FreeRADIUS and Active Directory
Dear all, I'm trying to setup my FreeRADIUS to verify user credentials from windows AD (at the moment I'm using users file). I have no experience in joining Linux based machine to windows domain, I had a look at few guides and found that the easiest way is to use "likewise-open". I've joined my radius server to the domain and noticed that likewise did not use samba's winbind or ntml_auth. Which according to wiki I've been reading is a must to enable authentication using AD. http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO Can I install winbind and samba manually, or should I start again and not use likewise-open at all? Thanks for your help! Tomas
Install samba and winbind. That's the proper way to pass auth to AD. Forget likewise-open. It works quite well the way that's documented in the wiki. You'll probably waste a lot of time doing it any other way. Mearl
-----Original Message----- From: freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius- users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Tomas Sent: Wednesday, February 18, 2009 6:06 AM To: FreeRadius users mailing list Subject: FreeRADIUS and Active Directory
Dear all,
I'm trying to setup my FreeRADIUS to verify user credentials from windows AD (at the moment I'm using users file). I have no experience in joining Linux based machine to windows domain, I had a look at few guides and found that the easiest way is to use "likewise-open". I've joined my radius server to the domain and noticed that likewise did not use samba's winbind or ntml_auth. Which according to wiki I've been reading is a must to enable authentication using AD.
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWT
O
Can I install winbind and samba manually, or should I start again and not use likewise-open at all?
Thanks for your help! Tomas
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for that, I'll get samba and winbind working from freeradius wiki. Cheers, Tomas On Wed, 2009-02-18 at 08:54 -0600, Danner, Mearl wrote:
Install samba and winbind. That's the proper way to pass auth to AD. Forget likewise-open.
It works quite well the way that's documented in the wiki. You'll probably waste a lot of time doing it any other way.
Mearl
Hi, I believe I did all I had to enable my freeradius server to chat to windows AD ########################################################## Kerberos: root@radius:/home/radius# kinit Administrator@AD.LAB.COM Password for Administrator@AD.LAB.COM: root@radius:/home/radius# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator@AD.LAB.COM Valid starting Expires Service principal 02/19/09 09:44:44 02/19/09 19:44:51 krbtgt/AD.LAB.COM@AD.LAB.COM renew until 02/20/09 09:44:44 Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached ########################################################## ntlm_auth: root@radius:/home/radius# ntlm_auth --request-nt-key --domain=AD.LAB.COM --username=Administrator password: NT_STATUS_OK: Success (0x0) ########################################################## I did changes to my FreeRADIUS configuration according http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (I had to change names of .pem files in eap.conf for my certificates) This is my eap.conf (less the comments and empty lines): eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/server.pem certificate_file = ${raddbdir}/certs/server.pem CA_file = ${raddbdir}/certs/ca.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random random_file = /dev/urandom } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } So here I am trying to authenticate using my AD username and the password and having no joy :( radiusd -X FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Jan 19 2009 at 13:48:26 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /home/radius/etc/raddb/radiusd.conf including configuration file /home/radius/etc/raddb/proxy.conf including configuration file /home/radius/etc/raddb/clients.conf including files in directory /home/radius/etc/raddb/modules/ including configuration file /home/radius/etc/raddb/modules/etc_group including configuration file /home/radius/etc/raddb/modules/files including configuration file /home/radius/etc/raddb/modules/expiration including configuration file /home/radius/etc/raddb/modules/detail.log including configuration file /home/radius/etc/raddb/modules/smbpasswd including configuration file /home/radius/etc/raddb/modules/chap including configuration file /home/radius/etc/raddb/modules/mschap including configuration file /home/radius/etc/raddb/modules/ippool including configuration file /home/radius/etc/raddb/modules/digest including configuration file /home/radius/etc/raddb/modules/radutmp including configuration file /home/radius/etc/raddb/modules/realm including configuration file /home/radius/etc/raddb/modules/attr_rewrite including configuration file /home/radius/etc/raddb/modules/echo including configuration file /home/radius/etc/raddb/modules/policy including configuration file /home/radius/etc/raddb/modules/mac2vlan including configuration file /home/radius/etc/raddb/modules/sql_log including configuration file /home/radius/etc/raddb/modules/preprocess including configuration file /home/radius/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /home/radius/etc/raddb/modules/krb5 including configuration file /home/radius/etc/raddb/modules/pam including configuration file /home/radius/etc/raddb/modules/wimax including configuration file /home/radius/etc/raddb/modules/linelog including configuration file /home/radius/etc/raddb/modules/always including configuration file /home/radius/etc/raddb/modules/exec including configuration file /home/radius/etc/raddb/modules/inner-eap including configuration file /home/radius/etc/raddb/modules/checkval including configuration file /home/radius/etc/raddb/modules/passwd including configuration file /home/radius/etc/raddb/modules/expr including configuration file /home/radius/etc/raddb/modules/perl including configuration file /home/radius/etc/raddb/modules/detail.example.com including configuration file /home/radius/etc/raddb/modules/pap including configuration file /home/radius/etc/raddb/modules/ldap including configuration file /home/radius/etc/raddb/modules/unix including configuration file /home/radius/etc/raddb/modules/detail including configuration file /home/radius/etc/raddb/modules/counter including configuration file /home/radius/etc/raddb/modules/sradutmp including configuration file /home/radius/etc/raddb/modules/attr_filter including configuration file /home/radius/etc/raddb/modules/mac2ip including configuration file /home/radius/etc/raddb/modules/logintime including configuration file /home/radius/etc/raddb/modules/acct_unique including configuration file /home/radius/etc/raddb/eap.conf including configuration file /home/radius/etc/raddb/sql.conf including configuration file /home/radius/etc/raddb/sql/mysql/dialup.conf including configuration file /home/radius/etc/raddb/sql/mysql/counter.conf including configuration file /home/radius/etc/raddb/policy.conf including files in directory /home/radius/etc/raddb/sites-enabled/ including configuration file /home/radius/etc/raddb/sites-enabled/inner-tunnel including configuration file /home/radius/etc/raddb/sites-enabled/default including dictionary file /home/radius/etc/raddb/dictionary main { prefix = "/home/radius" localstatedir = "/home/radius/var" logdir = "/home/radius/var/log/radius" libdir = "/home/radius/lib" radacctdir = "/home/radius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/home/radius/var/run/radiusd/radiusd.pid" checkrad = "/home/radius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.0.50 { require_message_authenticator = no secret = "testing123" shortname = "Procurve2824" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/home/radius/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/home/radius/etc/raddb/certs/server.pem" certificate_file = "/home/radius/etc/raddb/certs/server.pem" CA_file = "/home/radius/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/home/radius/etc/raddb/certs/dh" random_file = "/home/radius/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/home/radius/etc/raddb/users" acctusersfile = "/home/radius/etc/raddb/acct_users" preproxy_usersfile = "/home/radius/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/home/radius/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/home/radius/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/home/radius/etc/raddb/huntgroups" hints = "/home/radius/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/home/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/home/radius/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=145, length=219 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x0202000d0141445c746f6d6173 Message-Authenticator = 0x6284ee873372cae375d55f623802b513 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 145 to 192.168.0.50 port 1024 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a77313314b7c55c3e8534adf Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=146, length=304 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a77313314b7c55c3e8534adf EAP-Message = 0x0203005019800000004616030100410100003d0301499d286e3a35671559855ef2c8bef05802fabc183a42eb4b669d9e474e085ba900001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x46b2eaa942dba96799d4336312d6c698 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 146 to 192.168.0.50 port 1024 EAP-Message = 