Freeradius How to integrate ActiveDirectory[ADIntegrationWindowsXP NTLM Tutorial]

darkblue darkblue2000 at gmail.com
Sat Dec 3 06:11:42 CET 2005


hey, guys
I have built up the whole environment and am very close to success, but I still have
a problem when the supplicant creates the TLS tunnel with the RADIUS server. The
following is the log:

  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 55
modcall: group authenticate returns invalid for request 55
auth: Failed to validate the user.

Any suggestions?
I have imported root.p12 into WinXP and copied all the certs from FreeRADIUS's
source package to /usr/local/etc/raddb/certs/


2005/12/3, freeradius-users-request at lists.freeradius.org
<freeradius-users-request at lists.freeradius.org>:
>
>
> Today's Topics:
>
>   1. Re: Freeradius How to integrate Active
>      Directory[ADIntegrationWindowsXP NTLM Tutorial] (Nicolas Baradakis)
>   2. Re: IPv6 Support (Nicolas Baradakis)
>   3. EAP/TLS Configuration - Addition (Madhuraka Godahewa)
>   4. Re: EAP/TLS Configuration - Addition (Zoltan Ori)
>   5. Re: Freeradius How to integrate Active
>      Directory[ADIntegrationWindowsXP NTLM Tutorial] (darkblue)
>   6. RE: Freeradius How to integrate Active Directory and return
>      group     attribute to VPN Concentrator (Alhagie Puye)
>   7. Re: Configuring a proxied and local authentication  (Alan DeKok)
>   8. RE: Freeradius How to integrate Active Directory [AD
>      Integration       WindowsXP NTLM Tutorial] (Bohannan, Chad W)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 2 Dec 2005 12:41:39 +0100
> From: Nicolas Baradakis <nbk at sitadelle.com >
> Subject: Re: Freeradius How to integrate Active
>        Directory[ADIntegrationWindowsXP NTLM Tutorial]
> To: darkblue <darkblue2000 at gmail.com>
> Cc: freeradius-users at lists.freeradius.org
> Message-ID: <20051202114139.GB7382 at asuka.tech.sitadelle.com>
> Content-Type: text/plain; charset=us-ascii
>
> darkblue wrote:
>
> > I have upgraded my libs, but when I execute dpkg-buildpackage -uc
> > -b (under root privilege), some errors show up:
> > .....
> > /bin/bash: line 1: dpatch: command not found
> > make: *** [unpatch] Error 127
> >
> > any idea?
>
> apt-get install dpatch
>
> --
> Nicolas Baradakis
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 2 Dec 2005 13:03:14 +0100
> From: Nicolas Baradakis <nbk at sitadelle.com>
> Subject: Re: IPv6 Support
> To: FreeRadius users mailing list
>        < freeradius-users at lists.freeradius.org>
> Message-ID: <20051202120314.GC7382 at asuka.tech.sitadelle.com>
> Content-Type: text/plain; charset=us-ascii
>
> Paulo Alexandre Caceres Ferreira wrote:
>
> > How I can test IPv6 Freeradius authentication?
> > You know any IPv6 RADIUS client to interact with Freeradius and perform
> an
> > IPv6 authentication?
>
> There is a program called "radclient" in the FreeRADIUS source tree.
>
> --
> Nicolas Baradakis
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 02 Dec 2005 19:53:09 -0800 (PST)
> From: Madhuraka Godahewa <maduraka at electroteks.com>
> Subject: EAP/TLS Configuration - Addition
> To: FreeRADIUS < freeradius-users at lists.freeradius.org>
> Message-ID: <1133581989.439116a523cff at mail-egn.electroteks.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Again,
>
> This email refers to the earlier email sent with the subject "EAP/TLS
> Configuration".
>
> After having some trouble with Windows XP and freeRADIUS, I was able
> to connect to the AP. But, in the configuration (Windows XP), I removed
> the check mark at 'Validate Server Certificate'. Then, suddenly, it
> started working.
>
> Does anybody know the reason for this?
>
>
> Further, after establishing the connection, I terminated the connection
> (by disabling the network connection). Then, I tried to connect again
> (by enabling). But, this time, the user machine connected to the AP
> automatically (without asking for the credentials). It seems like
> something has cached these entries.
>
> Does anybody know how to clear this cache?
>
>
> Thanking you.
>
>
> --------------------------------------------------------------------------------
> Madhuraka Godahewa
> Telecommunications Engineer
> Research and Development Unit
> Electroteks Global Networks (Pvt.) Ltd.
>
> Mobile: + 94-777-647055
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 2 Dec 2005 08:40:00 -0500
> From: Zoltan Ori <z.ori at morehead-st.edu>
> Subject: Re: EAP/TLS Configuration - Addition
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: < 200512020840.00682.z.ori at morehead-st.edu>
