New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other than that it has something to do with editing the "realms" file. I also went to #freeradius on FreeNode, but it seemed there was rarely anyone in the channel. So here I am. I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that is a member of an AD domain via Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers). We have a multi-domain, single forest environment. I'm running two virtual servers, based on the defaults. I have the "campus-main" virtual server that is pretty much the exact same as the default, except that I have LDAP authentication enabled. This works perfectly and is able to authenticate users for all domains. I also have the "campus-eap" and "campus-inner-tunnel" virtual servers for EAP authentication that are the same as the "default" and "inner-tunnel" servers except for the names. (I copied them so I could make changes to the "campus-XXX" virtual servers and still have the originals for reference.) The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the "host\\computer.domain.name" users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members. Sooo... help? What's the basic idea behind making this work? Thanks! Justin McNutt Network Systems Analyst - Ninja DNPS, Mizzou Telecom (573) 882-5183 "Do you have a concussion?" Ping is NOT a service. You don't need it. Use a real test.
On 27/02/2011 18:08, McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other than that it has something to do with editing the "realms" file. I also went to #freeradius on FreeNode, but it seemed there was rarely anyone in the channel. So here I am. I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that is a member of an AD domain via Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers). We have a multi-domain, single forest environment. I'm running two virtual servers, based on the defaults. I have the "campus-main" virtual server that is pretty much the exact same as the default, except that I have LDAP authentication enabled. This works perfectly and is able to authenticate users for all domains. I also have the "campus-eap" and "campus-inner-tunnel" virtual servers for EAP authentication that are the same as the "default" and "inner-tunnel" servers except for the names. (I copied them so I could make changes to the "campus-XXX" virtual servers and still have the originals for reference.) The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the "host\\computer.domain.name" users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members. Sooo... help? What's the basic idea behind making this work?
Hi Justin, Could you send us the output of radiusd -X for a computer auth? If it works for users it should just work for machines. You'll need to make sure you have samba > 3.0.23 [IIRC] [which you seem to have] and your ntlm_auth line has to have an appropriately formatted User-Name bit e.g. %{mschap:User-Name} (the mschap module will take host\\computer.domain.name and turn it in to computer$ automatically). -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
Could you send us the output of radiusd -X for a computer auth?
Done. (See previous message with attachment.)
If it works for users it should just work for machines.
Perhaps under certain circumstances, but not for us, apparently. Perhaps it's the significant difference between the NT-style domain name and the AD-style domain name. Perhaps it's the multi-domain AD structure. I don't know. I do know that users can successfully authenticate - IF they supply a domain as part of their credentials - and computers cannot. Yet.
You'll need to make sure you have samba > 3.0.23 [IIRC] [which you seem to have] and your ntlm_auth line has to have an appropriately formatted User-Name bit e.g. %{mschap:User-Name} (the mschap module will take host\\computer.domain.name and turn it in to computer$ automatically).
Yup. Samba 3.5.4. Here's the ntlm_auth line used (from mschap module): ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Interestingly enough, the modules/ntlm_auth file contains something completely different, though I don't think it is in play: exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}" } --J
McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?
http://deployingradius.com/documents/configuration/active_directory.html It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)
The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the "host\\computer.domain.name" users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members.
So... what goes wrong?
Sooo... help? What's the basic idea behind making this work?
Post the debug log from a failed session. Alan DeKok.
McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?
http://deployingradius.com/documents/configuration/active_directory.html
It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)
If I recall, we used this walkthrough to get user authentication to work (which it does), but it still doesn't work for host authentication. This is keeping in mind that users' creds come across as "NT-LIKE-DOMAIN\\USERID" but hosts appear as "host\\computer.ad.domain.name" AND that "NT-LIKE-DOMAIN" and "ad.domain.name" do not look at all alike. I'll re-read the link, though, just to be sure.
So... what goes wrong?
For users, it's a number of things. Bad passwords. Attempts to use EAP-TLS or EAP-MD5 (which we don't support). Misspelled or missing domain names. That sort of thing. For the hosts, it Just Doesn't Work. I have yet to determine why. (More research.)
Post the debug log from a failed session.
Will do. (Pulling just the relevant bits out will be difficult, given the verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so it shouldn't take long.) --J
Two comments about posting logs ... #1 Post the entire log of radiusd -X (NOT -XX, that has a bunch of timestamps we don't need) and don't redact anything that's not privileged info, you can very easily remove the portion of the log that holds the answer to your questions. #2 your output of radiusd -X WILL CONTAIN your SSL cert passwords in CLEAR TEXT! So make sure you remember to scrub them of any info you don't want becoming public. Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of McNutt, Justin M. Sent: Sunday, February 27, 2011 2:05 PM To: FreeRadius users mailing list Subject: RE: New User and AD Question
McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?
http://deployingradius.com/documents/configuration/active_directory.ht ml
It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)
If I recall, we used this walkthrough to get user authentication to work (which it does), but it still doesn't work for host authentication. This is keeping in mind that users' creds come across as "NT-LIKE-DOMAIN\\USERID" but hosts appear as "host\\computer.ad.domain.name" AND that "NT-LIKE-DOMAIN" and "ad.domain.name" do not look at all alike. I'll re-read the link, though, just to be sure.
So... what goes wrong?
For users, it's a number of things. Bad passwords. Attempts to use EAP-TLS or EAP-MD5 (which we don't support). Misspelled or missing domain names. That sort of thing. For the hosts, it Just Doesn't Work. I have yet to determine why. (More research.)
Post the debug log from a failed session.
Will do. (Pulling just the relevant bits out will be difficult, given the verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so it shouldn't take long.) --J - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Removing the shared secrets, LDAP user passwords, etc. was the redacting I was talking about. That, and removing the thousands of messages related to other users' auth attempts, if I had had to do this on a production server. Fortunately, that wasn't necessary. I was able to get a valid debug log from the test server. --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Sallee, Stephen (Jake) Sent: Sunday, February 27, 2011 4:05 PM To: FreeRadius users mailing list Subject: RE: New User and AD Question
Two comments about posting logs ...
