Dear, I've tried to understand what you said and I've made some changes: * I've deleted the the content of /etc/freeradius/users corresponding to ldap-group attribute * I've added the ldap-group clauses in /etc/freeradius/sites-available/default and inner-tunnel, as you said. I have not the ultimate clause yet, so the clause is a noop if users belong to the Group1 group: Authorize { ... if (LDAP-Group == Group1) { noop } else { reject } } * Restart freeradius in debug mode, and execute the command below in order to check the inner tunnel behaviour: $ radtest -t mschap adam 1234abcd localhost:18120 0 testing123 But I fail again... Here I show you the log for success test (Alan Dekok's guide exactly without LDAP authorization) and after that the log for failure test (adding LDAP support as described above), in order to confirm that mschap in the success test does not have the "NOT TRUSTED SAM ACCOUNT" error appearing in the failure case, being the same AD in both cases: 1) SUCCESS: Wed Aug 16 12:17:15 2017 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 16 12:17:15 2017 : Info: +group authorize { Wed Aug 16 12:17:15 2017 : Info: ++[chap] = noop Wed Aug 16 12:17:15 2017 : Info: ++[mschap] = noop Wed Aug 16 12:17:15 2017 : Info: [suffix] No '@' in User-Name = "adam", looking up realm NULL Wed Aug 16 12:17:15 2017 : Info: [suffix] No such realm "NULL" Wed Aug 16 12:17:15 2017 : Info: ++[suffix] = noop Wed Aug 16 12:17:15 2017 : Info: ++update control { Wed Aug 16 12:17:15 2017 : Info: ++} # update control = noop Wed Aug 16 12:17:15 2017 : Info: [eap] EAP packet type response id 8 length 69 Wed Aug 16 12:17:15 2017 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Aug 16 12:17:15 2017 : Info: ++[eap] = updated Wed Aug 16 12:17:15 2017 : Info: ++[files] = noop Wed Aug 16 12:17:15 2017 : Info: ++[expiration] = noop Wed Aug 16 12:17:15 2017 : Info: ++[logintime] = noop Wed Aug 16 12:17:15 2017 : Info: ++[pap] = noop Wed Aug 16 12:17:15 2017 : Info: +} # group authorize = updated Wed Aug 16 12:17:15 2017 : Info: Found Auth-Type = EAP Wed Aug 16 12:17:15 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 16 12:17:15 2017 : Info: +group authenticate { Wed Aug 16 12:17:15 2017 : Info: [eap] Request found, released from the list Wed Aug 16 12:17:15 2017 : Info: [eap] EAP/mschapv2 Wed Aug 16 12:17:15 2017 : Info: [eap] processing type mschapv2 Wed Aug 16 12:17:15 2017 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 16 12:17:15 2017 : Info: [mschapv2] +group MS-CHAP { Wed Aug 16 12:17:15 2017 : Info: [mschap] Creating challenge hash with username: adam Wed Aug 16 12:17:15 2017 : Info: [mschap] Client is using MS-CHAPv2 for adam, we need NT-Password Wed Aug 16 12:17:15 2017 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=adam Wed Aug 16 12:17:15 2017 : Info: [mschap] No NT-Domain was found in the User-Name. Wed Aug 16 12:17:15 2017 : Info: [mschap] expand: %{mschap:NT-Domain} -> Wed Aug 16 12:17:15 2017 : Info: [mschap] ... expanding second conditional Wed Aug 16 12:17:15 2017 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain= Wed Aug 16 12:17:15 2017 : Info: [mschap] Creating challenge hash with username: adam Wed Aug 16 12:17:15 2017 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=845cda3e640fcd8a Wed Aug 16 12:17:15 2017 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=23b6b6f4e5bc4601f0f7ddeaec6876cf596fdeac5c26f359 Wed Aug 16 12:17:16 2017 : *Debug: Exec output: NT_KEY: E10EE54A9C762F08F75E4008F93F109E* Wed Aug 16 12:17:16 2017 : *Debug: Exec plaintext: NT_KEY: E10EE54A9C762F08F75E4008F93F109E* Wed Aug 16 12:17:16 2017 : Info: [mschap] Exec: program returned: 0 Wed Aug 16 12:17:16 2017 : Info: [mschap] adding MS-CHAPv2 MPPE keys Wed Aug 16 12:17:16 2017 : Info: ++[mschap] = ok Wed Aug 16 12:17:16 2017 : Info: +} # group MS-CHAP = ok Wed Aug 16 12:17:16 2017 : Debug: MSCHAP Success Wed Aug 16 12:17:16 2017 : Info: ++[eap] = handled Wed Aug 16 12:17:16 2017 : Info: +} # group authenticate = handled 2) FAILURE rad_recv: Access-Request