> Content-Type: text/plain;  charset="iso-8859-1"
>
> On Friday 02 December 2005 22:53, Madhuraka Godahewa wrote:
>
> > After having some trouble with Windows XP and freeRADIUS, I was able
> > to connect to the AP. But, in the configuration (Windows XP), I removed
> > the check mark at 'Validate Server Certificate'. Then, suddenly, it
> > started working.
> >
> > Does anybody know the reason for this?
> >
>
> You don't have a copy of the root certificate on the supplicant, or have
> not selected to use it?
>
> >
> > Further, after establishing the connection, I terminated the connection
> > (by disabling the network connection). Then, I tried to connect again
> > (by enabling). But, this time, the user machine connected to the AP
> > automatically (without asking for the credentials). It seems like
> > something has cached these entries.
> >
> > Anybody knows how to clear this cache?
> >
>
> It's in the registry under HKEY_CURRENT_USER\Software\Microsoft\EAPOL.
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 2 Dec 2005 23:12:15 +0800
> From: darkblue <darkblue2000 at gmail.com>
> Subject: Re: Freeradius How to integrate Active
>        Directory[ADIntegrationWindowsXP NTLM Tutorial]
> To: freeradius-users at lists.freeradius.org
> Message-ID: <2c8195ff0512020712m52aac54bl at mail.gmail.com >
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanks.
> I could not wait, so I compiled from the source tarball.
> I will try building the deb some time later. Anyway, thanks very much.
>
> 2005/12/2, Nicolas Baradakis < nbk at sitadelle.com>:
> > darkblue wrote:
> >
> > > I have upgraded my libs, but when I execute dpkg-buildpackage -uc
> > > -b (under root privilege), some errors show up:
> > > .....
> > > /bin/bash: line 1: dpatch: command not found
> > > make: *** [unpatch] Error 127
> > >
> > > any idea?
> >
> > apt-get install dpatch
> >
> > --
> > Nicolas Baradakis
> >
> >
>
>
> --
> He is nothing
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 2 Dec 2005 10:50:31 -0500
> From: "Alhagie Puye" < APuye at datawave.com>
> Subject: RE: Freeradius How to integrate Active Directory and return
>        group   attribute to VPN Concentrator
> To: "FreeRadius users mailing list"
>        < freeradius-users at lists.freeradius.org>
> Message-ID:
>        <6B865826E860EF42B3A387A03F39539606D7A0A9 at EX0004.AllstreamITS.local
> >
> Content-Type: text/plain;       charset="us-ascii"
>
> > >-----Original Message-----
> > >From: freeradius-users-bounces at lists.freeradius.org
> > >[mailto:freeradius-users-bounces at lists.freeradius.org] On
> > >Behalf Of Dusty Doris
> > >Sent: November 30, 2005 7:16 AM
> > >To: FreeRadius users mailing list
> > >Subject: RE: Freeradius How to integrate Active Directory
> > >and return group attribute to VPN Concentrator
> > >
> > >> Radiusd.conf:
> > >>
> > >>   filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rp
> > >>   tp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
> > >>
> > >> This works fine. However, I can't get it to return any replyItems. Has
> > >> anyone gotten this to work with Active Directory? All the docs I see
> > >> on the Net reference OpenLDAP. I'm sure there are a lot of folks out
> > >> there running Windows 2000/2003 Active Directory.
> > >>
> > >> I have spent a couple of days on this without having much luck. Here are a
> > >> few questions that would help me a bit.
> > >>
> > >> 1) Do I need groupname_attribute to get this to work?
> > >>
> > >> 2) What about groupmembership_filter and groupmembership_attribute?
> > >>
> > >> My ldap.attrmap looks like this:
> > >>
> > >> replyItem       Class                           groupofnames
> > >> replyItem       Class                           group
> > >>
> > >> I think the above is correct. Can some shed some light on this?
> > >
> > >Is group and groupofnames something that is an attribute of
> > >a user?  When freeradius searches for reply items it is
> > >searching for attributes of that user.
> > >
> > >eg:
> > >
> > >dn: cn=someuser,...
> > >group: somegroup
> > >
> > >Should then add
> > >
> > >Class = somegroup
> > >
> > >to the reply items.
> > >
> > >If you want to make reply items attached to a group, rather
> > >than to an individual, you will need to set the User-Profile attribute.
> > >
> > >For example,
> > >
> > >dn: cn=somegroup,ou=groups,...
> > >group: somegroup
> > >
> > >Then in the users file.
> > >
> > >DEFAULT Ldap-Group == somegroup, User-Profile :=
> > >"cn=somegroup,ou=groups,..."
> > >