#1 Post the entire log of radiusd -X (NOT -XX, that has a bunch of timestamps we don't need) and don't redact anything that's not privileged info, you can very easily remove the portion of the log that holds the answer to your questions.
#2 your output of radiusd -X WILL CONTAIN your SSL cert passwords in CLEAR TEXT! So make sure you remember to scrub them of any info you don't want becoming public.
Jake Sallee Godfather Of Bandwidth Network Engineer
Fone: 254-295-4658 Phax: 254-295-4221
-----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius .org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.fr eeradius.org] On Behalf Of McNutt, Justin M. Sent: Sunday, February 27, 2011 2:05 PM To: FreeRadius users mailing list Subject: RE: New User and AD Question
McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?
http://deployingradius.com/documents/configuration/active_directory.ht
ml
It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)
If I recall, we used this walkthrough to get user authentication to work (which it does), but it still doesn't work for host authentication. This is keeping in mind that users' creds come across as "NT-LIKE-DOMAIN\\USERID" but hosts appear as "host\\computer.ad.domain.name" AND that "NT-LIKE-DOMAIN" and "ad.domain.name" do not look at all alike.
I'll re-read the link, though, just to be sure.
So... what goes wrong?
For users, it's a number of things. Bad passwords. Attempts to use EAP-TLS or EAP-MD5 (which we don't support). Misspelled or missing domain names. That sort of thing.
For the hosts, it Just Doesn't Work. I have yet to determine why. (More research.)
Post the debug log from a failed session.
Will do. (Pulling just the relevant bits out will be difficult, given the verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so it shouldn't take long.)
--J - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Removing the shared secrets, LDAP user passwords, etc. was the redacting I was talking about. That, and removing the thousands of messages related to other users' auth attempts, if I had had to do this on a production server.
you can use radmin do get a full debug of a single client/NAS etc (depending on choice of debug filter expression). very very handy alan
Should I post the debug log here, or a pastebin, or...? --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan DeKok Sent: Sunday, February 27, 2011 1:51 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?
http://deployingradius.com/documents/configuration/active_dire ctory.html
It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)
The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the "host\\computer.domain.name" users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members.
So... what goes wrong?
Sooo... help? What's the basic idea behind making this work?
Post the debug log from a failed session.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Very well. Attached. :) --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 28, 2011 2:51 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
Hi,
Should I post the debug log here, or a pastebin, or...?
quick answer? post it here
want to wait until someone can be bothered to go to some random web page? pastebin
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, in your campus-eap virtual server you are not making a call to eg the prefix module (put straight after the preprocess module) ie preprocess suffix ntdomain do this in the authorization and preacct sections to handle these better alan
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the "authorize" section of the campus-eap virtual server (this is the default, I believe).
From the debug log, request 9:
server campus-eap { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/doit-tcb-agl.col.missouri.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop The preacct section of raddb/sites-available/campus-eap has this as well. Several files make mention of the "realm" module. In this case, I'm trying to use "DOIT-TCB-AGL" as the "user name" and "COL.MISSOURI.EDU" as the realm (or domain). What I'm not clear on is how to code a realm { } section to match this: "host/$USER.$REALM" where the first dot is a delimiter, the remaining dots are part of the realm, and the prefix "host/" is only used to identify that this section should be used to process the ID. Or am I going off in the completely wrong direction here? --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 28, 2011 3:16 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
hi,
in your campus-eap virtual server you are not making a call to eg the prefix module (put straight after the preprocess module)
ie
preprocess suffix ntdomain
do this in the authorization and preacct sections to handle these better
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'll try it, but I've read it, and I don't see how this (from realm module): # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" } Is going to apply to this: User-Name = "host/doit-tcb-agl.col.missouri.edu" --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 28, 2011 4:42 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
Hi,
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the "authorize" section of the campus-eap virtual server (this is the default, I believe).
just add ntdomain as i said
read the realm module for description about fall through
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
First, is your last name really "McNutt"? And, have you ever been by the house near MU that has camels and zebras in the front yard? ----- Original Message ----- From: McNutt, Justin M. [mailto:McNuttJ@missouri.edu] Sent: Monday, February 28, 2011 04:52 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: New User and AD Question I'll try it, but I've read it, and I don't see how this (from realm module): # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" } Is going to apply to this: User-Name = "host/doit-tcb-agl.col.missouri.edu" --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 28, 2011 4:42 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
Hi,
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the "authorize" section of the campus-eap virtual server (this is the default, I believe).
just add ntdomain as i said
read the realm module for description about fall through
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Yes, and no, respectively. My wife has taken the kids there, but I have never been. --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Gary Gatten Sent: Monday, February 28, 2011 5:34 PM To: 'freeradius-users@lists.freeradius.org' Subject: Re: New User and AD Question: OT hijack
First, is your last name really "McNutt"? And, have you ever been by the house near MU that has camels and zebras in the front yard?
----- Original Message ----- From: McNutt, Justin M. [mailto:McNuttJ@missouri.edu] Sent: Monday, February 28, 2011 04:52 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: New User and AD Question
I'll try it, but I've read it, and I don't see how this (from realm module):
# # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" }
Is going to apply to this:
User-Name = "host/doit-tcb-agl.col.missouri.edu"
--J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 28, 2011 4:42 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
Hi,
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the "authorize" section of the campus-eap virtual server (this is the default, I believe).
just add ntdomain as i said
read the realm module for description about fall through
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ha, sweet... ----- Original Message ----- From: McNutt, Justin M. [mailto:McNuttJ@missouri.edu] Sent: Monday, February 28, 2011 05:53 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: New User and AD Question: OT hijack Yes, and no, respectively. My wife has taken the kids there, but I have never been. --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Gary Gatten Sent: Monday, February 28, 2011 5:34 PM To: 'freeradius-users@lists.freeradius.org' Subject: Re: New User and AD Question: OT hijack
First, is your last name really "McNutt"? And, have you ever been by the house near MU that has camels and zebras in the front yard?
