Google LDAP integration failure
Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject. I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help =================================================================================================================== rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (15) [ldap] = ok (15) [expiration] = noop (15) [logintime] = noop (15) [pap] = noop (15) } # authorize = updated (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15) authenticate { (15) eap: Expiring EAP session with state 0x53c912cb54220b41 (15) eap: Finished EAP session with state 0x313d43603170599a (15) eap: Previous EAP request found for state 0x313d43603170599a, released from the list (15) eap: Peer sent packet with method EAP MSCHAPv2 (26) (15) eap: Calling submodule eap_mschapv2 to process data (15) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15) eap_mschapv2: authenticate { (15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (15) mschap: Creating challenge hash with username: phil.grace@hssd.k12.ar.us (15) mschap: Client is using MS-CHAPv2 (15) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (15) mschap: ERROR: MS-CHAP2-Response is incorrect (15) [mschap] = reject (15) } # authenticate = reject (15) eap: Sending EAP Failure (code 4) ID 77 length 4 (15) eap: Freeing handler (15) [eap] = reject (15) } # authenticate = reject (15) Failed to authenticate the user (15) Using Post-Auth-Type Reject (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15) Post-Auth-Type REJECT { (15) attr_filter.access_reject: EXPAND %{User-Name} (15) attr_filter.access_reject: --> phil.grace@hssd.k12.ar.us (15) attr_filter.access_reject: Matched entry DEFAULT at line 11 (15) [attr_filter.access_reject] = updated (15) update outer.session-state { (15) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (15) } # update outer.session-state = noop (15) } # Post-Auth-Type REJECT = updated (15) } # server inner-tunnel (15) Virtual server sending reply (15) MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected" (15) EAP-Message = 0x044d0004 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) eap_peap: Got tunneled reply code 3 (15) eap_peap: MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected" (15) eap_peap: EAP-Message = 0x044d0004 (15) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15) eap_peap: Got tunneled reply RADIUS code 3 (15) eap_peap: MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected" (15) eap_peap: EAP-Message = 0x044d0004 (15) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15) eap_peap: Tunneled authentication was rejected (15) eap_peap: FAILURE (15) eap: Sending EAP Request (code 1) ID 78 length 46 (15) eap: EAP session adding &reply:State = 0x893d3c588e7325ea (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) session-state: Saving cached attributes (15) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (15) Sent Access-Challenge Id 78 from 10.8.172.26:1812 to 10.8.173.105:38595 length 0 (15) EAP-Message = 0x014e002e1900170303002377d07beda30c6131207f85740de5138af7d4342329fb590ca32ddd8e781256a69c9a3a (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x893d3c588e7325ea93a4d1f0a45e4742 (15) Finished request Waking up in 3.4 seconds. (16) Received Access-Request Id 79 from 10.8.173.105:38595 to 10.8.172.26:1812 length 320 (16) User-Name = "phil.grace@hssd.k12.ar.us" (16) NAS-IP-Address = 10.8.173.105 (16) Called-Station-Id = "8A-15-54-AB-61-48:Faculty" (16) NAS-Port-Type = Wireless-802.11 (16) Service-Type = Framed-User (16) NAS-Port = 1 (16) Calling-Station-Id = "C8-3C-85-9C-A7-17" (16) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 26, Channel: 149" (16) Acct-Session-Id = "03D12019BACECB86" (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-Group-Cipher = 1027074 (16) WLAN-AKM-Suite = 1027073 (16) Meraki-Device-Name = "Technology Dept" (16) Framed-MTU = 1400 (16) EAP-Message = 0x024e002e1900170303002321d3fee96f33295e5c79085340cadd61fe65772f5ac4bf4fb1b67c9346e8461e546cea (16) State = 0x893d3c588e7325ea93a4d1f0a45e4742 (16) Message-Authenticator = 0x36f2f741b4dbc208756af96049eeda54 (16) Restoring &session-state (16) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: Looking up realm "hssd.k12.ar.us" for User-Name = "phil.grace@hssd.k12.ar.us" (16) suffix: No such realm "hssd.k12.ar.us" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 78 length 46 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0x53c912cb54220b41 (16) eap: Finished EAP session with state 0x893d3c588e7325ea (16) eap: Previous EAP request found for state 0x893d3c588e7325ea, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: [eaptls verify] = ok (16) eap_peap: Done initial handshake (16) eap_peap: [eaptls process] = ok (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state send tlv failure (16) eap_peap: Received EAP-TLV response (16) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (16) eap_peap: This means you need to read the PREVIOUS messages in the debug output (16) eap_peap: to find out the reason why the user was rejected (16) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (16) eap_peap: what went wrong, and how to fix the problem (16) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (16) eap: Sending EAP Failure (code 4) ID 78 length 4 (16) eap: Failed in EAP select (16) [eap] = invalid (16) } # authenticate = invalid (16) Failed to authenticate the user (16) Using Post-Auth-Type Reject (16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (16) Post-Auth-Type REJECT { (16) attr_filter.access_reject: EXPAND %{User-Name} (16) attr_filter.access_reject: --> phil.grace@hssd.k12.ar.us (16) attr_filter.access_reject: Matched entry DEFAULT at line 11 (16) [attr_filter.access_reject] = updated (16) [eap] = noop (16) policy remove_reply_message_if_eap { (16) if (&reply:EAP-Message && &reply:Reply-Message) { (16) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (16) else { (16) [noop] = noop (16) } # else = noop (16) } # policy remove_reply_message_if_eap = noop (16) } # Post-Auth-Type REJECT = updated (16) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (16) Sending delayed response (16) Sent Access-Reject Id 79 from 10.8.172.26:1812 to 10.8.173.105:38595 length 44 (16) EAP-Message = 0x044e0004 (16) Message-Authenticator = 0x00000000000000000000000000000000 =================================================================================== Phil Grace Director of Technology Heber Springs School District phil.grace@hssd.k12.ar.us Arkansas LEA Rep to the NCES Forum National Center for Education Statistics https://nces.ed.gov/forum/
On Feb 23, 2019, at 12:58 PM, Phil Grace <phil.grace@hssd.k12.ar.us> wrote:
Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject.
