
>> > in the notebooks, if they type just their usernames (without domain) they
>> > authenticate OK.
>>
>> That's good.
>>
>> > So how can I authenticate Windows users against the AD when they are logged
>> > into the domain??? Do I have to define a special directive in a config file
>> > from freeradius, winbind or samba?
>>
>> It's not magic. But it DOES require that you read the debug output.
>>
>> Alan DeKok.
>>
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> --
> // Alejandro //
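An added illustration (not code from the thread or from FreeRADIUS) of what the realm suggestion above does: a local `realm domain.com { }` entry makes the realm module split `user@domain.com` (and `DOMAIN\user`) into `Stripped-User-Name` plus `Realm`, so the ntlm_auth call can be fed the bare username instead of `mschap:User-Name`. The realm list, the `Request` type, case-insensitive realm matching and the `ntlm_auth_argv` helper are assumptions for this example.

```python
# Added example: models the effect of a local realm in proxy.conf on the
# User-Name before it reaches ntlm_auth. Assumptions (not from the thread):
# realm names match case-insensitively, and the suffix form (user@realm)
# is tried before the ntdomain form (REALM\user).
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "realm X { }" blocks you would add to proxy.conf.
# A DOMAIN\user login needs the NetBIOS name defined as a realm too.
LOCAL_REALMS = {"domain.com", "DOMAIN"}


@dataclass
class Request:
    user_name: str                          # User-Name as sent by the client
    stripped_user_name: Optional[str] = None  # set only when a realm is stripped
    realm: Optional[str] = None


def apply_realms(req: Request) -> Request:
    """Split user@realm or REALM\\user; strip the realm only if it is local."""
    name = req.user_name
    if "@" in name:                         # suffix format (user@realm)
        user, _, realm = name.rpartition("@")
    elif "\\" in name:                      # ntdomain format (REALM\user)
        realm, _, user = name.partition("\\")
    else:
        return req                          # bare username: nothing to strip
    if realm.lower() in {r.lower() for r in LOCAL_REALMS}:
        req.stripped_user_name, req.realm = user, realm
    return req                              # unknown realm: User-Name unchanged


def ntlm_auth_argv(req: Request, default_domain: str = "DOMAIN.COM") -> List[str]:
    """Hypothetical helper: build the ntlm_auth arguments the way the
    %{%{Stripped-User-Name}:-%{User-Name}} idiom would, i.e. prefer the
    stripped name and fall back to the raw User-Name. The domain stays the
    module's configured default, as in the tutorial's ntlm_auth string."""
    user = req.stripped_user_name or req.user_name
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={user}", f"--domain={default_domain}"]
```

With `bob@other.org` (no matching realm) the username reaches ntlm_auth unstripped, which is the situation the reply above describes.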