Active Directory Integration with FreeRADIUS - NTLM_Auth
Hello, I am trying to walk through the following document: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf in order to authenticate Cisco router and switch logins against FreeRadius/Active Directory. Using the HowTo, I have successfully joined a FC2 box to our Windows 2003 AD for testing purposes. I have also successfully used the manual ntlm_auth command to authenticate a user from the Radius server. I have configured the Cisco switch to point to the Radius server for authentication. I am not trying to authenticate an actual PC from a switch port, so I have not followed through with the EAP portion of the HowTo. Here is the output of the Radiusd -X and the attempted telnet login to the switch: # radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain= %{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge= %{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 172.16.0.3:1645, id=68, length=78 NAS-IP-Address = 172.16.0.3 NAS-Port = 66 NAS-Port-Type = Virtual User-Name = "dwhite" Calling-Station-Id = "172.16.2.122" User-Password = "Password1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "dwhite", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 68 to 172.16.0.3:1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 68 with timestamp 448daaf9 Nothing to do. Sleeping until we see a request. Any help as to my next step would be greatly appreciated. Thanks, Doug White
"Doug White" <dwhite@infosysnetworks.com> wrote:
Here is the output of the Radiusd -X and the attempted telnet login to the switch: ...
You've sent it an authentication request with a clear-text password, and told it to use /etc/passwd for authentication. The user isn't in /etc/passwd, so authentication fails. I suggest following the rest of the document. If you don't do what it says, don't be surprised if the results aren't what it says. Alan DeKok.
hi, the guide you are following - using ntlm_auth against AD, binding into AD etc is really geared up for doing EAP (PEAP MSCHAPv2 in particular) what _you_ are attempting to do with RADIUS for login authentication of the cisco switches/routers involves plaintext passwords...int his case you'd want to use a kerberos check against your AD instead alan
Alan, Thanks for your reply. Is the plain text kerberos check something that gets configured in the radiusd.conf file? I was hoping to create a OU in AD called Cisco Admins and then have FreeRADIUS authenticate against those user names and passwords. I was told in another post that according to the radiusd -X output FreeRADIUS was attempting to check another location where no user names or passwords were setup. Thanks again, Doug -----Original Message----- From: freeradius-users-bounces+dwhite=infosysnetworks.com@lists.freeradius.org on behalf of A.L.M.Buxey@lboro.ac.uk Sent: Fri 6/16/2006 1:25 PM To: FreeRadius users mailing list Subject: Re: Active Directory Integration with FreeRADIUS - NTLM_Auth hi, the guide you are following - using ntlm_auth against AD, binding into AD etc is really geared up for doing EAP (PEAP MSCHAPv2 in particular) what _you_ are attempting to do with RADIUS for login authentication of the cisco switches/routers involves plaintext passwords...int his case you'd want to use a kerberos check against your AD instead alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Doug White" <dwhite@infosysnetworks.com> wrote:
Thanks for your reply. Is the plain text kerberos check something that gets configured in the radiusd.conf file?
Yes.
I was hoping to create a OU in AD called Cisco Admins and then have FreeRADIUS authenticate against those user names and passwords.
That will work only for PAP. Alan DeKok.
If you're using AD, plaintext (PAP) authentication, and are wanting to restrict the users to a certain OU, you should probably use the rlm_ldap module. That way you can set the base search DN to your Cisco Admins OU. It'll probably be a little easier to use and set up, too, than the Kerberos module. --Mike On Jun 19, 2006, at 11:12 AM, Doug White wrote:
Alan,
Thanks for your reply. Is the plain text kerberos check something that gets configured in the radiusd.conf file? I was hoping to create a OU in AD called Cisco Admins and then have FreeRADIUS authenticate against those user names and passwords. I was told in another post that according to the radiusd -X output FreeRADIUS was attempting to check another location where no user names or passwords were setup.
Thanks again,
Doug
-----Original Message----- From: freeradius-users-bounces +dwhite=infosysnetworks.com@lists.freeradius.org on behalf of A.L.M.Buxey@lboro.ac.uk Sent: Fri 6/16/2006 1:25 PM To: FreeRadius users mailing list Subject: Re: Active Directory Integration with FreeRADIUS - NTLM_Auth
hi,
the guide you are following - using ntlm_auth against AD, binding into AD etc is really geared up for doing EAP (PEAP MSCHAPv2 in particular) what _you_ are attempting to do with RADIUS for login authentication of the cisco switches/routers involves plaintext passwords...int his case you'd want to use a kerberos check against your AD instead
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
<winmail.dat> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Doug White -
Michael Griego