Dear both Alans, thanks for your advice. Before planning the tests, I need your help on these topics: 1) In the first implementation for authentication like Alan Dekok's guide, I setup default and inner-tunnel servers. Now if I enable ldap for authorization, do I have to enable ldap in the default virtual server and also in the inner-tunnel virtual server ??? Or just in default file ??? 2) I can't understand this comment from you: "but why are you running ldap in the outer phase?" Can you explain to me in more detail please ??? Thanks again!!! 2017-08-16 15:23 GMT-03:00 Alan Buxey <alan.buxey@gmail.com>:
hi,
THIS DEBUG IS THE ONE CORRESPONDING TO JUST ONE ATTEMPT OF AUTHENTICATION,
no its not. you have a machine auth there followed by a user auth - ensure your client is configured to only do user authentication
IT'S SO LONG...I APOLOGIZE FOR THIS
thats fine - this is fine - the debug may be long but a lot of it can be scanned over quickly once you understand what is going on - visit some sites about PEAP to see the flow - then look at the conversation that is going on with FreeRADIUS...each packet request/reply being part of the conversation....little hello, then EAP to construct secure tunnel (then lots of those EAP-Message attributes appear, then the MSCHAPv2 inside the PEAP (a few more packets) then end of session, access accept etc.
User-Name = "host/host44.d-holomit.com"
machine auth attempt
Wed Aug 16 12:32:25 2017 : Debug: [ldap] performing search in OU=holomit,DC=d-holomit,DC=com, with filter (sAMAccountName=host/ host44.d-holomit.com) Wed Aug 16 12:32:25 2017 : Debug: [ldap] object not found Wed Aug 16 12:32:25 2017 : Debug: rlm_ldap::ldap_groupcmp: search failed Wed Aug 16 12:32:25 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
machine not in AD (well, not in THAT location anyway ;-) )
Sending Access-Reject of id 188 to 172.22.88.223 port 32769 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000
end of that one.... now the user auth
User-Name = "tyard"
user auth
Wed Aug 16 12:32:37 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group cn=wifi,ou=WI-FI,ou=in,ou=services,ou=holomit,dc=d-holomit,dc=com
this user was found - but why are you running ldap in the outer phase? anyone can spoof the outer packet....you only trust the inner-tunnel for EAP...
...and onwards
Wed Aug 16 12:32:37 2017 : Info: [eap] Continuing tunnel setup. Wed Aug 16 12:32:37 2017 : Info: ++[eap] = ok Wed Aug 16 12:32:37 2017 : Info: +} # group authorize = ok Wed Aug 16 12:32:37 2017 : Info: Found Auth-Type = EAP Wed Aug 16 12:32:37 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 16 12:32:37 2017 : Info: +group authenticate { Wed Aug 16 12:32:37 2017 : Info: [eap] Request found, released from the list Wed Aug 16 12:32:37 2017 : Info: [eap] EAP/peap Wed Aug 16 12:32:37 2017 : Info: [eap] processing type peap Wed Aug 16 12:32:37 2017 : Info: [peap] processing EAP-TLS
okay PEAP being started
some delays to responses....did you get a cert prompt? you really need to configure your client with correct CA and RADIUS server cert.. there are plenty of 802.1X configuration tools
now the MSCHAPv2 in the inner-tunnel
Wed Aug 16 12:32:43 2017 : Info: [eap] processing type mschapv2 Wed Aug 16 12:32:43 2017 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 16 12:32:43 2017 : Info: [mschapv2] +group MS-CHAP { Wed Aug 16 12:32:43 2017 : Info: [mschap] Creating challenge hash with username: tyard Wed Aug 16 12:32:43 2017 : Info: [mschap] Client is using MS-CHAPv2 for tyard, we need NT-Password Wed Aug 16 12:32:43 2017 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=tyard Wed Aug 16 12:32:43 2017 : Info: [mschap] No NT-Domain was found in the User-Name. Wed Aug 16 12:32:43 2017 : Info: [mschap] expand: %{mschap:NT-Domain} -> Wed Aug 16 12:32:43 2017 : Info: [mschap] ... expanding second conditional Wed Aug 16 12:32:43 2017 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-d-holomit} -> --domain=d-holomit Wed Aug 16 12:32:43 2017 : Info: [mschap] Creating challenge hash with username: tyard Wed Aug 16 12:32:43 2017 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c7e9749f9a9488cc Wed Aug 16 12:32:43 2017 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1d818e8388886074e15547872eddf3f58cd2da004dcc5817 Wed Aug 16 12:32:43 2017 : Debug: Exec output: No trusted SAM account (0xc000018b) Wed Aug 16 12:32:43 2017 : Debug: Exec plaintext: No trusted SAM account (0xc000018b) Wed Aug 16 12:32:43 2017 : Info: [mschap] Exec: program returned: 1 Wed Aug 16 12:32:43 2017 : Info: [mschap] External script failed. Wed Aug 16 12:32:43 2017 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
..and from now on its a fail/reject. cause? the user with the doamin of "d-holmit" did not have a trusted account in this AD...is that domain correct? i'd advise against using %{mschap:NT-Domain} - the domain provided by the user in the MSCHAP - and just hardcode it in the ntlm_auth
however. the easiest part here is to just use radtst directly against the inner-tunnel on the server itself... in inner-tunnel, by default, you have a listener directive localhost on port 18120 or such. so all you do is use that as your server target with radtest or such....meaning your mschap request hits inner-tunnel directly (as if EAP had been set up nicely by the client).. and thus you can test your policies and inner-tunnel very easily. at that point, mschapv2 will be working and you can look at ldap and what policies/unlang you need there. one bit at a time
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html