Freeradius + AD authentication passing Domain+User
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks. In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK. In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log). In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK. So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba? Thanks in advance, regards!!! Alejandro
On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK.
That's good.
In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log).
So... what is the reject message? Please post the full debug output as suggested in the FAQ, "man" pages, wiki, and daily on this list.
In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK.
That's good.
So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba?
It's not magic. But it DOES require that you read the debug output. Alan DeKok.
Dear Alan and people, thanks for your response. Below I show you the log from Freeradius in debug mode. But I need to say something before showing the logs: the WiFi notebook clients are Windows 7 and 10, the users logged into them are domain users, and we want to use these users in order to connect AUTOMATICALLY to our WiFi network. This means that we need the user to automatically connect to wifi network without type user or user@domain or domain\user, just type the corresponding password to the domain user from the notebook. The log is this: rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=59, length=412 User-Name = "host/NB100.domain.com" Calling-Station-Id = "24:0a:64:33:43:c7" Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e" NAS-IP-Address = 192.168.1.250 NAS-Identifier = "WLC" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x020700901580000000861603010046100000424104df31414042b0d244a7712595d396618c2b2b1bed913f71b10c4b86a308500b9979452bec950cf5c175adc2a421f3e1379d4f2bdb2e1bb7fc14eeb78e6dd1baa114030100010116030100307c89f3e96ccb753fc640b7610548d56f0c3ed30a73e291c63eb7085a430189922680bb69c7cbd567500b05c63bb76c8d State = 0xf7161b91f3110e7694cf1c709482b6fc Message-Authenticator = 0xc0000c50748336541b27a2a07c1cf909 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/NB100.domain.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: unknown state [ttls] TLS_accept: unknown state [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: unknown state [ttls] TLS_accept: unknown state [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 59 to 192.168.1.250 port 32769 EAP-Message = 0x0108004515800000003b1403010001011603010030ec57aa02d394d0e82f3c4e7e7615f5c9d454c1b7a187db4110a6e4bf4279e4470958bf3a061fadfe3b0bd9eb3778c688 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7161b91f21e0e7694cf1c709482b6fc Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 54 with timestamp +511 Cleaning up request 2 ID 55 with timestamp +511 Cleaning up request 3 ID 56 with timestamp +511 Cleaning up request 4 ID 57 with timestamp +511 Cleaning up request 5 ID 58 with timestamp +511 Cleaning up request 6 ID 59 with timestamp +511 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xf7161b91f21e0e76 did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=60, length=258 User-Name = "DOMAIN.COM\\alejandro" Calling-Station-Id = "24:0a:64:33:43:c7" Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e" NAS-IP-Address = 192.168.1.250 NAS-Identifier = "WLC" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0202001501472d424150524f5c616261726c697a61 Message-Authenticator = 0x6909a617235e3ada0db90748d81e7ddd # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "DOMAIN\alejandro", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [sql] expand: %{User-Name} -> DOMAIN.COM\\alejandro [sql] sql_set_user escaped user --> 'DOMAIN.COM\\alejandro' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'DOMAIN=5C=5C=5C=5Calejandro' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'DOMAIN=5C=5C=5C=5Calejandro' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User DOMAIN.COM\\alejandro not found ++[sql] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 60 to 192.168.1.250 port 32769 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x92095a79920a4f103a071bb9e5e9a7b2 Finished request 7. Going to the next request Waking up in 4.9 seconds. Special thanks !!! Alejandro 2017-06-15 14:05 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK.
That's good.
In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log).
So... what is the reject message?
Please post the full debug output as suggested in the FAQ, "man" pages, wiki, and daily on this list.
In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK.
That's good.
So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba?
It's not magic. But it DOES require that you read the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //
On Jun 16, 2017, at 12:43 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
]] But I need to say something before showing the logs: the WiFi notebook clients are Windows 7 and 10, the users logged into them are domain users, and we want to use these users in order to connect AUTOMATICALLY to our WiFi network. This means that we need the user to automatically connect to wifi network without type user or user@domain or domain\user, just type the corresponding password to the domain user from the notebook.
