must i use rlm_ldap to use groups/ou via winbind/Active Directory?
Hi all, I am gradually refining my thinking thanks to help from Ivan and others on the list. I am using the current freeradius stable along with Active Directory to provide dot1x based access for our school district. Our test setup looks like this: active directory <=>winbind<=> Freeradius<=>NAS<=>supplicant Problem: I want to enforce different access policies for users depending on who they are and where they try to authenticate. (1) If students or teachers try to authenticate on the wired lan I want my dot1x capable NAS to provide access only if they user has a computer cert and valid domain credentials (2) If students try to connect via the student wireless lan they must only receive access if they are a member of the Active Directory based "student wireless users group", e.g. no staff member should be able to join. (3) If teachers try to connect via the teacher wireless lan, I want them to connect only if they HAVE a computer cert AND they have valid credentials. e.g only members of the Active Directoy based "staff group" using computers with a valid host credential may receive access. One solution would be two have two different radius servers, and point different NAS clients at the appropriate server, but I this is probably not the "right" way to do this. Ideally, I should be able to do it all from a single radius server with appropriate controls. I see that in the past folks have done similar things with openLdap and freeradius. But I think that using winbind may have changed this for users of Active Directly. I am not sure how to proceed. I would appreciate any guidance you wish to share. Thanks! John
I've been debugging this for awhile and I still can't find a solution to the problems I'm having. I'm running freeradius in this pattern: Active Directory <-> MS-CHAP <-> Freeradius <-> Cisco Switch <-> Windows XP SP3 I seem to be getting the error that is described here: http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with... I've run through and created the SSL certificates as described with the Windows OID's and I still seem to be getting the same issues. I have the actual AD authentication setup as described here: http://deployingradius.com/documents/configuration/active_directory.html I've turned off certificate validation on the Windows XP host and still no dice. I ran the EAP debugging as show here: http://deployingradius.com/documents/configuration/eap-problems.html and I have posted the results here: http://www.mythdragon.com/freeradius-debug/ The output of freeradius -X when I attempt a connection is like this: rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=76, length=150 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x0201000b01637374756474 Message-Authenticator = 0x8ffd4ec097ed474d2acfdbd06ce668ec NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 76 to 10.10.10.15 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c6699650575d57e32307d8902b7 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=77, length=237 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x0202005019800000004616030100410100003d03014a16f9f81d590cd2812aba8c635f832ec313fc9cd6070f2bcdb13efd9f9c8543000010 Message-Authenticator = 0x852be4c5dbca1b2f6653ddaef5525a62 NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" State = 0x99671c6699650575d57e32307d8902b7 NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 2 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 77 to 10.10.10.15 port 1645 EAP-Message = 0x0103040019c00000089b160301002a0200002603014a16f9f822ffc89286e662e0256b43e66215ad341c85a29e778755224a23e687000009 EAP-Message = 0x301e170d3039303532323138353235395a170d3130303532323138353235395a307c310b3009060355040613024652310f300d060355040e EAP-Message = 0x16e1a3903966209e8ab8733cc6c04e80a7b972a847ad3b172844cfe65eb4080ce9170bc842dfb0a6c747fda85e5890ba53ccf0b16757e60b EAP-Message = 0x4e837b84ca468c64275107fe93f5470153c858eb12e74f02ab7bd52ccf54add01488f9987b9a49a8ba1e8e2208c8ade2a727261a596bb4c4 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c6698640575d57e32307d8902b7 Finished request 37. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=78, length=163 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x020300061900 Message-Authenticator = 0xc8f1baef47c6a3668e41c12b29278edc NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" State = 0x99671c6698640575d57e32307d8902b7 NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 78 to 10.10.10.15 port 1645 EAP-Message = 0x010403fc194000c245b84f58bde16c300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040814 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d68 EAP-Message = 0x1bdaa4b461fa877807cfeb35b8c7db9a395c24818f3db57dd0f5d6f7c4437d6bf232fd2dccebe6c64210a6c8d380a758d51b5977b844a294 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31203016 EAP-Message = 0xd38d9387a468419b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669b630575d57e32307d8902b7 Finished request 38. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=79, length=163 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x020400061900 Message-Authenticator = 0xd045350ba1ebd09fc6aa69d033f7e022 NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" State = 0x99671c669b630575d57e32307d8902b7 NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 79 to 10.10.10.15 port 1645 EAP-Message = 0x010500b51900b36564be63341757208d386f17c173f1915bf196936c35da2bdb889940fc633ab5960046b3e360595d0217ca1c4a587cbc70 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669a620575d57e32307d8902b7 Finished request 39. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=80, length=479 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x0205014019800000013616030101061000010201005abafa67288b1050a9f42c9d521379eaa30a5d7927acaa6d5cb08c696aa724a733a39e EAP-Message = 0xc79943d0ffbb934a2e561395636d71b516c108a409ed05c21403010001011603010020dccd71cdf582fc34be4e949e4a83a8e3cd43b214c2 Message-Authenticator = 0xbd6fecf99a5ff39317b2e3a76ee1ed01 NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" State = 0x99671c669a620575d57e32307d8902b7 NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 80 to 10.10.10.15 port 1645 EAP-Message = 0x0106003119001403010001011603010020f17c1f67be3975c6810d3764208a8294ab2f5281c3b861884c4cf7cc22a275f8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669d610575d57e32307d8902b7 Finished request 40. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=81, length=163 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x020600061900 Message-Authenticator = 0x04bebaa5f8107e585937873550d1be1b NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" State = 0x99671c669d610575d57e32307d8902b7 NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 81 to 10.10.10.15 port 1645 EAP-Message = 0x01070020190017030100153af1e2ab4422d8623abc16220825b30286308dd3d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669c600575d57e32307d8902b7 Finished request 41. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=82, length=191 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x0207002219001703010017d1d78d24d19c44335278dbf3b577ab1dc6e972c1625ac3 Message-Authenticator = 0x0d00514a34760c9ad0353b282e218722 NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" State = 0x99671c669c600575d57e32307d8902b7 NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 7 length 34 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - chris [peap] Got tunnled request EAP-Message = 0x0207000b01637374756474 server routers-auth { PEAP: Got tunneled identity of chris PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to chris Sending tunneled request EAP-Message = 0x0207000b01637374756474 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "chris" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns updated [suffix] No '@' in User-Name = "chris", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800201a0108001b101195ce2c24ade78b1cf5aa059c23f088637374756474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb344cf36b34cd589c33f8244b7aca70a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800201a0108001b101195ce2c24ade78b1cf5aa059c23f088637374756474 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb344cf36b34cd589c33f8244b7aca70a [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 82 to 10.10.10.15 port 1645 EAP-Message = 0x010800371900170301002c4ea2709917cd595f7940395816d8a688fd6ce44d2213388f7b00bc9c55b555c2957c56f4bd0a9439c9913367 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669f6f0575d57e32307d8902b7 Finished request 42. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=83, length=245 User-Name = "chris" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-XX-XX-XX-XX-XX" Calling-Station-Id = "00-YY-YY-YY-YY-YY" EAP-Message = 0x020800581900170301004d73817b889d4fd7e2bf24fb538ad896be72097e0bc493430d917cf6d552b43ad7eaa6b6bc6cd039067e5ea70ecc Message-Authenticator = 0x11f6fb0bafc3ee1abaabaf02120589cb NAS-Port-Type = Ethernet NAS-Port = 50110 NAS-Port-Id = "GigabitEthernet1/0/10" State = 0x99671c669f6f0575d57e32307d8902b7 NAS-IP-Address = 10.10.10.15 server routers-auth { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] EAP packet type response id 8 length 88 [eap] Continuing tunnel setup. ++[eap] returns ok ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x020800411a0208003c3152dc3d0f74f672cab9f314e0aa326c86000000000000000035b488c0131cea6672253fe5e9a3b8e54aacc0c341f4 server routers-auth { PEAP: Setting User-Name to chris Sending tunneled request EAP-Message = 0x020800411a0208003c3152dc3d0f74f672cab9f314e0aa326c86000000000000000035b488c0131cea6672253fe5e9a3b8e54aacc0c341f4 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "chris" State = 0xb344cf36b34cd589c33f8244b7aca70a server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns updated [suffix] No '@' in User-Name = "chris", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for chris with NT-Password [mschap] No NT-Domain was found in the User-Name. expand: --domain=%{mschap:NT-Domain:-MYDOMAINHERE} -> --domain=MYDOMAINHERE expand: --username=%{mschap:User-Name:-None} -> --username=chris [mschap] mschap2: 11 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e97ec9325450dea expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031 Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb344cf36b24dd589c33f8244b7aca70a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb344cf36b24dd589c33f8244b7aca70a [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server routers-auth Sending Access-Challenge of id 83 to 10.10.10.15 port 1645 EAP-Message = 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669e6e0575d57e32307d8902b7 Finished request 43. Going to the next request Waking up in 4.8 seconds. Cleaning up request 36 ID 76 with timestamp +422 Cleaning up request 37 ID 77 with timestamp +422 Cleaning up request 38 ID 78 with timestamp +422 Cleaning up request 39 ID 79 with timestamp +422 Cleaning up request 40 ID 80 with timestamp +422 Cleaning up request 41 ID 81 with timestamp +422 Cleaning up request 42 ID 82 with timestamp +422 Cleaning up request 43 ID 83 with timestamp +422 Ready to process requests. Any help you guys can give me would be very appreciated. I know this issue has been posted here before, but it seems like the results I'm getting from all the solutions I've seen aren't fixing my problem. Chris Studt
Chris Studt wrote:
I've been debugging this for awhile and I still can't find a solution to the problems I'm having. I'm running freeradius in this pattern:
Active Directory <-> MS-CHAP <-> Freeradius <-> Cisco Switch <-> Windows XP SP3
And Samba. Don't forget Samba. And it's not that the server "doesn't reply with Access-Accept". It replies with a challenge, and the client never sends the next packet.
