FreeRadius - Wifi - Active directory (Eap-Peap-MSCHAP)
Hello, I am trying to set a freeradius authentification against a MS Active directory for Wifi. all went right: - debian in AD - net ads testjoin- wbinfo -a test- /usr/bin/ntlm_auth --request-nt-key --domain=DOM --username=u1 --password=thepassord So basically: authenticating with a AD user is really fine.... even from a "windows 7" laptop is fine, AS LONG as i get prompt for the user/pass, and that I enter it in the form or USER/PASS When i try to use the "automatic", so that it's the "laptop" that sends the credential, it does not work: it does send it as: DOMAIN\\USER. domain: galaxy.privuser: test here is the freeradius -X output. rad_recv: Access-Request packet from host 10.2.103.17 port 59985, id=177, length=173 User-Name = "galaxy\\test" NAS-Identifier = "44d9e7fc21c1" NAS-Port = 0 Called-Station-Id = "46-D9-E7-FD-21-C1:FreeRadius" Calling-Station-Id = "00-1E-65-22-14-C2" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x027300100167616c6178795c74657374 Message-Authenticator = 0x3d46f71089cc7034c3a6636b891a17af# Executing section authorize from file /etc/freeradius/sites-enabled/default+group authorize {++[preprocess] = ok[ntdomain] Looking up realm "galaxy" for User-Name = "galaxy\test"[ntdomain] Found realm "GALAXY"[ntdomain] Adding Stripped-User-Name = "test"[ntdomain] Adding Realm = "GALAXY"[ntdomain] Authentication realm is LOCAL.++[ntdomain] = ok[suffix] Request already proxied. Ignoring.++[suffix] = ok++[chap] = noop++[mschap] = noop++[digest] = noop[suffix] Request already proxied. Ignoring.++[suffix] = ok[eap] EAP packet type response id 115 length 16[eap] No EAP Start, assuming it's an on-going EAP conversation++[eap] = updated++[files] = noop++[expiration] = noop++[logintime] = noop[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.++[pap] = noop+} # group authorize = updatedFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+group authenticate {[eap] EAP Identity[eap] processing type tls[tls] Initiate[tls] Start returned 1++[eap] = handled+} # group authenticate = handledSending Access-Challenge of id 177 to 10.2.103.17 port 59985 EAP-Message = 0x017400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1d729faf1a330fa1233dbe164274a4fFinished request 1.Going to the next requestWaking up in 4.9 seconds. Would you guys have any things i could test? Any advice would be welcome ! Thanks in advance Milkanet
On May 5, 2016, at 5:07 PM, Milka Net <pierre_dejong@hotmail.com> wrote:
Hello, I am trying to set a freeradius authentification against a MS Active directory for Wifi.
Follow my guide: http://deployingradius.com/documents/configuration/active_directory.html
all went right: - debian in AD - net ads testjoin- wbinfo -a test- /usr/bin/ntlm_auth --request-nt-key --domain=DOM --username=u1 --password=thepassord So basically: authenticating with a AD user is really fine.... even from a "windows 7" laptop is fine, AS LONG as i get prompt for the user/pass, and that I enter it in the form or USER/PASS When i try to use the "automatic", so that it's the "laptop" that sends the credential, it does not work: it does send it as: DOMAIN\\USER. domain: galaxy.privuser: test here is the freeradius -X output.
Which is mangled and unreadable.
Would you guys have any things i could test? Any advice would be welcome !
Follow my guide, and it will work. Alan DeKok.
