In our test lab we are working on using FreeRADIUS to authenticate users against their AD credentials.  We loaded FreeRADIUS on a Fedora 10.  We loaded SAMBA and it works.  We loaded freeradius-2.1.3-1.fc10.i386. 

 

We followed the http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO.  We booted an XP workstation and logged in.  It never got a DHCP address and failed authentication.

 

I noticed a message,

[suffix] No '@' in User-Name = "DOM002\DW68406A", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

 

In the smb.conf file we configured the workgroup to be the netbios name of the domain DOM002.  Should that have been the IP name, fm.testdomain.com?

 

Below is the output from the radius –X.

 

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec  8 2008 at 15:31:31

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License v2.

Starting - reading configuration files ...

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/modules/

including configuration file /etc/raddb/modules/smbpasswd

including configuration file /etc/raddb/modules/inner-eap

including configuration file /etc/raddb/modules/etc_group

including configuration file /etc/raddb/modules/checkval

including configuration file /etc/raddb/modules/policy

including configuration file /etc/raddb/modules/logintime

including configuration file /etc/raddb/modules/preprocess

including configuration file /etc/raddb/modules/attr_filter

including configuration file /etc/raddb/modules/always

including configuration file /etc/raddb/modules/pam

including configuration file /etc/raddb/modules/sqlcounter_expire_on_login

including configuration file /etc/raddb/modules/mac2ip

including configuration file /etc/raddb/modules/acct_unique

including configuration file /etc/raddb/modules/expr

including configuration file /etc/raddb/modules/sradutmp

including configuration file /etc/raddb/modules/pap

including configuration file /etc/raddb/modules/exec

including configuration file /etc/raddb/modules/detail.example.com

including configuration file /etc/raddb/modules/attr_rewrite

including configuration file /etc/raddb/modules/detail.log

including configuration file /etc/raddb/modules/wimax

including configuration file /etc/raddb/modules/detail

including configuration file /etc/raddb/modules/radutmp

including configuration file /etc/raddb/modules/unix

including configuration file /etc/raddb/modules/files

including configuration file /etc/raddb/modules/expiration

including configuration file /etc/raddb/modules/sql_log

including configuration file /etc/raddb/modules/echo

including configuration file /etc/raddb/modules/realm

including configuration file /etc/raddb/modules/counter

including configuration file /etc/raddb/modules/mschap

including configuration file /etc/raddb/modules/digest

including configuration file /etc/raddb/modules/ippool

including configuration file /etc/raddb/modules/perl

including configuration file /etc/raddb/modules/mac2vlan

including configuration file /etc/raddb/modules/linelog

including configuration file /etc/raddb/modules/chap

including configuration file /etc/raddb/modules/passwd

including configuration file /etc/raddb/eap.conf

including configuration file /etc/raddb/policy.conf

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/control-socket

including configuration file /etc/raddb/sites-enabled/default

including configuration file /etc/raddb/sites-enabled/inner-tunnel

group = radiusd

user = radiusd

including dictionary file /etc/raddb/dictionary

main {

                prefix = "/usr"

                localstatedir = "/var"

                logdir = "/var/log/radius"

                libdir = "/usr/lib/freeradius"

                radacctdir = "/var/log/radius/radacct"

                hostname_lookups = no

                max_request_time = 30

                cleanup_delay = 5

                max_requests = 1024

                allow_core_dumps = no

                pidfile = "/var/run/radiusd/radiusd.pid"

                checkrad = "/usr/sbin/checkrad"

                debug_level = 0

                proxy_requests = yes

 log {

                stripped_names = no

                auth = no

                auth_badpass = no

                auth_goodpass = no

 }

 security {

                max_attributes = 200

                reject_delay = 1

                status_server = yes

 }

}

 client 172.18.134.248 {

                require_message_authenticator = no

                secret = "testing123"

                shortname = "172.18.134.248"

                nastype = "other"

 }

 client localhost {

                ipaddr = 127.0.0.1

                require_message_authenticator = no

                secret = "testing123"

                nastype = "other"