----- Original Message ----- From: McNutt, Justin M. [mailto:McNuttJ@missouri.edu] Sent: Monday, February 28, 2011 04:52 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: New User and AD Question
I'll try it, but I've read it, and I don't see how this (from realm module):
# # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" }
Is going to apply to this:
User-Name = "host/doit-tcb-agl.col.missouri.edu"
--J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 28, 2011 4:42 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
Hi,
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the "authorize" section of the campus-eap virtual server (this is the default, I believe).
just add ntdomain as i said
read the realm module for description about fall through
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Hi,
I'll try it, but I've read it, and I don't see how this (from realm module):
# # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" }
Is going to apply to this:
User-Name = "host/doit-tcb-agl.col.missouri.edu"
ignore me. i'm tired. yes, this is a little bit of pain. you'll be best off using a bit of unlang eg (put this in the authorize section of your main virtual server) if ( User-Name =~ /^host\//i ) { if ( User-Name =~ /\\.col\\.missouri\\.edu$/i ) { update control { Proxy-To-Realm := "col.missouri.edu" } } } this will then throw the packet to the the part of proxy.conf that has col.missouri.edu a bit of regex foo and you can use %{1} return operators etc rather than hardcode things if you want.... alternatively you can deal with what you know as yours and then identity what isnt yours and reject or proxy them machine auth can be pretty nasty... alan
ignore me. i'm tired. yes, this is a little bit of pain.
I understand. I wondered about that when I saw the ac.uk. You must be working hours similar to mine. (That is, all of them.)
you'll be best off using a bit of unlang eg (put this in the authorize section of your main virtual server)
if ( User-Name =~ /^host\//i ) { if ( User-Name =~ /\\.col\\.missouri\\.edu$/i ) { update control { Proxy-To-Realm := "col.missouri.edu" } } }
this will then throw the packet to the the part of proxy.conf that has col.missouri.edu
a bit of regex foo and you can use %{1} return operators etc rather than hardcode things if you want.... alternatively you can deal with what you know as yours and then identity what isnt yours and reject or proxy them
machine auth can be pretty nasty...
That looks like Perl. Perl, I can deal with. I do have multiple domains to attack. If I can come up with something generic that works for at least two domains, I'll post it here. Looks predictable enough. I'm thinking along the lines of something like this: # BOL, "host", a slash, one or more non-dot characters, a dot, # one or more non-whitespace chars, EOL. if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { update control { Proxy-To-Realm := %{2}; } } I have two toddlers crawling on me at the moment (literally), so I haven't checked unlang syntax, but from Perl, that's more or less what it would look like. %{1} would contain the host name. Do I need to update the User-Name to just %{1} and/or update other fields related to the realm (domain)? It may be difficult to try this before tomorrow morning, since I'm now off site, but I'll at least work at it until "radiusd -X" is happy with it. Thanks! --J
That looks like Perl. Perl, I can deal with. I do have multiple domains to attack. If I can come up with something generic that works for at least two domains, I'll post it here. Looks predictable enough. I'm thinking along the lines of something like this:
# BOL, "host", a slash, one or more non-dot characters, a dot, # one or more non-whitespace chars, EOL. if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { update control { Proxy-To-Realm := %{2}; } }
I have two toddlers crawling on me at the moment (literally), so I haven't checked unlang syntax, but from Perl, that's more or less what it would look like. %{1} would contain the host name. Do I need to update the User-Name to just %{1} and/or update other fields related to the realm (domain)?
Yes, that's correct. If you have multiple realms you may want to use a case statement
# BOL, "host", a slash, one or more non-dot characters, a dot, # one or more non-whitespace chars, EOL. if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { switch "%{2}" { case 'my-domain-string-1' { update control { Proxy-To-Realm := 'my-domain-1' } } case 'my-domain-string-2' { update control { Proxy-To-Realm := 'my-domain-1' } } case 'my-domain-string-3' { update control { Proxy-To-Realm := 'my-domain-2' } } case { # Domain not recognised } } }
It may be difficult to try this before tomorrow morning, since I'm now off site, but I'll at least work at it until "radiusd -X" is happy with it.
-Arran
# BOL, "host", a slash, one or more non-dot characters, a dot, # one or more non-whitespace chars, EOL. if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { switch "%{2}" { case 'my-domain-string-1' { update control { Proxy-To-Realm := 'my-domain-1' } } case 'my-domain-string-2' { update control { Proxy-To-Realm := 'my-domain-1' } } case 'my-domain-string-3' { update control { Proxy-To-Realm := 'my-domain-2' } } case { # Domain not recognised } } }
I took this code and modified it, assuming that if the code I wrote before (which tries to use "COL.MISSOURI.EDU" as the realm) doesn't work, I can use the code above to take FOO.MISSOURI.EDU and proxy to the NT domain FOO-USERS, which is more than just massaging the User-Name field. The switch statement will be necessary to translate the AD domain into the correct NT domain. "radiusd -XC" likes it. Hopefully, I'll be able to tell if one or both of these schemes works fairly early tomorrow. Thanks! --J
Hi,
I took this code and modified it, assuming that if the code I wrote before (which tries to use "COL.MISSOURI.EDU" as the realm) doesn't work, I can use the code above to take FOO.MISSOURI.EDU and proxy to the NT domain FOO-USERS, which is more than just massaging the User-Name field. The switch statement will be necessary to translate the AD domain into the correct NT domain.
this stuff doesnt touch the User-Name - it just looks at it and alters the servers proxy choosing behaviour which is what makes it useful and powerful. the language is 'unlang' - its a built in parser in freeradius - making the server very powerful by being able to actually put coding logic into the config files....in short its brilliant. 'man unlang' for more info
"radiusd -XC" likes it. Hopefully, I'll be able to tell if one or both of these schemes works fairly early tomorrow.
I was going to suggest a session of radiusd -X because in the output you can actually SEE the logic decisions being made - which really really helps with dealing with false/true hits where you might not expect them.. the old 'why didnt that match?' question gets answered very quickly alan
this stuff doesnt touch the User-Name - it just looks at it and alters the servers proxy choosing behaviour which is what makes it useful and powerful.
It's not doing it correctly yet. See previous message.
the language is 'unlang' - its a built in parser in freeradius - making the server very powerful by being able to actually put coding logic into the config files....in short its brilliant. 'man unlang' for more info
Yup. I've been reading that, but it's a lot to digest in a short amount of time. Working on that.