Sorry about the "unreadable".... so, for the guide: all works ... and this "$ radtest -t mschap bob hello localhost 0 testing123 --> OK" is working great succefull: My problem is when "the laptop" does send "domain\user and pass" ... to the radius..... (again, user pass works great) Here is the freeradius -X better layout and readibility rad_recv: Access-Request packet from host 10.2.103.17 port 59985, id=177, length=173 User-Name = "galaxy\\test" NAS-Identifier = "44d9e7fc21c1" NAS-Port = 0 Called-Station-Id = "46-D9-E7-FD-21-C1:FreeRadius" Calling-Station-Id = "00-1E-65-22-14-C2" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x027300100167616c6178795c74657374 Message-Authenticator = 0x3d46f71089cc7034c3a6636b891a17af# Executing section authorize from file /etc/freeradius/sites-enabled/default+group authorize {++[preprocess] = ok[ntdomain] Looking up realm "galaxy" for User-Name = "galaxy\test"[ntdomain] Found realm "GALAXY"[ntdomain] Adding Stripped-User-Name = "test"[ntdomain] Adding Realm = "GALAXY"[ntdomain] Authentication realm is LOCAL.++[ntdomain] = ok[suffix] Request already proxied. Ignoring.++[suffix] = ok++[chap] = noop++[mschap] = noop++[digest] = noop[suffix] Request already proxied. Ignoring.++[suffix] = ok[eap] EAP packet type response id 115 length 16[eap] No EAP Start, assuming it's an on-going EAP conversation++[eap] = updated++[files] = noop++[expiration] = noop++[logintime] = noop[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.++[pap] = noop+} # group authorize = updatedFound Auth-Type = EAP# Executing group from file /etc/freeradius/sites-enabled/default+group authenticate {[eap] EAP Identity[eap] processing type tls[tls] Initiate[tls] Start returned 1++[eap] = handled+} # group authenticate = handledSending Access-Challenge of id 177 to 10.2.103.17 port 59985 EAP-Message = 0x017400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1d729faf1a330fa1233dbe164274a4fFinished request 1.Going to the next requestWaking up in 4.9 seconds. Again, sorry, it was my first post ... ;-) Thanks
Subject: Re: FreeRadius - Wifi - Active directory (Eap-Peap-MSCHAP) From: aland@deployingradius.com Date: Thu, 5 May 2016 17:14:13 -0400 To: pierre@milkanet.be; freeradius-users@lists.freeradius.org
On May 5, 2016, at 5:07 PM, Milka Net <pierre_dejong@hotmail.com> wrote:
Hello, I am trying to set a freeradius authentification against a MS Active directory for Wifi.
Follow my guide:
http://deployingradius.com/documents/configuration/active_directory.html
all went right: - debian in AD - net ads testjoin- wbinfo -a test- /usr/bin/ntlm_auth --request-nt-key --domain=DOM --username=u1 --password=thepassord So basically: authenticating with a AD user is really fine.... even from a "windows 7" laptop is fine, AS LONG as i get prompt for the user/pass, and that I enter it in the form or USER/PASS When i try to use the "automatic", so that it's the "laptop" that sends the credential, it does not work: it does send it as: DOMAIN\\USER. domain: galaxy.privuser: test here is the freeradius -X output.
Which is mangled and unreadable.
Would you guys have any things i could test? Any advice would be welcome !
Follow my guide, and it will work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hum, still not good to read... how can I do it ? good... sorry Can i Join file ? No html should work better ..... pure text... Again, sorry for the 2 previous miss unreadable stuffs! rad_recv: Access-Request packet from host 10.2.103.17 port 59985, id=177, length=173 User-Name = "galaxy\\test" NAS-Identifier = "44d9e7fc21c1" NAS-Port = 0 Called-Station-Id = "46-D9-E7-FD-21-C1:FreeRadius" Calling-Station-Id = "00-1E-65-22-14-C2" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x027300100167616c6178795c74657374 Message-Authenticator = 0x3d46f71089cc7034c3a6636b891a17af # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [ntdomain] Looking up realm "galaxy" for User-Name = "galaxy\test" [ntdomain] Found realm "GALAXY" [ntdomain] Adding Stripped-User-Name = "test" [ntdomain] Adding Realm = "GALAXY" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] = ok [suffix] Request already proxied. Ignoring. ++[suffix] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Request already proxied. Ignoring. ++[suffix] = ok [eap] EAP packet type response id 115 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 177 to 10.2.103.17 port 59985 EAP-Message = 0x017400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1d729faf1a330fa1233dbe164274a4f Finished request 1. Going to the next request Waking up in 4.9 seconds.
Hi,
rad_recv: Access-Request packet from host 10.2.103.17 port 59985, id=177, length=173 User-Name = "galaxy\\test"
yes, thats how windows will send a userid by default - the logged in user most likely.... it will be their windows username/password - which might be different to their AD one (eg own device) if you want to authenticate such requests then you need to 1) ensure password is correct 2) deal with the username - eg using the required mschap and with_ntdomain_hack etc and ensuring the the DOMAIN part is dealt wiht in proxy.conf as a local domain....and finally this stuff will all go through the EAP layer - so, by default, through inner-tunnel virtual server so ensure that is correctly configured alan
On May 5, 2016, at 5:19 PM, Milka Net <pierre@milkanet.be> wrote:
Sorry about the "unreadable"....
It's still unreadable. Stop using crappy web mail clients that butcher text. That makes it more difficult for us to help you.
so, for the guide: all works ... and this "$ radtest -t mschap bob hello localhost 0 testing123 --> OK" is working great succefull:
Because you're not testing the inner tunnel. In recent versions of the server, read raddb/sites-available/inner-tunnel. There is documentation on how to test it. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Milka Net -
Milka Net