On a test deployment I've both mysql and ntlm (AD) configured. If I use EAP no problem to authenticate users on both backend. But…in the process to use a Cisco WLC captive portal I've verified that only sql works. If I add in users DEFAULT Auth-Type = ntlm_auth, then also AD users are authenticated, but not mysql ones. radiusd -X reports in this case: ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = ntlm_auth Instead in absence of DEFAULT Auth-Type = ntlm_auth in users, I logs : ==== rad_recv: Access-Request packet from host 150.178.3.53 port 55249, id=114, length=77 User-Name = "barbato" User-Password = "xxxxxxxxxxx" NAS-IP-Address = 150.178.33.105 NAS-Port = 1 Message-Authenticator = 0x122864a655b86ac6d24c76e360fac328 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "barbato", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "barbato" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> barbato [sql] sql_set_user escaped user --> 'barbato' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'barbato' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'barbato' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User barbato not found ++[sql] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [barbato] (from client rfxnet1 port 1) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> barbato attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated === radtest behave the same. So it's seems I miss something somewhere….any suggestion from the list ? Regards, Paolo. ------------------------------------------------------------------------------------------------ Paolo Barbato Consorzio RFX corso Stati Uniti,4 35127 Padova - Italy Network Administrator phone: +39 049 8295097 fax: +39 049 8700718 ------------------------------------------------------------------------------------------------
On 11/05/12 11:40, Paolo Barbato wrote:
On a test deployment I've both mysql and ntlm (AD) configured.
By "ntlm" you mean the "mschap" module calling the "ntlm_auth" helper, yes?
If I use EAP no problem to authenticate users on both backend.
But…in the process to use a Cisco WLC captive portal I've verified that only sql works.
WLC captive portal sends "pap" requests. Therefore, the "mschap" module doesn't (can't) process them. You can create a simple "exec" module which calls "ntlm_auth" in username/password mode, like so: modules/papntdom: exec papntdom { wait = yes program = "/usr/bin/ntlm_auth --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}" } You then need to arrange for the "papntdom" module to be called for users who aren't found in SQL. For example: sites-enables/default: authorize { ... sql if (notfound) { # if not found in SQL if (User-Password) { # and it's a PAP request update control { Auth-Type = PAPNTDOM } } } ... } authenticate { Auth-Type PAP { # handles users in SQL w/ Cleartext-Password pap } Auth-Type PAPNTDOM { # handles users in Active Directory papntdom } } Obviously you will need to modify this policy as appropriate, to meet your needs and match the other modules you are using.
Phil…really helpful. Thanks !!! On 11/mag/2012, at 13:43, Phil Mayers wrote:
On 11/05/12 11:40, Paolo Barbato wrote:
On a test deployment I've both mysql and ntlm (AD) configured.
By "ntlm" you mean the "mschap" module calling the "ntlm_auth" helper, yes?
If I use EAP no problem to authenticate users on both backend.
But…in the process to use a Cisco WLC captive portal I've verified that only sql works.
WLC captive portal sends "pap" requests. Therefore, the "mschap" module doesn't (can't) process them.
You can create a simple "exec" module which calls "ntlm_auth" in username/password mode, like so:
modules/papntdom:
exec papntdom { wait = yes program = "/usr/bin/ntlm_auth --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}" }
You then need to arrange for the "papntdom" module to be called for users who aren't found in SQL. For example:
sites-enables/default:
authorize { ... sql if (notfound) { # if not found in SQL if (User-Password) { # and it's a PAP request update control { Auth-Type = PAPNTDOM } } } ... }
authenticate { Auth-Type PAP { # handles users in SQL w/ Cleartext-Password pap } Auth-Type PAPNTDOM { # handles users in Active Directory papntdom } }
Obviously you will need to modify this policy as appropriate, to meet your needs and match the other modules you are using. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------------------------------ Paolo Barbato Consorzio RFX corso Stati Uniti,4 35127 Padova - Italy Network Administrator phone: +39 049 8295097 fax: +39 049 8700718 ------------------------------------------------------------------------------------------------
participants (2)
-
Paolo Barbato -
Phil Mayers