Hi Guys I am using CentOS Linux release 7.6.1810 (Core) with all repository installed binaries [root@freeradpoc ~]# rpm -qa | egrep 'freeradius|samba|smb' samba-common-4.8.3-4.el7.noarch libsmbclient-4.8.3-4.el7.x86_64 samba-winbind-modules-4.8.3-4.el7.x86_64 freeradius-doc-3.0.13-10.el7_6.x86_64 freeradius-utils-3.0.13-10.el7_6.x86_64 samba-client-libs-4.8.3-4.el7.x86_64 samba-client-4.8.3-4.el7.x86_64 samba-libs-4.8.3-4.el7.x86_64 samba-winbind-clients-4.8.3-4.el7.x86_64 freeradius-3.0.13-10.el7_6.x86_64 freeradius-krb5-3.0.13-10.el7_6.x86_64 samba-common-libs-4.8.3-4.el7.x86_64 nagios-plugins-disk_smb-2.2.1-16.20180725git3429dad.el7.x86_64 samba-common-tools-4.8.3-4.el7.x86_64 samba-4.8.3-4.el7.x86_64 freeradius-ldap-3.0.13-10.el7_6.x86_64 samba-winbind-4.8.3-4.el7.x86_64 [root@freeradpoc ~]# I configured the winbind and joined it to the AD domain I configured Freeradius to use mschap with ntlm_auth to authenticate the users from AD This worked fine. I am now trying to configure the system to only allow authentication if a user belongs to a specific group on AD Below is my config that I added to the /etc/raddb/sites-enabled/default file in the post-auth section ----- ----- snip ----- ----- # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { if (Group == "Store_WiFi_Access") { noop } else { reject } # # If you need to have a State attribute, you can # add it here. e.g. for later CoA-Request with # State, and Service-Type = Authorize-Only. ----- ----- snip ----- ----- I am getting the following in the radiusd -X output ----- ----- snip ----- ----- Ready to process requests (0) Received Access-Request Id 89 from 127.0.0.1:58652 to 127.0.0.1:1812 length 134 (0) User-Name = "USER" (0) NAS-IP-Address = 172.20.191.111 (0) NAS-Port = 0 (0) Message-Authenticator = 0xdb40186f7a789c28e189db46fe6f52de (0) MS-CHAP-Challenge = 0xa73861b073389f3e (0) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000419d61181a4b646dee7a6c3639ce222a2f6445523d6f6f4b (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "USER", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 1 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{mschap:NT-Domain}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=USER (0) mschap: mschap1: a7 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=a73861b073389f3e (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=419d61181a4b646dee7a6c3639ce222a2f6445523d6f6f4b (0) mschap: ERROR: No NT-Domain was found in the User-Name (0) mschap: EXPAND --domain=%{mschap:NT-Domain} (0) mschap: --> --domain= (0) mschap: Program returned code (0) and output 'NT_KEY: 475C9726A51B871F423CD04286A9F0E4' (0) mschap: adding MS-CHAPv1 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) if (Group == "Store_WiFi_Access") { (0) Failed resolving GID: No error (0) if (Group == "Store_WiFi_Access") -> FALSE (0) else { (0) [reject] = reject (0) } # else = reject (0) } # post-auth = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> USER (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 89 from 127.0.0.1:1812 to 127.0.0.1:58652 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 89 with timestamp +4 Ready to process requests ---- ----- snip ----- ----- I need to find out why am I getting this message in the debug output {Failed resolving GID: No error} And if I am using the wrong variable to determine the AD group { if (Group == "Store_WiFi_Access")} I checked the OS /var/log/messages file to see if there is a clue why this is failing but nothing is written to this file. Any help will be helpful at the moment. Regards *Alex Jordaan* Linux Engineer -- Disclaimer: https://www.shopriteholdings.co.za/copyright-etc--statements/email-disclaime... <http://www.shopriteholdings.co.za/copyright-etc--statements/email-disclaimer.html>
Hi Alex Am 15.08.2019 um 14:13 schrieb Alex Jordaan: [...]
This worked fine.
I am now trying to configure the system to only allow authentication if a user belongs to a specific group on AD
Below is my config that I added to the /etc/raddb/sites-enabled/default file in the post-auth section ----- ----- snip ----- ----- # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { if (Group == "Store_WiFi_Access") { noop } else { reject
See: https://wiki.freeradius.org/modules/Rlm_ldap#group-support TL;DR: Use LDAP-Group instead. And for the full documentation as provided by NetworkRADIUS, also check out: https://networkradius.com/doc/current/raddb/mods-available/ldap.html If you have configure mods-available/ldap correctly you'd see it being loaded in the debug log output. Please remember that the list information mentions that when you provide debug log output, that you should provide all of it. (You snipped parts away) See: http://lists.freeradius.org/mailman/listinfo/freeradius-users -- Mathieu
On Thu, 2019-08-15 at 14:13 +0200, Alex Jordaan wrote:
I configured the winbind and joined it to the AD domain I configured Freeradius to use mschap with ntlm_auth to authenticate the users from AD
This worked fine.
I am now trying to configure the system to only allow authentication if a user belongs to a specific group on AD
You might be able to use the rlm_unix module to compare the group, when you're using winbind, but I wouldn't. You've already been advised to use the ldap module. Your debug output hasn't got either the unix or ldap modules in it. Configure rlm_ldap, and use that. It's the best solution for AD groups. Then you'll need to use "LDAP-Group" to compare instead of "Group". LDAP instructions are all on the wiki. -- Matthew
participants (3)
-
Alex Jordaan -
Mathieu Simon (Lists) -
Matthew Newton