 }

radiusd: #### Loading Realms and Home Servers ####

 proxy server {

                retry_delay = 5

                retry_count = 3

                default_fallback = no

                dead_time = 120

                wake_all_if_all_dead = no

 }

 home_server localhost {

                ipaddr = 127.0.0.1

                port = 1812

                type = "auth"

                secret = "testing123"

                response_window = 20

                max_outstanding = 65536

                zombie_period = 40

                status_check = "status-server"

                ping_interval = 30

                check_interval = 30

                num_answers_to_alive = 3

                num_pings_to_alive = 3

                revive_interval = 120

                status_check_timeout = 4

 }

 home_server_pool my_auth_failover {

                type = fail-over

                home_server = localhost

 }

 realm example.com {

                auth_pool = my_auth_failover

 }

 realm LOCAL {

 }

radiusd: #### Instantiating modules ####

 instantiate {

 Module: Linked to module rlm_exec

 Module: Instantiating exec

  exec {

                wait = no

                input_pairs = "request"

                shell_escape = yes

  }

 Module: Linked to module rlm_expr

 Module: Instantiating expr

 Module: Linked to module rlm_expiration

 Module: Instantiating expiration

  expiration {

                reply-message = "Password Has Expired  "

  }

 Module: Linked to module rlm_logintime

 Module: Instantiating logintime

  logintime {

                reply-message = "You are calling outside your allowed timespan  "

                minimum-timeout = 60

  }

 }

radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_pap

 Module: Instantiating pap

  pap {

                encryption_scheme = "auto"

                auto_header = no

  }

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Linked to module rlm_mschap

 Module: Instantiating mschap

  mschap {

                use_mppe = yes

                require_encryption = no

                require_strong = no

                with_ntdomain_hack = no

  }

 Module: Linked to module rlm_unix

 Module: Instantiating unix

  unix {

                radwtmp = "/var/log/radius/radwtmp"

  }

 Module: Linked to module rlm_eap

 Module: Instantiating eap

  eap {

                default_eap_type = "peap"

                timer_expire = 60

                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

                max_sessions = 2048

  }

 Module: Linked to sub-module rlm_eap_md5

 Module: Instantiating eap-md5

 Module: Linked to sub-module rlm_eap_leap

 Module: Instantiating eap-leap

 Module: Linked to sub-module rlm_eap_gtc

 Module: Instantiating eap-gtc

   gtc {

                challenge = "Password: "

                auth_type = "PAP"

   }

 Module: Linked to sub-module rlm_eap_tls

 Module: Instantiating eap-tls

   tls {

                rsa_key_exchange = no

                dh_key_exchange = yes

                rsa_key_length = 512

                dh_key_length = 512

                verify_depth = 0

                pem_file_type = yes

                private_key_file = "/etc/raddb/certs/server.pem"

                certificate_file = "/etc/raddb/certs/server.pem"

                CA_file = "/etc/raddb/certs/ca.pem"

                private_key_password = "whatever"

                dh_file = "/etc/raddb/certs/dh"

                random_file = "/etc/raddb/certs/random"

                fragment_size = 1024

                include_length = yes

                check_crl = no

                cipher_list = "DEFAULT"

                make_cert_command = "/etc/raddb/certs/bootstrap"

    cache {

                enable = no

                lifetime = 24

                max_entries = 255

    }

   }

 Module: Linked to sub-module rlm_eap_ttls

 Module: Instantiating eap-ttls

   ttls {

                default_eap_type = "peap"

                copy_request_to_tunnel = no

                use_tunneled_reply = no

                virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_peap

 Module: Instantiating eap-peap

   peap {

                default_eap_type = "mschapv2"

                copy_request_to_tunnel = no

                use_tunneled_reply = no

                proxy_tunneled_request_as_eap = yes

                virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_mschapv2

 Module: Instantiating eap-mschapv2

   mschapv2 {

                with_ntdomain_hack = no

   }

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_realm

 Module: Instantiating suffix

  realm suffix {

                format = "suffix"

                delimiter = "@"

                ignore_default = no

                ignore_null = no

  }

 Module: Linked to module rlm_files

 Module: Instantiating files

  files {

                usersfile = "/etc/raddb/users"

                acctusersfile = "/etc/raddb/acct_users"

                preproxy_usersfile = "/etc/raddb/preproxy_users"

                compat = "no"