You don't control how the Windows machines work. You have to live with how they *actually* work. When the Windows machines are provisioned properly, they will prompt the user for name/password once, and then cache it. Or, the name and password can be provisioned automatically. If login fails, Windows will show a prompt containing the user name, and prompt for a password.
The log is this:
rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=59, length=412 User-Name = "host/NB100.domain.com" Calling-Station-Id = "24:0a:64:33:43:c7" Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e" NAS-IP-Address = 192.168.1.250 NAS-Identifier = "WLC" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x020700901580000000861603010046100000424104df31414042b0d244a7712595d396618c2b2b1bed913f71b10c4b86a308500b9979452bec950cf5c175adc2a421f3e1379d4f2bdb2e1bb7fc14eeb78e6dd1baa114030100010116030100307c89f3e96ccb753fc640b7610548d56f0c3ed30a73e291c63eb7085a430189922680bb69c7cbd567500b05c63bb76c8d State = 0xf7161b91f3110e7694cf1c709482b6fc Message-Authenticator = 0xc0000c50748336541b27a2a07c1cf909 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/NB100.domain.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: unknown state [ttls] TLS_accept: unknown state [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: unknown state [ttls] TLS_accept: unknown state [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 59 to 192.168.1.250 port 32769 EAP-Message = 0x0108004515800000003b1403010001011603010030ec57aa02d394d0e82f3c4e7e7615f5c9d454c1b7a187db4110a6e4bf4279e4470958bf3a061fadfe3b0bd9eb3778c688 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7161b91f21e0e7694cf1c709482b6fc Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 54 with timestamp +511 Cleaning up request 2 ID 55 with timestamp +511 Cleaning up request 3 ID 56 with timestamp +511 Cleaning up request 4 ID 57 with timestamp +511 Cleaning up request 5 ID 58 with timestamp +511 Cleaning up request 6 ID 59 with timestamp +511 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xf7161b91f21e0e76 did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
So... read that web page and follow it's instructions on how to fix the problem.
[sql] User DOMAIN.COM\\alejandro not found ++[sql] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
The user isn't found in the SQL database. That's why it's failing. If you want to have "DOMAIN.COM" treated as a local domain / realm, go read raddb/proxy.conf. Set the domain as a LOCAL realm. And read raddb/sites-enabled/default. Look for "ntdomain". It tells you how to set up NT domains for login. Alan DeKok.
Dear Alan, I'm following your guide "Configuring Authentication with Active Directory" (http://deployingradius.com/documents/configuration/active_ directory.html) in order to analyze my configurations issues. Please I will show you the most important parts of the tutorial, and I will tell you what I put or what I get from the tests, so you can comment below if you can: *1) Configuring Freeradius to use ntlm_auth, in /etc/freeradius/modules/ntlm_**auth:* exec ntlm_auth { wait = yes program = "*/usr/bin/ntlm_auth* --request-nt-key --domain=*DOMAIN.COM <http://DOMAIN.COM>* --username=%{mschap:User-Name} --password=%{User-Password}" } But in /etc/freeradius/sites-enabled/default and inner-tunnel, I have not the following authenticate sections at all: authenticate { ... ntlm_auth ... } If I have to put them, what do I have to add in the "..." lines you don't specify??? *2) After that, you recommend to use the testing command:* $ radtest *user* *password* localhost 0 testing123 This user correspond to my domain "DOMAIN.COM", or is a local user in order to test the config ??? *3) Configuring Freeradius to use ntlm_auth for MSCHAP* In /etc/freeradius/modules/mschap file I put: ntlm_auth = "*/usr/bin/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*DOMAIN.COM <http://DOMAIN.COM>*} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" After that I start the Freeradius service in debug mode, and I use radtest command to send a MSCHAP authentication request. I have Freeradius 2.2.5, so I execute: $ radtest -t mschap bob hello localhost 0 testing123 Is bob/hello a username/password from DOMAIN.COM ??? If I execute this in this way: Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>" NAS-IP-Address = 192.168.1.250 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0xdb6688ffc58b6208 MS-CHAP-Response = 0x0001000000000000000000000000 0000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a r ad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=220, length=38 MS-CHAP-Error = "\000E=691 R=1" Please I'll be waiting for your feedback, special thanks !!! Alejandro 2017-06-15 14:05 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK.
