Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Wed Apr 28 09:51:10 CEST 2021


Hi,

I purged my configuration and started it again from the default state. The
system is Debian Bullseye.

dpkg --purge freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config

apt install freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config

mkdir /var/log/freeradius/radacct

I created the vpn user earlier.

I started the setup now according to this:

https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto


ntlm_auth --request-nt-key --domain=ad --username=vpn

OK.

setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged

clients.conf:

client localhost {
        ipaddr          = 127.0.0.1
        netmask         = 32
        secret          = xyz
        shortname       = localhost
}

mods-available/mschap:

mschap {
        with_ntdomain_hack = yes
        ...
        winbind_username = "%{mschap:User-Name}"
        ##winbind_domain = "%{mschap:NT-Domain}"
        winbind_domain = "ad.ourdomain.hu"

Why doesn't "%{mschap:NT-Domain}" work?

mods-available/eap:

default_eap_type = peap

In the tls-config tls-common { } block:

        random_file = /dev/urandom

In the users file:

bob     Cleartext-Password := "asdfg", MS-CHAP-Use-NTLM-Auth := 0
        Reply-Message := "Hello, %{User-Name}"

Testing:

radtest -x -t mschap vpn "qwert" localhost 0 asdfg

Debug messages:

(3) Received Access-Request Id 205 from 127.0.0.1:54834 to 127.0.0.1:1812 length 129
(3)   User-Name = "vpn"
(3)   NAS-IP-Address = 1.2.3.4
(3)   NAS-Port = 0
(3)   Message-Authenticator = 0xd38e4b9f5882a26aac2b6c434193ce2c
(3)   MS-CHAP-Challenge = 0xf5cbfa7a17cd01a9
(3)   MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000018e5b4331f9534d83e07def8a29c802dfd30a011e2e6224a
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(3)     [mschap] = ok
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "vpn", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3)     [eap] = noop
(3)     [files] = noop
(3)     [expiration] = noop
(3)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(3)     [pap] = noop
(3)   } # authorize = ok
(3) Found Auth-Type = mschap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) mschap: Client is using MS-CHAPv1 with NT-Password
(3) mschap: EXPAND %{mschap:User-Name}
(3) mschap:    --> vpn
rlm_mschap (mschap): Reserved connection (7)
(3) mschap: sending authentication request user='vpn' domain='ad.ourdomain.hu'
rlm_mschap (mschap): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_mschap (mschap): Opening additional connection (9), 1 of 30 pending slots used
(3) mschap: Authenticated successfully
(3) mschap: adding MS-CHAPv1 MPPE keys
(3)     [mschap] = ok
(3)   } # authenticate = ok

Why doesn't vpn@ad.ourdomain.hu work?

radtest -x -t mschap vpn@ad.ourdomain.hu "qwert" localhost 0 asdfg

Debug messages:

(4) Received Access-Request Id 203 from 127.0.0.1:34360 to 127.0.0.1:1812 length 145
(4)   User-Name = "vpn@ad.ourdomain.hu"
(4)   NAS-IP-Address = 1.2.3.4
(4)   NAS-Port = 0
(4)   Message-Authenticator = 0x6f31019a0d498b004da273a6cdf4dae3
(4)   MS-CHAP-Challenge = 0x0c602d2a989f07bd
(4)   MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005fe2f91d70356771e4af8a27ddcfec463f235dfcf04e7e31
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(4)     [mschap] = ok
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "ad.ourdomain.hu" for User-Name = "vpn@ad.ourdomain.hu"
(4) suffix: No such realm "ad.ourdomain.hu"
(4)     [suffix] = noop
(4) eap: No EAP-Message, not doing EAP
(4)     [eap] = noop
(4)     [files] = noop
(4)     [expiration] = noop
(4)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(4)     [pap] = noop
(4)   } # authorize = ok
(4) Found Auth-Type = mschap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) mschap: Client is using MS-CHAPv1 with NT-Password
(4) mschap: EXPAND %{mschap:User-Name}
(4) mschap:    --> vpn@ad.ourdomain.hu
rlm_mschap (mschap): Closing connection (8): Hit idle_timeout, was idle for 772 seconds
rlm_mschap (mschap): You probably need to lower "min"
rlm_mschap (mschap): Reserved connection (7)
(4) mschap: sending authentication request user='vpn@ad.ourdomain.hu' domain='ad.ourdomain.hu'
rlm_mschap (mschap): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_mschap (mschap): Opening additional connection (10), 1 of 30 pending slots used
(4) mschap: ERROR: The specified account does not exist. [0xC0000064]
(4) mschap: ERROR: MS-CHAP2-Response is incorrect
(4)     [mschap] = reject
(4)   } # authenticate = reject
(4) Failed to authenticate the user


Thanks,

Tamas Pisch.
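A realm definition and the matching mschap settings, added here as an illustration; this is not part of the post above and not FreeRADIUS's shipped configuration. The second debug trace shows the mechanism behind the failure: no realm named ad.ourdomain.hu is defined, so the suffix module returns noop without adding Stripped-User-Name, and the complete string vpn@ad.ourdomain.hu is handed to winbind as the account name, which AD rejects with 0xC0000064 (account does not exist). Declaring the realm in proxy.conf with no home servers keeps authentication local while letting rlm_realm strip the suffix and set Realm. Separately, the %{mschap:NT-Domain} expansion only parses the DOMAIN\user form, so it yields nothing for user@realm names. The file paths and domain name follow the post; the attribute layout and the fallback choices are assumptions.

```conf
# /etc/freeradius/3.0/proxy.conf  (added example, not from the post)
#
# A realm stanza with no auth_pool/acct_pool is handled locally.  With it in
# place, rlm_realm ("suffix") adds Stripped-User-Name = "vpn" and
# Realm = "ad.ourdomain.hu" to the request instead of returning noop.
realm ad.ourdomain.hu {
}

# /etc/freeradius/3.0/mods-available/mschap  (relevant lines only)
mschap {
        with_ntdomain_hack = yes

        # Weak setting (as in the post): the unmodified User-Name is passed
        # to winbind, so "vpn@ad.ourdomain.hu" is looked up as an account
        # and fails with 0xC0000064.
        #winbind_username = "%{mschap:User-Name}"

        # Corrected: prefer the realm-stripped name when rlm_realm set one,
        # and fall back to the mschap expansion, which strips a DOMAIN\ prefix.
        winbind_username = "%{%{Stripped-User-Name}:-%{mschap:User-Name}}"

        # %{mschap:NT-Domain} only understands "DOMAIN\user".  For user@realm
        # names use the Realm attribute set by rlm_realm; when no realm was
        # present in the login, default to the AD domain from the post.
        winbind_domain = "%{%{Realm}:-ad.ourdomain.hu}"
}
```

After the change, rerunning the same radtest against vpn@ad.ourdomain.hu in debug mode is the check: the suffix section should report the realm as found and add Stripped-User-Name and Realm, and the mschap line should send user='vpn' with domain='ad.ourdomain.hu' rather than the full address. The bare "vpn" login is unaffected, since Stripped-User-Name is absent and both expansions fall back to their previous values.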