Active Directory/freeradius/enterasys - combination
Hello, I know there was a threat with the same subject 3 years ago, but in addition we need mac-authentication (printers,..),too. The Mac-auth is ok: Ready to process requests. rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=98, length=158 User-Name = "00-13-20-73-D0-45" Service-Type = Framed-User Called-Station-Id = "00-1F-45-19-9C-68" Calling-Station-Id = "00-13-20-73-D0-45" NAS-Identifier = "D2_Zi31_Tom" NAS-IP-Address = 172.16.255.101 NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "ge.1.1" User-Password = "hdpasswd" Message-Authenticator = 0xc2baf30d011d595efa42357331abcc6c +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091013 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013 [auth_log] expand: %t -> Tue Oct 13 11:59:35 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "00-13-20-73-D0-45", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "00-13-20-73-D0-45", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 213 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "hdpasswd" [pap] Using clear text password "hdpasswd" [pap] User authenticated successfully ++[pap] returns ok Login OK: [00-13-20-73-D0-45/hdpasswd] (from client 172.16.255.101 port 1 cli 00-13-20-73-D0-45) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 98 to 172.16.255.101 port 49169 Framed-Filter-Id = "Enterasys:version=1:policy=Mitarbeiter" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 98 with timestamp +31 Ready to process requests. Now I need a username/password auth against AD. Ntlm-auth works very well. If I activate ldap in /etc/raddb/modules: rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=191, length=167 User-Name = "DNT1\\testtom" Service-Type = Framed-User Called-Station-Id = "00-1F-45-19-9C-68" Calling-Station-Id = "00-13-20-73-D0-45" NAS-Identifier = "D2_Zi31_Tom" NAS-IP-Address = 172.16.255.101 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0x113208ad123411cced08469153aa8038 EAP-Message = 0x020600061900 Message-Authenticator = 0x27fe716e0b83c7d08f295275043550f4 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091013 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013 [auth_log] expand: %t -> Tue Oct 13 13:16:13 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom" [ntdomain] Found realm "DNT1" [ntdomain] Adding Stripped-User-Name = "testtom" [ntdomain] Adding Realm = "DNT1" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 191 to 172.16.255.101 port 49169 EAP-Message = 0x010700b519003082a52b18d9963104cec8ab3f3ddc453b55e1519bcf57d5178ca7fbc8 1d20727b3d75c92c438dbafd9a5544e5443ad544f16869af57ef84883eebc730362387c9 e6357c18fcb15a8e862e2b6c2ea1871b8756414a7ba875ff9416143a5baf78b6a9f7c93d c023f5edd6c8da55e646513482e5a39f9ccb7c480d68b7e965247b4accf8c1fa07b08368 80301de9e7058a5b891fd8f9e8443517e0eb83847723441ae98c447e7416030100040e00 0000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x113208ad153511cced08469153aa8038 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 187 with timestamp +63 Cleaning up request 2 ID 188 with timestamp +63 Cleaning up request 3 ID 189 with timestamp +63 Cleaning up request 4 ID 190 with timestamp +63 Cleaning up request 5 ID 191 with timestamp +63 Ready to process requests. The server don't do ldap. What is my mistake ? First the server should do a ntlm-auth and then check an ldap-group in AD. Version 2.1.6-rpm and CentOS 5.3. Thank you Tom
T.Robers@heidelberg.de wrote: ...
Sending Access-Challenge of id 191 to 172.16.255.101 port 49169 EAP-Message = 0x010700b519003082a52b18d9963104cec8ab3f3ddc453b55e1519bcf57d5178ca7fbc8 1d20727b3d75c92c438dbafd9a5544e5443ad544f16869af57ef84883eebc730362387c9 e6357c18fcb15a8e862e2b6c2ea1871b8756414a7ba875ff9416143a5baf78b6a9f7c93d c023f5edd6c8da55e646513482e5a39f9ccb7c480d68b7e965247b4accf8c1fa07b08368 80301de9e7058a5b891fd8f9e8443517e0eb83847723441ae98c447e7416030100040e00 0000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x113208ad153511cced08469153aa8038 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 187 with timestamp +63 Cleaning up request 2 ID 188 with timestamp +63 ... The server don't do ldap.
What is my mistake ?
Read the FAQ, and eap.conf. Alan DeKok.
participants (2)
-
Alan DeKok -
T.Robers@heidelberg.de