That's good.
In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log).
So... what is the reject message?
Please post the full debug output as suggested in the FAQ, "man" pages, wiki, and daily on this list.
In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK.
That's good.
So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba?
It's not magic. But it DOES require that you read the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //
ignore the ntlm_auth module.... you need to just use the mschap method - enure you have configured the ntlm_auth string in the mschap module (or, with latest versions of freeRADIUS, dont use ntlm_auth at all, use the native direct winbindd method - much much faster) - then, to test, dnt use radtest - as thats basic, use eg eapol_test instead as that will behave like a real client (EAP method) - your error suggests incorrect password (or rather user/pass combination issue) - suggest that your AD doesnt like getting a domain in the username - so just add your domain to the proxy.conf as a local realm eg realm domain.com { } then ensure that 'Stripped-User-Name' is being used in the ntlm_auth or winbindd call rather than mschap:User-Name alan On 21 June 2017 at 19:12, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear Alan, I'm following your guide "Configuring Authentication with Active Directory" (http://deployingradius.com/documents/configuration/active_ directory.html) in order to analyze my configurations issues.
Please I will show you the most important parts of the tutorial, and I will tell you what I put or what I get from the tests, so you can comment below if you can:
*1) Configuring Freeradius to use ntlm_auth, in /etc/freeradius/modules/ntlm_**auth:*
exec ntlm_auth { wait = yes program = "*/usr/bin/ntlm_auth* --request-nt-key --domain=*DOMAIN.COM <http://DOMAIN.COM>* --username=%{mschap:User-Name} --password=%{User-Password}" }
But in /etc/freeradius/sites-enabled/default and inner-tunnel, I have not the following authenticate sections at all:
authenticate { ... ntlm_auth ... }
If I have to put them, what do I have to add in the "..." lines you don't specify???
*2) After that, you recommend to use the testing command:*
$ radtest *user* *password* localhost 0 testing123
This user correspond to my domain "DOMAIN.COM", or is a local user in order to test the config ???
*3) Configuring Freeradius to use ntlm_auth for MSCHAP*
In /etc/freeradius/modules/mschap file I put:
ntlm_auth = "*/usr/bin/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*DOMAIN.COM <http://DOMAIN.COM>*} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
After that I start the Freeradius service in debug mode, and I use radtest command to send a MSCHAP authentication request. I have Freeradius 2.2.5, so I execute:
$ radtest -t mschap bob hello localhost 0 testing123
Is bob/hello a username/password from DOMAIN.COM ???
If I execute this in this way:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>" NAS-IP-Address = 192.168.1.250 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0xdb6688ffc58b6208 MS-CHAP-Response = 0x0001000000000000000000000000 0000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a r ad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=220, length=38 MS-CHAP-Error = "\000E=691 R=1"
Please I'll be waiting for your feedback, special thanks !!!
Alejandro
2017-06-15 14:05 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK.
That's good.
In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log).
So... what is the reject message?
Please post the full debug output as suggested in the FAQ, "man" pages, wiki, and daily on this list.
In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK.
That's good.
So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba?