"radiusd -XC" likes it. Hopefully, I'll be able to tell if one or both of these schemes works fairly early tomorrow.
I was going to suggest a session of radiusd -X because in the output you can actually SEE the logic decisions being made - which really really helps with dealing with false/true hits where you might not expect them.. the old 'why didnt that match?' question gets answered very quickly
I sent a relevant snippet in my last message (unredacted in any way). The worst part of what I sent just now is that it was no longer attempting EAP. LDAP auth for the "host/blah.blah" will never work, since the computer doesn't have a cleartext password. It's going to have to go through mschap if it's going to succeed. I think. (Feel free to tell me I'm nuts...) --J
if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
Something's wrong with the regex here. From the config: if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {
From radiusd -X:
User-Name = "host/dnps-caplap-4.col.missouri.edu" ... ? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -> FALSE I removed the ^ and $ anchors and got better results, but still not working: +- entering group authorize {...} ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...} +++[control] returns notfound ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound ++[preprocess] returns ok Here's the code it's trying to execute. There must be something wrong with the update control section: if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) { update control { Proxy-To-Realm := %{2} } } This looks related: WARNING: You set Proxy-To-Realm = %{2}, but the realm does not exist! Cancelling invalid proxy request. I changed the %{2} to $2, but it does basically the same thing: WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request. Here's more context as to what it's doing. Basically, the User-Name and NT-Domain (nor realm) are getting changed into something usable by ntlm_auth. rad_recv: Access-Request packet from host 128.206.131.253 port 20007, id=9, length=209 NAS-Port-Id = "AP85/1" Calling-Station-Id = "00-90-4B-2F-80-B4" Called-Station-Id = "5C-E2-86-00-15-C0:Eddies Office" Service-Type = Framed-User EAP-Message = 0x0201002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475 User-Name = "host/dnps-caplap-4.col.missouri.edu" NAS-Port = 479 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 128.206.131.253 NAS-Identifier = "nortel" Message-Authenticator = 0xa6b9a66a7a99f19b8adc326da2ad0052 server campus-eap { +- entering group authorize {...} ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...} +++[control] returns notfound ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/dnps-caplap-4.col.missouri.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/dnps-caplap-4.col.missouri.edu", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] Request is supposed to be proxied to Realm $2. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound [files] expand: %{Client-IP-Address} -> 128.206.131.253 rlm_ldap: Entering ldap_groupcmp() [files] expand: DC=edu -> DC=edu [files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu)) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: %{Client-IP-Address} -> 128.206.131.253 rlm_ldap: Entering ldap_groupcmp() [files] expand: DC=edu -> DC=edu [files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu)) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request. No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 479 cli 00-90-4B-2F-80-B4) } # server campus-eap Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/dnps-caplap-4.col.missouri.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 43 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 43 Sending Access-Reject of id 9 to 128.206.131.253 port 20007 Waking up in 4.9 seconds.
if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) { update control { Proxy-To-Realm := "%{2}" } }
Part of my troubleshooting involved changing the code to this: if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) { switch "%{2}" { case 'col.missouri.edu' { update control { Proxy-To-Realm := 'UMC-USERS' } } case 'um.umsystem.edu' { update control { Proxy-To-Realm := 'UM-USERS' } } } } Now it matches, but something about the regex is still wrong (mainly, the multi-character captures) because it's not expanding correctly. Short version: ... User-Name = "host/dnps-caplap-4.col.missouri.edu" ... +- entering group authorize {...} ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...} expand: %{2} -> s +++- entering switch %{2} {...} ++++- switch %{2} returns notfound +++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound ++[preprocess] returns ok So... %{2} expands to 's', which could be the 's' in 'dnps' or one of the 's' in 'missouri'. Definitely going to have to re-write this regex somewhat. :/ Suggestions welcome. Here's the logic behind the original regex: # "host", a slash, one or more non-dot characters, a dot, # one or more non-whitespace chars. I'd like to use the Beginning Of Line and End Of Line anchors as well, but I'm going to have to figure out why the rest of it is failing before I can add those restrictions. Btw, thanks for the help so far. Much appreciated! --J
On 03/01/2011 05:25 PM, McNutt, Justin M. wrote:
Now it matches, but something about the regex is still wrong (mainly, the multi-character captures) because it's not expanding correctly. Short version:
These look like MS-CHAP machine-auth usernames; have you considered using: %{mschap:User-Name} %{mschap:NT-Domain} The mschap module has special handling for host/ names, and these will expand: host/name.domain.com to: name$ domain.com The trailing dollar sign on the hostname is intentional; SAM account names for machines conventionally end in $ in windows.
These look like MS-CHAP machine-auth usernames; have you considered using:
%{mschap:User-Name} %{mschap:NT-Domain}
The mschap module has special handling for host/ names, and these will expand:
host/name.domain.com
to:
name$ domain.com
The trailing dollar sign on the hostname is intentional; SAM account names for machines conventionally end in $ in windows.
I'm aware of all of this. The problem is, it doesn't seem to be actually working. Here's the ntlm_auth command I'm using: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this, "host/computer.domain" login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses. --J
McNutt, Justin M. wrote:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this, "host/computer.domain" login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses.
And what happens when you try to run ntlm_auth on the command-line? i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters. Alan DeKok.
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters.
I haven't, partly because it works for users, partly because it seemed that some others had done this already and might have been able to tell me what I'm doing incorrectly, and partly because I don't know what you mean by "take the string printed by the server". What is "the string" in this case? --J
Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this, "host/computer.domain" login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses.
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters.
Also, here is the 'mschap' section from a recent attempt. Note that the User-Name attribute is not changed to 'dnps-caplap-4$' nor is the NT-Domain attribute set to 'col.missouri.edu'. The User-Name attribute is being left unchanged and the NT-Domain attribute is set to 'col'. So something in mschap is broken? Perhaps is an old bug? This is version 2.1.7 (built a little over a year ago, Dec. 2009). --J
On 02/03/11 12:32, McNutt, Justin M. wrote:
Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this, "host/computer.domain" login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses.
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters.
Also, here is the 'mschap' section from a recent attempt.
I don't see anything. Did you forget an attachment?
