FreeRADIUS & AD LAP Communication
Dear Good Peoples Greetings Version Information: FreeRADIUS 2.2.0. Question: What does the following means? Is it not authentication area in "default" virtual server? i have listed "ldap" there. 1.) rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. 2.) i have one Linux open-ldap server, FreeRADIUS Auth works from that LDAP server, with following configuration. Please note, the passport storage in destination Linux LDAP Server is cleartext. i do check using the following command. * radtest mike aabb88@ localhost 1812 HYbbunINFDR$88 * # CentOS Open-ldap Server server = "ldapserver-mydomain.net<http://ldap.digital-infotech.net/> " identity = "cn=Administrator,dc=ldap-mydomain,dc=net" password = "password" basedn = "dc=mydomain,dc=net" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" i receive, access Accept !!! - NO problem 3.) When i do user query from FreeRADIUS to Windows Domain Controller Server 2012 x64. # Windows Domain Controller Server 2012 64-Bit AD server = "ldap-mydomain.com <http://ldap-teledataict.com/>" identity = "cn=Administrator,cn=Users,dc=ldap-mydomain,dc=com" password = "password" basedn = "dc=ldap-mydomain,dc=com" # Enable One Filter Only #filter = "(SamAccountName=%u)" filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" 3a) Following is the out-put with REJECT access, Perhaps because password storage in AD is not clear text, is it due to that? Perhaps it cannot be tested with redtest? i am using the following to test, is it correct test * radtest mike aabb88@ localhost 1812 HYbbunINFDR$88* 4.) rad_recv: Access-Request packet from host 127.0.0.1 port 46861, id=137, length=75 User-Name = "mike" User-Password = "aabb88@" NAS-IP-Address = 14.14.14.14 NAS-Port = 1812 Message-Authenticator = 0x4a3417dcf9e80de96f2274fbfa6f5c4d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "mike", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for mike [ldap] expand: (SamAccountName=%u) -> (SamAccountName=mike) [ldap] expand: dc=ldap-teledataict,dc=com -> dc=ldap-teledataict,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap-mydomain.net:389<http://ldap-teledataict.com:389/>, authentication 0 [ldap] bind as cn=Administrator,cn=Users,dc=ldap-teledataict,dc=com/rootadmin to ldap-mydomain.net:389 <http://ldap-teledataict.com:389/> [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=ldap-teledataict,dc=com, with filter (SamAccountName=mike) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user mike authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[forevertimecounter] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[gigawordcounter] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/auth_all +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> mike attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 137 to 127.0.0.1 port 46861 Waking up in 4.9 seconds. Cleaning up request 0 ID 137 with timestamp +3 Ready to process requests. Thanks / Regards
3a) Following is the out-put with REJECT access, Perhaps because password storage in AD is not clear text, is it due to that? Perhaps it cannot be tested with redtest? i am using the following to test, is it correct test radtest mike aabb88@ localhost 1812 HYbbunINFDR$88
Correct. Active Directory does not store its passwords in plain-text. Active Directory only accepts NTLM/MSCHAPv2 authentication (or Kerberos, but that's a whole different kettle of fish). Additionally, you are better off testing EAP-TTLS/EAP-MSCHAPv2 or EAP-PEAP with Active Directory since that is what the general use case is. For that, you need eapol_test, which is part of the wpa_supplicant package. See http://deployingradius.com/documents/protocols/compatibility.html first, then http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+aut... and http://confluence.diamond.ac.uk/display/PAAUTH/Building+eapol_test+in+wpa_su... for details :-) Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
Thank You Stefan. I shall study !! Regards RM -- On Wed, Nov 20, 2013 at 5:36 PM, <stefan.paetow@diamond.ac.uk> wrote:
3a) Following is the out-put with REJECT access, Perhaps because password storage in AD is not clear text, is it due to that? Perhaps it cannot be tested with redtest? i am using the following to test, is it correct test radtest mike aabb88@ localhost 1812 HYbbunINFDR$88
Correct. Active Directory does not store its passwords in plain-text. Active Directory only accepts NTLM/MSCHAPv2 authentication (or Kerberos, but that's a whole different kettle of fish).
Additionally, you are better off testing EAP-TTLS/EAP-MSCHAPv2 or EAP-PEAP with Active Directory since that is what the general use case is. For that, you need eapol_test, which is part of the wpa_supplicant package.
See http://deployingradius.com/documents/protocols/compatibility.htmlfirst, then http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+aut... http://confluence.diamond.ac.uk/display/PAAUTH/Building+eapol_test+in+wpa_su... details :-)
Stefan
-- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Russell Mike -
stefan.paetow@diamond.ac.uk