Are you reading the "known good" password from LDAP? Or are you seeing the User-Password to LDAP, and having it verify the password?
I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help
... (15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
The server didn't get the "known good" password from LDAP. So it can't do the MS-CHAP calculations. And no, you can't pass the MS-CHAP stuff to LDAP. LDAP servers are databases. They don't implement authentication protocols like MS-CHAP. The only solution here is to have the LDAP server return the "known good" password to FreeRADIUS. Alan DeKok.
Alan, thanks for the reply.
On Feb 23, 2019, at 1:08 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 23, 2019, at 12:58 PM, Phil Grace <phil.grace@hssd.k12.ar.us> wrote:
Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject.
Are you reading the "known good" password from LDAP? Or are you seeing the User-Password to LDAP, and having it verify the password?
I’m not sure, I just followed google’s provided setup guide for freeradius to work with their LDAP service.
I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help
... (15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
The server didn't get the "known good" password from LDAP. So it can't do the MS-CHAP calculations.
And no, you can't pass the MS-CHAP stuff to LDAP. LDAP servers are databases. They don't implement authentication protocols like MS-CHAP.
The only solution here is to have the LDAP server return the "known good" password to FreeRADIUS.
So would I just disable MS-CHAP or do something different with LDAP config to get the “known good”password. Would my issue probably be in the inner-tunnel file or the default file?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 23, 2019, at 5:04 PM, Phil Grace <phil.grace@hssd.k12.ar.us> wrote:
I’m not sure, I just followed google’s provided setup guide for freeradius to work with their LDAP service.
So they say it will work with MS-CHAP?
So would I just disable MS-CHAP or do something different with LDAP config to get the “known good”password. Would my issue probably be in the inner-tunnel file or the default file?
You can't really disable MS-CHAP. It's chosen by the users system, and sent to FreeRADIUS. If you disable MS-CHAP on the server, all that happens is the user gets rejected when they try to use MS-CHAP. Alan DeKok.
Its not mentioned in the guide at all, so I didn’t do anything with ms-chap as far as that goes. So I guess the clients by default are trying to use MS-CHAP. Testing client is Mac OS and I just leave it on automatic.
On Feb 23, 2019, at 4:46 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 23, 2019, at 5:04 PM, Phil Grace <phil.grace@hssd.k12.ar.us> wrote:
I’m not sure, I just followed google’s provided setup guide for freeradius to work with their LDAP service.
So they say it will work with MS-CHAP?
So would I just disable MS-CHAP or do something different with LDAP config to get the “known good”password. Would my issue probably be in the inner-tunnel file or the default file?
You can't really disable MS-CHAP. It's chosen by the users system, and sent to FreeRADIUS.
If you disable MS-CHAP on the server, all that happens is the user gets rejected when they try to use MS-CHAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 24, 2019, at 6:50 AM, Phil Grace <phil.grace@hssd.k12.ar.us> wrote:
Its not mentioned in the guide at all, so I didn’t do anything with ms-chap as far as that goes. So I guess the clients by default are trying to use MS-CHAP. Testing client is Mac OS and I just leave it on automatic.
Google will not provide the password of the user in cleartext, which is what you'd need for MS-CHAP to work. For MS-CHAP you need either the Cleartext-Password or the NT-Password (MD4ish(Cleartext-Password)) to be available on both the supplicant and the server. You're pretty much limited to EAP-TTLS-PAP or PEAP-GTC. With those EAP methods you'd set control:Auth-Type := LDAP in the authorize section, and call the LDAP module again in the authenticate section. This authenticates the user by submitting their cleartext credentials to Google's LDAP server as part of a Bind operation. -Arran
On Feb 26, 2019, at 11:09 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Feb 24, 2019, at 6:50 AM, Phil Grace <phil.grace@hssd.k12.ar.us> wrote:
Its not mentioned in the guide at all, so I didn’t do anything with ms-chap as far as that goes. So I guess the clients by default are trying to use MS-CHAP. Testing client is Mac OS and I just leave it on automatic.
Google will not provide the password of the user in cleartext, which is what you'd need for MS-CHAP to work. For MS-CHAP you need either the Cleartext-Password or the NT-Password (MD4ish(Cleartext-Password)) to be available on both the supplicant and the server.
You're pretty much limited to EAP-TTLS-PAP or PEAP-GTC. With those EAP methods you'd set control:Auth-Type := LDAP in the authorize section, and call the LDAP module again in the authenticate section.
Additionally, to prevent the server from negotiating certain EAP methods, comment them out in mods-available/eap and mods-available/eap_inner. -Arran
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Phil Grace