So something in mschap is broken? Perhaps is an old bug? This is version 2.1.7 (built a little over a year ago, Dec. 2009).
I don't think so. That code has been unchanged for a *long* time.
Also, here is the 'mschap' section from a recent attempt.
I don't see anything. Did you forget an attachment?
Um... yeah. I'm doing a couple of things at once. Here it is. Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details ## NOTE THE NEXT THREE LINES: [mschap] expand: %{User-Name:-None} -> host/dnps-caplap-4.col.missouri.edu [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=col [mschap] mschap2: e8 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=665bcdce0a4676a0 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ac910bfec0608f8f666352ef38ffdd6d6298a98ef35b9b41
So something in mschap is broken? Perhaps is an old bug? This is version 2.1.7 (built a little over a year ago, Dec. 2009).
I don't think so. That code has been unchanged for a *long* time.
--J
On 02/03/11 12:41, McNutt, Justin M. wrote:
Also, here is the 'mschap' section from a recent attempt.
I don't see anything. Did you forget an attachment?
Um... yeah. I'm doing a couple of things at once. Here it is.
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details ## NOTE THE NEXT THREE LINES: [mschap] expand: %{User-Name:-None} -> host/dnps-caplap-4.col.missouri.edu
As expected - User-Name expands to itself.
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu
That is not "%{mschap:User-Name}". i.e. it's misconfigured
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=col
Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion assumes that in a host account of the form: host/username.domain.com ...the old-style short domain is "domain". Of course, this falls apart if you have a disjoint DNS/AD namespace: host/username.subdomain.domain.com ...or if your new-style DNS domain and old-style NT domain don't match: host/username.mycompany.com vs. NT domain of "CORP" - mycompany != CORP The only real solution in this case is to not use the %{mschap:NT-Domain} expansion - you can't, since there's not enough info to get the old-style short domain name in all cases. So, in /etc/raddb/modules/mschap, set (don't include the line continuation \ I've added): ntlm_auth = "/path/to/ntlm_auth --request-nt-key \ --username=%{mschap:User-Name} --domain=YOURDOMAIN \ --challenge=... --nt-response=..."
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu
That is not "%{mschap:User-Name}". i.e. it's misconfigured
Actually, I tried it both ways, since the longer string shown above was the default.
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=col
Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion assumes that in a host account of the form:
host/username.domain.com
...the old-style short domain is "domain". Of course, this falls apart if you have a disjoint DNS/AD namespace:
host/username.subdomain.domain.com
...or if your new-style DNS domain and old-style NT domain don't match:
host/username.mycompany.com vs. NT domain of "CORP" - mycompany != CORP
And this is the case. AD domain = col.missouri.edu NT domain = UMC-USERS
The only real solution in this case is to not use the %{mschap:NT-Domain} expansion - you can't, since there's not enough info to get the old-style short domain name in all cases.
So, in /etc/raddb/modules/mschap, set (don't include the line continuation \ I've added):
ntlm_auth = "/path/to/ntlm_auth --request-nt-key \ --username=%{mschap:User-Name} --domain=YOURDOMAIN \ --challenge=... --nt-response=..."
Good news: Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4) +- entering group post-auth {...} ++[exec] returns noop } # server campus-eap Sending Access-Accept of id 179 to 128.206.131.253 port 20009 Bad news: I have a multi-domain environment. If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate. How can I make it recognize the others and behave correctly? It's fine if I have to write some code using string matching and switch/case. But I can't restrict access to only one domain. --J
Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4) +- entering group post-auth {...} ++[exec] returns noop } # server campus-eap Sending Access-Accept of id 179 to 128.206.131.253 port 20009
Cool.
Bad news:
I have a multi-domain environment. If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate. How can I make it recognize the others and behave correctly?
It's fine if I have to write some code using string matching and switch/case. But I can't restrict access to only one domain.
I think you'll have to do that. The tedious bit is matching the domains in the regexps. My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary: ATTRIBUTE My-NT-Domain 3003 string ...and set this in your regexps: if (User-Name =~ /host[/].+[.]domain.com/) { update request { My-NT-Domain = "DOMAIN.COM" } } elsif (...) { } ...then in your ntlm_auth helper, do: ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary:
ATTRIBUTE My-NT-Domain 3003 string
...and set this in your regexps:
if (User-Name =~ /host[/].+[.]domain.com/) { update request { My-NT-Domain = "DOMAIN.COM" } } elsif (...) { }
...then in your ntlm_auth helper, do:
ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
That is brilliant! We are going to deploy a second domain this summer, I was wondering exactly how I would make our FR server work with both. I am definitely going to give this a try! Jake Sallee Network Engineer University of Mary Hardin-Baylor Fone: 254-295-4658 Phax: 254-295-4221
Hi,
That is brilliant! We are going to deploy a second domain this summer, I was wondering exactly how I would make our FR server work with both. I am definitely going to give this a try!
we just use the failover method..... have 2 copies of the mschap module - each with labels to mark them, then in the eap.conf we query one, then, if it fails, we query the other. simple. eg Auth-Type MS-CHAP { if("%{User-Name}" =~ /@/){ group { NEWAD-withrealm { reject = 1 ok = return } OLDAD-withrealm { reject = 1 ok = return } } } else { NEWAD { reject = 1 ok = return } OLDAD { reject = 1 ok = return } } } NEWAD calls ntlm_auth against the new domain, OLDAD called ntlm_auth against the old domain. the -withrealm does similar thing but deals with user authentication where '@ourrealm' appears. the joy of FreeRADIUS is the flexibility with which you can tackle any issues that come your way... :-) alan
I think you'll have to do that. The tedious bit is matching the domains in the regexps.
My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary:
ATTRIBUTE My-NT-Domain 3003 string
Done.
...then in your ntlm_auth helper, do:
ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
Done. Works: [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} -> --domain=umad.umsystem.edu (We'll get back to that "deprecated conditional" part later, assuming it's not part of the problem.)
