Removing domain prefix from login
I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. Im getting wrong authenticated because the login has the following chain. DOMAIN\\Users How can i avoid that radius read the prefix? I've tried to introduce the option prefix in /etc/sites-enable/default , but its getting me back errors because of wrong way to introduce that line. Can any help me? Thanks very much
Hi,
I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. Im getting wrong authenticated because the login has the following chain.
DOMAIN\\Users
How can i avoid that radius read the prefix?
ntdomain with the 'hack' option set to yes - Stripped-User-Name is then properly created - use that variable in the LDAP alan
Alejandro Gandara wrote:
I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. Im getting wrong authenticated because the login has the following chain.
DOMAIN\\Users
How can i avoid that radius read the prefix?
You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth
I've tried to introduce the option prefix in /etc/sites-enable/default , but its getting me back errors because of wrong way to introduce that line.
Yes. Don't define a realm. It won't work. Post the debug output. That helps, too. Alan DeKok.
Hi Alan, Thanks for your answers and excuse me for my english fill of mistakes. 2011/11/10 Alan DeKok <aland@deployingradius.com>
Alejandro Gandara wrote:
I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. Im getting wrong authenticated because the login has the following chain.
DOMAIN\\Users
How can i avoid that radius read the prefix?
You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth
Im reading about it. Thanks for this information.
I've tried to introduce the option prefix in /etc/sites-enable/default , but its getting me back errors because of wrong way to introduce that line.
Yes. Don't define a realm. It won't work.
Post the debug output. That helps, too.
This is my debug output: rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112, length=218 Framed-MTU = 1480 NAS-IP-Address = 172.20.40.28 NAS-Identifier = "SW-INT-1-3" User-Name = "PRIVATE\\usertest" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 32 NAS-Port-Type = Ethernet NAS-Port-Id = "32" Called-Station-Id = "f0-62-81-05-33-40" Calling-Station-Id = "f0-4d-a2-bc-77-cd" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x020a0012014f50544152455c62726f75636f Message-Authenticator = 0x055981a2c542df52f4c292042c89a019 [ldap] performing user authorization for usertest [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> usertest [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=usertest) [ldap] expand: dc=private,dc=loc -> dc=private,dc=loc [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.20.52.206:389, authentication 0 [ldap] bind as cn=raddbuser,dc=private,dc=loc/password to 172.20.52.206:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=pruebas,dc=loc, with filter (uid=usertest) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3245334230434533423046383434414238374145393237384141453730393331 [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN [ldap] radiusFramedIPAddress -> Framed-IP-Address = 192.45.51.9 [ldap] user brouco authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [eap] EAP packet type response id 10 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} *[eap] Identity does not match User-Name, setting from EAP Identity.* [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [usertest/<via Auth-Type = EAP>] (from client privradius port 32 cli f0-4d-a2-bc-77-cd) Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/default Thanks for all Alan. Regards, Alejandro Gándara
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your answer. I think I've changed the following things to try to remove DOMAIN: ./modules/preprocess: with_ntdomain_hack = yes ./modules/mschap: with_ntdomain_hack = yes ./eap.conf: with_ntdomain_hack = yes I hope this could help, If you know more information I could give. Tell me. 2011/11/10 Alan DeKok <aland@deployingradius.com>
Alejandro Gandara wrote:
This is my debug output:
Well... you deleted a lot of the default configuration. It now doesn't work. I'm not sure why.
Use the default configuration. It works. Change as little as possible.
Il try once more, If i do not get results, I will reinstall freeradius changing only the necessary.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regards, Alejandro Gándara
On 10/11/11 08:15, Alejandro Gandara wrote:
Hi Alan,
Thanks for your answers and excuse me for my english fill of mistakes.
2011/11/10 Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>>
Alejandro Gandara wrote: > I'm authenticating users in RADIUS against LDAP, if I login from > computer with 802.1x configured and users and password taken from domain > automatic. Im getting wrong authenticated because the login has the > following chain. > > DOMAIN\\Users > > How can i avoid that radius read the prefix?
You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth
Im reading about it. Thanks for this information.
> I've tried to introduce the option prefix in /etc/sites-enable/default , > but its getting me back errors because of wrong way to introduce that line.
Yes. Don't define a realm. It won't work.
Post the debug output. That helps, too.
This is my debug output:
rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112, length=218 Framed-MTU = 1480 NAS-IP-Address = 172.20.40.28 NAS-Identifier = "SW-INT-1-3" User-Name = "PRIVATE\\usertest"
Have you edited this debug?
Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 32 NAS-Port-Type = Ethernet NAS-Port-Id = "32" Called-Station-Id = "f0-62-81-05-33-40" Calling-Station-Id = "f0-4d-a2-bc-77-cd" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x020a0012014f50544152455c62726f75636f
This decodes as: \x02\n\x00\x12\x01OPTARE\\brouco
Message-Authenticator = 0x055981a2c542df52f4c292042c89a019 Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} *[eap] Identity does not match User-Name, setting from EAP Identity.*
This claims MSCHAP and Radius username don't match. Did you edit the debug? Don't do that. Please provide a full debug, like so: radiusd -X | tee log.txt # run a test auth # ctrl+c # email log.txt
2011/11/10 Phil Mayers <p.mayers@imperial.ac.uk>
On 10/11/11 08:15, Alejandro Gandara wrote:
Hi Alan,
Thanks for your answers and excuse me for my english fill of mistakes.
