ntlm_auth and AD authentication
freeradius2-2.1.7-2.el5 freeradius2-utils-2.1.7-2.el5 freeradius2-libs-2.1.7-2.el5 CentOS 5.2 I'm trying to get freeradius to authenticate with an AD server, using the instructions at http://deployingradius.com/documents/configuration/active_directory.html The initial confirmation of communication with AD is working. The instructions then say to try: ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password to confirm, and it looks like it's working. However, the instructions also indicate you should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication. However, whether I use ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password or ntlm_auth --domain=MYDOMAIN --username=user --password=password the output/response looks the same: NT_STATUS_OK: Success (0x0) which leads me to believe that the nt-key isn't being provided? What is the nt-key supposed to look like? If it's not showing up correctly, any ideas why? thanks Rick Rick Steeves http://www.sinister.net In reality nothing is more damaging to the adventurous spirit within a man than a secure future - Alexander Supertramp
On Mon, 2009-11-23 at 10:24 -0500, freeradius@corwyn.net wrote:
However, whether I use ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password or ntlm_auth --domain=MYDOMAIN --username=user --password=password
the output/response looks the same: NT_STATUS_OK: Success (0x0)
Hi Rick, That's ok I had the same working like a charm
At 10:24 AM 11/23/2009, freeradius@corwyn.net wrote:
to confirm, and it looks like it's working.
Hmm. I have two sets of authentication I care about, VPN Users, and Cisco switches. I'd like to be able to control access to each of those separately (different AD Security Groups, and different shared keys). I've found instructions for restricting ntlm_auth to a particular security group, but adding --require-membership-of={SID|Name} to the ntlm_auth command. But I can't puzzle out how I'd then have one set of authentication for one security group, and one set of authentication for a second security group. (currently any AD users works). Am I going to have to do something like create different modules (ntlm_auth and ntlm_auth2) radiusd.conf in the module section? Rick
On Mon, 2009-11-23 at 13:35 -0500, freeradius@corwyn.net wrote:
At 10:24 AM 11/23/2009, freeradius@corwyn.net wrote:
to confirm, and it looks like it's working.
Hmm. I have two sets of authentication I care about, VPN Users, and Cisco switches. I'd like to be able to control access to each of those separately (different AD Security Groups, and different shared keys).
I've found instructions for restricting ntlm_auth to a particular security group, but adding --require-membership-of={SID|Name} to the ntlm_auth command.
But I can't puzzle out how I'd then have one set of authentication for one security group, and one set of authentication for a second security group. (currently any AD users works).
Am I going to have to do something like create different modules (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
Rick
You need to create two separate entries in modules having two mschap entries .. sth like : mschap mschap_group1 { ... ntlm_auth = "your first ntlm_auth command" } mschap mschap_group2 { ... ntlm_auth = "your second ntlm_auth command" } and then have the respective mschaps used in the respective virtual servers for each client.
At 02:33 PM 11/23/2009, Paul Ryszka wrote:
On Mon, 2009-11-23 at 13:35 -0500, freeradius@corwyn.net wrote:
Am I going to have to do something like create different modules (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
You need to create two separate entries in modules having two mschap entries .. sth like : mschap mschap_group1 { ... ntlm_auth = "your first ntlm_auth command" } mschap mschap_group2 { ... ntlm_auth = "your second ntlm_auth command" } and then have the respective mschaps used in the respective virtual servers for each client.
I currently have (working) exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+VPN_Users" } so I'm not sure how that relates to mschap groups? I don't currently have a mschap group at all currently in the radiusd.conf file. Would I just create exec ntlm_auth_2 { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+Cisco_Users" } And how do I control which group is used for auth from a specific client? Rick
On Mon, 2009-11-23 at 15:05 -0500, freeradius@corwyn.net wrote:
At 02:33 PM 11/23/2009, Paul Ryszka wrote:
On Mon, 2009-11-23 at 13:35 -0500, freeradius@corwyn.net wrote:
Am I going to have to do something like create different modules (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
You need to create two separate entries in modules having two mschap entries .. sth like : mschap mschap_group1 { ... ntlm_auth = "your first ntlm_auth command" } mschap mschap_group2 { ... ntlm_auth = "your second ntlm_auth command" } and then have the respective mschaps used in the respective virtual servers for each client.
I currently have (working) exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+VPN_Users" }
so I'm not sure how that relates to mschap groups? I don't currently have a mschap group at all currently in the radiusd.conf file.
Would I just create exec ntlm_auth_2 { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+Cisco_Users" }
And how do I control which group is used for auth from a specific client?
Rick no you have to have two different modules look how mschap module looks like in the default config (there is a place for ntlm auth there) and just copy it twice you can choose the module in authorize section of virtual server so you have one virtual server with mschap_group1 and the other with mschap_group2.
