freeradius against AD authentication not working
Running Freeradius v1.1.1 on a RHEL 4 box and trying to authenticate the WiFi users against windows 2003 active directory using EAP-MSCHAPv2. I was able to join the linux box to windows domain successfully and able to read the users and groups from AD. I have configured the windows XP supplicant with root.der certificate and EAP-MSCHAPv2. When i try to connect to access point, it takes the local machine name default instead of asking for username and password. Does i missed anything ? Here is my radius log file. bash3.0#radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-re sponse=%{mschap:NT-Response}" Module: Instantiated mschap (mschap) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/secert/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/secert/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/secert/root.pem" tls: private_key_password = "<removed>" tls: dh_file = "/usr/local/etc/raddb/secert/dh" tls: random_file = "/usr/local/etc/raddb/secert/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.20.3.246:3072, id=0, length=152 User-Name = "host/your-a9279112e3" NAS-IP-Address = 10.20.3.246 Called-Station-Id = "00183910020e" Calling-Station-Id = "00166f6c282f" NAS-Identifier = "00183910020e" NAS-Port = 43 Framed-MTU = 1400 State = 0x8df956d66a233b914490c5a4e103fd9e NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xe7b8b93d9d67cf0e45588430640cb980 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_realm: No '@' in User-Name = "host/your-a9279112e3", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 0 to 10.20.3.246 port 3072 EAP-Message = 0x010500061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ea42dd7cde1d2a43ddc2b06a110d694 Finished request 5 Going to the next request Waking up in 6 seconds... Kartthik
"Karthik R" <kartthikr@gmail.com> wrote:
When i try to connect to access point, it takes the local machine name default instead of asking for username and password.
You have to configure the local machine to NOT authenticate as the machine. It's in the Windows supplicant configuration somewhere. There is nothing you can do to the NAS or RADIUS server to solve this problem. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----Original Message----- "Karthik R" <kartthikr@gmail.com> wrote:
When i try to connect to access point, it takes the local machine name default instead of asking for username and password.
You have to configure the local machine to NOT authenticate as the machine. It's in the Windows supplicant configuration somewhere.
There is nothing you can do to the NAS or RADIUS server to solve this problem.
Alan DeKok.
Alan is completely correct, you have to configure the suppilance to ask for a username password. If your this early in your deployment, I'd suggest you look at the SecureW2 supplicant as opposed to the Built-in XP one. http://securew2.alfa-ariss.com/ (Site seems to be down at the moment, hopefully back up by the time you read this) It's a hell of a lot easier, plus you can script it so that it will automatically deploy with the correct options selected. There is no way to do this with WZC (Windows Zero Config, the XP supplicant) The way to disable this in the WindowsXP client: Network Connections -> Right Click on Network Adaptor - > Properties -> Wireless Network Tab -> SSID Properties -> Authentication tab -> The EAP type tab should be set to Protected EAP (PEAP) (This is NOT the default) Uncheck the "authenticate as a computer when computer information is availble" Hit the properties button On this screen, you MAY have to disable the "Validate server certificate" This is entirely dependant on how you created the cert that is located on your server. Obviously, you want to have this option enabled, but for testing purposes, DISABLE it now. After you get your setup working, ReENABLE this, and see if it still works. If it doesn't, you do not have the magic OID's in the CERT. Towards the bottom, you'll see select Authentication Method. Hit the "Configure" button there: Uncheck the Automatically use my Winodws Logon Name and Password (and domain if any) Hit OK to all boxes to save the changes
participants (3)
-
Alan DeKok -
Karthik R -
King, Michael