Using freeradius integrated with Active Directory to autenticate cisco passwords
Hi All! I have several cisco routers and would like to authenticate the logins. For it I am using the following tutorial: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO when I try to authenticate using: bandeira:/etc/raddb # /usr/bin/ntlm_auth --request-nt-key --username=jonny --domain=CELULAR password: NT_STATUS_OK: Success (0x0) It works fine. But when I try with: bandeira:/etc/raddb # /usr/bin/ntlm_auth --request-nt-key --username=jonny --domain=CELULAR --challenge=6151ad29f27eff47 --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53 Logon failure (0xc000006d) I does not work. Also when I try to login in to a router, it shows the log bellow: rad_recv: Access-Request packet from host 10.131.23.252:1645, id=84, length=79 NAS-IP-Address = 10.131.23.252 NAS-Port = 11 NAS-Port-Type = Virtual User-Name = "jonny" Calling-Station-Id = "10.131.23.253" User-Password = "xxxxxx" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "jonny", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 163 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: No MS-CHAP-Challenge in the request modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect: [jonny/xxxxx] (from client 10.131.23.252 port 11 cli 10.131.23.253) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 84 to 10.131.23.252 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 84 with timestamp 47a370cf Nothing to do. Sleeping until we see a request. Could any one help me? Or at least indicate me a how to that works? I want to authenticate logins in to routers/switchs cisco in a freeradius integrated with a active directory. Thank you. Fernando
rad_recv: Access-Request packet from host 10.131.23.252:1645, id=84, length=79 NAS-IP-Address = 10.131.23.252 NAS-Port = 11 NAS-Port-Type = Virtual User-Name = "jonny" Calling-Station-Id = "10.131.23.253" User-Password = "xxxxxx"
This is a PAP request. ntlm_auth will work on mschap requests. Get router to send mschap requests. Ivan Kalik Kalik Informatika ISP
You can use pam with a pam_krb5 module to authenticate users to AD. Markus "Ivan Kalik" <tnt@kalik.net> wrote in message news:ZGPvTXu6.1201917806.9340340.tnt@kalik.co.yu...
rad_recv: Access-Request packet from host 10.131.23.252:1645, id=84, length=79 NAS-IP-Address = 10.131.23.252 NAS-Port = 11 NAS-Port-Type = Virtual User-Name = "jonny" Calling-Station-Id = "10.131.23.253" User-Password = "xxxxxx"
This is a PAP request. ntlm_auth will work on mschap requests. Get router to send mschap requests.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--On Saturday, February 02, 2008 06:50:32 PM +0000 Markus Moeller <huaraz@moeller.plus.com> wrote:
You can use pam with a pam_krb5 module to authenticate users to AD.
Alternately, there is a perfectly good rlm_krb5 in FreeRADIUS.
Thank you all. But how do I do this? Does any one has a tutorial about it? Best regards, 2008/2/4, Jeffrey Hutzelman <jhutz@cmu.edu>:
--On Saturday, February 02, 2008 06:50:32 PM +0000 Markus Moeller <huaraz@moeller.plus.com> wrote:
You can use pam with a pam_krb5 module to authenticate users to AD.
Alternately, there is a perfectly good rlm_krb5 in FreeRADIUS. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thank you all.
But how do I do this? Does any one has a tutorial about it?
add the required parts to the radius config files to enable krb5 (direct password check) against the AD - you will also need to ensure your kerberos environment is sane and works eg run the command kinit your_user_id on the command line to validate that your machine can get a kerberos ticket the bits you need to add to the radius config are: krb5 { } to the module stanza (radiusd.conf) and Auth-Type krb5 { krb5 } to the authenticate stanza (radiusd.conf in 1.1.x and sites-enabled/default in radiusd 2.x ) you MAY need to set "Auth-Type = krb5" for the required user or NAS setting depending on your config! alan
--On Friday, February 08, 2008 08:19:32 PM +0000 A.L.M.Buxey@lboro.ac.uk wrote:
you MAY need to set "Auth-Type = krb5" for the required user or NAS setting depending on your config!