...and set this in your regexps:
if (User-Name =~ /host[/].+[.]domain.com/) { update request { My-NT-Domain = "DOMAIN.COM" } } elsif (...) { }
I had this whole long e-mail about how it wasn't working yet the way I expected and wasn't matching all the time and blah blah blah. I was copying some more stuff out of the debug output to paste in here when I saw this: Sending tunneled request EAP-Message = 0x0208002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/dnps-caplap-4.col.missouri.edu" server campus-inner-tunnel { +- entering group authorize {...} ... "campus-inner-tunnel" ... I'm working on the wrong virtual server! I mean, the variables were getting matched and modified, but only on the outer tunnel (campus-eap)! Curses! So I moved (*moved*, not *copied*) the "if User-Name =~ /stuff/" block to the 'campus-inner-tunnel' virtual server's config just after the "suffix" and "ntdomain" items are called, and bingo! My-NT-Domain is set correctly and the host is able to get in. NOTE: This successful test was done AFTER the output you see above that references "umad.umsystem.edu". The domain "umad.umsystem.edu" is a valid domain here, but there are no computers in it. I was using that domain so I could see if the expansion was working, not getting modified, or what. It also means that it won't work by accident due to my defaults. It all has to work or it breaks. So I now KNOW that this stuff you guys have been helping me set up works THE WAY WE ALL THINK IT SHOULD, not just by accident. Totally awesome. I may set up the eventual production box to have a more tolerant default, but this was perfect for testing. We'll see. Anyway, now that this part is working, I'm going to double-check that I haven't now broken user-based auth. If not, I'm going to try to re-write the pattern match to actually pull the domain name out as %{1} so it works for all domains using one bit of code, rather than hard-coding in every domain I deem as "valid". Whatever it ends up working, I'll respond back to the list, since it sounds like at least one other person was interested in making this work soon. Thanks very much for all the help, everyone. This has been enlightening. --J
Holy crap, it works! I spent some time un-doing as many of the other changes as I could find (that is, anything that deviates from the default and isn't shown below). So what follows should be everything needed to make this work. STEP 1: CUSTOM ATTRIBUTE =========================
My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary: ATTRIBUTE My-NT-Domain 3003 string
This was done exactly as shown. STEP 2: UPDATE MSCHAP MODULE TO USE CUSTOM ATTRIBUTE, IF SET =============================================================
ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
This was modified slightly to preserve DOMAIN\USER authentication attempts. Here's what I have working in /etc/raddb/modules/mschap (prettified with the backslashes only for readability here): ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name} \ --domain=%{My-NT-Domain:-%{mschap:NT-Domain}} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}" Now this generates the following messages:
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} -> --domain=col.missouri.edu
So I changed it to use --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}. That cleared up the warning messages. You can also set it to default to one domain or another, or (I suppose) fall through both variables to a default domain. I haven't bothered with this. Yet. STEP 3: SET UP REGEX TO GRAB AD-STYLE DOMAIN NAME FOR HOST AUTH ================================================================ This part goes ONLY IN THE inner-tunnel VIRTUAL SERVER DEFINITION when doing EAP authentication. At one time, I had these bits in both the outer and inner virtual servers. In my case, I only care about EAP authentication, so I reverted the outer tunnel to the defaults and made these changes to the inner-tunnel virtual server. If you aren't doing EAP, or you aren't sure, you can add this code to the outer virtual server without problems (as far as I can tell). Anyway, here's the code: # suffix # ntdomain # Match 'host', then a slash, then the computer name # (stuff that's not a dot), then a dot. # Grab everything after that and use it as the domain. if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) { update request { My-NT-Domain = "%{1}" } } The "suffix" and "ntdomain" lines are shown for context, to show *where* I have this code, and also to demonstrate that this works with the "ntdomain" part commented out. Any shenanigans with THIS\THAT User-Name values are handled correctly by mschap, so it's unnecessary to play with it here. STEP 4: IT WORKS, BUT GOOD LORD, *WHY*? ======================================== IF IT'S A HOST ACCOUNT: - Anything after the first "dot" in the computer's FQDN is pulled out and assigned to the custom attribute My-NT-Domain. - User-Name is still "host/COMPUTER.DOMAIN" - My-NT-Domain is "DOMAIN" - %{mschap:NT-Domain} is in a "don't care" state. My-NT-Domain overrides it. - ntlm_auth is called and My-NT-Domain is used for the --domain part, since it has a value. - It works! IF IT IS NOT A HOST ACCOUNT: - It is extremely unlikely that the User-Name variable will match "host/foo.bar", so My-NT-Domain remains unset. - With My-NT-Domain unset, ntlm-auth uses %{mschap:NT-Domain} instead, which is what we were doing with only user accounts anyway. - It works! IF YOU LOGGED INTO A WINDOWS MACHINE USING A LOCAL ACCOUNT: If it's XP, this isn't going to work. Even though the XP machine is a member of the domain and has successfully authenticated, XP will switch over to the user ID you used to log in. Since that's a local account, this will fail. WORKAROUND (XP): You can go into "View Wireless Networks", select the network, click "Connect". Wait a few seconds and a bubble will appear above the systray prompting you for credentials. I used "DOMAIN\USER" format in the "User" field, my password in the obvious place, and left the "Domain" field blank. After that, whenever I logged in using that same local account, XP cached my domain user's credentials for logging into the network. WORKAROUND (Vista/Win7): I believe Windows Vista and newer can be configured so that the computer does not try to re-authenticate upon user login. That is, it can be made to log in using the AD host account and just stay there forever, thus enabling the use of whatever local accounts you like. I HAVE ONLY READ ABOUT THIS AND NEVER TESTED IT. I plan to work on this next. I'll post my results, if no one else beats me to it. Many thanks to everyone on the freeradius-users mailing list, including Alan, Alan, and Phil for your insights on this. And anyone, please chime in if there are any obvious pitfalls in this method or better ways to implement this short of messing with the source code. --J
So, in /etc/raddb/modules/mschap, set (don't include the line continuation \ I've added):
ntlm_auth = "/path/to/ntlm_auth --request-nt-key \ --username=%{mschap:User-Name} --domain=YOURDOMAIN \ --challenge=... --nt-response=..."
