Hi, I have several problems when I would like to link freeradius with AD using OpenLDAP. When I tried to test the binding of OpenLDAP to the AD with radtest, it responds Access-Accept (as you can see in the log after). But when I wanted to check with a real supplicant (under WinXP with MD5-Challenge Auth) I got an access-reject. Things I changed : - modules/ldap : ldap { server = "test.fr" identity = "cn=bindradius,cn=Users,dc=test,dc=fr" password = bindradius basedn = "cn=Users,dc=test,dc=fr" filter = "(samaccountname=%{User-Name})" .. } password_attribute = userPassword - site-enabled/default & inner-tunnel : authorize { .. # uncommented : ldap .. } authenticate { .. # uncommented : Auth-Type LDAP { ldap } Thanks for your help --------------------------------------------------------------------------------- Radtest : --------------------------------------------------------------------------------- root@freeradius:~# radtest philippe philippe localhost 0 testing123 Sending Access-Request of id 50 to 127.0.0.1 port 1812 User-Name = "philippe" User-Password = "philippe" NAS-IP-Address = 192.168.1.3 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=50, length=20 --------------------------------------------------------------------------------- Freeradius log with radtest : --------------------------------------------------------------------------------- rad_recv: Access-Request packet from host 127.0.0.1 port 47525, id=50, length=60 User-Name = "philippe" User-Password = "philippe" NAS-IP-Address = 192.168.1.3 NAS-Port = 0 [..] Tue Feb 17 15:38:25 2009 : Info: [ldap] performing user authorization for philippe Tue Feb 17 15:38:25 2009 : Info: [ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=philippe) Tue Feb 17 15:38:25 2009 : Info: [ldap] expand: cn=Users,dc=test,dc=fr -> cn=Users,dc=test,dc=fr Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: attempting LDAP reconnection Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: (re)connect to test.fr:389, authentication 0 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as cn=bindradius,cn=Users,dc=test,dc=fr/bindradius to test.fr:389 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ... Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: performing search in cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe) Tue Feb 17 15:38:25 2009 : Info: [ldap] looking for check items in directory... Tue Feb 17 15:38:25 2009 : Info: [ldap] looking for reply items in directory... Tue Feb 17 15:38:25 2009 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authorized to use remote access Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Feb 17 15:38:25 2009 : Info: ++[ldap] returns ok [..] Tue Feb 17 15:38:25 2009 : Info: Found Auth-Type = LDAP Tue Feb 17 15:38:25 2009 : Info: +- entering group LDAP {...} Tue Feb 17 15:38:25 2009 : Info: [ldap] login attempt by "philippe" with password "philippe" Tue Feb 17 15:38:25 2009 : Info: [ldap] user DN: CN=philippe,CN=Users,DC=test,DC=fr Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: (re)connect to test.fr:389, authentication 1 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ... Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated succesfully [..] Sending Access-Accept of id 50 to 127.0.0.1 port 47525 --------------------------------------------------------------------------------- With a real supplicant : --------------------------------------------------------------------------------- Tue Feb 17 15:40:50 2009 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=5, length=202 Framed-MTU = 1480 NAS-IP-Address = 192.168.1.1 NAS-Identifier = "SWiTCH" User-Name = "philippe" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 21 NAS-Port-Type = Ethernet NAS-Port-Id = "21" Called-Station-Id = "00-13-21-a8-24-40" Calling-Station-Id = "00-15-c5-06-84-d8" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "4" EAP-Message = 0x0201000d017068696c69707065 Message-Authenticator = 0x2e787b9c5fea331ecfc02e8c3b85c55c Tue Feb 17 15:41:28 2009 : Info: +- entering group authorize {...} Tue Feb 17 15:41:28 2009 : Info: ++[preprocess] returns ok Tue Feb 17 15:41:28 2009 : Info: ++[chap] returns noop Tue Feb 17 15:41:28 2009 : Info: ++[mschap] returns noop Tue Feb 17 15:41:28 2009 : Info: [suffix] No '@' in User-Name = "philippe", looking up realm NULL Tue Feb 17 15:41:28 2009 : Info: [suffix] No such realm "NULL" Tue Feb 17 15:41:28 2009 : Info: ++[suffix] returns noop Tue Feb 17 15:41:28 2009 : Info: [eap] EAP packet type response id 1 length 13 Tue Feb 17 15:41:28 2009 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Tue Feb 17 15:41:28 2009 : Info: ++[eap] returns updated Tue Feb 17 15:41:28 2009 : Info: ++[unix] returns notfound Tue Feb 17 15:41:28 2009 : Info: [files] users: Matched entry DEFAULT at line 1 Tue Feb 17 15:41:28 2009 : Info: ++[files] returns ok Tue Feb 17 15:41:28 2009 : Info: [ldap] performing user authorization for philippe Tue Feb 17 15:41:28 2009 : Info: [ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=philippe) Tue Feb 17 15:41:28 2009 : Info: [ldap] expand: cn=Users,dc=test,dc=fr -> cn=Users,dc=test,dc=fr Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: attempting LDAP reconnection Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: (re)connect to test.fr:389, authentication 0 Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: bind as cn=bindradius,cn=Users,dc=test,dc=fr/bindradius to test.fr:389 Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: waiting for bind result ... Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: Bind was successful Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: performing search in cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe) Tue Feb 17 15:41:28 2009 : Info: [ldap] looking for check items in directory... Tue Feb 17 15:41:28 2009 : Info: [ldap] looking for reply items in directory... Tue Feb 17 15:41:28 2009 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Tue Feb 17 15:41:28 2009 : Info: [ldap] user philippe authorized to use remote access Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Feb 17 15:41:28 2009 : Info: ++[ldap] returns ok Tue Feb 17 15:41:28 2009 : Info: ++[expiration] returns noop Tue Feb 17 15:41:28 2009 : Info: ++[logintime] returns noop Tue Feb 17 15:41:28 2009 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Tue Feb 17 15:41:28 2009 : Info: ++[pap] returns noop Tue Feb 17 15:41:28 2009 : Info: Found Auth-Type = EAP Tue Feb 17 15:41:28 2009 : Info: +- entering group authenticate {...} Tue Feb 17 15:41:28 2009 : Info: [eap] EAP Identity Tue Feb 17 15:41:28 2009 : Info: [eap] processing type md5 Tue Feb 17 15:41:28 2009 : Debug: rlm_eap_md5: Issuing Challenge Tue Feb 17 15:41:28 2009 : Info: ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.1.1 port 1024 EAP-Message = 0x01020016041005f180280d72810cb4b1b9fa2033ede2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x89d76e5089d56a6c48de80e818248c16 Tue Feb 17 15:41:28 2009 : Info: Finished request 0. Tue Feb 17 15:41:28 2009 : Debug: Going to the next request Tue Feb 17 15:41:28 2009 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=6, length=237 Framed-MTU = 1480 NAS-IP-Address = 192.168.1.1 NAS-Identifier = "SWiTCH" User-Name = "philippe" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 21 NAS-Port-Type = Ethernet NAS-Port-Id = "21" Called-Station-Id = "00-13-21-a8-24-40" Calling-Station-Id = "00-15-c5-06-84-d8" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "4" State = 0x89d76e5089d56a6c48de80e818248c16 EAP-Message = 0x0202001e041046b39f2ac453deec1f14d2b599506e377068696c69707065 Message-Authenticator = 0x57f0fce82988e78eeb9bc719d015033d Tue Feb 17 15:41:28 2009 : Info: +- entering group authorize {...} Tue Feb 17 15:41:28 2009 : Info: ++[preprocess] returns ok Tue Feb 17 15:41:28 2009 : Info: ++[chap] returns noop Tue Feb 17 15:41:28 2009 : Info: ++[mschap] returns noop Tue Feb 17 15:41:28 2009 : Info: [suffix] No '@' in User-Name = "philippe", looking up realm NULL Tue Feb 17 15:41:28 2009 : Info: [suffix] No such realm "NULL" Tue Feb 17 15:41:28 2009 : Info: ++[suffix] returns noop Tue Feb 17 15:41:28 2009 : Info: [eap] EAP packet type response id 2 length 30 Tue Feb 17 15:41:28 2009 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Tue Feb 17 15:41:28 2009 : Info: ++[eap] returns updated Tue Feb 17 15:41:28 2009 : Info: ++[unix] returns notfound Tue Feb 17 15:41:28 2009 : Info: [files] users: Matched entry DEFAULT at line 1 Tue Feb 17 15:41:28 2009 : Info: ++[files] returns ok Tue Feb 17 15:41:28 2009 : Info: [ldap] performing user authorization for philippe Tue Feb 17 15:41:28 2009 : Info: [ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=philippe) Tue Feb 17 15:41:28 2009 : Info: [ldap] expand: cn=Users,dc=test,dc=fr -> cn=Users,dc=test,dc=fr Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: performing search in cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe) Tue Feb 17 15:41:28 2009 : Info: [ldap] looking for check items in directory... Tue Feb 17 15:41:28 2009 : Info: [ldap] looking for reply items in directory... Tue Feb 17 15:41:28 2009 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Tue Feb 17 15:41:28 2009 : Info: [ldap] user philippe authorized to use remote access Tue Feb 17 15:41:28 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Feb 17 15:41:28 2009 : Info: ++[ldap] returns ok Tue Feb 17 15:41:28 2009 : Info: ++[expiration] returns noop Tue Feb 17 15:41:28 2009 : Info: ++[logintime] returns noop Tue Feb 17 15:41:28 2009 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Tue Feb 17 15:41:28 2009 : Info: ++[pap] returns noop Tue Feb 17 15:41:28 2009 : Info: Found Auth-Type = EAP Tue Feb 17 15:41:28 2009 : Info: +- entering group authenticate {...