Could'nt authenticate windows host account with freeradius + ldap backend + samba domain controller
Hello, We have a Samba domain controller (3.0.9) with freeradius on it and several windows XP SP2 workstations attached to it. Actually, this wired setup is working correctly. We are planning to use wifi on those workstations but we encounters many problems. Here our wifi setup: Our APs are cisco 12xx, WPA/PEAP/MSCHAPV2 + 802.1x to the Samba/freeradius servers. Samba is configured to use LDAP as a backend to store its accounts (computers/users/groups). On the XP workstations, we use its own supplicant. Freeradius version 1.1.7 is configured to authorize computers and users from ldap and the authentication is made in mschapv2 through eap. The user authentication is working but not the computer and we must have this to work so that if the computer is switched on and nobody logged in, it can even have access to the network (for applying nightly updates for examples). The problem is when a computer tries to authenticate, the User-Name sent is "host//computername/", but in ldap we have entrie like /computername/$. So we have some attr_rewrite that removes host/ and adds the dollar sign. rlm_ldap finds correctly the entry, but EAP complains about the user name change: "*rlm_eap: Identity does not match User-Name, setting from EAP Identity.** rlm_eap: Failed in handler" *Is there an existing solution to our problem ?* * Thanks in advance for any response. PS: a join the log where you can see what happends, the radiusd.conf and an example computer account (in ldif format) Ce message et toutes les pièces jointes sont établis à l'attention exclusive de leurs destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d'en avertir immédiatement l'expéditeur. L'internet ne permettant pas d'assurer l'intégrité de ce message, le contenu de ce message ne représente en aucun cas un engagement de la part de Adeo Services. prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 60 delete_blocked_requests = no cleanup_delay = 5 max_requests = 8192 bind_address = * port = 1812 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = before lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/ap.pem certificate_file = ${raddbdir}/certs/ap.pem CA_file = ${raddbdir}/certs/root.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes check_crl = no } peap { default_eap_type = mschapv2 } mschapv2 { } } mschap { } ldap { server = "localhost" identity = "cn=Manager,dc=mag125,dc=fr,dc=corp,dc=mycompany,dc=com" password = password basedn = "dc=mag125,dc=fr,dc=corp,dc=mycompany,dc=com" filter = "(uid=%{Stripped-User-Name})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } attr_rewrite copy.user-name { attribute = Stripped-User-Name new_attribute = yes searchfor = "" searchin = packet replacewith = "%{User-Name}" } attr_rewrite add-dollar-sign { attribute = Stripped-User-Name searchfor = "^host/(.*)" searchin = packet new_attribute = no replacewith = "%{1}$" } attr_rewrite strip-realm-name { attribute = Stripped-User-Name new_attribute = no searchin = packet searchfor = "^(.*[\\/]+)" replacewith = "" max_matches = 1 } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } detail pre_proxy_log { detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } exec echo { wait = yes program = "/bin/echo Username:%{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { expr } authorize { copy.user-name add-dollar-sign auth_log suffix ntdomain ldap eap } authenticate { copy.user-name add-dollar-sign Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } eap } preacct { preprocess acct_unique suffix ntdomain } accounting { detail radutmp } session { radutmp } post-auth { reply_log } pre-proxy { pre_proxy_log } post-proxy { eap }
david.barbion@adeoservices.com wrote:
Hello, The problem is when a computer tries to authenticate, the User-Name sent is "host//computername/", but in ldap we have entrie like /computername/$. So we have some attr_rewrite that removes host/ and adds the dollar sign.
Why? You can just create a *new* attribute, Stripped-User-Name, with the updated contents. Then, configure the ldap module to look first for Stripped-User-Name, and then User-Name: foo = "... %{Stripper-User-Name:%{User-Name}} ..." See doc/variables.txt
rlm_ldap finds correctly the entry, but EAP complains about the user name change: "*rlm_eap: Identity does not match User-Name, setting from EAP Identity.** rlm_eap: Failed in handler"
Then... don't edit the User-Name. There's no need to edit it. Alan DeKok.
Alan DeKok a écrit : Thanks for your answers.
david.barbion@adeoservices.com wrote:
Hello, The problem is when a computer tries to authenticate, the User-Name sent is "host//computername/", but in ldap we have entrie like /computername/$. So we have some attr_rewrite that removes host/ and adds the dollar sign.
Why? You can just create a *new* attribute, Stripped-User-Name, with the updated contents. Then, configure the ldap module to look first for Stripped-User-Name, and then User-Name:
foo = "... %{Stripper-User-Name:%{User-Name}} ..."
See doc/variables.txt
In the radiusd.conf config file, the %{Stripped-User-Name} is correctly created from %{User-Name}. %{User-Name} looks like "host/computername" and is not modified, %{Stripped-User-Name} looks like "computername$" In the ldap module, it is %{Stripped-User-Name} that is used.
rlm_ldap finds correctly the entry, but EAP complains about the user name change: "*rlm_eap: Identity does not match User-Name, setting from EAP Identity.** rlm_eap: Failed in handler"
Then... don't edit the User-Name. There's no need to edit it.
Alan DeKok.
I have made some tests with and without the %{User-Name} change, but nothing helps I have another question: How does the EAP/MSCHAPV2 authentication work ? which username/password couples does it take ? and with which database does it compare to ? Regards
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ce message et toutes les pièces jointes sont établis à l'attention exclusive de leurs destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d'en avertir immédiatement l'expéditeur. L'internet ne permettant pas d'assurer l'intégrité de ce message, le contenu de ce message ne représente en aucun cas un engagement de la part de Adeo Services.
david.barbion@adeoservices.com wrote:
In the radiusd.conf config file, the %{Stripped-User-Name} is correctly created from %{User-Name}.
That's not the issue. The issue is that something is editing the User-Name attribute. That editing is breaking EAP.
I have made some tests with and without the %{User-Name} change, but nothing helps
Other people have this working. It *is* possible.
I have another question: How does the EAP/MSCHAPV2 authentication work ? which username/password couples does it take ? and with which database does it compare to ?
It doesn't compare anything to a database. Passwords are obtained from whatever database you choose, using whatever queries you choose. Alan DeKok.
Alan DeKok a écrit :
david.barbion@adeoservices.com wrote:
In the radiusd.conf config file, the %{Stripped-User-Name} is correctly created from %{User-Name}.
That's not the issue. The issue is that something is editing the User-Name attribute. That editing is breaking EAP.
Okay, I understand...
I have made some tests with and without the %{User-Name} change, but nothing helps
Other people have this working. It *is* possible.
Ok, that's great ! I know it is possible, but I still wonder how (I will manage to find the right configuration...)
I have another question: How does the EAP/MSCHAPV2 authentication work ? which username/password couples does it take ? and with which database does it compare to ?
It doesn't compare anything to a database. Passwords are obtained from whatever database you choose, using whatever queries you choose.
Thanks a lot for your clue, I understand now how it works and I will be able to find the solution.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ce message et toutes les pièces jointes sont établis à l'attention exclusive de leurs destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d'en avertir immédiatement l'expéditeur. L'internet ne permettant pas d'assurer l'intégrité de ce message, le contenu de ce message ne représente en aucun cas un engagement de la part de Adeo Services.
participants (2)
-
Alan DeKok -
david.barbion@adeoservices.com