2011/11/10 Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.**com <aland@deployingradius.com>>>
Alejandro Gandara wrote: > I'm authenticating users in RADIUS against LDAP, if I login from > computer with 802.1x configured and users and password taken from domain > automatic. Im getting wrong authenticated because the login has the > following chain. > > DOMAIN\\Users > > How can i avoid that radius read the prefix?
You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth
Im reading about it. Thanks for this information.
> I've tried to introduce the option prefix in /etc/sites-enable/default , > but its getting me back errors because of wrong way to introduce that line.
Yes. Don't define a realm. It won't work.
Post the debug output. That helps, too.
This is my debug output:
rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112, length=218 Framed-MTU = 1480 NAS-IP-Address = 172.20.40.28 NAS-Identifier = "SW-INT-1-3" User-Name = "PRIVATE\\usertest"
Have you edited this debug?
Service-Type = Framed-User
Framed-Protocol = PPP NAS-Port = 32 NAS-Port-Type = Ethernet NAS-Port-Id = "32" Called-Station-Id = "f0-62-81-05-33-40" Calling-Station-Id = "f0-4d-a2-bc-77-cd" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x020a0012014f50544152455c6272**6f75636f
This decodes as:
\x02\n\x00\x12\x01OPTARE\\**brouco
Message-Authenticator = 0x055981a2c542df52f4c292042c89**a019
Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/**default +- entering group authenticate {...} *[eap] Identity does not match User-Name, setting from EAP Identity.*
This claims MSCHAP and Radius username don't match.
Did you edit the debug?
Don't do that.
Ok sorry
Please provide a full debug, like so:
radiusd -X | tee log.txt # run a test auth # ctrl+c # email log.txt
I've attached it
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi,
rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218
<snip>
User-Name = "OPTARE\\brouco"
<snip> all okay....but then:
# Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop ++[digest] returns noop [ldap] performing user authorization for brouco [ldap] expand: %{Stripped-User-Name} ->
no stripped-user-name and User-Name is brouco - but thats not what the client sent. they sent OPTARE\\brouco - so your reply reference something they didnt send. have you got 'ntdomain' module enabled in your virtual servers - just after the 'preprocess' is called? alan
2011/11/10 Alan Buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218
<snip>
User-Name = "OPTARE\\brouco"
I know this, thats why i need try to remove this prefix. At first i thought i could do with module/realm. But I didnt get good results.
<snip>
all okay....but then:
# Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop ++[digest] returns noop [ldap] performing user authorization for brouco [ldap] expand: %{Stripped-User-Name} ->
no stripped-user-name
I think the problem is eap is looking for User-name and i need it looks for stripped....
and User-Name is brouco - but thats not what the client sent. they sent OPTARE\\brouco - so your reply reference something they didnt send.
have you got 'ntdomain' module enabled in your virtual servers - just after the 'preprocess' is called?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regards, Alejandro
Ok, your debug says: rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218 Framed-MTU = 1480 NAS-IP-Address = 172.20.40.11 NAS-Identifier = "SW-Priv-1-1" User-Name = "OPTARE\\brouco" <snip> # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok Why is preprocess returning "ok". What are you doing in the hints module? Are you modifying the username field? A few lines later it says: [ldap] expand: %{User-Name} -> brouco If you're modifying the username, you can't do that. It will break EAP, which is why it says: [eap] Identity does not match User-Name, setting from EAP Identity. ...then fails. I assume you want to strip "DOMAIN\" so that you can do LDAP? You CANNOT modify the User-Name field. You MUST used the Stripped-User-Name field, and leave the User-Name field alone.
2011/11/10 Phil Mayers <p.mayers@imperial.ac.uk>
Ok, your debug says:
rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218 Framed-MTU = 1480 NAS-IP-Address = 172.20.40.11 NAS-Identifier = "SW-Priv-1-1"
User-Name = "OPTARE\\brouco" <snip> # Executing section authorize from file /etc/freeradius/sites-enabled/** default +- entering group authorize {...} ++[preprocess] returns ok
Why is preprocess returning "ok".
this is preprocess preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints # This hack changes Ascend's wierd port numberings # to standard 0-??? port numbers so that the "+" works # for IP address assignments. with_ascend_hack = no ascend_channels_per_line = 23 # Windows NT machines often authenticate themselves as # NT_DOMAIN\username # # If this is set to 'yes', then the NT_DOMAIN portion # of the user-name is silently discarded. # # This configuration entry SHOULD NOT be used. # See the "realms" module for a better way to handle # NT domains. with_ntdomain_hack = yes # Specialix Jetstream 8500 24 port access server. # # If the user name is 10 characters or longer, a "/" # and the excess characters after the 10th are # appended to the user name. # # If you're not running that NAS, you don't need # this hack. with_specialix_jetstream_hack = no # Cisco (and Quintum in Cisco mode) sends it's VSA attributes # with the attribute name *again* in the string, like: # # H323-Attribute = "h323-attribute=value". # # If this configuration item is set to 'yes', then # the redundant data in the the attribute text is stripped # out. The result is: # # H323-Attribute = "value" # # If you're not running a Cisco or Quintum NAS, you don't }
What are you doing in the hints module?