packet from host 127.0.0.1 port 56467, id=90, length=135 User-Name = "adam" NAS-IP-Address = 172.22.88.223 NAS-Port = 0 Message-Authenticator = 0xb38b49322db530f2191b85452fdf0195 MS-CHAP-Challenge = 0xe1248c7251ea7e63 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851 Wed Aug 16 22:21:45 2017 : Info: server inner-tunnel { Wed Aug 16 22:21:45 2017 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 16 22:21:45 2017 : Info: +group authorize { Wed Aug 16 22:21:45 2017 : Info: ++[chap] = noop Wed Aug 16 22:21:45 2017 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = ok Wed Aug 16 22:21:45 2017 : Info: [suffix] No '@' in User-Name = "adam", looking up realm NULL Wed Aug 16 22:21:45 2017 : Info: [suffix] No such realm "NULL" Wed Aug 16 22:21:45 2017 : Info: ++[suffix] = noop Wed Aug 16 22:21:45 2017 : Info: ++update control { Wed Aug 16 22:21:45 2017 : Info: ++} # update control = noop Wed Aug 16 22:21:45 2017 : Info: [eap] No EAP-Message, not doing EAP Wed Aug 16 22:21:45 2017 : Info: ++[eap] = noop Wed Aug 16 22:21:45 2017 : Info: ++[files] = noop Wed Aug 16 22:21:45 2017 : Info: [ldap] performing user authorization for adam Wed Aug 16 22:21:45 2017 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 16 22:21:45 2017 : Info: [ldap] ... expanding second conditional Wed Aug 16 22:21:45 2017 : Info: [ldap] expand: %{User-Name} -> adam Wed Aug 16 22:21:45 2017 : Info: [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) Wed Aug 16 22:21:45 2017 : Info: [ldap] expand: OU=users,DC=d-holomit,DC=com -> OU=users,DC=d-holomit,DC=com Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 16 22:21:45 2017 : Debug: [ldap] attempting LDAP reconnection Wed Aug 16 22:21:45 2017 : Debug: [ldap] (re)connect to host1.holimit.com:389, authentication 0 Wed Aug 16 22:21:45 2017 : Debug: [ldap] bind as cn=connect,ou=users,dc=d-holomit,dc=com/wP67yh345 to host1.holomit.com:389 Wed Aug 16 22:21:45 2017 : Debug: [ldap] waiting for bind result ... Wed Aug 16 22:21:45 2017 : Debug: [ldap] Bind was successful Wed Aug 16 22:21:45 2017 : Debug: [ldap] performing search in OU=users,DC=d-holomit,DC=com, with filter (sAMAccountName=adam) Wed Aug 16 22:21:45 2017 : Info: [ldap] No default NMAS login sequence Wed Aug 16 22:21:45 2017 : Info: [ldap] looking for check items in directory... Wed Aug 16 22:21:45 2017 : Info: [ldap] looking for reply items in directory... Wed Aug 16 22:21:45 2017 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 16 22:21:45 2017 : Info: ++[ldap] = ok Wed Aug 16 22:21:45 2017 : Info: ++[expiration] = noop Wed Aug 16 22:21:45 2017 : Info: ++[logintime] = noop Wed Aug 16 22:21:45 2017 : Info: ++[pap] = noop Wed Aug 16 22:21:45 2017 : Info: ++? if (LDAP-Group == Group1) Wed Aug 16 22:21:45 2017 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 16 22:21:45 2017 : Info: expand: OU=users,DC=d-holomit,DC=com -> OU=users,DC=d-holomit,DC=com Wed Aug 16 22:21:45 2017 : Info: expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dInfraestructura\2cOU\3dG. Infraestructura\2cOU\3dusers\3dd-holomit\2cDC\3dcom))) Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 16 22:21:45 2017 : Debug: [ldap] performing search in OU=users,DC=d-holomit,DC=com, with filter (&(cn=Group1)(|(&(objectClass=group)(member=CN\3dAdam\3dUsers\2cOU\3dd-holomit\2cDC\3dcom))) Wed Aug 16 22:21:45 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group Group1 Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 16 22:21:45 2017 : Info: ? Evaluating (LDAP-Group == Group1) -> TRUE Wed Aug 16 22:21:45 2017 : Info: ++? if (LDAP-Group == Group1) -> TRUE Wed Aug 16 22:21:45 2017 : Info: ++if (LDAP-Group == Group1) { Wed Aug 16 22:21:45 2017 : Info: +++[noop] = noop Wed Aug 16 22:21:45 2017 : Info: ++} # if (LDAP-Group == Group1) = noop Wed Aug 16 22:21:45 2017 : Info: ++ ... skipping else for request 0: Preceding "if" was taken Wed Aug 16 22:21:45 2017 : Info: +} # group authorize = ok Wed Aug 16 22:21:45 2017 : Info: Found Auth-Type = MSCHAP Wed Aug 16 22:21:45 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 16 22:21:45 2017 : Info: +group MS-CHAP { Wed Aug 16 22:21:45 2017 : Info: [mschap] Client is using MS-CHAPv1 with NT-Password Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=adam Wed Aug 16 22:21:45 2017 : Info: [mschap] No NT-Domain was found in the User-Name. Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: %{mschap:NT-Domain} -> Wed Aug 16 22:21:45 2017 : Info: [mschap] ... expanding second conditional Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain=D-HOLOMIT Wed Aug 16 22:21:45 2017 : Info: [mschap] mschap1: e1 Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e1248c7251ea7e63 Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851 Wed Aug 16 22:21:45 2017 : *Debug: Exec output: No trusted SAM account (0xc000018b) * Wed Aug 16 22:21:45 2017 : *Debug: Exec plaintext: No trusted SAM account (0xc000018b)* Wed Aug 16 22:21:45 2017 : Info: [mschap] Exec: program returned: 1 Wed Aug 16 22:21:45 2017 : Info: [mschap] External script failed. Wed Aug 16 22:21:45 2017 : Info: [mschap] MS-CHAP-Response is incorrect. Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = reject Wed Aug 16 22:21:45 2017 : Info: +} # group MS-CHAP = reject Wed Aug 16 22:21:45 2017 : Info: Failed to authenticate the user. Wed Aug 16 22:21:45 2017 : Info: } # server inner-tunnel Wed Aug 16 22:21:45 2017 : Info: Using Post-Auth-Type REJECT Wed Aug 16 22:21:45 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 16 22:21:45 2017 : Info: +group REJECT { Wed Aug 16 22:21:45 2017 : Info: [attr_filter.access_reject] expand: %{User-Name} -> adam Wed Aug 16 22:21:45 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Aug 16 22:21:45 2017 : Info: ++[attr_filter.access_reject] = updated Wed Aug 16 22:21:45 2017 : Info: +} # group REJECT = updated Wed Aug 16 22:21:45 2017 : Info: Delaying reject of request 0 for 1 seconds Wed Aug 16 22:21:45 2017 : Debug: Going to the next request Wed Aug 16 22:21:45 2017 : Debug: Waking up in 0.8 seconds. Wed Aug 16 22:21:46 2017 : Info: Sending delayed reject for request 0 Sending Access-Reject of id 90 to 127.0.0.1 port 56467 MS-CHAP-Error = "\000E=691 R=1" Special thanks !!! Adam 2017-08-16 13:28 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 16, 2017, at 4:05 PM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and people, I'm near the solution of my problem but I'm still having a problem.
Following the Alan Dekok tutorial about Authentication with Active Directory with ntlm_auth and mschap, everything work OK. In this case, I have no LDAP support at all, no authorization, just authentication.
That's fine. The guide deals with one issue at a time.
If you can get AD authentication working, then adding LDAP authorization is about 10 minutes.
But the problem comes when I setup the LDAP support to Authorization when checking if user is or not in a given group with the Ldap-Group attribute.
Put those checks into the virtual server, not in the "users" file.
What LDAP group checks are you doing?
This kind of thing will work:
authorize { ... if (LDAP-Group != admins) { reject } ... }
As I said previously, after configured ldap module and /etc/sites-available/default and inner-tunnel with LDAP for authorization,
To do *what*? Be specific.
In most case, if you can write the requirements down in simple English, you can translate those to "unlang" policy rules pretty directly.
--nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38 Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account * (0xc000018b) Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account* (0xc000018b)
That's an error produced by AD, not FreeRADIUS.
Can you tell me why mschap auth is ok without LDAP support and it's wrong with LDAP support???
Since you didn't say what you did for LDAP authorization, I have no idea what's going wrong.
But from the error message above, it *is* clear that the user isn't allowed to use AD authentication. That is an issue entirely separate from LDAP authorization.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html