Hello All, I need some help authenticating against AD. I have followed directions online as best as I can, but things still aren't working as expected. I'm ultimately hoping to have our VPN users and admins logging into Cisco network equipment authenticate against AD through our FreeRADIUS 2 installation. Today, I have been testing authentication from one of Cisco switches, and I continually receive this basic output: rad_recv: Access-Request packet from host w.x.y.z port 37611, id=147, length=61 User-Name = "mphillips" User-Password = "xxxx" NAS-IP-Address = w.x.y.z NAS-Port = 2000 Thu Nov 19 16:17:34 2009 : Info: +- entering group authorize {...} Thu Nov 19 16:17:34 2009 : Info: ++[preprocess] returns ok Thu Nov 19 16:17:34 2009 : Info: [suffix] No '@' in User-Name = "mphillips", looking up realm NULL Thu Nov 19 16:17:34 2009 : Info: [suffix] No such realm "NULL" Thu Nov 19 16:17:34 2009 : Info: ++[suffix] returns noop Thu Nov 19 16:17:34 2009 : Info: [eap] No EAP-Message, not doing EAP Thu Nov 19 16:17:34 2009 : Info: ++[eap] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated Thu Nov 19 16:17:34 2009 : Info: ++[files] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[expiration] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[logintime] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns updated Thu Nov 19 16:17:34 2009 : Info: Found Auth-Type = PAP Thu Nov 19 16:17:34 2009 : Info: +- entering group PAP {...} Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx" Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption. Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns reject Thu Nov 19 16:17:34 2009 : Info: Failed to authenticate the user. Thu Nov 19 16:17:34 2009 : Auth: Login incorrect (rlm_pap: CRYPT password check failed): [mphillips/xxxx] (from client w.x.y.z port 2000) Thu Nov 19 16:17:34 2009 : Info: Using Post-Auth-Type Reject Thu Nov 19 16:17:34 2009 : Info: +- entering group REJECT {...} Thu Nov 19 16:17:34 2009 : Info: [attr_filter.access_reject] expand: %{User-Name} -> mphillips Thu Nov 19 16:17:34 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11 Thu Nov 19 16:17:34 2009 : Info: ++[attr_filter.access_reject] returns updated Thu Nov 19 16:17:34 2009 : Info: Delaying reject of request 5 for 1 seconds Thu Nov 19 16:17:34 2009 : Debug: Going to the next request Thu Nov 19 16:17:34 2009 : Debug: Waking up in 0.9 seconds. Thu Nov 19 16:17:36 2009 : Info: Sending delayed reject for request 5 Sending Access-Reject of id 147 to w.x.y.z port 37611 Thu Nov 19 16:17:36 2009 : Debug: Waking up in 4.6 seconds. Thu Nov 19 16:17:42 2009 : Info: Cleaning up request 5 ID 147 with timestamp +1181 Thu Nov 19 16:17:42 2009 : Debug: Ready to process requests. I can't tell from this output if the RADIUS server is ever even attempting to reach AD. Obviously, if I enter the correct password for my username on the RADIUS server itself, authentication will succeed, but this is not the desired behavior at this time. Any help is greatly appreciated. Michael Phillips _________________________________________________________________ Hotmail: Trusted email with Microsoft's powerful SPAM protection. http://clk.atdmt.com/GBL/go/177141664/direct/01/ http://clk.atdmt.com/GBL/go/177141664/direct/01/
Hi, It doesn't llok like you are using ad authentication Are you trying to set up ntlm_auth ? Here is a good description : http://deployingradius.com/documents/configuration/active_directory.html Regards Paul On Thu, 2009-11-19 at 21:37 +0000, Michael Phillips wrote:
Hello All,
I need some help authenticating against AD. I have followed directions online as best as I can, but things still aren't working as expected. I'm ultimately hoping to have our VPN users and admins logging into Cisco network equipment authenticate against AD through our FreeRADIUS 2 installation. Today, I have been testing authentication from one of Cisco switches, and I continually receive this basic output:
rad_recv: Access-Request packet from host w.x.y.z port 37611, id=147, length=61 User-Name = "mphillips" User-Password = "xxxx" NAS-IP-Address = w.x.y.z NAS-Port = 2000 Thu Nov 19 16:17:34 2009 : Info: +- entering group authorize {...} Thu Nov 19 16:17:34 2009 : Info: ++[preprocess] returns ok Thu Nov 19 16:17:34 2009 : Info: [suffix] No '@' in User-Name = "mphillips", looking up realm NULL Thu Nov 19 16:17:34 2009 : Info: [suffix] No such realm "NULL" Thu Nov 19 16:17:34 2009 : Info: ++[suffix] returns noop Thu Nov 19 16:17:34 2009 : Info: [eap] No EAP-Message, not doing EAP Thu Nov 19 16:17:34 2009 : Info: ++[eap] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated Thu Nov 19 16:17:34 2009 : Info: ++[files] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[expiration] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[logintime] returns noop Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns updated Thu Nov 19 16:17:34 2009 : Info: Found Auth-Type = PAP Thu Nov 19 16:17:34 2009 : Info: +- entering group PAP {...} Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx" Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption. Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match Thu Nov 19 16:17:34 2009 : Info: ++[pap] returns reject Thu Nov 19 16:17:34 2009 : Info: Failed to authenticate the user. Thu Nov 19 16:17:34 2009 : Auth: Login incorrect (rlm_pap: CRYPT password check failed): [mphillips/xxxx] (from client w.x.y.z port 2000) Thu Nov 19 16:17:34 2009 : Info: Using Post-Auth-Type Reject Thu Nov 19 16:17:34 2009 : Info: +- entering group REJECT {..} Thu Nov 19 16:17:34 2009 : Info: [attr_filter.access_reject] expand: %{User-Name} -> mphillips Thu Nov 19 16:17:34 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11 Thu Nov 19 16:17:34 2009 : Info: ++[attr_filter.access_reject] returns updated Thu Nov 19 16:17:34 2009 : Info: Delaying reject of request 5 for 1 seconds Thu Nov 19 16:17:34 2009 : Debug: Going to the next request Thu Nov 19 16:17:34 2009 : Debug: Waking up in 0.9 seconds. Thu Nov 19 16:17:36 2009 : Info: Sending delayed reject for request 5 Sending Access-Reject of id 147 to w.x.y.z port 37611 Thu Nov 19 16:17:36 2009 : Debug: Waking up in 4.6 seconds. Thu Nov 19 16:17:42 2009 : Info: Cleaning up request 5 ID 147 with timestamp +1181 Thu Nov 19 16:17:42 2009 : Debug: Ready to process requests.