More good news (though expected): This change did not break authentication for users. Both users and computers in DOMAIN (whether specified as col.missouri.edu or UMC-USERS) can now authenticate. Still leaves the multi-domain problem, though. :( --J
Hi,
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details ## NOTE THE NEXT THREE LINES: [mschap] expand: %{User-Name:-None} -> host/dnps-caplap-4.col.missouri.edu [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=col [mschap] mschap2: e8 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=665bcdce0a4676a0 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ac910bfec0608f8f666352ef38ffdd6d6298a98ef35b9b41
this output does not match with what you claim to have been using. please ensure that your ntlm_auth configuration is correct and the right one is being called. (this one in debug is looking at %{Stripped-User-Name} etc - you claimed to be using %{mschap:User-Name} alan
this output does not match with what you claim to have been using.
please ensure that your ntlm_auth configuration is correct and the right one is being called. (this one in debug is looking at %{Stripped-User-Name} etc - you claimed to be using %{mschap:User-Name}
That's a test that I ran this morning, taking the "--username" section from the example ntlm_auth line in the mschap module. Since it didn't work, I set it back to ${mschap:User-Name}. I pasted the results anyway because they are exactly the same as when I use %{mschap:User-Name}. Mschap config has definitely been changed back to %{mschap:User-Name}. Working on a few tests based on Phil Mayers' last reply. --J
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters.
I dug through the debug output and presumed that you meant, "do this from the command line": wbinfo --all-domains - good check that winbind isn't screwy - test passed ntlm_auth --request-nt-key --username='dnps-caplap-4$' --domain=col.missouri.edu --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug) The result was: NT_KEY: (long hex string) If I change the username to a bogus hostname, I get "Logon failure (hex error)". So I presume that the problem really is just the proper translation of "host/computer.domain" to username=computer$ domain=domain. Given that I've changed so very few things from the default configs, is there someplace I should look at turning things off that I'm not using that would at least simplify the issue? For example, I see rlm_ldap calls just before "Found Auth-Type = EAP", possibly called by the "files" section just above that. Will commenting out "unix" and "files" and anything else in the virtual server that I'm not using confuse or simplify the issue? I don't want to go changing things that are normally relied upon to preprocess something or at least create some "usual" expected behavior and make it all that much more complicated. --J
McNutt, Justin M. wrote:
ntlm_auth --request-nt-key --username='dnps-caplap-4$' --domain=col.missouri.edu --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug)
The result was: NT_KEY: (long hex string)
Exactly. Now that you know what works, the only problem is creating a configuration in FreeRADIUS that *automatically* uses that style of username && domain. Alan DeKok.
McNutt, Justin M. wrote:
ntlm_auth --request-nt-key --username='dnps-caplap-4$' --domain=col.missouri.edu --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug)
The result was: NT_KEY: (long hex string)
Exactly. Now that you know what works, the only problem is creating a configuration in FreeRADIUS that *automatically* uses that style of username && domain.
Sure. I had been assuming that it worked, but this does prove it, thus reducing the number of unknowns in the conversation. Based on the other thread regarding the behavior of the mschap module, here's where things stand. - The User-Name variable is set to host/computer.ad.domain.edu, which is acceptable to ntlm_auth. In my environment, "ad.domain" may vary and is not set same as the "NT domain" (or even close). - The mschap module wants to take "ad.domain.edu" and set the NT-Domain variable to "ad", which likely works in some environments, but not here. - The hard-coded domain name in the ntlm_auth command line works, but only for users/hosts in that domain (obviously). So in the short term, I'd like to figure out a way to automatically match the DNS-style domain name based on the User-Name variable and update the NT-Domain variable so ntlm_auth will work for more cases. Depending upon how this is implemented - what I'm about to say may not be necessary - I'd like to see a flag for the mschap module that choose between the "NT-style domain guessing" (which results in "col" in this case) and "DNS-style domain guessing" (which would take everything after the first dot as the domain. I think that might result in a cleaner solution in the long term. I think it should be a flag - set to the current "NT-style guessing as the default - to maintain backward compatibility an ease of removal in case it turns out to be a Very Bad Idea Indeed. What do you think? --J
On 02/03/11 14:43, McNutt, Justin M. wrote:
So in the short term, I'd like to figure out a way to automatically match the DNS-style domain name based on the User-Name variable and update the NT-Domain variable so ntlm_auth will work for more cases.
%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. There's no attribute you can "set", so you'll need to use another attribute (see my other email)
Depending upon how this is implemented - what I'm about to say may not be necessary - I'd like to see a flag for the mschap module that choose between the "NT-style domain guessing" (which results in "col" in this case) and "DNS-style domain guessing" (which would take everything after the first dot as the domain. I think that might result in a cleaner solution in the long term.
I think it should be a flag - set to the current "NT-style guessing as the default - to maintain backward compatibility an ease of removal in case it turns out to be a Very Bad Idea Indeed.
What do you think?
I agree. However, as I say - I am pretty sure that long-form won't work either if you have a disjoint DNS/AD namespace. In that case, sites are going to have to use locally-defined rules.
%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. There's no attribute you can "set", so you'll need to use another attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail). That's very likely do-able.
I think it should be a flag - set to the current "NT-style guessing as the default - to maintain backward compatibility an ease of removal in case it turns out to be a Very Bad Idea Indeed.
What do you think?
I agree. However, as I say - I am pretty sure that long-form won't work either if you have a disjoint DNS/AD namespace. In that case, sites are going to have to use locally-defined rules.
I'm not following what you mean about "disjoint namespace". You mean the difference between "UMC-USERS" and "col.missouri.edu"? I think of "UMC-USERS" as "NT namespace" whereas I see AD and DNS as the same thing, in this case. In any event, in the test cases where I hard-coded one of the domain names into the ntlm_auth string, I used "col.missouri.edu" (DNS/long form) and this worked. So I'm confident in that part. I'd just like to see it done automatically, given a user flag that asks it to do so. --J
On 02/03/11 17:11, McNutt, Justin M. wrote:
%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. There's no attribute you can "set", so you'll need to use another attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail). That's very likely do-able.
I think it should be a flag - set to the current "NT-style guessing as the default - to maintain backward compatibility an ease of removal in case it turns out to be a Very Bad Idea Indeed.
What do you think?
I agree. However, as I say - I am pretty sure that long-form won't work either if you have a disjoint DNS/AD namespace. In that case, sites are going to have to use locally-defined rules.