The output of freeradius -X when I attempt a connection is like this: ... [mschapv2] +- entering group MS-CHAP {...} ... expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e97ec9325450dea expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031 Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ... Sending Access-Challenge of id 83 to 10.10.10.15 port 1645 EAP-Message = 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669e6e0575d57e32307d8902b7 Finished request 43. Going to the next request Waking up in 4.8 seconds. Cleaning up request 36 ID 76 with timestamp +422
OK. That problem is becoming more common.
Any help you guys can give me would be very appreciated. I know this issue has been posted here before, but it seems like the results I'm getting from all the solutions I've seen aren't fixing my problem.
Please post: 1) OS you're using to run RADIUS. 2) version of Active Directory 3) version of Samba Then, try *downgrading* samba to an earlier version. Keep going backwards until it works. Then, post the version of Samba where it starts working. I've asked the Samba people if they know anything more about this, but have seen no response. If this is common, I'll open a bug with them, and see if it can get larger attention. Alan DeKok.
Chris Studt wrote:
I've been debugging this for awhile and I still can't find a solution to the problems I'm having. I'm running freeradius in this pattern:
Active Directory <-> MS-CHAP <-> Freeradius <-> Cisco Switch <-> Windows XP SP3
And Samba. Don't forget Samba.
And it's not that the server "doesn't reply with Access-Accept". It replies with a challenge, and the client never sends the next packet.
The output of freeradius -X when I attempt a connection is like this: ... [mschapv2] +- entering group MS-CHAP {...} ... expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e97ec9325450dea expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031 Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ... Sending Access-Challenge of id 83 to 10.10.10.15 port 1645 EAP-Message = 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99671c669e6e0575d57e32307d8902b7 Finished request 43. Going to the next request Waking up in 4.8 seconds. Cleaning up request 36 ID 76 with timestamp +422
OK. That problem is becoming more common.
Any help you guys can give me would be very appreciated. I know this issue has been posted here before, but it seems like the results I'm getting from all the solutions I've seen aren't fixing my problem.
Please post:
1) OS you're using to run RADIUS. 2) version of Active Directory 3) version of Samba
Then, try *downgrading* samba to an earlier version. Keep going backwards until it works. Then, post the version of Samba where it starts working.
I've asked the Samba people if they know anything more about this, but have seen no response. If this is common, I'll open a bug with them, and see if it can get larger attention.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the help, yes I am using Samba between AD and Freeradius. The OS I'm running on the Freeradius server is Ubuntu 8.10. I'm running a OpenSSL patched package of Freeradius 2.1.0+dfsg-0ubuntu2. The Active Directory server is Windows Server 2003. The version of Samba (and winbind) running is 3.2.3-1ubuntu3.4. I will begin downgrading my Samba and see if that changes anything. Chris Studt
Please post:
1) OS you're using to run RADIUS. 2) version of Active Directory 3) version of Samba
Then, try *downgrading* samba to an earlier version. Keep going backwards until it works. Then, post the version of Samba where it starts working.
I've asked the Samba people if they know anything more about this, but have seen no response. If this is common, I'll open a bug with them, and see if it can get larger attention.
Thanks for the help, yes I am using Samba between AD and Freeradius.
The OS I'm running on the Freeradius server is Ubuntu 8.10. I'm running a OpenSSL patched package of Freeradius 2.1.0+dfsg-0ubuntu2. The Active Directory server is Windows Server 2003. The version of Samba (and winbind) running is 3.2.3-1ubuntu3.4.
I will begin downgrading my Samba and see if that changes anything.