At 02:33 PM 11/23/2009, Paul Ryszka wrote:
On Mon, 2009-11-23 at 13:35 -0500, freeradius@corwyn.net wrote:
Am I going to have to do something like create different modules (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
You need to create two separate entries in modules having two mschap entries .. sth like : mschap mschap_group1 { ... ntlm_auth = "your first ntlm_auth command" } mschap mschap_group2 { ... ntlm_auth = "your second ntlm_auth command" } and then have the respective mschaps used in the respective virtual servers for each client.
I currently have (working) exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+VPN_Users" }
so I'm not sure how that relates to mschap groups? I don't currently have a mschap group at all currently in the radiusd.conf file.
Would I just create exec ntlm_auth_2 { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.invtitle.com --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=int.example.com+Cisco_Users" }
And how do I control which group is used for auth from a specific client?
Are Cisco users sending pap or mschap requests. If it's pap just add after pap in authorize: if(!contol:Auth-Type) { update control { Auth-Type = "ntlm_auth_2" } } Ivan Kalik
I'm sorta struggling with the same thing, a la a single "NAS" (Cisco switch) requiring multiple auth types: 1,) VTY / enable access from NetEng group (in AD), 2.) 8021.x auth for everyone! Similar with VPN appliance, VTY's AND IPSec auths. The request type will differ for each type of requests, so it's "simply" a matter of uniquely identifying each type of request and performing the conditional processing. Easy right? :) I shared some emails with Ivan on this issue and got close, but then got involved in other things so never got fully resolved. Seems there are several ways to do it, but I THINK the common thread is to use unlang and / or hints to set the auth_type as required and/or direct the requests to a virtual server that does what you need. If / when I get this worked out I intend to publish a "How To", but if you beat me to it please share! I've spent MANY MANY hours on it thus far and now I've forgotten much of it! Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of freeradius@corwyn.net Sent: Monday, November 23, 2009 12:35 PM To: FreeRadius users mailing list; freeradius-users@lists.freeradius.org Subject: Re: ntlm_auth and AD authentication At 10:24 AM 11/23/2009, freeradius@corwyn.net wrote:
to confirm, and it looks like it's working.
Hmm. I have two sets of authentication I care about, VPN Users, and Cisco switches. I'd like to be able to control access to each of those separately (different AD Security Groups, and different shared keys). I've found instructions for restricting ntlm_auth to a particular security group, but adding --require-membership-of={SID|Name} to the ntlm_auth command. But I can't puzzle out how I'd then have one set of authentication for one security group, and one set of authentication for a second security group. (currently any AD users works). Am I going to have to do something like create different modules (ntlm_auth and ntlm_auth2) radiusd.conf in the module section? Rick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Gary Gatten wrote:
I'm sorta struggling with the same thing, a la a single "NAS" (Cisco switch) requiring multiple auth types: 1,) VTY / enable access from NetEng group (in AD), 2.) 8021.x auth for everyone! Similar with VPN appliance, VTY's AND IPSec auths. The request type will differ for each type of requests, so it's "simply" a matter of uniquely identifying each type of request and performing the conditional processing. Easy right?
Yes. a) write down what is in the request, and how you differentiate one type of request from another b) write down what replies you want to give for each type of request c) implement (a) and (b). People usually get stuck at (a). They want to treat "different" things "differently". But they don't know what "different" means. It's usually blindingly obvious: requests for MAC auth have username/password the same... and containing the MAC. EAP requests hae EAP-Message. ADSL requests come from a specific set of NASes. Alan DeKok.
Hmm. I have two sets of authentication I care about, VPN Users, and Cisco switches. I'd like to be able to control access to each of those separately (different AD Security Groups, and different shared keys).
I'm not sure what you mean by "different shared keys" - can you clarify? Also, perhaps I do not understand your requirement; but, I think you mean authorization, not authentication above. Authentication is validation of a user/password combination. Authorization is checking to determine what type of access (if any) a user should have to a device. If I haven't misunderstood what you're trying to do, then I would determine the type of access the user has in the authorization section. Personally, I use a perl module for authorization because we have many different types of devices/groups, including controlling access to several wireless networks. The perl module obtains the user's groups from LDAP (including their default group which isn't in the memberOf attribute) and uses a hash that specifies user/group/machine/container to nas mappings and optionally allows returning custom vsa's. This may be overkill for you, I'm not sure.. You could define multiple mschap modules (that's where ntlm_auth is defined) and use unlang to call the appropriate module. But, this would quickly become unmanageable if you have many different groups you want to test during authorization. If all you will ever have is two groups, then I suppose it wouldn't be an issue.
participants (6)
-
Alan DeKok -
freeradius@corwyn.net -
Garber, Neal -
Gary Gatten -
Paul Ryszka -
tnt@kalik.net