I'm not following what you mean about "disjoint namespace". You mean the difference between "UMC-USERS" and "col.missouri.edu"? I think of "UMC-USERS" as "NT namespace" whereas I see AD and DNS as the same thing, in this case.
Disjoint namespace is the term used if you have DNS names for windows active directory members which are anything other than: samaccountname.<AD domain> So, if you give your hosts DNS hostnames of: samaccountname.dept.<AD domain> ...this is a disjoint namespace. This is a supported configuration in principle - AD itself and most of the Microsoft tools work just fine - but in practice you'll find an awful lot of 3rd party stuff out there assumes that the AD domain starts at the first "." in the hostname, and will break if it doesn't. This makes me sad, since the underlying protocols at AD is built on (DNS, Kerberos, LDAP) have plenty of mechanisms for doing the mapping properly. They're just not used.
Disjoint namespace is the term used if you have DNS names for windows active directory members which are anything other than:
samaccountname.<AD domain>
So, if you give your hosts DNS hostnames of:
samaccountname.dept.<AD domain>
...this is a disjoint namespace. This is a supported configuration in principle - AD itself and most of the Microsoft tools work just fine - but in practice you'll find an awful lot of 3rd party stuff out there assumes that the AD domain starts at the first "." in the hostname, and will break if it doesn't.
This makes me sad, since the underlying protocols at AD is built on (DNS, Kerberos, LDAP) have plenty of mechanisms for doing the mapping properly. They're just not used.
Okay. Fortunately, we're not doing that. "Missouri.edu" is not an AD domain. "Col.missouri.edu" however, is. So a dnps-caplap-4.col.missouri.edu is a computer named dnps-caplap-4 in the col.missouri.edu AD domain. So the "first dot" assumption should work IF you take "col.missouri.edu" as the domain, rather than just "COL" (that which is between the first two dots). --J
On 02/03/11 12:09, McNutt, Justin M. wrote:
These look like MS-CHAP machine-auth usernames; have you considered using:
%{mschap:User-Name} %{mschap:NT-Domain}
The mschap module has special handling for host/ names, and these will expand:
host/name.domain.com
to:
name$ domain.com
The trailing dollar sign on the hostname is intentional; SAM account names for machines conventionally end in $ in windows.
I'm aware of all of this. The problem is, it doesn't seem to be actually working. Here's the ntlm_auth command I'm using:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite this, "host/computer.domain" login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses.
In the most recent debug I see you posted (16:36 yesterday) it's failing because: [eap] Request is supposed to be proxied to Realm $2. Not doing EAP. ++[eap] returns noop ...then later: WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request. No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. You tried to use a regexp to parse the username (usually a mistake IMHO) and put the "domain" bit into the "Proxy-To-Realm" attribute but Proxy-To-Realm instructs the server to do just that - which cancels local authentiction. Reading back through the thread, it seems like there is some confusion between "domain" in the Windows NT/Active Directory sense, and "domain" as a "Realm", which is a concept used in Radius proxying. I'm going to take a guess and assume you don't really need to do proxying, and were just trying to use the "realm" module to strip off the "host/...domain.com" bits, and have gotten a bit tangled. Don't set "Realm" or "Proxy-To-Realm" unless you want the radius packet to be sent to a different radius server. Make sure you're using "%{mschap:User-Name}" everywhere that NT domain usernames might exist - in the "ldap" module filter, for starters. At this point, you may find it easier to revert to the default configs and start from scratch, one change at a time and keeping the configs in version control.
In the most recent debug I see you posted (16:36 yesterday) it's failing because:
[eap] Request is supposed to be proxied to Realm $2. Not doing EAP. ++[eap] returns noop ... You tried to use a regexp to parse the username (usually a mistake IMHO) and put the "domain" bit into the "Proxy-To-Realm" attribute but Proxy-To-Realm instructs the server to do just that - which cancels local authentiction.
Agreed. I commented all that back out this morning while pursuing the mschap possibility.
Reading back through the thread, it seems like there is some confusion between "domain" in the Windows NT/Active Directory sense, and "domain" as a "Realm", which is a concept used in Radius proxying.
I'm going to take a guess and assume you don't really need to do proxying, and were just trying to use the "realm" module to strip off the "host/...domain.com" bits, and have gotten a bit tangled.
Yup.
Make sure you're using "%{mschap:User-Name}" everywhere that NT domain usernames might exist - in the "ldap" module filter, for starters.
That's the thing. There isn't anywhere else to set it, that I can see.
At this point, you may find it easier to revert to the default configs and start from scratch, one change at a time and keeping the configs in version control.
That's another thing. I specifically created this setup by doing: cd /etc/raddb/sites-available cp default campus-eap And then making only the necessary changes to make it work. Anything I've changed was done by commenting out the original, copying that line(s), and making changes. I have changed very, very little from the default. --J
Hi,
You tried to use a regexp to parse the username (usually a mistake IMHO) and put the "domain" bit into the "Proxy-To-Realm" attribute but Proxy-To-Realm instructs the server to do just that - which cancels local authentiction.
which you resolve by putting the right entries into proxy.conf eg col.missouri.edu { strip } alan
On 02/03/11 12:51, Alan Buxey wrote:
Hi,
You tried to use a regexp to parse the username (usually a mistake IMHO) and put the "domain" bit into the "Proxy-To-Realm" attribute but Proxy-To-Realm instructs the server to do just that - which cancels local authentiction.
which you resolve by putting the right entries into proxy.conf
I don't understand why you'd use the "realm" module at *all*. How does it help in this case?
Attempted and failed. Can authenticate users, but host authentication still fails. Uncommented "ntdomain" from both the "authorize" and "preacct" sections of /etc/raddb/sites-available/campus-eap. Same behavior as before. --J
-----Original Message----- From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius .org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.fr eeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 28, 2011 4:42 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question
Hi,
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the "authorize" section of the campus-eap virtual server (this is the default, I believe).
just add ntdomain as i said
read the realm module for description about fall through
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (8)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Gary Gatten -
James J J Hooper -
McNutt, Justin M. -
Phil Mayers -
Sallee, Stephen (Jake)