machine authentication (was: Windows-Domain login without local users)
hey freeRADIUS users, I've found out that there goes something completely wrong, there is allways the ldap request! also if the user is defined in the users file like: bob Password == "bob" Reply-Message = "Hello, bob" then I try to: 11:03:49 Xradius /etc/raddb [root]radtest bob bob localhost 0 l1nux_r4d1us Sending Access-Request of id 192 to 127.0.0.1 port 1645 User-Name = "bob" User-Password = "bob" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Re-sending Access-Request of id 192 to 127.0.0.1 port 1645 User-Name = "bob" User-Password = "bob" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 ... debug output: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 256000 main: delete_blocked_requests = 0 main: port = 1645 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "yes" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User -Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = no rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = yes Module: Instantiated realm (suffix) realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = yes Module: Instantiated realm (ntdomain) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded LDAP ldap: server = "141.201.43.10" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "CN=Administrator,CN=Users,DC=isalab,DC=local" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "labadmin" ldap: basedn = "CN=Users,DC=isalab,DC=local" ldap: filter = "sAMAccountName=%{Stripped-User-Name:-%{User-Name})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "memberOf" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 500 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x9a442b8 Module: Instantiated ldap (ldap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (pre_proxy_log) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (post_proxy_log) Listening on authentication *:1645 Listening on accounting *:1646 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32769, id=233, length=55 User-Name = "bob" User-Password = "bob" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/127.0.0.1/auth-detail-20061115' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20061115 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "bob", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: No '\' in User-Name = "bob", skipping NULL due to config. modcall[authorize]: module "ntdomain" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry bob at line 171 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for bob radius_xlat: 'sAMAccountName=bob)' radius_xlat: 'CN=Users,DC=isalab,DC=local' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 141.201.43.10:389, authentication 0 rlm_ldap: bind as CN=Administrator,CN=Users,DC=isalab,DC=local/labadmin to 141.201.43.10:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in CN=Users,DC=isalab,DC=local, with filter sAMAccountName=bob) rlm_ldap: ldap_search() failed: Bad search filter: sAMAccountName=bob) rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0 modcall: leaving group authorize (returns fail) for request 0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32769, id=233, length=55 Discarding duplicate request from client localhost:32769 - ID: 233 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 233 with timestamp 455b3ad8 Nothing to do. Sleeping until we see a request. here is my authorize section of radiusd.conf: authorize { preprocess auth_log chap mschap suffix ntdomain eap files ldap } authenticate { ... # Auth-Type LDAP { # ldap # } ... } We normaly need the ldap module to get the groups from Active Directory but if the user is directly configured in the users file there should be no ldap request to the AD! freeRADIUS: v. 1.1.3 hope somone can help me ca mIke
the testlab looks like
Windows 2003 (AD) <---> Freeradius <---> Enterasys switch/Cisco WLAN > <---> Linux/MS-Client
802.1x via PEAP works, so the next step is machine authentication to get also a 802.1x Domain login.
like in this post (http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-November/058...) we have upgradet our releases:
Samba: Version 3.0.23c FreeRADIUS Version 1.1.2 the supplicant is the original Windows supplicant and machine authentication is activated.
Because we are working with the policy system from enterasys the normal user authentication starts with a ldap request to the active directory for group to policy mapping. Therefore we have such user-entries:
DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == ISALAB.local Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole", Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network", Fall-Through = No
So there will be the LDAP request for the group adminrole and then it will be sent to the switch with the above filter-ID. This works good for user-auth, but with machine auth now there are problems because I see the machine LDAP-request now for host/it88.isalab.local and that fails:
============================================= .... =============================================
Then I've tested a bit with ntlm_auth:
16:11:57 Xradius /etc/raddb [root]ntlm_auth --request-key --domain=ISALAB.LOCAL --username=host/it88.isalab.local password: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
... so I think this is the wrong request!
with:
16:12:38 Xradius /etc/raddb [root]ntlm_auth --request-key --domain=ISALAB.LOCAL --username=it88$ password: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
I get the wrong password, so I think this user/machine is available!
any ideas how to go on?!?
thanks mIke
ok, now the normal authentication process works again! normally our config from the ldap request looks like the following: radiusd.conf: basedn = "CN=Users,DC=isalab,DC=local" filter = "sAMAccountName=%{Stripped-User-Name:-%{User-Name})" groupname_attribute = cn groupmembership_filter = "(|(&(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf users: DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == ISALAB.local Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole", Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network", Fall-Through = No with this config we get the groupmembership from the users and we can give the filter-ID back to the switches. But with machine authentication it looks a bit different! first the DC ist Computers, no more users, then the sAMAccountName is for example IT88$ and freeradius gives the name host/it88.isalab.local to the AD, but this name stands in the servicePrincipalName! also there is no memberOf any more at the device! any ideas this is can be done? ca mIke
"Michael Messner" <michael.messner_edv@inode.at> wrote:
I've found out that there goes something completely wrong, there is allways the ldap request!
Because you configured it to do that? See doc/configurable_failover for how to handle failure cases.
ldap: filter = "sAMAccountName=%{Stripped-User-Name:-%{User-Name})"
That doesn't look right.
rlm_ldap: performing search in CN=Users,DC=isalab,DC=local, with filter sAMAccountName=bob) rlm_ldap: ldap_search() failed: Bad search filter: sAMAccountName=bob)
You're missing a bracket. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hey alan, Alan DeKok schrieb:
"Michael Messner" <michael.messner_edv@inode.at> wrote:
I've found out that there goes something completely wrong, there is allways the ldap request!
Because you configured it to do that? See doc/configurable_failover for how to handle failure cases.
ok, thanks for the information
ldap: filter = "sAMAccountName=%{Stripped-User-Name:-%{User-Name})"
That doesn't look right.
the bracket is now fixed, was this the only thing or is something else not correct? ca mIke -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFW2u+yUY4xkIcFVQRAqPjAKDeH6clrpbPb/7boHnImRnQEXg+MgCgq3FA 3qQqfRiItPegkLy2yEmQnO0= =nhvD -----END PGP SIGNATURE-----
participants (2)
-
Alan DeKok -
Michael Messner