  }

 Module: Checking session {...} for more modules to load

 Module: Linked to module rlm_radutmp

 Module: Instantiating radutmp

  radutmp {

                filename = "/var/log/radius/radutmp"

                username = "%{User-Name}"

                case_sensitive = yes

                check_with_nas = yes

                perm = 384

                callerid = yes

  }

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 Module: Linked to module rlm_attr_filter

 Module: Instantiating attr_filter.access_reject

  attr_filter attr_filter.access_reject {

                attrsfile = "/etc/raddb/attrs.access_reject"

                key = "%{User-Name}"

  }

 }

}

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_preprocess

 Module: Instantiating preprocess

  preprocess {

                huntgroups = "/etc/raddb/huntgroups"

                hints = "/etc/raddb/hints"

                with_ascend_hack = no

                ascend_channels_per_line = 23

                with_ntdomain_hack = no

                with_specialix_jetstream_hack = no

                with_cisco_vsa_hack = no

                with_alvarion_vsa_hack = no

  }

 Module: Checking preacct {...} for more modules to load

 Module: Linked to module rlm_acct_unique

 Module: Instantiating acct_unique

  acct_unique {

                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

  }

 Module: Checking accounting {...} for more modules to load

 Module: Linked to module rlm_detail

 Module: Instantiating detail

  detail {

                detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"

                header = "%t"

                detailperm = 384

                dirperm = 493

                locking = no

                log_packet_header = no

  }

 Module: Instantiating attr_filter.accounting_response

  attr_filter attr_filter.accounting_response {

                attrsfile = "/etc/raddb/attrs.accounting_response"

                key = "%{User-Name}"

  }

 Module: Checking session {...} for more modules to load

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 }

radiusd: #### Opening IP addresses and Ports ####

listen {

                type = "auth"

                ipaddr = *

                port = 0

}

listen {

                type = "acct"

                ipaddr = *

                port = 0

}

listen {

                type = "control"

 listen {

                socket = "/var/run/radiusd/radiusd.sock"

 }

}

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on proxy address * port 1814

Ready to process requests.

rad_recv: Access-Request packet from host 172.18.134.248 port 1812, id=83, length=333

                Framed-MTU = 1480

                NAS-IP-Address = 172.18.134.248

                NAS-Identifier = "IDM test 5406"

                User-Name = "DOM002\\DW68406A"

                Service-Type = Framed-User

                Framed-Protocol = PPP

                NAS-Port = 6

                NAS-Port-Type = Ethernet

                NAS-Port-Id = "A6"

                Called-Station-Id = "00-21-f7-6e-02-00"

                Calling-Station-Id = "00-1e-4f-b0-27-10"

                Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"

                Tunnel-Type:0 = VLAN

                Tunnel-Medium-Type:0 = IEEE-802

                Tunnel-Private-Group-Id:0 = "999"

                EAP-Message = 0x0204001401444f4d3030325c4457363834303641

                Message-Authenticator = 0xb42d28522d0b20c06178f6ca7e7a45aa

                MS-RAS-Vendor = 11

                HP-Attr-255 = 0x011a0000000b28

                HP-Attr-255 = 0x011a0000000b2e

                HP-Attr-255 = 0x011a0000000b3d

                HP-Attr-255 = 0x0138

                HP-Attr-255 = 0x013a

                HP-Attr-255 = 0x0140

                HP-Attr-255 = 0x0141

                HP-Attr-255 = 0x0151

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "DOM002\DW68406A", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 4 length 20

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

[files] users: Matched entry DEFAULT at line 172

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type tls

[tls] Initiate

[tls] Start returned 1

++[eap] returns handled

Sending Access-Challenge of id 83 to 172.18.134.248 port 1812

                Framed-Protocol = PPP

                Framed-Compression = Van-Jacobson-TCP-IP

                EAP-Message = 0x010500061920

                Message-Authenticator = 0x00000000000000000000000000000000

                State = 0xc651d6b8c654cf27ba01eec66aff3857

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 172.18.134.248 port 1812, id=84, length=411

                Framed-MTU = 1480

                NAS-IP-Address = 172.18.134.248

                NAS-Identifier = "IDM test 5406"

                User-Name = "DOM002\\DW68406A"

