allow both /etc/freeradius/users and LDAP authentification : DETAILLED

Alan Buxey alan.buxey at gmail.com
Thu Mar 29 17:41:13 CEST 2018


The windows client isn't configured correctly. It's doing machine auth and
using wrong CA

What you are trying to do is achievable

alan

On Thu, 29 Mar 2018, 15:55 jean-francois MONI, <
jean-francois.moni at u-bordeaux.fr> wrote:

> Hi,
> sorry for my first email wich was a bit short.
> Here is a new one with what I'd like to achieve, my conf and the server
> output.
> Thanks to everyone involved in helping me !
> :)
>
> 1. WHAT I'D LIKE TO ACHIEVE :
> I'd like to allow authentification for our visitors by using the USERS
> file at the same time.
> WHen I add a local user, i receive an EAP/TLS error.
> First, I'd like to know if if it's even possible to do so.
>
> 2. MY SERVER CONFIGURATION
> /etc/freeradius/radiusd.conf
>
> max_requests = 38400
> auth = yes
> auth_badpass = yes
> auth_badpass = yes
>
> /etc/freeradius/clients.conf
>
> ## RESEAU WIFI
> client IP/24 {
>          secret = secretpwd
>          shortname = brocaneurocampuswifi
>
> /etc/freeradius/users
>
> ## CREATION COMPTE TEST
> test    Cleartext-Password := "test"
>          Reply-Message = "Hello, %{User-Name}"
>
> /etc/freeradius/modules/ntlm_auth
>
> exec ntlm_auth {
>          wait = yes
>          program = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --password=%{User-Password}"
> }
>
>
> /etc/freeradius/sites-enabled/default and
> /etc/freeradius/sites-enabled/inner-tunnel
>
> authenticate {
>
>          ntlm_auth
>      ...
>      }
>
> /etc/freeradius/users
>
> #DEFAULT Auth-Type = ntlm_auth
>
>
> freerad
>
> service freeradius stop
> usermod -a -G winbindd_priv freerad
> chown root:winbindd_priv /var/lib/samba/winbindd_privileged/
> service freeradius start
>
>
> /etc/freeradius/modules/mschap
>
> with_ntdomain_hack = yes
> ...
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN_NAME
> --username=%{mschap:User-Name} --password=%{User-Password}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00} "
>
> /etc/freeradius/eap.conf
>
> default_eap_type = peap
> ...
> default_eap_type = mschapv2
>
> 3. MY SERVER DEBUG WHEN I TRY TO CONNECT WITH AN ACCOUNT OF THE users
> files.
> (Connection with LDAP auth works fine on laptops, iphones, android phones)
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host xx.xx.xx.1 port 59771, id=108,
> length=364
>          User-Name = "host/HOSTNAME.DOMAIN"
>          Chargeable-User-Identity = "\001"
>          Location-Capable = Civix-Location
>          Calling-Station-Id = "MACADDR"
>          Called-Station-Id = "MACADDR:SSID"
>          NAS-Port = 8
>          Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx"
>          Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111"
>          Cisco-AVPair = "mDNS=true"
>          NAS-IP-Address = IP
>          NAS-Identifier = "CiscoWLC"
>          Airespace-Wlan-Id = 11
>          Service-Type = Framed-User
>          Framed-MTU = 1300
>          NAS-Port-Type = Wireless-802.11
>          Tunnel-Type:0 = VLAN
>          Tunnel-Medium-Type:0 = IEEE-802
>          Tunnel-Private-Group-Id:0 = "152"
>          EAP-Message = 0x00000000000000000000000000000000aaaaaaaaaaa
>          Message-Authenticator = 0x000000000000000000000
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm
> NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 2 length 38
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 108 to IP port 59771
>          EAP-Message = 0x010300061920
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x11111111111111111111111111111111111111111
> Finished request 34.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host IP port 59771, id=109, length=510
>          User-Name = "host/HOSTNAME.DOMAIN"
>          Chargeable-User-Identity = "\001"
>          Location-Capable = Civix-Location
>          Calling-Station-Id = "MACADDR"
>          Called-Station-Id = "MACADDR:SSID"
>          NAS-Port = 8
>          Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx"
>          Acct-Session-Id = ""
>          Cisco-AVPair = "mDNS=true"
>          NAS-IP-Address = 172.31.10.1
>          NAS-Identifier = "CiscoWLC"
>          Airespace-Wlan-Id = 11
>          Service-Type = Framed-User
>          Framed-MTU = 1300
>          NAS-Port-Type = Wireless-802.11
>          Tunnel-Type:0 = VLAN
>          Tunnel-Medium-Type:0 = IEEE-802
>          Tunnel-Private-Group-Id:0 = "152"
>          EAP-Message = 0x00000000000000000000000000000000
>          State =
>          Message-Authenticator =
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm
> NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 3 length 166
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>    TLS Length 156
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap]     (other): before/accept initialization