Are you modifying the username field? A few lines later it says:
[ldap] expand: %{User-Name} -> brouco
If you're modifying the username, you can't do that. It will break EAP, which is why it says:
[eap] Identity does not match User-Name, setting from EAP Identity.
...then fails.
I assume you want to strip "DOMAIN\" so that you can do LDAP? You CANNOT modify the User-Name field. You MUST used the Stripped-User-Name field, and leave the User-Name field alone.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 10/11/11 16:53, Alejandro Gandara wrote:
# This configuration entry SHOULD NOT be used. # See the "realms" module for a better way to handle # NT domains. with_ntdomain_hack = yes
^^^ As per the docs. This config item should not be used, and is causing things to break. Set this back to "no". Edit the "proxy.conf" file and add: realm OPTARE { } Then edit raddb/sites-enabled/<server> and add: authorize { preprocess ntdomain .... rest of config }
On 11/10/2011 10:06 PM, Alan Buxey wrote:
Hi,
As per the docs. This config item should not be used, and is causing things to break.
umm, wasnt there a discussion recently in which
with_ntdomain_hack = yes
was going to be set by default in FR 3.x ?
That was the option on the mschap module. That option does not modify the packet, and only controls the string that is input into the mschap challenge/response calculation. Since the RFC says that input string should always be the username without leading DOMAIN\, it seems sensible to change that default and rename the option to something like "challenge_ignore_ntdomain" or something. *This* option, unfortunately named the same thing, does something different - it modifies the username in the packet to remove the DOMAIN\ which is almost never a good thing, and definitely not if you're using EAP. It should probably just be removed - people can use unlang if they really want to hack away at the username. There's also a with_ntdomain_hack on rlm_eap_mschapv2 which again does something different - it strips the DOMAIN\ when proxying the mschap to a remote server. It should probably be renamed to "proxy_send_domain" or something.
2011/11/10 Phil Mayers <p.mayers@imperial.ac.uk>
On 10/11/11 16:53, Alejandro Gandara wrote:
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle # NT domains. with_ntdomain_hack = yes
^^^
As per the docs. This config item should not be used, and is causing things to break.
Set this back to "no". Edit the "proxy.conf" file and add:
Done!
realm OPTARE { }
Done!
Then edit raddb/sites-enabled/<server> and add:
authorize { preprocess ntdomain .... rest of config
}
Done! I got erros anyways. I've attached debug output Thanks very much for your time and patience.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Regards, Alejandro Gándara
2011/11/11 Phil Mayers <p.mayers@imperial.ac.uk>
On 11/11/2011 07:46 AM, Alejandro Gandara wrote:
I got erros anyways. I've attached debug output
The debug output didn't make it through; I guess it was too big. Use a pastebin, or put it inline in the email?
this is the short view: ++[preprocess] returns ok [ntdomain] Looking up realm "OPTARE" for User-Name = "OPTARE\brouco" [ntdomain] Found realm "OPTARE" [ntdomain] Adding Stripped-User-Name = "brouco" [ntdomain] Adding Realm = "OPTARE" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[mschap] returns noop ++[digest] returns noop [ldap] performing user authorization for brouco [ldap] expand: %{Stripped-User-Name} -> brouco [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=brouco) [ldap] expand: dc=optare,dc=loc -> dc=optare,dc=loc [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=optare,dc=loc, with filter (uid=brouco) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] roomNumber -> Pool-Name == "infraestructuras" [ldap] sambaNtPassword -> NT-Password == 0x3245334230434533423046383434414238374145393237384141453730393331 [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN [ldap] radiusFramedIPAddress -> Framed-IP-Address = 192.45.51.9 WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user brouco authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [eap] EAP packet type response id 45 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. SSL: Removing session 1390126992ccf15f6eca58514ff74975f8661cc927bbe3a5f0e0a52b9a310e4a from the cache [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [OPTARE\\brouco/<via Auth-Type = EAP>] (from client privradius port 29 cli f0-4d-a2-bc-77-cd) Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/default Delaying reject of request 6 for 1 seconds
Thanks for the help
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi list, thanks for the help. Ive fix the problem changing the following parameters: /etc/freeradius/sites-enabled/inner-tunnel:authorize: ntdomain /etc/freeradius/modules/mschap: with_ntdomain_hack = yes Now everythings is OK. Thanks for all. Regards Alejandro Gándara Junior System Administrator OptareSolutions 2011/11/11 Phil Mayers <p.mayers@imperial.ac.uk>
On 11/11/11 09:52, Alejandro Gandara wrote:
this is the short view:
[peap] The users session was previously rejected: returning reject
(again.) [peap] *** This means you need to read the PREVIOUS messages in the
Sigh.
Read this line.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
participants (4)
-
Alan Buxey -
Alan DeKok -
Alejandro Gandara -
Phil Mayers