Change username for MSCHAPv2
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP and MSCHAPv2 against Active directory. User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName. With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` } .. .. .. I have an error in the log (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid Is there any way to perform this account translation before send request to EAP ? Thanks to all Gab
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP and MSCHAPv2 against Active directory. User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName.
ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` }
Don't edit the User-Name. It's wrong. You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
I have an error in the log
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid
Yup In the short term, you can do: authorize { update request { Stripped-User-Name := `/path/to/my/script '%{User-Name}'` } } And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name. Alan DeKok.
Hi, I had a similar problem that I resolved with a LDAP query. In this way I also extract other parameters from the AD database that I can use for authorization (for example groups membership). The main idea is to configure the LDAP module with a proper filter: * if you want to match just userPrincipalName: filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)" * if you want to match userPrincipalName OR sAMAccountName: filter = "(|(userPrincipalName=%{%{ Stripped-User-Name}:-%{User-Name}}@example.com )(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" and then map the LDAP attribute sAMAccountName in some radius custom attribute (I defined, for example, AD-Samaccountname) in the in the control dictionary. Then you can just use --username=%{control:AD-Samaccountname} in the ntlm_auth exec command. I wrote a post about it on my blog[1], unfortunately it is for FR2 and not FR3 (and, as usual, it's not the official wiki). The idea for this "trick" is not mine but it came from some old post in this list. Regards, Enrico [1] https://uz.sns.it/~enrico/site/posts/networking/ntlm-auth-in-freeradius-usin... On Fri, Jun 30, 2017 at 7:26 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP
and MSCHAPv2 against Active directory.
User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName.
ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` }
Don't edit the User-Name. It's wrong.
You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
I have an error in the log
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid
Yup
In the short term, you can do:
authorize { update request { Stripped-User-Name := `/path/to/my/script '%{User-Name}'` } }
And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Good tutorial, I'll try it in my environment.
Thanks a lot
Il 30 Giu 2017 9:05 PM, "Enrico Polesel" <epol.lists@gmail.com> ha scritto:
> Hi,
>
> I had a similar problem that I resolved with a LDAP query. In this way I
> also extract other parameters from the AD database that I can use for
> authorization (for example groups membership).
>
> The main idea is to configure the LDAP module with a proper filter:
> * if you want to match just userPrincipalName: filter =
> "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@example.com)"
> * if you want to match userPrincipalName OR sAMAccountName:
> filter = "(|(userPrincipalName=%{%{
> Stripped-User-Name}:-%{User-Name}}@example.com
> )(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> and then map the LDAP attribute sAMAccountName in some radius custom
> attribute (I defined, for example, AD-Samaccountname) in the in the control
> dictionary. Then you can just use --username=%{control:AD-Samaccountname}
> in the ntlm_auth exec command.
>
> I wrote a post about it on my blog[1], unfortunately it is for FR2 and not
> FR3 (and, as usual, it's not the official wiki). The idea for this "trick"
> is not mine but it came from some old post in this list.
>
> Regards,
> Enrico
>
>
> [1]
> https://uz.sns.it/~enrico/site/posts/networking/ntlm-
> auth-in-freeradius-using-userprincipalname-instead-of-
> samaccountname-or-both.html
>
> On Fri, Jun 30, 2017 at 7:26 PM Alan DeKok <aland@deployingradius.com>
> wrote:
>
> > On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <
> gabriele@verzeletti.org>
> > wrote:
> > >
> > > Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
> > > I need to authenticate users for WiFi access WPA2 Enterprise, using
> PEAP
> > and MSCHAPv2 against Active directory.
> > > User account are identified by userPrinciplaName, but ntlm_auth is not
> > able to authenticate using this attribute, it looks into samAccountName.
> >
> > ntlm_auth just passes data from FreeRADIUS to AD. If the user is being
> > rejected, it's not because of ntlm_auth.
> >
> > > With an external script I'm able to performa a query on active
> directory
> > and retrieve the samAccountName, but if I update the attribute User-Name
> > using
> > >
> > > authorize {
> > > update request {
> > > User-Name := `/path/to/my/script '%{User-Name}'`
> > > }
> >
> > Don't edit the User-Name. It's wrong.
