Hi list, I'm pretty sure this issue is straight forward but I've searched the list and cant come up with an answer. I'm usuing freeradius 2.19 on cent OS 5.5 Im trying to auth users from a NAC box (Bradford campus manager) against an AD domain using freeradius. All works fine when I point an AP at freeradius, but things fail when using our NAC to forward requests to FreeRadius. I suspect the problem is that the NAC is trying to use PAP, but im not sure how to really resolve the problem. Here are my logs: Ready to process requests. rad_recv: Access-Request packet from host 129.67.147.204 port 32960, id=174, length=78 User-Name = "SAMBA_TEST" User-Password = "password" NAS-Identifier = "pmbcm01.pmb.ox.ac.uk" NAS-IP-Address = 129.67.147.204 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/129.67.147.204/auth-detail-20110303 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/129.67.147.204/auth-detail-20110303 [auth_log] expand: %t -> Thu Mar 3 11:45:17 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "SAMBA_TEST", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for SAMBA_TEST [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=SAMBA_TEST)) [ldap] expand: cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK -> cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 129.67.147.225:389, authentication 0 rlm_ldap: bind as cn=samba,cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK/password to 129.67.147.225:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK, with filter (&(sAMAccountName=SAMBA_TEST)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user SAMBA_TEST authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> SAMBA_TEST attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 174 to 129.67.147.204 port 32960 Waking up in 4.9 seconds. Cleaning up request 0 ID 174 with timestamp + Cheers, Matt
On 03/03/11 11:52, Matt Langthorpe wrote:
Hi list,
I'm pretty sure this issue is straight forward but I've searched the list and cant come up with an answer.
I'm usuing freeradius 2.19 on cent OS 5.5
Im trying to auth users from a NAC box (Bradford campus manager) against an AD domain using freeradius.
All works fine when I point an AP at freeradius, but things fail when using our NAC to forward requests to FreeRadius. I suspect the problem is that the NAC is trying to use PAP, but im not sure how to really resolve the problem.
PAP requires a password or password hash from a database/ldap, or an external "oracle" (script or service) that checks the password. Your LDAP isn't telling FreeRadius the password: [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? ...so when the "pap" module runs: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. If you're using AD, the LDAP server will not (cannot) give you a password or password hash. You'll therefore need to use Samba & the "ntlm_auth" helper binary (in "plaintext" mode, not MSCHAP) to do this. In recent versions of FreeRadius there is a file defining an "exec" module: /etc/raddb/modules/ntlm_auth ...edit the "MYDOMAIN" in that file to the correct value, and you can use it like this: authorize { ... # everything else, then right at the end update control { # If Auth-Type isn't already set (i.e. "=" versus ":=") set it Auth-Type = ntlm_auth } } authenticate { Auth-Type ntlm_auth { ntlm_auth } } Obviously Samba & Winbind will need to be configured, installed and the radius server joined to the domain.
participants (2)
-
Matt Langthorpe -
Phil Mayers