You will almost certainly have to do something -- there is no way for the rlm_krb5 module to know that you want to use it for veryifying passwords; that's not something that can be inferred from the request. If all of your clients will be using plain passwords which you want to verify against Kerberos, and you won't be supporting EAP clients, then you can probably get away with something simple like adding the following to the users file: DEFAULT Auth-Type := krb5 Fall-Through = No Note that this violates the general advice of never setting Auth-Type, explicitly; this is necessary because rlm_krb5 does not provide any authorize handling and will not set Auth-Type automatically like many other modules do. If you are trying to support EAP or do something else complicated, then setting Auth-Type explicitly like this will probably break it, unless you are very careful to do so only under circumstances where it is the right thing to do. I'm afraid I can't provide help with that; it's rather complex and really the right thing to do is update rlm_krb5 so it works automatically like everything else. Perhaps someday I'll do that; I doubt the original author of that module cares any longer. -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu> Carnegie Mellon University - Pittsburgh, PA
Jeffrey Hutzelman wrote:
--On Friday, February 08, 2008 08:19:32 PM +0000 A.L.M.Buxey@lboro.ac.uk wrote:
you MAY need to set "Auth-Type = krb5" for the required user or NAS setting depending on your config!
You will almost certainly have to do something -- there is no way for the rlm_krb5 module to know that you want to use it for veryifying passwords; that's not something that can be inferred from the request.
If all of your clients will be using plain passwords which you want to verify against Kerberos, and you won't be supporting EAP clients, then you can probably get away with something simple like adding the following to the users file:
DEFAULT Auth-Type := krb5 Fall-Through = No
Note that this violates the general advice of never setting Auth-Type, explicitly; this is necessary because rlm_krb5 does not provide any authorize handling and will not set Auth-Type automatically like many other modules do.
s/will not/cannot/? How eould rlm_krb5 run in authorize {} and know that the user is a valid kerberos user without getting a ticket?
If you are trying to support EAP or do something else complicated, then setting Auth-Type explicitly like this will probably break it, unless you are very careful to do so only under circumstances where it is the right thing to do. I'm afraid I can't provide help with that; it's rather complex and really the right thing to do is update rlm_krb5 so it works automatically like everything else. Perhaps someday I'll do that; I doubt the original author of that module cares any longer.
How would you envisage it working? At the moment, the "best" (least worst) option is to use something like this: authorize { preprocess eap mschap files } authenticate { Auth-Type MSCHAP { mschap } Auth-Type KRB5 { krb5 } } ..and in the files have this: DEFAULT Auth-Type = KRB5 For the archives: this is one of the VERY FEW instances where setting Auth-Type is ok. Note the operator "=" rather than ":=" (i.e. set only if unset). That way eap (tunnel outer) or mschap (peap tunnel inner) can take precedence, but fallback would be a PAP request via krb5. "files" has to come last in authorize for that to work safely. FreeRadius 2.0 makes this a bit easier with different virtual servers for inner versus outer tunnel. Another alternative would be to redesign such that the various PAP "oracles" (krb5, pam) are sub-modules of the pap module, perhaps run in a defined order: modules { pap { types { pam { service_name = foo } krb5 { default_realm = FOO.EDU } } default_check_order = pam krb5 } } authorize { preprocess files eap mschap pap } authenticate { Auth-Type MSCHAP { mschap } Auth-Type PAP { pap } } Just a thought. I can see problems with the above system though.
--On Saturday, February 09, 2008 12:18:54 PM +0000 Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Note that this violates the general advice of never setting Auth-Type, explicitly; this is necessary because rlm_krb5 does not provide any authorize handling and will not set Auth-Type automatically like many other modules do.
s/will not/cannot/?
How eould rlm_krb5 run in authorize {} and know that the user is a valid kerberos user without getting a ticket?
It can't, really. But what it could do is what rlm_pap does, which is to assume that if there's a password in the request and Auth-Type isn't set yet, you must want to use this module (actually, rlm_pap also requires there be a password or hash in the users database, but of course Kerberos doesn't need that and as you point out, there's no easy way to check the KDB). With such a check, krb5 could be listed after pap in the default authorize configuration, and would pick up any PAP requests for which the users database does not contain password.