0x0104040019c00000089b160301002a020000260301499d286cdb1f8ce8a5fb2621e05e22740ec7ed76ffc6abf318cd00d5c16dc61f00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303131393134333032365a170d3130303131393134333032365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ad98162664ec45dd610f43757b3f3a8bb0b400ca026307492cf50ba142af109378da58248572a1236fa439be790fd3ef17c1b22b9503739d7c3bc56a2240 EAP-Message = 0xdf4fd855dfabba9ffe67ebc9ef0772e1036cc8fd8c275e0eae813442b6bf713746f7caa8af848002c6edfa5596eab50667945e95a7e7befaf1139d04ed6a453c062b1e4849b21597302c4c730ef9b69e6934d8336d607baf2c61b9cf544b58d2633d34804e705a1c675be9887f32e0d677317e3635c17f65c18bcd6c8b3033d351dfa77b36ea7feca91b41a707ca37452102f40a18a0832dcdc4cd8a5a2c01e4c8a62bdce1f0b886193c155ef4c8bbbf8ad66d51573c6eb0a21966d47ac9c1a5f4230203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100352858d2b93777f989 EAP-Message = 0x37da2562908c3391559a6f1bd9b0e41adef4c2cfc393c0b9668ceaf6df7227112867a48853e921a9da6783fda2614d07cc0b011a11b4feacb4b61d43628e2d2c4e95e747fa03849decf26051807a9e51136df5f81f698fe88f6d1a8ad5a2151ed4f45a8385e02cb9e3d3b10cd6103212d488d27126e8e6a974cc5c282813abd411657bf5be22f91dbc7a58d08237b38915736ed1f01ebb384f91eadda353743ca7d4e62b23e85e60d04c58c280dbea9cd505bf234cfaee1a0a51754954c9e3e6f7960d0a9a9f85243199d986671a1db32e5fcca17b62ce9bb1ff312500f1ffd8874de9fe53c828ec2a3fdb8a2e186a28c5b59c53dcce9b0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a67413314b7c55c3e8534adf Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=147, length=230 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a67413314b7c55c3e8534adf EAP-Message = 0x020400061900 Message-Authenticator = 0xaa295b159651be4a3e1a80fde7805ea7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 147 to 192.168.0.50 port 1024 EAP-Message = 0x010503fc19400094a001b5eb25441d300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303131393134333032365a170d3130303131393134333032365a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a987d28b942573bad6f47cc07eed6c6dcdad586632c29f838248874e1ad78ef744cf491992803212afca36a03f2a06be90c1da8bca6032b677a48dd26e6449d498b3e83d5569dca2b7a743fa3d96007884ed81616e0ad61f51dca6814fac86c6120d71ceddc0dd9798711b36dd8005 EAP-Message = 0x85a94e3cd2ab01503bd1f2a702e10d06aa6c16c62c0cefe59f96c89307137c5e1d5fce113e0c0da426c435f454f1e83437c48b74f52a68e67ab0236e1f63bcce0289f57d98147134ec577b2faa50155611f8280bd7a5768e09c2fccb6b2ad0d7050d44292c988df7e1571ce10baa2105ca2e553deab5ea75728e7b090aaf2918540d48769fdb597d2df70d6b1855ebfb690203010001a381fb3081f8301d0603551d0e0416041472880f64c1fc1753474b579032ea3663716e23543081c80603551d230481c03081bd801472880f64c1fc1753474b579032ea3663716e2354a18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090094a001b5eb25441d300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100699e12dabf9c108ba7200bee0c69f2ff01ac37886fdd207b3ccde9311f7684959ed3dfda0936a2781ac286612ef24d987159c2b28e9d756b53701e15967b73c3f82c8517cbfefa2d3e9ac1275e180c97ccbb EAP-Message = 0x5f8391f0cafc40c7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a57513314b7c55c3e8534adf Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=148, length=230 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a57513314b7c55c3e8534adf EAP-Message = 0x020500061900 Message-Authenticator = 0x34ca3ab594dd2c388a8df2f3da5faed6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 148 to 192.168.0.50 port 1024 EAP-Message = 0x010600b51900290a8a1becaa5f95acd275a8b07d4ce8e2b56745877efd21ca5cee0c39bd7e66d625688c05a22f43c49f90c057109d12adf008cfe513d4219f84bcd4e123caf1548e368bff658efb2f8c8c674a2e5ec896136ea044eeef99fd52220ecb2ee8192aeacb6bac2e30b29b670e2532924a6cd60dae38584514d46c38e550a52dd719060d7468bc87833fc6e65fba911ee8610e5ca515ecf58705dee114e2954fced9276ff4e6356f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a47613314b7c55c3e8534adf Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=149, length=546 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a47613314b7c55c3e8534adf EAP-Message = 0x020601401980000001361603010106100001020100575cf08b5efe3bfa2b102efb0ccb399c4342bf15303bcda0d80a24e279d3dd313a533bf8ea78b9c5b24c7d260ab666177e58e7c1aff14556f6fafa12206b50b5adf1f13fe7f5ec5e00829b8bee526b4bf5ef581d553c074759eb470f7a7cc565f48a14cef18ad00135bcf3b62960458c46e867f50d9edc063cf647eec87a752b75f4af5645330f7f053632f8b16f32987a90da3e59273e34d8a78dc788d0abe7a5673aafccd6b1ca9d45c1d54468cbdc3799c2e3cccc16711f6a0d003dd76d65aaf855fd7b548f48f11d6631461cbefc6e086929d1fac902eaf2e60b9956a0b72d4bef20b370d3b1 EAP-Message = 0x642d63cce135fa576f57f33de4bb616254ea741a3a8208811403010001011603010020f1391a72bcb5f269d5ada83203e8331fee69e6868c4a8d0d31943c7c6305ec99 Message-Authenticator = 0x1a1423af25e5958dee7cd9461c03528e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 149 to 192.168.0.50 port 1024 EAP-Message = 0x0107003119001403010001011603010020b495378da34cbeed0a1086ff1286b15a94a2192612e0c0297da1b7de831a43f9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a37713314b7c55c3e8534adf Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=150, length=230 