Issues authenticating vs 2003 AD
I am handing off a qurest from pppd to radius and am failing with a valid user in the domain. Here is the output of radiusd -X -A Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32769, id=39, length=72 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "ppptest" CHAP-Password = 0xa3de2596eae8f89f46e35d612d8858ac55 NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "ppptest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 users: Matched entry DEFAULT at line 173 users: Matched entry DEFAULT at line 185 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for ppptest radius_xlat: '(sAMAccountName=ppptest)' radius_xlat: 'dc=company,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to domcon.company.org:389, authentication 0 rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password to domcon.company.org:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=company,dc=org, with filter (sAMAccountName=ppptest) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user ppptest authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_chap: login attempt by "ppptest" with CHAP password rlm_chap: Could not find clear text password for user ppptest modcall[authenticate]: module "chap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 39 to 127.0.0.1:32769 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 39 with timestamp 4303762d Nothing to do. Sleeping until we see a request. Any ideas? Both mschap and chap are enabled in the radiusd.conf
Tim P <panterafreak@gmail.com> wrote:
I am handing off a qurest from pppd to radius and am failing with a valid user in the domain.
No. The server is failing because it doesn't have a clear-text password.
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory...
The LDAP module doesn't get a clear-text password from AD, so the server can't authenticate the user.
Any ideas? Both mschap and chap are enabled in the radiusd.conf
AD won't give the server clear-text passwords. So doing CHAP to AD is *impossible*. You CAN use MS-CHAP, but for that you've got to configure ntlm_auth. Remember, AD is *not* and LDAP server. It just pretends to be one sometimes. Alan DeKok.
Thought it was configured, I beleive I have tested it positive in the past, I want to use ntlm_auth, I had this in there and had tested it as far as i know: Radius.conf ldap { server = "domcon.company.org" basedn = "dc=company,dc=org" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" password_attribute = "userPassword" identity = "cn=administrator,cn=Users,dc=company,dc=org" password = password Will this not work, if not how to config the ntml? On 8/17/05, Alan DeKok <aland@ox.org> wrote:
Tim P <panterafreak@gmail.com> wrote:
I am handing off a qurest from pppd to radius and am failing with a valid user in the domain.
No.
The server is failing because it doesn't have a clear-text password.
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory...
The LDAP module doesn't get a clear-text password from AD, so the server can't authenticate the user.
Any ideas? Both mschap and chap are enabled in the radiusd.conf
AD won't give the server clear-text passwords. So doing CHAP to AD is *impossible*.
You CAN use MS-CHAP, but for that you've got to configure ntlm_auth.
Remember, AD is *not* and LDAP server. It just pretends to be one sometimes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tim P <panterafreak@gmail.com> wrote:
Thought it was configured, I beleive I have tested it positive in the past, I want to use ntlm_auth, I had this in there and had tested it as far as i know:
Radius.conf ldap {
That doesn't configure ntlm.
Will this not work, if not how to config the ntml?
Read radiusd.conf. Alan DeKok.
