The problem was related to the "files" keyword inside the authorize section of inner-tunnel. Removing it everything starts to work. Sorry for the inconvenience. 2016-08-02 10:28 GMT+02:00 Stefano Pardini <stefanopardini@gmail.com>:
Finally I solved the problem. These are my configuration files, hoping that they can be useful for someone.
*** sites/inner-tunnel server inner-tunnel {
listen { ipaddr = 127.0.0.1 port = 18120 type = auth }
authorize { eap { ok = return } }
authenticate { Auth-Type MS-CHAP { mschap }
eap }
session { radutmp }
post-auth {
}
pre-proxy {
}
post-proxy { eap }
}
*** sites/default server default {
listen { type = auth ipaddr = * port = 0
limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }
listen { ipaddr = * port = 0 type = acct limit {
} }
authorize { filter_username preprocess auth_log suffix
eap { ok = return } }
authenticate { eap }
preacct { preprocess acct_unique suffix }
accounting { detail unix exec attr_filter.accounting_response }
session {
}
post-auth { update { &reply: += &session-state: }
files
remove_reply_message_if_eap
Post-Auth-Type REJECT { -sql attr_filter.access_reject
eap
remove_reply_message_if_eap } }
pre-proxy {
}
post-proxy { eap }
}
*** modules/ldap ldap { server = 'server.testdomain.lan' identity = 'cn=administrator,cn=Users,dc=ad,dc=testdomain,dc=lan' password = p4ss base_dn = 'dc=ad,dc=testdomain,dc=lan' sasl { } update { control:Password-With-Header += 'unicodePWD' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" sasl { } } group { base_dn = 'ou=Groups,dc=ad,dc=testdomain,dc=lan' base_dn = "${..base_dn}" filter = '(objectClass=group)' scope = 'sub' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } }
*** modules/mschap mschap { winbind_username = "%{mschap:User-Name}" winbind_domain = "TESTDOMAIN" pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 } passchange { } }
*** modules/eap eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = Local } tls-config tls-common { certdir = /etc/ssl cadir = /etc/ssl/ca private_key_file = ${certdir}/radiuswip.server.lan.key certificate_file = ${certdir}/radiuswip.server.lan.crt ca_file = ${cadir}/ca.crt dh_file = ${certdir}/radius.dh ca_path = ${cadir} cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } mschapv2 { } }
2016-08-01 13:10 GMT+02:00 Stefano Pardini <stefanopardini@gmail.com>:
Hi guys.
I'm authenticating users against Samba4 using Winbindd (PEAP-MSCHAPv2). With radtest everything is working fine; the user information are correctly extracted and the authentication process is successful.
I'm now trying to access through a WiFi client. The access point is configured properly and can communicate with the FreeRADIUS server. But I'm encountering the following error (radiusd -X):
(8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv success (8) eap_peap: Received EAP-TLV response (8) eap_peap: Client rejected our response. The password is probably incorrect (8) eap_peap: ERROR: We sent a success, but the client did not agree (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 232 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user
I made some tests even with eapol_test, using the EAP-MSCHAPv2 config file reported in http://deployingradius.com: decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
I'm using the following FreeRADIUS version. radiusd: FreeRADIUS Version 3.0.12 (git #ae2f29c), for host x86_64-unknown-linux-gnu, built on Jul 29 2016 at 11:17:40 FreeRADIUS Version 3.0.12
And the following Samba version (Debian 8.5): 4.2.10.
To understand the problem tell me if you need more accurate log. Thanks in advance.