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a37713314b7c55c3e8534adf EAP-Message = 0x020700061900 Message-Authenticator = 0x9eac8aa44c87e5f81ddbb063c1a035df +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 150 to 192.168.0.50 port 1024 EAP-Message = 0x01080020190017030100156326f7e95daa4403b150b4d521beb8d093cbd081e3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a27813314b7c55c3e8534adf Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=151, length=260 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a27813314b7c55c3e8534adf EAP-Message = 0x02080024190017030100193dd421cda8cc1de66a7b0b59210efb5ca9d83c3ff457175d04 Message-Authenticator = 0x691b308cd5d03042fefeac42e8e0f48d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 36 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - AD\tomas [peap] Got tunneled request EAP-Message = 0x0208000d0141445c746f6d6173 server { PEAP: Got tunneled identity of AD\tomas PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to AD\tomas Sending tunneled request EAP-Message = 0x0208000d0141445c746f6d6173 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "AD\\tomas" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry AD\tomas at line 206 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900221a0109001d106bec785af6d4a846f669bb11bc7e7f6141445c746f6d6173 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45c7e91c455641081f4392f87dbe9b5 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900221a0109001d106bec785af6d4a846f669bb11bc7e7f6141445c746f6d6173 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc45c7e91c455641081f4392f87dbe9b5 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 151 to 192.168.0.50 port 1024 EAP-Message = 0x010900391900170301002e6fca7a90a0460e344377af0758cf4bce22ea505a7d792f6205364e13335debd60d8c6db5cf055f9b3f63ba4f7c3d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a17913314b7c55c3e8534adf Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=152, length=314 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a17913314b7c55c3e8534adf EAP-Message = 0x0209005a1900170301004faad232040b1f6cccf41600b3a8dd5770d01f143ad5c343d50640de3f45460e946e6c6b801b5579f1cfe37c467deb86c87b4e34e1887859ebed92d93894b4d899c70d0d548e108231fe98af12711890 Message-Authenticator = 0x6343ce9f44b16b4a87de883a0f0d2906 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 90 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900431a0209003e312b850019e93cb20c529c6765c7a7797f0000000000000000c42c055a3b0f699414e441217450fc8c08739b1fdf908d0d0041445c746f6d6173 server { PEAP: Setting User-Name to AD\tomas Sending tunneled request EAP-Message = 0x020900431a0209003e312b850019e93cb20c529c6765c7a7797f0000000000000000c42c055a3b0f699414e441217450fc8c08739b1fdf908d0d0041445c746f6d6173 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "AD\\tomas" State = 0xc45c7e91c455641081f4392f87dbe9b5 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry AD\tomas at line 206 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 152 to 192.168.0.50 port 1024 EAP-Message = 0x010a00261900170301001bb96920ded224eba0158d4d22140428c0ef2269ff50fc41776ab22a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7700ab4a07a13314b7c55c3e8534adf Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=153, length=262 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "AD\\tomas" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0xa7700ab4a07a13314b7c55c3e8534adf EAP-Message = 0x020a00261900170301001bc2d3a7dd4ad6836c4a105f8303ad99757ed6a51e896ea183e104a1 Message-Authenticator = 0x3ac13246949bddb5666ab5a4b7b1e16b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> AD\tomas attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 153 to 192.168.0.50 port 1024 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 145 with timestamp +11 Cleaning up request 1 ID 146 with timestamp +11 Cleaning up request 2 ID 147 with timestamp +11 Cleaning up request 3 ID 148 with timestamp +11 Cleaning up request 4 ID 149 with timestamp +11 Cleaning up request 5 ID 150 with timestamp +11 Cleaning up request 6 ID 151 with timestamp +11 Cleaning up request 7 ID 152 with timestamp +11 Waking up in 0.9 seconds. Cleaning up request 8 ID 153 with timestamp +11 Ready to process requests. I am really new in this RADIUS business and would really appreciate if somebody could point me to the right direction. Thanks very much! Tomas
I believe I did all I had to enable my freeradius server to chat to windows AD
I did changes to my FreeRADIUS configuration according http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I have news for you - you haven't done any of this: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Con...
Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no *> with_ntdomain_hack = no* }
Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:
[mschapv2] +- entering group MS-CHAP {...} [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Server asks about the hack.
[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject
And it isn't using ntlm_auth. You have an updated manual (relevant to freeradius 2.x) at: http://deployingradius.com/documents/configuration/active_directory.html Ivan Kalik Kalik Informatika ISP
On Thu, 2009-02-19 at 11:33 +0100, tnt@kalik.net wrote:
I have news for you - you haven't done any of this:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Con...
Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no *> with_ntdomain_hack = no* }
Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:
[mschapv2] +- entering group MS-CHAP {...} [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Server asks about the hack.
[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject
And it isn't using ntlm_auth.
You have an updated manual (relevant to freeradius 2.x) at:
http://deployingradius.com/documents/configuration/active_directory.html
Ivan, thanks for pointing this out, I did not understand where do I need to configure mschap so I've just appended ntlm_auth and nt hack strings to the end of radiusd.conf, I've removed that now and updated modules/mschap file, when radius starts I can clearly see it now picks it up: Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username= %{Stripped-User-Name:-%{User-Name:-None}} --challenge= %{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } and it works!I authenticate My question now is, how do I login to AD using a new user that has never logged on to the box before? I'm getting an error saying domain AD unavailable, but if I use username that I used to login before 802.1x enforcement all is looking good... Thanks all for your help!
My question now is, how do I login to AD using a new user that has never logged on to the box before? I'm getting an error saying domain AD unavailable, but if I use username that I used to login before 802.1x enforcement all is looking good...
I am not sure what the problem is from your description. If it's complaining about the domain try using alternative for username - %{mschap:User-Name}. That is documented above the ntlm_auth line in mschap module. Try and see if that helps. Ivan Kalik Kalik Informatika ISP
On Thu, 2009-02-19 at 13:34 +0100, tnt@kalik.net wrote:
I am not sure what the problem is from your description. If it's complaining about the domain try using alternative for username - %{mschap:User-Name}. That is documented above the ntlm_auth line in mschap module. Try and see if that helps.
Ivan, Thanks for reply. My problem is that my windows box has no way of communicating with AD server to verify user credentials for initial login screen (reason for that is because switch port state is uncontrolled and no other but EAPOL traffic can pass through) Is there any way setting my windows box so that user gets authenticated against radius and then AD using single sign on without doing any hacks to MS GINA or stuff like that?
My problem is that my windows box has no way of communicating with AD server to verify user credentials for initial login screen (reason for that is because switch port state is uncontrolled and no other but EAPOL traffic can pass through) Is there any way setting my windows box so that user gets authenticated against radius and then AD using single sign on without doing any hacks to MS GINA or stuff like that?
What does Windows box have to do with this? Enable port based authentication (802.1x) on the switch. Set it to use freeradius integrated with AD. Switch will pass credentials to freeradius and it will pass them to AD. From what you are saying (only EAPOL can pass through the port) it is more-or-less set that way. Ivan Kalik Kalik Informatika ISP
On Feb 19, 2009, at 8:28 AM, Tomas wrote:
My problem is that my windows box has no way of communicating with AD server to verify user credentials for initial login screen (reason for that is because switch port state is uncontrolled and no other but EAPOL traffic can pass through) Is there any way setting my windows box so that user gets authenticated against radius and then AD using single sign on without doing any hacks to MS GINA or stuff like that?