} Tue Feb 17 15:41:28 2009 : Info: [eap] Request found, released from the list Tue Feb 17 15:41:28 2009 : Info: [eap] EAP/md5 Tue Feb 17 15:41:28 2009 : Info: [eap] processing type md5 Tue Feb 17 15:41:28 2009 : Debug: rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication Tue Feb 17 15:41:28 2009 : Info: [eap] Handler failed in EAP/md5 Tue Feb 17 15:41:28 2009 : Info: [eap] Failed in EAP select Tue Feb 17 15:41:28 2009 : Info: ++[eap] returns invalid Tue Feb 17 15:41:28 2009 : Info: Failed to authenticate the user. Tue Feb 17 15:41:28 2009 : Info: Using Post-Auth-Type Reject Tue Feb 17 15:41:28 2009 : Info: +- entering group REJECT {...} Tue Feb 17 15:41:28 2009 : Info: [attr_filter.access_reject] expand: %{User-Name} -> philippe Tue Feb 17 15:41:28 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Feb 17 15:41:28 2009 : Info: ++[attr_filter.access_reject] returns updated Tue Feb 17 15:41:28 2009 : Info: Delaying reject of request 1 for 1 seconds Tue Feb 17 15:41:28 2009 : Debug: Going to the next request Tue Feb 17 15:41:28 2009 : Debug: Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=6, length=237 Tue Feb 17 15:41:29 2009 : Info: Waiting to send Access-Reject to client 192.168.1.1 port 1024 - ID: 6 Tue Feb 17 15:41:29 2009 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 6 to 192.168.1.1 port 1024 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 Tue Feb 17 15:41:29 2009 : Debug: Waking up in 3.9 seconds. Tue Feb 17 15:41:33 2009 : Info: Cleaning up request 0 ID 5 with timestamp +38 Tue Feb 17 15:41:33 2009 : Debug: Waking up in 0.9 seconds. Tue Feb 17 15:41:34 2009 : Info: Cleaning up request 1 ID 6 with timestamp +38 Tue Feb 17 15:41:34 2009 : Debug: Ready to process requests. -- View this message in context: http://www.nabble.com/Freeradius-with-OpenLDAP-and-AD.-tp22058186p22058186.h... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, I have several problems when I would like to link freeradius with AD using OpenLDAP.
Look up http://deployingradius.com/documents/configuration/active_directory.html to see how to inegrate with AD for pap and mschap/PEAP.
When I tried to test the binding of OpenLDAP to the AD with radtest, it responds Access-Accept (as you can see in the log after).
Yes.
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ... Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated succesfully
Ldap "bind as user" works for pap requests. And nothing else. This is documented in ldap module configuration file.
But when I wanted to check with a real supplicant (under WinXP with MD5-Challenge Auth) I got an access-reject.
EAP-MD5 authentication requires clear text password: http://deployingradius.com/documents/protocols/compatibility.html AD is not going to provide it via ldap. You can't use AD to authenticate with EAP-MD5. Obtaining a reversibly encrypted password from AD is propriatory MS stuff. You need IAS for that plus to enable reversible passwords for your users in Remote Access Policy. If this wasn't enabled already, reversible passwords will be created next time user changes the password (ie. all users will most likely need to enter new passwords). Ivan Kalik Kalik Informatika ISP
Would Kerberos authentication work with AD and EAP, or am I thinking too early in the day? On Tue, Feb 17, 2009 at 8:55 AM, <tnt@kalik.net> wrote:
Hi, I have several problems when I would like to link freeradius with AD using OpenLDAP.
Look up http://deployingradius.com/documents/configuration/active_directory.html to see how to inegrate with AD for pap and mschap/PEAP.
When I tried to test the binding of OpenLDAP to the AD with radtest, it responds Access-Accept (as you can see in the log after).
Yes.
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389 Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ... Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated succesfully
Ldap "bind as user" works for pap requests. And nothing else. This is documented in ldap module configuration file.
But when I wanted to check with a real supplicant (under WinXP with MD5-Challenge Auth) I got an access-reject.
EAP-MD5 authentication requires clear text password:
http://deployingradius.com/documents/protocols/compatibility.html
AD is not going to provide it via ldap. You can't use AD to authenticate with EAP-MD5. Obtaining a reversibly encrypted password from AD is propriatory MS stuff. You need IAS for that plus to enable reversible passwords for your users in Remote Access Policy. If this wasn't enabled already, reversible passwords will be created next time user changes the password (ie. all users will most likely need to enter new passwords).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Would Kerberos authentication work with AD and EAP, or am I thinking too early in the day?
No. Kerberos requires clear text passwords in the request. EAP-MD5 doesn't provide them. EAP-TTLS PAP will work - but native XP supplicant doesn't support that. You can get SecureW2 to do it. Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alan DeKok -
LEOSI -
SDamron -
tnt@kalik.net