> >
> > You also don't need to run a script to do this. FreeRADIUS can do LDAP
> > queries natively.
> >
> > > I have an error in the log
> > >
> > > (0) # Executing group from file /etc/raddb/sites-enabled/default
> > > (0) authenticate {
> > > (0) eap: Identity does not match User-Name, setting from EAP Identity
> > > (0) eap: Failed in handler
> > > (0) [eap] = invalid
> > > (0) } # authenticate = invalid
> >
> > Yup
> >
> > In the short term, you can do:
> >
> > authorize {
> > update request {
> > Stripped-User-Name := `/path/to/my/script
> '%{User-Name}'`
> > }
> > }
> >
> > And be sure that the configuration line which runs ntlm_auth uses
> > Stripped-User-Name.
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
Hello and thank you for the suggestion. I've already try to set value in Stripped-User-Name. In the log I can see the script running sucessfully, and value is set in Stripped-User-Name, but when it's passed to ntlm_auth the string is empty. Il 30 Giu 2017 7:25 PM, "Alan DeKok" <aland@deployingradius.com> ha scritto:
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP
and MSCHAPv2 against Active directory.
User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName.
ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` }
Don't edit the User-Name. It's wrong.
You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
I have an error in the log
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid
Yup
In the short term, you can do:
authorize { update request { Stripped-User-Name := `/path/to/my/script '%{User-Name}'` } }
And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Using Stripped-User-Name was one of my first try. I got this errorr eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: Creating challenge hash with username: /user/@/domain.com/ (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:Stripped-User-Name}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: ERROR: Unknown expansion string 'Stripped-User-Name' <--------------------------- UNKNOWN !!!!! (8) mschap: EXPAND --username=%{%{mschap:Stripped-User-Name}:-None} (8) mschap: --> --username=None (8) mschap: Creating challenge hash with username: /user@domain.com/ (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (8) mschap: --> --challenge=ae371b1f11bb456a (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (8) mschap: --> --nt-response=36fafc123be05aa58780eec7406d0a16a70423c7f4e1cf84 (8) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (8) mschap: External script failed (8) mschap: ERROR: External script says: Logon failure (0xc000006d) (8) mschap: ERROR: MS-CHAP2-Response is incorrect Also the challenge are created against user@domain.com, and not against Stripped-User-Name On 06/30/2017 07:25 PM, Alan DeKok wrote:
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP and MSCHAPv2 against Active directory. User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName. ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` } Don't edit the User-Name. It's wrong.
You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
I have an error in the log
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid Yup
In the short term, you can do:
authorize { update request { Stripped-User-Name := `/path/to/my/script '%{User-Name}'` } }
And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 3, 2017, at 8:28 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Using Stripped-User-Name was one of my first try. I got this error
Did you try using the default configuration for the mschap module? Which has Stripped-User-Name in it? And which works?
eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: Creating challenge hash with username: /user/@/domain.com/ (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:Stripped-User-Name}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: ERROR: Unknown expansion string 'Stripped-User-Name' <--------------------------- UNKNOWN !!!!!
Yes... the default configuration has %{Stripped-User-Name}. Not %{mschap:Stripped-User-Name}. Why did you edit the default configuration and break it? Alan DeKok.
Ok, changes made and it works now I have authorize { update request { Stripped-User-Name := `/usr/local/bin/radius-username '%{User-Name}'` } That convert my username into the correct form for my environment, and restored the ntlm_auth as in default: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} Works like a charm Thank you a lot On 07/03/2017 02:36 PM, Alan DeKok wrote:
On Jul 3, 2017, at 8:28 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Using Stripped-User-Name was one of my first try. I got this error Did you try using the default configuration for the mschap module? Which has Stripped-User-Name in it? And which works?
eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: Creating challenge hash with username: /user/@/domain.com/ (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:Stripped-User-Name}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: ERROR: Unknown expansion string 'Stripped-User-Name' <--------------------------- UNKNOWN !!!!! Yes... the default configuration has %{Stripped-User-Name}. Not %{mschap:Stripped-User-Name}.
Why did you edit the default configuration and break it?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Enrico Polesel -
Gabriele Verzeletti