Hello Matthew, Thanks for your tip. This was the solution. 2017-07-31 13:36 GMT+02:00 Matthew Newton <mcn@freeradius.org>:
On Mon, 2017-07-31 at 12:21 +0200, I Aaaaaahhhhhh wrote:
The Radius server is integrated into the Active Directory domain. I would like that only certain users connect to the AD domain. When I connect to the radius server via eapol_test, the authorization by LDAP as well as the AD authentication by AD perfectly. If I want to log on to the AD domain from a Windows 10 client with the same user account, this does not work. C5c5 is prepended to the username.
5c5c actually. Which is ASCII for "\\".
A realm with the domain name and the content skip was created in the proxy.conf, as well as the ntdomain entry in the sites-enabeld / default, but the user name still contains C5C5. Here I add the debug content.
Packet 20.
Replace "suffix" in your inner-tunnel with "ntdomain".
Matthew
(20) Received Access-Request Id 93 from 192.168.99.2:56766 to 192.168.99.13:1812 length 282 (20) User-Name = "SEDLMEIER\\iah" (20) Service-Type = Framed-User (20) Called-Station-Id = "D8-84-66-1C-A0-C2" (20) Calling-Station-Id = "74-2B-62-85-F5-5D" (20) NAS-Identifier = "sed-nw-sw-01.sedlmeier.local" (20) NAS-Port = 5 (20) NAS-Port-Id = "fe.1.5" (20) Framed-MTU = 1500 (20) NAS-Port-Type = Ethernet (20) State = 0xd24e2fefd441361eca7551413078c7bf (20) EAP-Message = 0x020f00671900170303005c000000000000000243241aa425d6f7c8d71509c3b60a4 c6b8db4cad3d64eef888d40802d40c2c86b4500c9bb1901556e079452b3643718c88c db7fe0a50aa320e9d9c7f849290f380b06d9730e79d4e4c2be3e04b14c604a00ccbdd 2 (20) NAS-IP-Address = 0.0.0.0 (20) Message-Authenticator = 0xa846eca9d309e94652e1c58fbaa05dce (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/raddb/sites- enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "SEDLMEIER\iah", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) ntdomain: Checking for prefix before "\" (20) ntdomain: Looking up realm "SEDLMEIER" for User-Name = "SEDLMEIER\iah" (20) ntdomain: Found realm "SEDLMEIER" (20) ntdomain: Adding Stripped-User-Name = "iah" (20) ntdomain: Adding Realm = "SEDLMEIER" (20) ntdomain: Authentication realm is LOCAL (20) [ntdomain] = ok (20) eap: Peer sent EAP Response (code 2) ID 15 length 103 (20) eap: Continuing tunnel setup (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/raddb/sites-enabled/default (20) authenticate { (20) eap: Expiring EAP session with state 0xd63550fbd63a4a59 (20) eap: Finished EAP session with state 0xd24e2fefd441361e (20) eap: Previous EAP request found for state 0xd24e2fefd441361e, released from the list (20) eap: Peer sent packet with method EAP PEAP (25) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: Continuing EAP-TLS (20) eap_peap: [eaptls verify] = ok (20) eap_peap: Done initial handshake (20) eap_peap: [eaptls process] = ok (20) eap_peap: Session established. Decoding tunneled attributes (20) eap_peap: PEAP state phase2 (20) eap_peap: EAP method MSCHAPv2 (26) (20) eap_peap: Got tunneled request (20) eap_peap: EAP-Message = 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552 5c696168 (20) eap_peap: Setting User-Name to SEDLMEIER\iah (20) eap_peap: Sending tunneled request to inner-tunnel (20) eap_peap: EAP-Message = 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552 5c696168 (20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (20) eap_peap: User-Name = "SEDLMEIER\\iah" (20) eap_peap: State = 0xd63550fbd63a4a59a7b76b3185c969aa (20) Virtual server inner-tunnel received request (20) EAP-Message = 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552 5c696168 (20) FreeRADIUS-Proxied-To = 127.0.0.1 (20) User-Name = "SEDLMEIER\\iah" (20) State = 0xd63550fbd63a4a59a7b76b3185c969aa (20) WARNING: Outer and inner identities are the same. User privacy is compromised. (20) server inner-tunnel { (20) session-state: No cached attributes (20) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [chap] = noop (20) [mschap] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "SEDLMEIER\iah", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) update control { (20) &Proxy-To-Realm := LOCAL (20) } # update control = noop (20) eap: Peer sent EAP Response (code 2) ID 15 length 72 (20) eap: No EAP Start, assuming it's an on-going EAP conversation (20) [eap] = updated (20) files: Searching for user in group "CN=Radius lokal,OU=lokale,OU=Gruppen,OU=spezielle Konten,OU=Mitarbeiter,DC=sedlmeier,DC=local" rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 61 seconds rlm_ldap (ldap): Reserved connection (0) (20) files: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User- Name}}) (20) files: --> (samaccountname=SEDLMEIER\5c5ciah) (20) files: Performing search in "OU=Mitarbeiter,DC=sedlmeier,DC=local" with filter "(samaccountname=SEDLMEIER\5c5ciah)", scope "sub" (20) files: Waiting for search result... (20) files: Search returned no results rlm_ldap (ldap): Released connection (0) Need 7 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (8), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldap://sed-vm-dc- 01.sedlmeier.local:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (20) files: users: Matched entry DEFAULT at line 48 (20) [files] = ok rlm_ldap (ldap): Reserved connection (7) (20) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User- Name}}) (20) ldap: --> (samaccountname=SEDLMEIER\5c5ciah) (20) ldap: Performing search in "OU=Mitarbeiter,DC=sedlmeier,DC=local" with filter "(samaccountname=SEDLMEIER\5c5ciah)", scope "sub" (20) ldap: Waiting for search result... (20) ldap: Search returned no results rlm_ldap (ldap): Released connection (7) (20) [ldap] = notfound (20) [expiration] = noop (20) [logintime] = noop (20) pap: WARNING: Auth-Type already set. Not setting to PAP (20) [pap] = noop (20) } # authorize = updated (20) Found Auth-Type = Reject (20) Auth-Type = Reject, rejecting user (20) Failed to authenticate the user (20) Using Post-Auth-Type Reject (20) # Executing group from file /etc/raddb/sites-enabled/inner- tunnel (20) Post-Auth-Type REJECT { (20) attr_filter.access_reject: EXPAND %{User-Name} (20) attr_filter.access_reject: --> SEDLMEIER\\iah (20) attr_filter.access_reject: Matched entry DEFAULT at line 11 (20) [attr_filter.access_reject] = updated (20) update outer.session-state { (20) No attributes updated (20) } # update outer.session-state = noop (20) } # Post-Auth-Type REJECT = updated (20) } # server inner-tunnel (20) Virtual server sending reply (20) eap_peap: Got tunneled reply code 3 (20) eap_peap: Got tunneled reply RADIUS code 3 (20) eap_peap: Tunneled authentication was rejected (20) eap_peap: FAILURE (20) eap: Sending EAP Request (code 1) ID 16 length 46 (20) eap: EAP session adding &reply:State = 0xd24e2fefd55e361e (20) [eap] = handled (20) } # authenticate = handled (20) Using Post-Auth-Type Challenge (20) # Executing group from file /etc/raddb/sites-enabled/default (20) Challenge { ... } # empty sub-section is ignored (20) Sent Access-Challenge Id 93 from 192.168.99.13:1812 to 192.168.99.2:56766 length 0 (20) EAP-Message = 0x0110002e1900170303002343321548245ec020494ccfac9bdaeb65e6d6b730b817a d0e5a713d9147d8907ee86758 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0xd24e2fefd55e361eca7551413078c7bf (20) Finished request Waking up in 0.8 seconds.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html