authenticate Cisco devices against AD via Freeradius
Hi all, i currently use my radius server (3.0.11) to do things such EAP-TTLS, MSCHAPv2, CHAP in order to authenticate different users on devices/machines/etc... I managed to configure a virtual router for doing PAP against local USERS (in users file) following a guide about IOS+Freeradius. Works perfectly. What i'd like to do now is to authenticate users from the Cisco IOS device against AD (via ldap, mschap or whatever). The device i'm using only support PAP. The radius server is joined to the AD domain, getent passwd retrives all the AD users. Is it possible? (i know, i have a lot of imagination :-)) thanks -- "Madness, like small fish, runs in hosts, in vast numbers of instances." Nessuno mi pettina bene come il vento.
On Sep 21, 2016, at 5:08 AM, aquilinux <aquilinux@gmail.com> wrote:
Hi all, i currently use my radius server (3.0.11) to do things such EAP-TTLS, MSCHAPv2, CHAP in order to authenticate different users on devices/machines/etc... I managed to configure a virtual router for doing PAP against local USERS (in users file) following a guide about IOS+Freeradius. Works perfectly. What i'd like to do now is to authenticate users from the Cisco IOS device against AD (via ldap, mschap or whatever). The device i'm using only support PAP. The radius server is joined to the AD domain, getent passwd retrives all the AD users. Is it possible? (i know, i have a lot of imagination :-))
http://deployingradius.com/documents/configuration/active_directory.html Alan DeKok.
Thanks for your reply Alan, it was trivial... btw even if radius server answers with a Access-Accept the NAS is rejecting with "authorization failed".
From Radius Ready to process requests (0) Received Access-Request Id 73 from 192.168.105.222:1812 to 172.20.2.199:1812 length 80 (0) NAS-IP-Address = 192.168.105.222 (0) NAS-Port = 1 (0) NAS-Port-Type = Virtual (0) User-Name = "testrad" (0) Calling-Station-Id = "172.20.17.151" (0) User-Password = "testrad123" (0) # Executing section authorize from file /usr/etc/raddb/sites-enabled/vr-test-netdev (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /usr/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /usr/var/log/radius/radacct/ 192.168.105.222/auth-detail-20160921 (0) auth_log: /usr/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/var/log/radius/radacct/192.168.105.222/auth-detail-20160921 (0) auth_log: EXPAND %t (0) auth_log: --> Wed Sep 21 17:04:02 2016 (0) [auth_log] = ok (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=EA-MILANO --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-486643733-1688716086-2075228900-512: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=testrad (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=testrad123 (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) if (ok) { (0) if (ok) -> TRUE (0) if (ok) { (0) update control { (0) Auth-Type := Accept (0) } # update control = noop (0) } # if (ok) = noop (0) [files] = noop (0) [unix] = notfound (0) return (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/vr-test-netdev (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 73 from 172.20.2.199:1812 to 192.168.105.222:1812 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 73 with timestamp +12 Ready to process requests
From Cisco 2950: Username: testrad Password: % Authorization failed. Connection closed by foreign host.
thanks. On Wed, Sep 21, 2016 at 3:04 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 21, 2016, at 5:08 AM, aquilinux <aquilinux@gmail.com> wrote:
Hi all, i currently use my radius server (3.0.11) to do things such EAP-TTLS, MSCHAPv2, CHAP in order to authenticate different users on devices/machines/etc... I managed to configure a virtual router for doing PAP against local USERS (in users file) following a guide about IOS+Freeradius. Works perfectly. What i'd like to do now is to authenticate users from the Cisco IOS
device
against AD (via ldap, mschap or whatever). The device i'm using only support PAP. The radius server is joined to the AD domain, getent passwd retrives all the AD users. Is it possible? (i know, i have a lot of imagination :-))
http://deployingradius.com/documents/configuration/active_directory.html
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- "Madness, like small fish, runs in hosts, in vast numbers of instances." Nessuno mi pettina bene come il vento.
nevermind.... got it working. i had commented out some useful entries in "user" file. thanks! On Wed, Sep 21, 2016 at 5:07 PM, aquilinux <aquilinux@gmail.com> wrote:
Thanks for your reply Alan, it was trivial... btw even if radius server answers with a Access-Accept the NAS is rejecting with "authorization failed".
From Radius Ready to process requests (0) Received Access-Request Id 73 from 192.168.105.222:1812 to 172.20.2.199:1812 length 80 (0) NAS-IP-Address = 192.168.105.222 (0) NAS-Port = 1 (0) NAS-Port-Type = Virtual (0) User-Name = "testrad" (0) Calling-Station-Id = "172.20.17.151" (0) User-Password = "testrad123" (0) # Executing section authorize from file /usr/etc/raddb/sites-enabled/ vr-test-netdev (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /usr/var/log/radius/radacct/%{ %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /usr/var/log/radius/radacct/19 2.168.105.222/auth-detail-20160921 (0) auth_log: /usr/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/var/log/radius/radacct/192.168.105.222/auth-detail-20160921 (0) auth_log: EXPAND %t (0) auth_log: --> Wed Sep 21 17:04:02 2016 (0) [auth_log] = ok (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=EA-MILANO --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5- 21-486643733-1688716086-2075228900-512: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=testrad (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=testrad123 (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) if (ok) { (0) if (ok) -> TRUE (0) if (ok) { (0) update control { (0) Auth-Type := Accept (0) } # update control = noop (0) } # if (ok) = noop (0) [files] = noop (0) [unix] = notfound (0) return (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/ vr-test-netdev (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 73 from 172.20.2.199:1812 to 192.168.105.222:1812 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 73 with timestamp +12 Ready to process requests
From Cisco 2950: Username: testrad Password: % Authorization failed. Connection closed by foreign host.
thanks.
On Wed, Sep 21, 2016 at 3:04 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 21, 2016, at 5:08 AM, aquilinux <aquilinux@gmail.com> wrote:
Hi all, i currently use my radius server (3.0.11) to do things such EAP-TTLS, MSCHAPv2, CHAP in order to authenticate different users on devices/machines/etc... I managed to configure a virtual router for doing PAP against local
USERS
(in users file) following a guide about IOS+Freeradius. Works perfectly. What i'd like to do now is to authenticate users from the Cisco IOS device against AD (via ldap, mschap or whatever). The device i'm using only support PAP. The radius server is joined to the AD domain, getent passwd retrives all the AD users. Is it possible? (i know, i have a lot of imagination :-))
http://deployingradius.com/documents/configuration/active_directory.html
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
-- "Madness, like small fish, runs in hosts, in vast numbers of instances."
Nessuno mi pettina bene come il vento.
-- "Madness, like small fish, runs in hosts, in vast numbers of instances." Nessuno mi pettina bene come il vento.
participants (2)
-
Alan DeKok -
aquilinux