see my other recent reply about accounts in AD - if you want to verify, you can use ntlm_auth directly on the command line the same as FR is doing (check its debug to see what parameters) - expect that the account information is wrong...wrong domain etc. alan On 16 August 2017 at 15:05, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and people, I'm near the solution of my problem but I'm still having a problem.
Following the Alan Dekok tutorial about Authentication with Active Directory with ntlm_auth and mschap, everything work OK. In this case, I have no LDAP support at all, no authorization, just authentication. At this point I success because I obtain an ACCEP-ACCEPT response packet, let's see:
$ radtest -t mschap adam 1234abcd localhost 0 testing123 Sending Access-Request of id 233 to 127.0.0.1 port 1812 User-Name = "adam" NAS-IP-Address = 10.10.10.1 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x9c705e7afe5513e7 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000008319855335ab46ea32fd6382fb68640c6c27a0e929182371 rad_recv: *Access-Accept* packet from host 127.0.0.1 port 1812, id=233, length=84 MS-CHAP-MPPE-Keys = 0x0000000000000000997c9fae0cc86f9d48d2cbb81915e1630000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006
But the problem comes when I setup the LDAP support to Authorization when checking if user is or not in a given group with the Ldap-Group attribute. As I said previously, after configured ldap module and /etc/sites-available/default and inner-tunnel with LDAP for authorization, I execute the same radtest command "radtest -t mschap adam 1234abcd localhost 0 testing123" and this is the freeradius debug output when it fail:
rad_recv: Access-Request packet from host 127.0.0.1 port 35229, id=117, length=135 User-Name = "adam" NAS-IP-Address = 10.10.10.1 NAS-Port = 0 Message-Authenticator = 0x38de9478053289444c4ad85736b70bfd MS-CHAP-Challenge = 0xb4d7849d65d481d0 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000000fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38 Wed Aug 16 10:51:56 2017 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 16 10:51:56 2017 : Info: +group authorize { Wed Aug 16 10:51:56 2017 : Info: ++[preprocess] = ok Wed Aug 16 10:51:56 2017 : Info: ++[chap] = noop Wed Aug 16 10:51:56 2017 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = ok Wed Aug 16 10:51:56 2017 : Info: ++[digest] = noop Wed Aug 16 10:51:56 2017 : Info: [suffix] No '@' in User-Name = "adam", looking up realm NULL Wed Aug 16 10:51:56 2017 : Info: [suffix] No such realm "NULL" Wed Aug 16 10:51:56 2017 : Info: ++[suffix] = noop Wed Aug 16 10:51:56 2017 : Info: [eap] No EAP-Message, not doing EAP Wed Aug 16 10:51:56 2017 : Info: ++[eap] = noop Wed Aug 16 10:51:56 2017 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 16 10:51:56 2017 : Info: [files] expand: OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com Wed Aug 16 10:51:56 2017 : Info: [files] expand: %{Stripped-User-Name} -> Wed Aug 16 10:51:56 2017 : Info: [files] ... expanding second conditional Wed Aug 16 10:51:56 2017 : Info: [files] expand: %{User-Name} -> adam Wed Aug 16 10:51:56 2017 : Info: [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 16 10:51:56 2017 : Debug: [ldap] attempting LDAP reconnection Wed Aug 16 10:51:56 2017 : Debug: [ldap] (re)connect to mitwpdcs01.company.com:389, authentication 0 Wed Aug 16 10:51:56 2017 : Debug: [ldap] bind as cn=wspsf,ou=Proxy para Apps,ou=Internos,ou=Servicios,ou=users,dc=company,dc=com/wP67yh345 to mitwpdcs01.company.com:389 Wed Aug 16 10:51:56 2017 : Debug: [ldap] waiting for bind result ... Wed Aug 16 10:51:56 2017 : Debug: [ldap] Bind was successful Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in OU=users,DC=company,DC=com, with filter (sAMAccountName=adam) Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 16 10:51:56 2017 : Info: [files] expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dusers\2cOU\2cDC\3dcompany\2cDC\3dcom))) Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in cn=group1,ou=wifi,dc=company,dc=com, with filter (|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cOU\3dcompany\2cDC\3dcom))) Wed Aug 16 10:51:56 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group cn=group1,ou=wifi,dc=company,dc=com Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 16 10:51:56 2017 : Info: [files] users: Matched entry DEFAULT at line 207 Wed Aug 16 10:51:56 2017 : Info: ++[files] = ok Wed Aug 16 10:51:56 2017 : Info: [ldap] performing user authorization for adam Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 16 10:51:56 2017 : Info: [ldap] ... expanding second conditional Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: %{User-Name} -> adam Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in OU=users,DC=company,DC=com, with filter (sAMAccountName=adam) Wed Aug 16 10:51:56 2017 : Info: [ldap] No default NMAS login sequence Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for check items in directory... Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for reply items in directory... Wed Aug 16 10:51:56 2017 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 16 10:51:56 2017 : Info: ++[ldap] = ok Wed Aug 16 10:51:56 2017 : Info: ++[expiration] = noop Wed Aug 16 10:51:56 2017 : Info: ++[logintime] = noop Wed Aug 16 10:51:56 2017 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Aug 16 10:51:56 2017 : Info: ++[pap] = noop Wed Aug 16 10:51:56 2017 : Info: +} # group authorize = ok Wed Aug 16 10:51:56 2017 : Info: Found Auth-Type = MSCHAP Wed Aug 16 10:51:56 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 16 10:51:56 2017 : Info: +group MS-CHAP { Wed Aug 16 10:51:56 2017 : Info: [mschap] Client is using MS-CHAPv1 with NT-Password Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=adam Wed Aug 16 10:51:56 2017 : Info: [mschap] No NT-Domain was found in the User-Name. Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: %{mschap:NT-Domain} -> Wed Aug 16 10:51:56 2017 : Info: [mschap] ... expanding second conditional Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-company} -> --domain=company Wed Aug 16 10:51:56 2017 : Info: [mschap] mschap1: b4 Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b4d7849d65d481d0 Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38 Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account * (0xc000018b) Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account* (0xc000018b) Wed Aug 16 10:51:56 2017 : Info: [mschap] Exec: program returned: 1 Wed Aug 16 10:51:56 2017 : Info: [mschap] External script failed. Wed Aug 16 10:51:56 2017 : Info: [mschap] MS-CHAP-Response is incorrect. Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = reject Wed Aug 16 10:51:56 2017 : Info: +} # group MS-CHAP = reject Wed Aug 16 10:51:56 2017 : Info: Failed to authenticate the user. Wed Aug 16 10:51:56 2017 : Info: Using Post-Auth-Type REJECT Wed Aug 16 10:51:56 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 16 10:51:56 2017 : Info: +group REJECT { Wed Aug 16 10:51:56 2017 : Info: [attr_filter.access_reject] expand: %{User-Name} -> adam Wed Aug 16 10:51:56 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Aug 16 10:51:56 2017 : Info: ++[attr_filter.access_reject] = updated Wed Aug 16 10:51:56 2017 : Info: +} # group REJECT = updated Wed Aug 16 10:51:56 2017 : Info: Delaying reject of request 3 for 1 seconds Wed Aug 16 10:51:56 2017 : Debug: Going to the next request Wed Aug 16 10:51:56 2017 : Debug: Waking up in 0.8 seconds. Wed Aug 16 10:51:57 2017 : Info: Sending delayed reject for request 3 Sending Access-Reject of id 117 to 127.0.0.1 port 35229 MS-CHAP-Error = "\000E=691 R=1"
Can you tell me why mschap auth is ok without LDAP support and it's wrong with LDAP support???
Thanks a lot again.
ADAM
2017-08-15 13:41 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 15, 2017, at 5:58 PM, Adam Cage <adamcage27@gmail.com> wrote:
Dear all, finally I have followed as you said: Authentication with samba, winbind, ntlm_auth and Authorization with LDAP, but I fails. I post my
main
config LDAP files and the debug output in order to get your help please:
Please don't post configuration files. We ask for the debug output for a reason: it's all we need.
*/etc/freeradius/users:*
DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com" Service-Type = Login-User
DEFAULT Auth-Type := Reject
You're not telling the server how to authenticate the user.
$ radtest adam 1234abcd 127.0.0.1 0 testing123
Which is just a PAP request...
And I fail, this is the debug output: ... Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
That's just Active Directory not supplying the password...
Tue Aug 15 12:38:27 2017 : Info: *ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user* Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
And you haven't told the server how to authenticate the user.
Follow the guide on deployingradius.com. It *will* work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html