It's not magic. But it DOES require that you read the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro // - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 21, 2017, at 2:12 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
*1) Configuring Freeradius to use ntlm_auth, in /etc/freeradius/modules/ntlm_**auth:*
exec ntlm_auth { wait = yes program = "*/usr/bin/ntlm_auth* --request-nt-key --domain=*DOMAIN.COM <http://DOMAIN.COM>* --username=%{mschap:User-Name} --password=%{User-Password}" }
But in /etc/freeradius/sites-enabled/default and inner-tunnel, I have not the following authenticate sections at all:
authenticate { ... ntlm_auth ... }
If I have to put them, what do I have to add in the "..." lines you don't specify???
The "..." is a place-holder. It indicates other things in that section. it does' t mean insert a literal "..."
*2) After that, you recommend to use the testing command:*
$ radtest *user* *password* localhost 0 testing123
This user correspond to my domain "DOMAIN.COM", or is a local user in order to test the config ???
If you're testing a user in AD, you should run radtest with a user in AD.
*3) Configuring Freeradius to use ntlm_auth for MSCHAP*
In /etc/freeradius/modules/mschap file I put:
ntlm_auth = "*/usr/bin/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*DOMAIN.COM <http://DOMAIN.COM>*} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
After that I start the Freeradius service in debug mode, and I use radtest command to send a MSCHAP authentication request. I have Freeradius 2.2.5, so I execute:
$ radtest -t mschap bob hello localhost 0 testing123
Is bob/hello a username/password from DOMAIN.COM ???
If I execute this in this way:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>"
Is the account in AD called "alejandro@domain.com"? Or is it just alejandro ? Again... if you're testing a user in AD, you just need to test with the username that's in AD. There is simply no reason to do anything else.
NAS-IP-Address = 192.168.1.250 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0xdb6688ffc58b6208 MS-CHAP-Response = 0x0001000000000000000000000000 0000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a r ad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=220, length=38 MS-CHAP-Error = "\000E=691 R=1"
And all of the FAQ, web pages, "man" pages and EVERYTHING ELSE says to look at / post the debug output of the server. NOT the output of "radtest". Alan DeKok.
Hi all, On Thu, Jun 22, 2017 at 4:11 PM Alan DeKok <aland@deployingradius.com> wrote:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>"
Is the account in AD called "alejandro@domain.com"? Or is it just alejandro ?
Again... if you're testing a user in AD, you just need to test with the username that's in AD. There is simply no reason to do anything else.
Remember that AD has TWO usernames: the sAMAccountName (old style NetBios) and the userPrincipalName (new style, kerberos), the latest also includes the domain. BUT windbind (and ntlm_auth) uses the sAMAccountName username, so be sure to pass that name and not the new userPrincipalName. Cheers, Enrico
Thanks to all, Iwill try later and I will follow your advice. Any failure, I'll keep in touch with you again. Regards!!! 2017-06-22 11:46 GMT-03:00 Enrico Polesel <epol.lists@gmail.com>:
Hi all,
On Thu, Jun 22, 2017 at 4:11 PM Alan DeKok <aland@deployingradius.com> wrote:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>"
Is the account in AD called "alejandro@domain.com"? Or is it just alejandro ?
Again... if you're testing a user in AD, you just need to test with the username that's in AD. There is simply no reason to do anything else.
Remember that AD has TWO usernames: the sAMAccountName (old style NetBios) and the userPrincipalName (new style, kerberos), the latest also includes the domain.
BUT windbind (and ntlm_auth) uses the sAMAccountName username, so be sure to pass that name and not the new userPrincipalName.
Cheers, Enrico - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //
Dear people, before doing the new test tomorrow with the AD authentication useing Freeradius, I need your help: I need to authenticate the Windows company users from their corresponding notebooks to our AD, through our Freeradius 2.2.5 server, and without certificate validation (I don’t install the CA certificate in any notebook at the moment). My AD administrator tell me that the defined domain in the Windows DC server is "company.com" but because it's an “old fashion” Windows server the company users authenticate from notebooks and desktops in this way: COMPANY\username So I replace all the "company.com" strings in my configuration files from samba, kerberos and freeradius for just "company". Is it OK what I do??? Please if you can give me the link of a step-by-step guide on Freeradius + AD auth, because there are seceral guides and they vary from one to another. Thanks again!!! 2017-06-22 11:49 GMT-03:00 Alejandro Cabrera Obed <aco1967@gmail.com>:
Thanks to all, Iwill try later and I will follow your advice.
