Authenticate via AD and via local "users" file
Hi everyone, I'm using a pfsense server as captive portal to authenticate users on my WiFi network. The captive portal is set to interrogate my freeradius server. My freeradius server can already authenticate users via my AD using winbind. I also need local account (via "users" file) to create some temporary "WiFi" account for guests. My problem is that it seems that when freeradius receive an mschap request, it only interrogate the AD and do not check the local "users" file : *Radtest output :* *root@radius:/etc/freeradius/3.0# radtest test hello localhost 0 testing123Sent Access-Request Id 221 from 0.0.0.0:55019 <http://0.0.0.0:55019> to 127.0.0.1:1812 <http://127.0.0.1:1812> length 74 User-Name = "test" User-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello"Received Access-Accept Id 221 from 127.0.0.1:1812 <http://127.0.0.1:1812> to 0.0.0.0:0 <http://0.0.0.0:0> length 20root@radius:/etc/freeradius/3.0# radtest -t mschap test hello localhost 0 testing123Sent Access-Request Id 57 from 0.0.0.0:45981 <http://0.0.0.0:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length 130 User-Name = "test" MS-CHAP-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" MS-CHAP-Challenge = 0x721c5f615cce85ee MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5Received Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to 0.0.0.0:0 <http://0.0.0.0:0> length 61 MS-CHAP-Error = "\000E=648 R=0 C=36f192b64ad8bf50 V=2"(0) -: Expected Access-Accept got Access-Reject* *freeradius -X output :* *1) Received Access-Request Id 57 from 127.0.0.1:45981 <http://127.0.0.1:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length 130(1) User-Name = "test"(1) NAS-IP-Address = 127.0.1.1(1) NAS-Port = 0(1) Message-Authenticator = 0x2ac9eeb221acb45d57e63c7670667269(1) MS-CHAP-Challenge = 0x721c5f615cce85ee(1) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(1) authorize {(1) policy filter_username {(1) if (&User-Name) {(1) if (&User-Name) -> TRUE(1) if (&User-Name) {(1) if (&User-Name =~ / /) {(1) if (&User-Name =~ / /) -> FALSE(1) if (&User-Name =~ /@[^@]*@/ ) {(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(1) if (&User-Name =~ /\.\./ ) {(1) if (&User-Name =~ /\.\./ ) -> FALSE(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(1) if (&User-Name =~ /\.$/) {(1) if (&User-Name =~ /\.$/) -> FALSE(1) if (&User-Name =~ /@\./) {(1) if (&User-Name =~ /@\./) -> FALSE(1) } # if (&User-Name) = notfound(1) } # policy filter_username = notfound(1) [preprocess] = ok(1) [chap] = noop(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'(1) [mschap] = ok(1) [digest] = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "test", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) eap: No EAP-Message, not doing EAP(1) [eap] = noop(1) files: users: Matched entry test at line 1(1) [files] = ok(1) [expiration] = noop(1) [logintime] = noop(1) pap: WARNING: Auth-Type already set. Not setting to PAP(1) [pap] = noop(1) } # authorize = ok(1) Found Auth-Type = mschap(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) authenticate {(1) mschap: Found Cleartext-Password, hashing to create NT-Password(1) mschap: Found Cleartext-Password, hashing to create LM-Password(1) mschap: Client is using MS-CHAPv1 with NT-Password(1) mschap: EXPAND %{mschap:User-Name}(1) mschap: --> testrlm_mschap (mschap): Reserved connection (0)(1) mschap: sending authentication request user='test' domain='lan.domain.tld'rlm_mschap (mschap): Released connection (0)rlm_mschap (mschap): Need 5 more connections to reach 10 sparesrlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending slots used(1) mschap: ERROR: No such user [0xC0000064](1) mschap: ERROR: Password has expired. User should retry authentication(1) [mschap] = reject(1) } # authenticate = reject(1) Failed to authenticate the user(1) Using Post-Auth-Type Reject(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) Post-Auth-Type REJECT {(1) attr_filter.access_reject: EXPAND %{User-Name}(1) attr_filter.access_reject: --> test(1) attr_filter.access_reject: Matched entry DEFAULT at line 11(1) [attr_filter.access_reject] = updated(1) [eap] = noop(1) policy remove_reply_message_if_eap {(1) if (&reply:EAP-Message && &reply:Reply-Message) {(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE(1) else {(1) [noop] = noop(1) } # else = noop(1) } # policy remove_reply_message_if_eap = noop(1) } # Post-Auth-Type REJECT = updated(1) Delaying response for 1.000000 secondsWaking up in 0.3 seconds.Waking up in 0.6 seconds.(1) Sending delayed response(1) Sent Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to 127.0.0.1:45981 <http://127.0.0.1:45981> length 61(1) MS-CHAP-Error = "\000E=648 R=0 C=36f192b64ad8bf50 V=2"Waking up in 3.9 seconds.(1) Cleaning up request packet ID 57 with timestamp +19* Does anyone has an idea how i can use both authentication methods (AD and "local") simultaneously ? Thanks in advance. Regards, *Benjamin Dupalut* Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr
On Feb 28, 2018, at 12:53 PM, DUPALUT, Benjamin <benjamin.dupalut@esiee.fr> wrote:
I'm using a pfsense server as captive portal to authenticate users on my WiFi network. The captive portal is set to interrogate my freeradius server.
My freeradius server can already authenticate users via my AD using winbind. I also need local account (via "users" file) to create some temporary "WiFi" account for guests.
How do you decide which one to use?
My problem is that it seems that when freeradius receive an mschap request, it only interrogate the AD and do not check the local "users" file :
Because you configured it to do that...
*Radtest output :*
Don't post that. Read this: http://wiki.freeradius.org/list-help
*freeradius -X output :*
With lots and lots of blank space, and debug output which is massively reformatted and unreadable. The short answer is that if you set a "known good" password for the user, and tell it to *not* use NTLM-Auth: bob Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := no Then the MS-CHAP module will do that. This is documented in the comments in raddb/mods-available/mschap. Please read that for further information. Alan DeKok.
Hi Alan, Thank you for your reply and your advices. It works now. Cordialement, *Benjamin Dupalut* Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr 2018-02-28 19:02 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Feb 28, 2018, at 12:53 PM, DUPALUT, Benjamin <benjamin.dupalut@esiee.fr> wrote:
I'm using a pfsense server as captive portal to authenticate users on my WiFi network. The captive portal is set to interrogate my freeradius server.
My freeradius server can already authenticate users via my AD using winbind. I also need local account (via "users" file) to create some temporary "WiFi" account for guests.
How do you decide which one to use?
My problem is that it seems that when freeradius receive an mschap request, it only interrogate the AD and do not check the local "users" file :
Because you configured it to do that...
*Radtest output :*
Don't post that. Read this: http://wiki.freeradius.org/list-help
*freeradius -X output :*
With lots and lots of blank space, and debug output which is massively reformatted and unreadable.
The short answer is that if you set a "known good" password for the user, and tell it to *not* use NTLM-Auth:
bob Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := no
Then the MS-CHAP module will do that.
This is documented in the comments in raddb/mods-available/mschap. Please read that for further information.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (2)
-
Alan DeKok -
DUPALUT, Benjamin