At the moment, the "best" (least worst) option is to use something like this:
authorize { preprocess eap mschap files } authenticate { Auth-Type MSCHAP { mschap } Auth-Type KRB5 { krb5 } }
..and in the files have this:
DEFAULT Auth-Type = KRB5
Yes, I suppose with configuration like that you could avoid the code I describe above. I do think there's some benefit to handling this in the module's authorize handler, if only so we can avoid telling people to set Auth-Type in the users database.
Another alternative would be to redesign such that the various PAP "oracles" (krb5, pam) are sub-modules of the pap module, perhaps run in a defined order:
Perhaps, though I'd avoid putting too much complexity in the rlm_pap configuration. People who actually need something complicated can always use rlm_pam and take advantage of PAM's configuration engine (though that does limit you to platforms which have PAM libraries). What I'd really like to see is an easy way for the users database to specify which submodule gets to handle PAP requests. I suppose that can be accomplished as in your example, by listing files last in the authorize section and set-if-unset Auth-Type in each user entry. -- Jeff
Jeffrey Hutzelman wrote:
It can't, really. But what it could do is what rlm_pap does, which is to assume that if there's a password in the request and Auth-Type isn't set yet, you must want to use this module (actually, rlm_pap also requires there be a password or hash in the users database, but of course Kerberos doesn't need that and as you point out, there's no easy way to check the KDB). With such a check, krb5 could be listed after pap in the default authorize configuration, and would pick up any PAP requests for which the users database does not contain password.
That would work.
Yes, I suppose with configuration like that you could avoid the code I describe above. I do think there's some benefit to handling this in the module's authorize handler, if only so we can avoid telling people to set Auth-Type in the users database.
Which is always good.
What I'd really like to see is an easy way for the users database to specify which submodule gets to handle PAP requests. I suppose that can be accomplished as in your example, by listing files last in the authorize section and set-if-unset Auth-Type in each user entry.
Unfortunately, yes. That's what the "Auth-Type" is for. In 2.0, this is easier to do with "unlang". Alan DeKok.
Still not working. When I added krb5 { } at the radius.conf file, it gave me the following error at startup /usr/local/etc/raddb/radiusd.conf[589]: Unexpected end of section Errors reading radiusd.conf Regards, 2008/2/8, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk>:
Hi,
Thank you all.
But how do I do this? Does any one has a tutorial about it?
add the required parts to the radius config files to enable krb5 (direct password check) against the AD - you will also need to ensure your kerberos environment is sane and works
eg run the command
kinit your_user_id
on the command line to validate that your machine can get a kerberos ticket
the bits you need to add to the radius config are:
krb5 { }
to the module stanza (radiusd.conf)
and
Auth-Type krb5 { krb5 }
to the authenticate stanza (radiusd.conf in 1.1.x and sites-enabled/default in radiusd 2.x )
you MAY need to set "Auth-Type = krb5" for the required user or NAS setting depending on your config!
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan! How do I get router to send mschap request instead of PAP? Best Regards, Fernando 2008/2/1, Ivan Kalik <tnt@kalik.net>:
rad_recv: Access-Request packet from host 10.131.23.252:1645, id=84, length=79 NAS-IP-Address = 10.131.23.252 NAS-Port = 11 NAS-Port-Type = Virtual User-Name = "jonny" Calling-Station-Id = "10.131.23.253" User-Password = "xxxxxx"
This is a PAP request. ntlm_auth will work on mschap requests. Get router to send mschap requests.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Depends on the router. You will have to read router documentation. For Cisco it's ppp authentication mschap on the interface. User's machine trying to connect will also need to support mschap. Ivan Kalik Kalik Informatika ISP Dana 8/2/2008, "Fernando Coelho" <cafe.fernando@gmail.com> piše:
Hi Ivan!
How do I get router to send mschap request instead of PAP?
Best Regards,
Fernando
2008/2/1, Ivan Kalik <tnt@kalik.net>:
rad_recv: Access-Request packet from host 10.131.23.252:1645, id=84, length=79 NAS-IP-Address = 10.131.23.252 NAS-Port = 11 NAS-Port-Type = Virtual User-Name = "jonny" Calling-Station-Id = "10.131.23.253" User-Password = "xxxxxx"
This is a PAP request. ntlm_auth will work on mschap requests. Get router to send mschap requests.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Fernando Coelho -
Ivan Kalik -
Jeffrey Hutzelman -
Markus Moeller -
Phil Mayers