Ok using these settings it seems to authenticate with radtest
Radius.conf ldap { server = "domcon.company.org" basedn = "dc=company,dc=org" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" password_attribute = "userPassword" identity = "cn=administrator,cn=Users,dc=company,dc=org" password = password
[root@redguard ~]# radtest user userpass localhost:1812 1 radiussecret Sending Access-Request of id 201 to 127.0.0.1:1812 User-Name = "user" User-Password = "userpass" NAS-IP-Address = redguard.company.net NAS-Port = 1 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20 And the output of radius -X -A shows rlm_ldap: - authorize rlm_ldap: performing user authorization for tporritt radius_xlat: '(sAMAccountName=tporritt)' radius_xlat: 'dc=gtdsolutions,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=gtdsolutions,dc=org, with filter (sAMAccountName=tporritt) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tporritt authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "tporritt" with password "pantera" rlm_ldap: user DN: CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 1 rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user tporritt authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: group Auth-Type returns ok for request 1 Sending Access-Accept of id 201 to 127.0.0.1:32770 Finished request 1 These two look to me like they authenticated the user successfully. I have l2tp handling authentication which puts it to pppd In /etc/ppp/options.l2tpd I have # added for radius auth with radius refuse-chap refuse-mschap require-mschap-v2 require-mppe lcp-echo-failure 30 lcp-echo-interval 5 plugin radius.so Is it possible that this will work? I tried using ntlm_auth with no luck from pppd as it gave me Aug 18 10:13:56 redguard pppd[2260]: WINBIND plugin initialized. Aug 18 10:13:56 redguard pppd[2260]: In file /etc/ppp/options.l2tpd: unrecognized option '--helper-protocol=ntlm-server-1' The line I had was # winbind auth plugin winbind.so ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 Just looking for a way (and preferably and example) of the authentication vs AD since I don't seem to understand how to do it. I have looked in radius.conf and enabled the ntlm authentication but it seems to insist upon using chap and not mschap-v2, is there a difference? It still complains about the "no cleartext password" an example would be greatly apprecated! Thanks Tim
Tim P <panterafreak@gmail.com> wrote:
Ok using these settings it seems to authenticate with radtest ... [root@redguard ~]# radtest user userpass localhost:1812 1 radiussecret
i.e. clear-text password.
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory...
i.e. NO PASSWORD WAS RETURNED BY AD.
rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user tporritt authenticated succesfully
i.e. You're binding to AD as the user. You are using AD as an "authentication oracle". You hand it bits of information, and it returns yes/no. You are NOT using AD as a database.
These two look to me like they authenticated the user successfully.
Yes. Now try MSCHAP.
In /etc/ppp/options.l2tpd I have .. Is it possible that this will work?
Yes. But you're not getting the password from AD. As I said: AD will not supply the password. Nothing in what you've posted contradicts that.
Just looking for a way (and preferably and example) of the authentication vs AD since I don't seem to understand how to do it. I have looked in radius.conf and enabled the ntlm authentication but it seems to insist upon using chap and not mschap-v2, is there a difference?
The client asks for CHAP, so that's what the RADIUS server sees. The RADIUS server DOES NOT, and CAN NOT change the authentication method the client uses.
It still complains about the "no cleartext password"
Because, as I've said repeatedly, AD doesn't supply the password to you. Alan DeKok.
Sorry to keep asking but can you post an example (using mschap) to authenticate from freeradius to AD using the ntlm_auth method? On 8/18/05, Alan DeKok <aland@ox.org> wrote:
Tim P <panterafreak@gmail.com> wrote:
Ok using these settings it seems to authenticate with radtest ... [root@redguard ~]# radtest user userpass localhost:1812 1 radiussecret
i.e. clear-text password.
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory...
i.e. NO PASSWORD WAS RETURNED BY AD.
rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user tporritt authenticated succesfully
i.e. You're binding to AD as the user.
You are using AD as an "authentication oracle". You hand it bits of information, and it returns yes/no. You are NOT using AD as a database.
These two look to me like they authenticated the user successfully.
Yes. Now try MSCHAP.
In /etc/ppp/options.l2tpd I have .. Is it possible that this will work?
Yes. But you're not getting the password from AD.
As I said: AD will not supply the password. Nothing in what you've posted contradicts that.
Just looking for a way (and preferably and example) of the authentication vs AD since I don't seem to understand how to do it. I have looked in radius.conf and enabled the ntlm authentication but it seems to insist upon using chap and not mschap-v2, is there a difference?
The client asks for CHAP, so that's what the RADIUS server sees. The RADIUS server DOES NOT, and CAN NOT change the authentication method the client uses.