Any failure, I'll keep in touch with you again.
Regards!!!
2017-06-22 11:46 GMT-03:00 Enrico Polesel <epol.lists@gmail.com>:
Hi all,
On Thu, Jun 22, 2017 at 4:11 PM Alan DeKok <aland@deployingradius.com> wrote:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>"
Is the account in AD called "alejandro@domain.com"? Or is it just alejandro ?
Again... if you're testing a user in AD, you just need to test with the username that's in AD. There is simply no reason to do anything else.
Remember that AD has TWO usernames: the sAMAccountName (old style NetBios) and the userPrincipalName (new style, kerberos), the latest also includes the domain.
BUT windbind (and ntlm_auth) uses the sAMAccountName username, so be sure to pass that name and not the new userPrincipalName.
Cheers, Enrico - List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
-- // Alejandro //
-- // Alejandro //
On Jun 25, 2017, at 5:14 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Is it OK what I do???
Please if you can give me the link of a step-by-step guide on Freeradius + AD auth, because there are seceral guides and they vary from one to another.
This is documented: See https://freeradius.org/doc/ It points to an Active Directory guide. Alan DeKok.
Please, is there any problem if I'm using Daloradius in order to have a friendly management interface of Freeradius? For example, if I test PAP following the guide " http://deployingradius.com/documents/configuration/pap.html", if I add the user "bob" with password "hello" defined in the /etc/freeradius/users file, it doesn't work. But if I define the same user/pass pair in Daloradius (with MySQL), the PAP test works OK because I receive an Access-Accept package. Do you think it's better to work without Daloradius or it's the same in order to achieve the AD authentication that I need ? Thanks a lot again. 2017-06-25 18:46 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
Is it OK what I do???
Please if you can give me the link of a step-by-step guide on Freeradius
On Jun 25, 2017, at 5:14 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote: +
AD auth, because there are seceral guides and they vary from one to another.
This is documented: See https://freeradius.org/doc/
It points to an Active Directory guide.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //
On Jun 26, 2017, at 12:20 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Please, is there any problem if I'm using Daloradius in order to have a friendly management interface of Freeradius?
daloradius is old and unsupported. Maybe try another one? More importantly, you don't need a GUI to configure FreeRADIUS. You may need a GUI to edit SQL table entries, but almost anything can do that.
For example, if I test PAP following the guide " http://deployingradius.com/documents/configuration/pap.html", if I add the user "bob" with password "hello" defined in the /etc/freeradius/users file, it doesn't work. But if I define the same user/pass pair in Daloradius (with MySQL), the PAP test works OK because I receive an Access-Accept package.
See the FAQ for "it doesn't work". Alan DeKok.
Hi guys , I would like to run some external script after inserting new accounting data on my mysql database. So far radius + mysql + accounting is already working. So , Im looking some documentation about exec module now but I would like to ask: Can anyone point some doc ? Can the external script delay the radius daemon process or does it run on different thread ? Regards ; Leandro.
On Jun 26, 2017, at 3:30 PM, Leandro <ingrogger@gmail.com> wrote:
Hi guys , I would like to run some external script after inserting new accounting data on my mysql database. So far radius + mysql + accounting is already working. So , Im looking some documentation about exec module now but I would like to ask: Can anyone point some doc ?
raddb/mods-available/exec
Can the external script delay the radius daemon process or does it run on different thread ?
It delays the server. The "exec" module runs like any other module. *Don't* do even one second of delay in the "exec" module. It's bad. Alan DeKok/
participants (5)
-
Alan Buxey -
Alan DeKok -
Alejandro Cabrera Obed -
Enrico Polesel -
Leandro