Hi, I have an installation with Samba 4.3.x (with winbindd) and FreeRadius 3.0.11. I want authentication with Windows AD and authorization with Windows AD LDAP. I am trying setup the PEAP mschap wifi and get the following error when /usr/local/bin/radtest radius tycbf@179963 localhost 0 testing123 Ready to process requests (1) Received Access-Request Id 160 from 127.0.0.1:22166 to 127.0.0.1:1812 length 76 (1) User-Name = "radius" (1) User-Password = "tycbf@179963" (1) NAS-IP-Address = 10.200.1.7 (1) NAS-Port = 0 (1) Message-Authenticator = 0xbd3d0852f4606cda7488d1198c4387bc (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "radius", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 1543 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 1537 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://10.100.100.10:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (6) (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (samaccountname=radius) (1) ldap: Performing search in "dc=sgcom,dc=co,dc=sg" with filter "(samaccountname=radius)", scope "sub" (1) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.sgcom.co.sg/DC=DomainDnsZones,DC=sgcom,DC=co,DC=sg rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.sgcom.co.sg/DC=ForestDnsZones,DC=sgcom,DC=co,DC=sg rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// sgcom.co.sg/CN=Configuration,DC=sgcom,DC=co,DC=sg rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) ldap: User object found at DN "CN=radius,OU=LPK USERS,DC=sgcom,DC=co,DC=sg" (1) ldap: Processing user attributes (1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (6) rlm_ldap (ldap): Need 3 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://10.100.100.10:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = ok (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> radius (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 160 from 127.0.0.1:1812 to 127.0.0.1:22166 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 160 with timestamp +1543
Hi,
I have an installation with Samba 4.3.x (with winbindd) and FreeRadius 3.0.11. I want authentication with Windows AD and authorization with Windows AD LDAP.
for PAP and PEAP you cannot use Windows AD in that manner. you can use the winbind module or the ntlm_auth module.
I am trying setup the PEAP mschap wifi and get the following error when
/usr/local/bin/radtest radius tycbf@179963 localhost 0 testing123
well, that wont be testing PEAP - radtest is a PAP test. and look, clearly in the debug output:
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
stop. read the using FreeRADIUS with Active Directory HOWTO/WIKI. alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Albert K