Samba was exactly the issue. I downgraded from the "ubuntu intrepid" version of Samba (3.2.3-1ubuntu3.4) to the "ubuntu hardy" version of Samba (3.0.28a-1ubuntu4.7) and my Windows XP clients started authenticating right away. Thanks guys, you saved me quite a bit of headache. Chris Studt
I've been debugging this for awhile and I still can't find a solution to the problems I'm having. I'm running freeradius in this pattern:
Active Directory <-> MS-CHAP <-> Freeradius <-> Cisco Switch <-> Windows XP SP3
I seem to be getting the error that is described here: http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with...
Not really. ...
[mschap] Told to do MS-CHAPv2 for chris with NT-Password [mschap] No NT-Domain was found in the User-Name. expand: --domain=%{mschap:NT-Domain:-MYDOMAINHERE} -> --domain=MYDOMAINHERE expand: --username=%{mschap:User-Name:-None} -> --username=chris [mschap] mschap2: 11 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e97ec9325450dea expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031 Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success
You authenticate fine but then get stuck. This has been reported as Samba problem. You should try to downgrade Samba back to the stable version (if I recall well 3.2 has the problem but 3.0 doesn't). Ivan Kalik Kalik Informatika ISP
Problem:
I want to enforce different access policies for users depending on who they are and where they try to authenticate.
(1) If students or teachers try to authenticate on the wired lan I want my dot1x capable NAS to provide access only if they user has a computer cert and valid domain credentials
You enforce computer authentication on your hardware. If there is no mac auth bypass computer certificates will have to be used. Numbers of users should determine which policy (let's call this one wired_vlan) should go first.
(2) If students try to connect via the student wireless lan they must only receive access if they are a member of the Active Directory based "student wireless users group", e.g. no staff member should be able to join.
This is straightforward use of huntgroups/sqlhuntgroups in combination with Ldap-Group (your AD should be configured in ldap module).
(3) If teachers try to connect via the teacher wireless lan, I want them to connect only if they HAVE a computer cert AND they have valid credentials. e.g only members of the Active Directoy based "staff group" using computers with a valid host credential may receive access.
This combination of two above. Create huntgroups/sqlhuntgroups wired_vlan, student_vlan and teacher_vlan. Then put this in authorize (inner-tunnel, where ldap + preprocess is enabled if you are using huntgrups file or you have ldap + unlang statements described in sql huntgroups howto): if(Huntgroup-Name == "student_vlan" && Ldap-Group == "student") { ok } elsif(Huntgroup-Name == "wired_vlan") { ok } elsif(Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") { ok } else { reject } That will allow only users with valid credentials accessing with stated vlans or vlan/group combinations.
On Fri, May 22, 2009 at 1:03 PM, Ivan Kalik <tnt@kalik.net> wrote:
Problem:
I want to enforce different access policies for users depending on who they are and where they try to authenticate.
(1) If students or teachers try to authenticate on the wired lan I want my dot1x capable NAS to provide access only if they user has a computer cert and valid domain credentials
You enforce computer authentication on your hardware. If there is no mac auth bypass computer certificates will have to be used.
I am not sure what you mean by "mac auth bypass." Can you explain. I think I am able to enforce certificate usage all of the time but I am not sure how to enforce it only on certain NAS and not require it on other NAS.
Numbers of users should determine which policy (let's call this one wired_vlan) should go first.
(2) If students try to connect via the student wireless lan they must only receive access if they are a member of the Active Directory based "student wireless users group", e.g. no staff member should be able to join.
This is straightforward use of huntgroups/sqlhuntgroups in combination with Ldap-Group (your AD should be configured in ldap module).
(3) If teachers try to connect via the teacher wireless lan, I want them to connect only if they HAVE a computer cert AND they have valid credentials. e.g only members of the Active Directoy based "staff group" using computers with a valid host credential may receive access.
This combination of two above.
Create huntgroups/sqlhuntgroups wired_vlan, student_vlan and teacher_vlan. Then put this in authorize (inner-tunnel, where ldap + preprocess is enabled if you are using huntgrups file or you have ldap + unlang statements described in sql huntgroups howto):
if(Huntgroup-Name == "student_vlan" && Ldap-Group == "student") { ok } elsif(Huntgroup-Name == "wired_vlan") { ok } elsif(Huntgroup-Name == "teacher_vlan" && Ldap-Group == "staff") { ok } else { reject }
That will allow only users with valid credentials accessing with stated vlans or vlan/group combinations.
Thanks Ivan, So this policy would check the huntgroup that the NAS was a member of and then go on to check if the users was part of the proper Ldap-Group and assuming that both were true then access would be granted. I am still not clear how some hunt groups will always require a host cert and others never will. Is this set in the hunt group? Alan, I can't wait for your book to be published! Thanks for your reply. John
participants (4)
-
Alan DeKok -
Chris Studt -
Ivan Kalik -
john