                Service-Type = Framed-User

                Framed-Protocol = PPP

                NAS-Port = 6

                NAS-Port-Type = Ethernet

                NAS-Port-Id = "A6"

                Called-Station-Id = "00-21-f7-6e-02-00"

                Calling-Station-Id = "00-1e-4f-b0-27-10"

                Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"

                Tunnel-Type:0 = VLAN

                Tunnel-Medium-Type:0 = IEEE-802

                Tunnel-Private-Group-Id:0 = "999"

                State = 0xc651d6b8c654cf27ba01eec66aff3857

                EAP-Message = 0x0205005019800000004616030100410100003d03014a00a4e6275cb2018565ad9e287d82f60ac726ef17efadae0c24cb245b56bef200001600040005000a000900640062000300060013001200630100

                Message-Authenticator = 0x63a1081298f73e7c4143818242a8e5e8

                MS-RAS-Vendor = 11

                HP-Attr-255 = 0x011a0000000b28

                HP-Attr-255 = 0x011a0000000b2e

                HP-Attr-255 = 0x011a0000000b3d

                HP-Attr-255 = 0x0138

                HP-Attr-255 = 0x013a

                HP-Attr-255 = 0x0140

                HP-Attr-255 = 0x0141

                HP-Attr-255 = 0x0151

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "DOM002\DW68406A", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 5 length 80

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 70

[peap] Length Included

[peap] eaptls_verify returned 11

[peap]     (other): before/accept initialization

[peap]     TLS_accept: before/accept initialization

[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello 

[peap]     TLS_accept: SSLv3 read client hello A

[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello 

[peap]     TLS_accept: SSLv3 write server hello A

[peap] >>> TLS 1.0 Handshake [length 085e], Certificate 

[peap]     TLS_accept: SSLv3 write certificate A

[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone 

[peap]     TLS_accept: SSLv3 write server done A

[peap]     TLS_accept: SSLv3 flush data

[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A

In SSL Handshake Phase

In SSL Accept mode 

[peap] eaptls_process returned 13

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 84 to 172.18.134.248 port 1812

                EAP-Message = 0x0106040019c00000089b160301002a0200002603014a00a4ed4a3e2ac1489de523e4a75a46e342f93f08ce07266c3706baacc75b0c00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479

                EAP-Message = 0x301e170d3039303530343232323232355a170d3130303530343232323232355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba09d960ea3260af04d8e598747c45e986dd96a5610168a17aa1ba2199a9e310798230b2dcaf50afc0595f55e73e3e3a16d97a37aea0691b33be6441224e

                EAP-Message = 0xaa3e7ae28ec352d3742165a53e86eb01206a2c6d981e4e6661390980a8daca354de1f6f53d8da2f70dbf2db7a74ed5bf8f9cb40e9a1c305ea5ee832fbe947dd74253a174a477555a3963ec96c366153d35643f5915691e07178b78008614d49ebbeb77cd51d80cf522a6cbfe42c7df2e251a888d09d410e8204e25387be968b997511e3fc554e0ac6376f51c8ef421015b8adc9203ecd801c7177992620ad8594b91e3fc06345fb33768c95c5484e7b581edf539554d855032505f682befca5fcfa70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100540f0cbea4618045f3

                EAP-Message = 0xe10753d45f4fedd23906f32490b1fc7b1ac0ef87e6e7690fc0c1d5d5f1ca10a985ee95c3a5eba0639baf2ef068c25c0bceae385b261488a0b973c8094a7dc72b55923387eae276cbb2b44e662cb12e27026bf9f906fa55f73771d21d5bfbc18157295030934a02bd175784ab036acb5679cbe232060028ac93e910551a3006dcc84c89905f2e549fdbe29730816b8edf06020ab951fe62b03ce46428488e54243793ac5c375142b79f439a77f5b8bd521633683884d72e5374e66181b73d1b221f80cb9db794221945c56bf7d34d2d0bbb5296e4e995a15175baed922bc922ea17ded14cee86a358782aeab2354f107fba4f4d6bea609b0004ab308204

                EAP-Message = 0xa73082038fa0030201020209

                Message-Authenticator = 0x00000000000000000000000000000000

                State = 0xc651d6b8c757cf27ba01eec66aff3857

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

 

 

Thanks,

Mike Davies

 



This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.