It still complains about the "no cleartext password"
Because, as I've said repeatedly, AD doesn't supply the password to you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have read the docs, maybe I am just missing where there example was, I see the entries commented but not for what I need I guess (or I missed). I have reconfigured radiusd.conf again to see it I can authenticate and am still having trouble Can you look at these configs and tell me where you see issues? radiusd.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes #with_ntdomain_hack = no ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } authorize { preprocess # auth_log # attr_filter # chap mschap # digest # IPASS suffix # ntdomain # eap # files # sql # etc_smbpasswd # ldap # daily # checkval } authenticate { Auth-Type MS-CHAP { mschap } } preacct { preprocess suffix proxy.conf realm gtdsolutions.org { type = radius authhost = LOCAL accthost = LOCAL } realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL } users DEFAULT Auth-Type = mschap Fall-Through = 1 attempted login from a windows host via l2tp output of radiusd -X -A Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32771, id=169, length=90 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "tporritt@gtdsolutions.org" CHAP-Password = 0x44ac3d380292ea549c27ecce30ec2afe9c NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "gtdsolutions.org" for User-Name = "tporritt@gtdsolutions.org" rlm_realm: Found realm "gtdsolutions.org" rlm_realm: Adding Stripped-User-Name = "tporritt" rlm_realm: Proxying request from user tporritt to realm gtdsolutions.org rlm_realm: Adding Realm = "gtdsolutions.org" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0
Tim P <panterafreak@gmail.com> wrote:
I have reconfigured radiusd.conf again to see it I can authenticate and am still having trouble
Can you look at these configs and tell me where you see issues?
The client is doing CHAP. You have configured the MSCHAP module to use ntlm_auth. CHAP is not MSCHAP. CHAP will not work with AD. I've said this repeatedly. Alan DeKok.
I understand you have said that repeatedly what I am asking is where is that chap coming from? I am not sure if it is coming from pppd or l2tpd or my windows client as I have radius properly configured correct? The client is windows xp sp2 with a vpn tunnel going to the box, ipsec works fine, l2tp recieves the auth request and hands it to pppd which then passes it to radius. On the windows side I have set it to only use mschap-v2 (also tried it with only ms chap) so it would seem the windows client is configured properly. So does my radius config look correct and another peice of the chain is broken and for some reason passing auth as chap? I'm sorry I'm not that knowledgable when it comes to radius, this is my first time using it, please be patient, I am just trying to figure out how it works (and yes I have read the conf file but still am not 100% sure of it). Thanks, Tim On 8/19/05, Alan DeKok <aland@ox.org> wrote:
Tim P <panterafreak@gmail.com> wrote:
I have reconfigured radiusd.conf again to see it I can authenticate and am still having trouble
Can you look at these configs and tell me where you see issues?
The client is doing CHAP. You have configured the MSCHAP module to use ntlm_auth.
CHAP is not MSCHAP. CHAP will not work with AD. I've said this repeatedly.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tim P <panterafreak@gmail.com> wrote:
I understand you have said that repeatedly what I am asking is where is that chap coming from?
As I've also said repeatedly, the client sends the authentication request to the server, and the server does not, and can not control what authenticate type the client uses.
I am not sure if it is coming from pppd or l2tpd or my windows client as I have radius properly configured correct?
It probably comes from pppd or l2tpd. I recall that the configuration you posted earlier disabled chap, so I don't know why the client would still be using it.
The client is windows xp sp2 with a vpn tunnel going to the box, ipsec works fine, l2tp recieves the auth request and hands it to pppd which then passes it to radius. On the windows side I have set it to only use mschap-v2 (also tried it with only ms chap) so it would seem the windows client is configured properly.
If the RADIUS server is receiving a CHAP-Password in the request, then something else in the system is using CHAP. You *think* you've configured it to use MSCHAP, but that is obviously not happening.
So does my radius config look correct and another peice of the chain is broken and for some reason passing auth as chap?
Yes.
I'm sorry I'm not that knowledgable when it comes to radius, this is my first time using it, please be patient, I am just trying to figure out how it works (and yes I have read the conf file but still am not 100% sure of it).
The problem isn't understanding how it works. The problem is believing things that are explained on the list. Alan DeKok.
participants (2)
-
Alan DeKok -
Tim P