At 06:12 PM 11/30/2009, tnt@kalik.net wrote:
You need to set fall-through so that you still do per user processing. This is documented in the raddb/users file and you should also read doc/processing_users_file
Or just add Auth-Type := ntlm_auth to the first line (ie. instead of Accept). Fall-Through is more elegant since you don't have to add Auth-Type to every DEFAULT entry.
Yup, both of those work, and I'm to the point I understand why! What I think is my final problem. I'm now working to authenticate VPN users in the same scenario, using the l2tp client in windows. Looks like everything automatically picks up that it's a MSCHAP request. Using a similar logic: DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users" The only problem is that it appears to ignore my LDAP group, and just authenticate ANY user (with a valid User ID/ Password) regardless of LDAP group. rad_recv: Access-Request packet from host 10.4.1.2 port 1924, id=55, length=129 User-Name = "notvpnuser" MS-CHAP-Challenge = 0x85e6507f219630664491c4e1bbeee67b MS-CHAP2-Response = 0x0100cc49a55de60f33a16e0afd73fb10d7dd0000000000000000eb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4 NAS-IP-Address = 10.4.1.2 NAS-Port = 0 server server_vpn { +- entering group authorize {...} ++[preprocess] returns ok [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok rlm_ldap: Entering ldap_groupcmp() [files] expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to int.example.com:389, authentication 0 rlm_ldap: bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person)) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=cisco rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*) rlm_ldap: performing search in CN=Infrastructure,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users) rlm_ldap: object not found rlm_ldap::groupcmp: Group VPN_Users not found or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for notvpnuser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person)) [ldap] expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user notvpnuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for notvpnuser with NT-Password [mschap] expand: --username=%{mschap:User-Name} -> --username=notvpnuser [mschap] No NT-Domain was found in the User-Name. [mschap] expand: --domain=%{mschap:NT-Domain:-int.example.com} -> --domain=int.example.com [mschap] mschap2: 85 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=902a16bba035658e [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=eb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4 Exec-Program output: NT_KEY: 4E1F254C4B27DD3C7F78BB1C5513887C Exec-Program-Wait: plaintext: NT_KEY: 4E1F254C4B27DD3C7F78BB1C5513887C Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok Login OK: [notvpnuser] (from client VPN port 0) +- entering group post-auth {...} ++[exec] returns noop } # server server_vpn Sending Access-Accept of id 55 to 10.4.1.2 port 1924 MS-CHAP2-Success = 0x01533d38304631424142374345463745433336454431353636444636413932383044334131463237314437 MS-MPPE-Recv-Key = 0xdb66e88cd170cf5f5a59034267079b9e MS-MPPE-Send-Key = 0x660d90f211a1efa06e81e612eb08f3fa MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 55 with timestamp +13 Ready to process requests.
Ivan Kalik
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html