I can't tell from this output if the RADIUS server is ever even attempting to reach AD. Obviously, if I enter the correct password for my username on the RADIUS server itself, authentication will succeed, but this is not the desired behavior at this time.
Any help is greatly appreciated.
Michael Phillips
______________________________________________________________________ Hotmail: Trusted email with Microsoft's powerful SPAM protection. Sign up now. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I need some help authenticating against AD. I have followed directions online as best as I can, but things still aren't working as expected.
These: http://deployingradius.com/documents/configuration/active_directory.html
I'm ultimately hoping to have our VPN users and admins logging into Cisco network equipment authenticate against AD through our FreeRADIUS 2 installation. Today, I have been testing authentication from one of Cisco switches, and I continually receive this basic output:
You are not authenticating against AD. You are authenticating against local system file: ...
Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated ... Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx" Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption. Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
... and the password isn't correct.
I can't tell from this output if the RADIUS server is ever even attempting to reach AD.
It isn't.
Obviously, if I enter the correct password for my username on the RADIUS server itself, authentication will succeed, but this is not the desired behavior at this time.
Comment out unix in authorize then. If you follow the guide this will work with Auth-Type := ntlm_auth in users file. Ivan Kalik
I followed the directions in that link prior to emailing the group. For some reason, it still isn't working as expected. If I put this line at the top of the users file, VPN users and Cisco exec users are able to authenticate with their AD account. DEFAULT Auth-Type = ntlm_auth This is the debug output from a successful auth: rad_recv: Access-Request packet from host w.x.y.z port 1645, id=33, length=86 User-Name = "mphillips" User-Password = "xxxx" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "w.x.y.z" NAS-IP-Address = w.x.y.z +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "mphillips", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = ntlm_auth +- entering group ntlm_auth {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mphillips [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxx Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok Login OK: [mphillips] (from client Access-Layer-Switch1 port 1 cli w.x.y.z) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 33 to w.x.y.z port 1645 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 33 with timestamp +16 Ready to process requests. Technically, this is all I need; this seems like a hacked way of doing things, though and I want to understand the operations of the server better. I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT line from the top of the users file. Now I get this debug output: rad_recv: Access-Request packet from host w.x.y.z port 1645, id=34, length=86 User-Name = "mphillips" User-Password = "xxxx" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "w.x.y.z" NAS-IP-Address = w.x.y.z +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "mphillips", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [mphillips/xxxx] (from client Access-Layer-Switch1 port 1 cli w.x.y.z) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> mphillips attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 34 to 10.200.1.4 port 1645 Waking up in 4.6 seconds. Cleaning up request 0 ID 34 with timestamp +12 Ready to process requests. Thanks for any assistance. -Mike
Date: Thu, 19 Nov 2009 22:30:50 +0000 Subject: Re: need help authenticating against AD From: tnt@kalik.net To: freeradius-users@lists.freeradius.org
I need some help authenticating against AD. I have followed directions online as best as I can, but things still aren't working as expected.
These:
http://deployingradius.com/documents/configuration/active_directory.html
I'm ultimately hoping to have our VPN users and admins logging into Cisco network equipment authenticate against AD through our FreeRADIUS 2 installation. Today, I have been testing authentication from one of Cisco switches, and I continually receive this basic output:
You are not authenticating against AD. You are authenticating against local system file: ...
Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated ... Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx" Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption. Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
... and the password isn't correct.
I can't tell from this output if the RADIUS server is ever even attempting to reach AD.
It isn't.
Obviously, if I enter the correct password for my username on the RADIUS server itself, authentication will succeed, but this is not the desired behavior at this time.
Comment out unix in authorize then. If you follow the guide this will work with Auth-Type := ntlm_auth in users file.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Hotmail: Trusted email with Microsoft's powerful SPAM protection. http://clk.atdmt.com/GBL/go/177141664/direct/01/ http://clk.atdmt.com/GBL/go/177141664/direct/01/
Technically, this is all I need; this seems like a hacked way of doing things,
Well, you have to hack things if you don't want freeradius server to autheticate users but get the result of authentication done by something else.
though and I want to understand the operations of the server better. I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT line from the top of the users file.
You should remove unix (if you are going to use AD passwords and not local system ones). Put pap back. Instead of forcing things in users file put this bit of unlang *below* pap in authorize: if(!control:Auth-Type) { update control { Auth-Type = "ntlm-auth" } } If none of the standard modules don't set Auth-Type this will set ntlm_auth. Ivan Kalik
participants (3)
-
Michael Phillips -
Paul Ryszka -
tnt@kalik.net