freeradius with Active Directory via winbind or MAC address access

Vieri rentorbuy at yahoo.com
Wed Nov 29 15:04:17 CET 2017


Hi,

I would like to allow access when user authentication is approved by AD through winbind, OR when the MAC address is in a local file.

I'm trying to follow this guide:

https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind

but also this other guide:

https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x

My software versions:
freeradius-3.0.14
samba-4.5.10

Samba/winbind works fine:
# ntlm_auth --username=user --domain=DOMAIN
Password:
NT_STATUS_OK: Success (0x0)

freeradius build.log looks good:
checking for wbclient.h in /usr/include/samba-4.0/... yes
checking for wbcCtxAuthenticateUserEx in -lwbclient... yes

# grep winbind_ /etc/raddb/mods-available/mschap | grep -v ^#
winbind_username = "%{mschap:User-Name}"
winbind_domain = "DOMAIN"

# tail -n 6 /etc/raddb/clients.conf
client 10.215.144.92 {
ipv4addr = 10.215.144.92
secret      = testrad
shortname   = testsys
require_message_authenticator = no
}

From 10.215.144.92:
# radtest -t mschap user password 10.215.144.91 0 testrad
Sent Access-Request Id 181 from 0.0.0.0:39653 to 10.215.144.91:1812 length 132
User-Name = "user"
MS-CHAP-Password = "password"
NAS-IP-Address = 10.215.144.92
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "user"
MS-CHAP-Challenge = 0x5e0a69983fa65564
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721
Received Access-Reject Id 181 from 10.215.144.91:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

Radius log:
(0) Received Access-Request Id 181 from 10.215.144.92:39653 to 10.215.144.91:1812 length 132
(0)   User-Name = "user"
(0)   NAS-IP-Address = 10.215.144.92
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x1905f61891b983253895b1d8d33976d8
(0)   MS-CHAP-Challenge = 0x5e0a69983fa65564
(0)   MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     policy rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy rewrite_calling_station_id = noop
(0)     if (!EAP-Message) {
(0)     if (!EAP-Message)  -> TRUE
(0)     if (!EAP-Message)  {
(0) authorized_macs: EXPAND %{Calling-Station-ID}
(0) authorized_macs:    -->
(0)       [authorized_macs] = noop
(0)       if (!ok) {
(0)       if (!ok)  -> TRUE
(0)       if (!ok)  {
(0)         [reject] = reject
(0)       } # if (!ok)  = reject
(0)     } # if (!EAP-Message)  = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> user
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 181 from 10.215.144.91:1812 to 10.215.144.92:39653 length 20

# grep user /etc/raddb/radiusd.conf | grep -v '#'
user = radius

I cannot find any subdir named 'winbindd_privileged':
# ls /var/lock/samba/
brlock.tdb            mutex.tdb                  smbXsrv_session_global.tdb
g_lock.tdb            names.tdb                  smbXsrv_tcon_global.tdb
gencache_notrans.tdb  printer_list.tdb           smbXsrv_version_global.tdb
leases.tdb            serverid.tdb               smb_krb5
locking.tdb           smbXsrv_client_global.tdb  smbd_cleanupd.tdb
msg.lock              smbXsrv_open_global.tdb

Why is my radtest above not getting an Access-Accept?

Thanks,

Vieri
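To read the debug output above mechanically, here is an added script (not from the post or from FreeRADIUS) that parses a constructed excerpt of that radiusd -X log and reports, per module, what it returned, which xlat expanded to nothing, which request attribute that xlat referenced, and whether mschap ran at all before authorize returned reject. It assumes the 3.0.x debug line formats exactly as they appear in the post.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the post (sample input).
SAMPLE_LOG = """\
(0) Received Access-Request Id 181 from 10.215.144.92:39653 to 10.215.144.91:1812 length 132
(0)   User-Name = "user"
(0)   NAS-IP-Address = 10.215.144.92
(0)   MS-CHAP-Challenge = 0x5e0a69983fa65564
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0) authorized_macs: EXPAND %{Calling-Station-ID}
(0) authorized_macs:    -->
(0)       [authorized_macs] = noop
(0)       if (!ok)  -> TRUE
(0)         [reject] = reject
(0)   } # authorize = reject
"""

ATTR_RE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+) = (.*)$')    # request attribute dump
MODULE_RE = re.compile(r'^\(\d+\)\s+\[([\w.]+)\] = (\w+)$')     # "[module] = rcode"
EXPAND_RE = re.compile(r'^\(\d+\) (\S+): EXPAND (.*)$')          # xlat about to expand
EXPANDED_RE = re.compile(r'^\(\d+\) (\S+):\s+-->\s*(.*)$')       # xlat result
RESULT_RE = re.compile(r'^\(\d+\)\s+\} # (\w+) = (\w+)$')       # "} # section = rcode"

def explain_authorize(log_text):
    """Summarise how the authorize section of one request reached its result."""
    attrs, modules, empty, result = {}, [], [], None
    in_request, pending = True, None
    for line in log_text.splitlines():
        if '# Executing section' in line:
            in_request = False                    # attribute dump is over
        m = ATTR_RE.match(line)
        if in_request and m:
            attrs[m.group(1).lower()] = m.group(2)  # attribute names are case-insensitive
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.append((m.group(1), m.group(2)))
            continue
        m = EXPAND_RE.match(line)
        if m:
            pending = m.group(2)                  # remember the xlat; its value follows
            continue
        m = EXPANDED_RE.match(line)
        if pending and m:
            if m.group(2) == '':
                empty.append(pending)
            pending = None
            continue
        m = RESULT_RE.match(line)
        if m:
            result = (m.group(1), m.group(2))
    # Attributes named by an xlat that expanded to nothing and never arrived in the request.
    missing = [x[2:-1] for x in empty if x[2:-1].lower() not in attrs]
    idx = next((i for i, (_, rc) in enumerate(modules) if rc == 'reject'), None)
    return {
        'section_result': result,
        'modules': modules,
        'last_before_reject': modules[idx - 1][0] if idx else None,
        'missing_attrs': missing,
        'mschap_ran': any(mod == 'mschap' for mod, _ in modules),
    }
```

Running it on the excerpt reports that authorize rejected right after authorized_macs returned noop, that the request carried no Calling-Station-ID for the MAC lookup, and that mschap was never reached.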