Tomas, it sounds like you want the following behavior: 1.) machine boots up 2.) machine 802.1x authenticates, opening switch port for AD communication 3.) user enters credentials into OS login screen 4.) machine authenticates user against AD 5.) machine does a 802.1x re-auth with the user's credentials Windows does support this and (surprise) it actually works well. Assuming you're using the native Windows 802.1x supplicant and have the non-domain case working, you can get the above behavior by enabling the following options in the supplicant: (how you do this varies a bit across Windows versions) 'Authenticate as computer when computer information is available' 'Automatically use my Windows logon name and password (and domain if any)' Mike Loosbrock Bethel University Network Services 651-638-6723
On Thu, 2009-02-19 at 10:23 -0600, Mike Loosbrock wrote:
Tomas, it sounds like you want the following behavior:
1.) machine boots up 2.) machine 802.1x authenticates, opening switch port for AD communication 3.) user enters credentials into OS login screen 4.) machine authenticates user against AD 5.) machine does a 802.1x re-auth with the user's credentials
Windows does support this and (surprise) it actually works well. Assuming you're using the native Windows 802.1x supplicant and have the non-domain case working, you can get the above behavior by enabling the following options in the supplicant: (how you do this varies a bit across Windows versions)
'Authenticate as computer when computer information is available' 'Automatically use my Windows logon name and password (and domain if any)' Mike, Thanks for your mail, I was ticking all options and seeing what was on the output, now that you said it all makes sense. I was missing the step where machine authenticates to allow user to communicate with AD and then once user logged on it re authenticates using user credentials. I tried this option and radius does pick it up, this is the radiusd -X dump from when computer provides host credentials:
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=69, length=241 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x0202001801686f73742f5043312e61642e6c61622e636f6d Message-Authenticator = 0x776191bf1a6b8a58e704fcc7f112ed60 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 24 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 69 to 192.168.0.50 port 1024 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec0af9084d66de98b8605bce83 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=70, length=315 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec0af9084d66de98b8605bce83 EAP-Message = 0x0203005019800000004616030100410100003d0301499d8a5a7d404fc4ab8f844caf1a6187a856c227b0377058d45002bbdd6e2c1000001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x241c09d55aa981883ee4362b927d07de +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 70 to 192.168.0.50 port 1024 EAP-Message = 0x0104040019c00000089b160301002a020000260301499d8a58bba910884add8b8f1fe3e14750cad38df17838aea2ce7022e4beb19900000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303131393134333032365a170d3130303131393134333032365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ad98162664ec45dd610f43757b3f3a8bb0b400ca026307492cf50ba142af109378da58248572a1236fa439be790fd3ef17c1b22b9503739d7c3bc56a2240 EAP-Message = 0xdf4fd855dfabba9ffe67ebc9ef0772e1036cc8fd8c275e0eae813442b6bf713746f7caa8af848002c6edfa5596eab50667945e95a7e7befaf1139d04ed6a453c062b1e4849b21597302c4c730ef9b69e6934d8336d607baf2c61b9cf544b58d2633d34804e705a1c675be9887f32e0d677317e3635c17f65c18bcd6c8b3033d351dfa77b36ea7feca91b41a707ca37452102f40a18a0832dcdc4cd8a5a2c01e4c8a62bdce1f0b886193c155ef4c8bbbf8ad66d51573c6eb0a21966d47ac9c1a5f4230203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100352858d2b93777f989 EAP-Message = 0x37da2562908c3391559a6f1bd9b0e41adef4c2cfc393c0b9668ceaf6df7227112867a48853e921a9da6783fda2614d07cc0b011a11b4feacb4b61d43628e2d2c4e95e747fa03849decf26051807a9e51136df5f81f698fe88f6d1a8ad5a2151ed4f45a8385e02cb9e3d3b10cd6103212d488d27126e8e6a974cc5c282813abd411657bf5be22f91dbc7a58d08237b38915736ed1f01ebb384f91eadda353743ca7d4e62b23e85e60d04c58c280dbea9cd505bf234cfaee1a0a51754954c9e3e6f7960d0a9a9f85243199d986671a1db32e5fcca17b62ce9bb1ff312500f1ffd8874de9fe53c828ec2a3fdb8a2e186a28c5b59c53dcce9b0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec0bfe084d66de98b8605bce83 Finished request 1. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=71, length=241 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec0bfe084d66de98b8605bce83 EAP-Message = 0x020400061900 Message-Authenticator = 0x754b846a5d7bac3eca4db244a105c150 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 71 to 192.168.0.50 port 1024 EAP-Message = 0x010503fc19400094a001b5eb25441d300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303131393134333032365a170d3130303131393134333032365a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a987d28b942573bad6f47cc07eed6c6dcdad586632c29f838248874e1ad78ef744cf491992803212afca36a03f2a06be90c1da8bca6032b677a48dd26e6449d498b3e83d5569dca2b7a743fa3d96007884ed81616e0ad61f51dca6814fac86c6120d71ceddc0dd9798711b36dd8005 EAP-Message = 0x85a94e3cd2ab01503bd1f2a702e10d06aa6c16c62c0cefe59f96c89307137c5e1d5fce113e0c0da426c435f454f1e83437c48b74f52a68e67ab0236e1f63bcce0289f57d98147134ec577b2faa50155611f8280bd7a5768e09c2fccb6b2ad0d7050d44292c988df7e1571ce10baa2105ca2e553deab5ea75728e7b090aaf2918540d48769fdb597d2df70d6b1855ebfb690203010001a381fb3081f8301d0603551d0e0416041472880f64c1fc1753474b579032ea3663716e23543081c80603551d230481c03081bd801472880f64c1fc1753474b579032ea3663716e2354a18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090094a001b5eb25441d300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100699e12dabf9c108ba7200bee0c69f2ff01ac37886fdd207b3ccde9311f7684959ed3dfda0936a2781ac286612ef24d987159c2b28e9d756b53701e15967b73c3f82c8517cbfefa2d3e9ac1275e180c97ccbb EAP-Message = 0x5f8391f0cafc40c7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec08ff084d66de98b8605bce83 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=72, length=241 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec08ff084d66de98b8605bce83 EAP-Message = 0x020500061900 Message-Authenticator = 0x7200ea239f30f92d11b58c76655ad4fb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 72 to 192.168.0.50 port 1024 EAP-Message = 0x010600b51900290a8a1becaa5f95acd275a8b07d4ce8e2b56745877efd21ca5cee0c39bd7e66d625688c05a22f43c49f90c057109d12adf008cfe513d4219f84bcd4e123caf1548e368bff658efb2f8c8c674a2e5ec896136ea044eeef99fd52220ecb2ee8192aeacb6bac2e30b29b670e2532924a6cd60dae38584514d46c38e550a52dd719060d7468bc87833fc6e65fba911ee8610e5ca515ecf58705dee114e2954fced9276ff4e6356f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec09fc084d66de98b8605bce83 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=73, length=557 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec09fc084d66de98b8605bce83 EAP-Message = 0x0206014019800000013616030101061000010201002e446a1e1961458dd8e5acb4e19897d89de14c3158e19151e4509d6bb4dca4efa7e283033caa3019f9bf1afe77f99c1c536a8c2f75f2f8614e9e342c5a5e6dc0d029c80bfff7506597e02e0b3a0fe6f3fe046e7385c9b3e05051a35894ca657047a6062ad444a3f890fe9b1f9c7afbbe4d6a8433b3d559ce1b40d12f1f29011b37ef8e5cb8a414d3965aabc42e7de7ea728c9b22274dfaa023ab8b5ff86f6166afbbb7ce36e824718f0c3289ca940d0d14465ad08a78d0e766b230af25592c4598e26951d321c3d0fc0921eb108fa5199e534e226d4ae76ea264eedf266737c9232f6806b398a476 EAP-Message = 0xef755b865824774bb734b3c2f218a0ad56ae8eab81f7b98d1403010001011603010020c0f20daf8800695c5f253ff3ec26d5626dc59e775f59146cab0c6bc20acca753 Message-Authenticator = 0x3b50b4e11df88b6c16d59122cd3faaf9 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 73 to 192.168.0.50 port 1024 EAP-Message = 0x01070031190014030100010116030100202c741f5c88031ac271a7f0d07e7620d7d88bcd2ec486b8192b2c4819bfbe399d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec0efd084d66de98b8605bce83 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=74, length=241 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec0efd084d66de98b8605bce83 EAP-Message = 0x020700061900 Message-Authenticator = 0x836425394ba770ff12cb284673a5e7f4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 74 to 192.168.0.50 port 1024 EAP-Message = 0x01080020190017030100158ddb5d04f12d39356ecbda6080235bad81d9d8ec7d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec0ff2084d66de98b8605bce83 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=75, length=282 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec0ff2084d66de98b8605bce83 EAP-Message = 0x0208002f19001703010024983cfbd91304532cb0b0939d4d772c3e6c3d20d8b69de28f1f3cf4924ea0a7693c322c6b Message-Authenticator = 0x7f75ae3a85f1a2bdace3ca4bc5464379 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 47 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - host/PC1.ad.lab.com [peap] Got tunneled request EAP-Message = 0x0208001801686f73742f5043312e61642e6c61622e636f6d server { PEAP: Got tunneled identity of host/PC1.ad.lab.com PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to host/PC1.ad.lab.com Sending tunneled request EAP-Message = 0x0208001801686f73742f5043312e61642e6c61622e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/PC1.ad.lab.com" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 24 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0109002d1a0109002810f5213060b5e6a38d27ae3961f3d34ee0686f73742f5043312e61642e6c61622e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb08a8815b08392f63ecb6ffeec36b954 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0109002d1a0109002810f5213060b5e6a38d27ae3961f3d34ee0686f73742f5043312e61642e6c61622e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb08a8815b08392f63ecb6ffeec36b954 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 75 to 192.168.0.50 port 1024 EAP-Message = 0x0109004419001703010039f9c7f47443128903a5e5a22ede2d1aaec9668c2fd70d46c81b18a00c363273462985c798989290e6b211f69ff0403f525dafad780de72e1866 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec0cf3084d66de98b8605bce83 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=76, length=336 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec0cf3084d66de98b8605bce83 EAP-Message = 0x020900651900170301005a1b964fc1f42dc9e5bb99bf5516c1b7c4ce78e5beb05a42e9b322057dae200118db520386410c1c57e55d502731a8ddffcc1c7afca094ae7e096e19937333c547200c1aa9b9ceee4a7bc0620d5f9abe3dcd83f9247522c611cfbc Message-Authenticator = 0x2fa9e102cac1e2270c3f4e400ae6843e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 101 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0209004e1a0209004931a17d769cab8bd37e3959ebc65ebb59660000000000000000559d2b1923d94810ff460021cedd68b8f7781c6897efa07200686f73742f5043312e61642e6c61622e636f6d server { PEAP: Setting User-Name to host/PC1.ad.lab.com Sending tunneled request EAP-Message = 0x0209004e1a0209004931a17d769cab8bd37e3959ebc65ebb59660000000000000000559d2b1923d94810ff460021cedd68b8f7781c6897efa07200686f73742f5043312e61642e6c61622e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/PC1.ad.lab.com" State = 0xb08a8815b08392f63ecb6ffeec36b954 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 78 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for host/PC1.ad.lab.com with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=host/PC1.ad.lab.com [mschap] mschap2: f5 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ef47e24d23623e97 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=559d2b1923d94810ff460021cedd68b8f7781c6897efa072 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 76 to 192.168.0.50 port 1024 EAP-Message = 0x010a00261900170301001b0bfeccd328b5dc469dcf83e1b9d348eb615a7ac5bf99afb97bdc16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0afa11ec0df0084d66de98b8605bce83 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=77, length=273 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.50 NAS-Identifier = "HP ProCurve Switch 2824" User-Name = "host/PC1.ad.lab.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-11-0a-fe-a9-3f" Calling-Station-Id = "00-17-a4-4e-77-47" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x0afa11ec0df0084d66de98b8605bce83 EAP-Message = 0x020a00261900170301001b0e5f0e679c59798c9e65fd41ac3a3b0cf1fff77179ba6a12d58168 Message-Authenticator = 0x82b00465e77de1d0c986cc30f34fd571 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/PC1.ad.lab.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 77 to 192.168.0.50 port 1024 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 0 ID 69 with timestamp +63 Waking up in 0.1 seconds. Cleaning up request 1 ID 70 with timestamp +63 Cleaning up request 2 ID 71 with timestamp +63 Cleaning up request 3 ID 72 with timestamp +63 Cleaning up request 4 ID 73 with timestamp +63 Cleaning up request 5 ID 74 with timestamp +63 Cleaning up request 6 ID 75 with timestamp +63 Cleaning up request 7 ID 76 with timestamp +63 Waking up in 0.9 seconds. Cleaning up request 8 ID 77 with timestamp +63 Ready to process requests. Do I need to change my modules/mschap config? Currently I have: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Thanks ever so much for your help! Regards, Tomas
participants (4)
-
Danner, Mearl -
Mike Loosbrock -
tnt@kalik.net -
Tomas