> [peap]     TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0097], ClientHello
> [peap]     TLS_accept: unknown state
> [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
> [peap]     TLS_accept: unknown state
> [peap] >>> TLS 1.0 Handshake [length 02e4], Certificate
> [peap]     TLS_accept: unknown state
> [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> [peap]     TLS_accept: unknown state
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap]     TLS_accept: unknown state
> [peap]     TLS_accept: unknown state
> [peap]     TLS_accept: Need to read more data: unknown state
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 109 to 172.31.10.1 port 59771
>          EAP-Message = 0x00000000000000000000000000000000
>          EAP-Message = 0x00000000000000000000000000000000
>          EAP-Message = 0x00000000000000000000000000000000
>          EAP-Message = 0x00000000000000000000000000000000
>          EAP-Message = 0xbcfe187aaa8a11b59a0d6a57
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0xd8dcb87ed9d8a1265676698e87672627
> Finished request 35.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 172.31.10.1 port 59771,
> id=110, length=350
>          User-Name = "host/HOSTNAME.DOMAIN"
>          Chargeable-User-Identity = "\001"
>          Location-Capable = Civix-Location
>          Calling-Station-Id = "MACADDR"
>          Called-Station-Id = "MACADDR:SSID"
>          NAS-Port = 8
>          Cisco-AVPair = "audit-session-id=00000000000"
>          Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111"
>          Cisco-AVPair = "mDNS=true"
>          NAS-IP-Address = 172.31.10.1
>          NAS-Identifier = "CiscoWLC"
>          Airespace-Wlan-Id = 11
>          Service-Type = Framed-User
>          Framed-MTU = 1300
>          NAS-Port-Type = Wireless-802.11
>          Tunnel-Type:0 = VLAN
>          Tunnel-Medium-Type:0 = IEEE-802
>          Tunnel-Private-Group-Id:0 = "152"
>          EAP-Message = 0x020400061900
>          State = 0xd8dcb87ed9d8a1265676698e87672627
>          Message-Authenticator = 0x84bbb2c96c1d5b5500daa8aa4c6e83f9
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm
> NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 4 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 110 to IP port 59771
>          EAP-Message = 0x00000000000000000000000000000000
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x00000000000000000000000000000000
> Finished request 36.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 172.31.10.1 port 59771,
> id=111, length=361
>          User-Name = "host/HOSTNAME.DOMAIN"
>          Chargeable-User-Identity = "\001"
>          Location-Capable = Civix-Location
>          Calling-Station-Id = "MACADDR"
>          Called-Station-Id = "MACADDR:SSID"
>          NAS-Port = 8
>          Cisco-AVPair = "audit-session-id=010a1fac007199dcc0f9bc5a"
>          Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111"
>          Cisco-AVPair = "mDNS=true"
>          NAS-IP-Address = 172.31.10.1
>          NAS-Identifier = "CiscoWLC"
>          Airespace-Wlan-Id = 11
>          Service-Type = Framed-User
>          Framed-MTU = 1300
>          NAS-Port-Type = Wireless-802.11
>          Tunnel-Type:0 = VLAN
>          Tunnel-Medium-Type:0 = IEEE-802
>          Tunnel-Private-Group-Id:0 = "152"
>          EAP-Message = 0x000000000000000000000
>          State = 0x000000000000000000000
>          Message-Authenticator = 0x55471ef471cea67863dcad3682750cef
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm
> NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 5 length 17
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>    TLS Length 7
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>      TLS_accept: failed in unknown state
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [peap] eaptls_process returned 4
> [peap] EAPTLS_OTHERS
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> Failed to authenticate the user.
> Login incorrect (TLS Alert read:fatal:unknown CA):
> [host/HOSTNAME.DOMAIN/<via Auth-Type = EAP>] (from client client_name
> port 8 cli MACADDR)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} ->
> host/HOSTNAME.DOMAIN
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 37 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 37
> Sending Access-Reject of id 111 to 172.31.10.1 port 59771
>          EAP-Message = 0x04050004
>          Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> Cleaning up request 34 ID 108 with timestamp +113
> Cleaning up request 35 ID 109 with timestamp +113
> Cleaning up request 36 ID 110 with timestamp +114
> Waking up in 1.0 seconds.
> Cleaning up request 37 ID 111 with timestamp +114
> Ready to process requests.
>
> --
> Jean-François MONI
> Technicien Informatique
> Centre Broca Nouvelle-Aquitaine
> 146 rue Léo Saignat
> 33076 Bordeaux Cedex
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list