> > >You may be able to do this dynamically using xlat or
> > >something like huntgroups too.  If you want an example, send
> > >us an example of a user and group from AD in ldif format and
> > >an example of a radius packet that you would expect in the
> > >reply and I'll see if I can come up with an idea for ya.
>
> I'm still waiting for some help with this... I have sent all the
> information that you requested.
> I have gotten it to return the group name, but it is also returning the
> username as well, and the username is returned after the group name. Is
> there a way to return just the group name?
> I really would like to resolve this issue once and for all.
>
> I'm really surprised that there are no folks on the list who have
> Active Directory users that they want to use to lock VPN users into
> groups on the VPN Concentrator. If there really aren't, I will put a
> howto together on this when I get it working and post it to the list.
>
> Here is my latest output:
>
> rlm_ldap: performing search in CN=itops,OU=Information
> Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave, with filter
> (cn=itops)
> rlm_ldap::ldap_groupcmp: User found in group itops
> rlm_ldap: ldap_release_conn: Release Id: 0
>    users: Matched entry DEFAULT at line 163
> modcall[authorize]: module "files" returns ok for request 1
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for apuye
> radius_xlat:  '(&(sAMAccountName=apuye)(objectclass=user))'
> radius_xlat:  'DC=corp,DC=van,DC=dwave'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter
> (&(sAMAccountName=apuye)(objectclass=user))
> rlm_ldap: performing search in CN=itops,ou=Information
> Technology,ou=Datawave Users,dc=corp,dc=van,dc=dwave, with filter
> (objectclass=group)
> rlm_ldap: Adding samaccountname as Class, value itops & op=11
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding samaccountname as Class, value apuye & op=11
> rlm_ldap: user apuye authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 1
> modcall: group authorize returns ok for request 1
> rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 1
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "apuye" with password "XXXXXXXXXXX"
> rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave
> Users,DC=corp,DC=van,DC=dwave
> rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 1
> rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave
> Users,DC=corp,DC=van,DC=dwave/XXXXXXXXXX to huckster.corp.van.dwave:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user apuye authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 1
> modcall: group Auth-Type returns ok for request 1
> Sending Access-Accept of id 4 to 10.99.1.50:1031
>        Class = 0x6170757965
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 4 with timestamp 438e98b2
> Nothing to do.  Sleeping until we see a request.
>
> Thanks,
> Alhagie.
> > >
> > >
> > >
> > >-
> > >List info/subscribe/unsubscribe? See
> > >http://www.freeradius.org/list/users.html
> > >
>
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 02 Dec 2005 12:16:46 -0500
> From: "Alan DeKok" <aland at ox.org>
> Subject: Re: Configuring a proxied and local authentication
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: < 20051202171647.EF63016CC1 at mail.nitros9.org>
>
> Samuel Degrande <Samuel.Degrande at lifl.fr> wrote:
> > I don't find a way to add a NAS-Identifier value inside the proxied
> > request, so that B server could check it...
>
> That's because the NAS didn't send it.  FreeRADIUS doesn't add one,
> so...
>
> > I tried:
> > <username> Proxy-To-Realm := <realm>, NAS-Identifier := <id>
> > and
> > <username> Proxy-To-Realm := <realm>, NAS-Identifier += <id>
>
> That won't work in the "users" file.  You have to set the
> NAS-Identifier in the preproxy_users file.
>
> > How to configure the A server so that if B rejects the request, then
> > A will check in a local user base (through pam) ?
>
> That's a little harder.  The server isn't designed to do that easily.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 2 Dec 2005 12:46:47 -0500
> From: "Bohannan, Chad W" <Chad_Bohannan at reyrey.com>
> Subject: RE: Freeradius How to integrate Active Directory [AD
>        Integration     WindowsXP NTLM Tutorial]
> To: "FreeRadius users mailing list"
>        < freeradius-users at lists.freeradius.org>
> Message-ID:
>        <7EA2A14F52A15A49807388D4A6AD624613619741 at OH18CL07VE1.reyrey.com >
> Content-Type: text/plain;       charset="us-ascii"
>
> We were able to move past this particular problem. For anyone who may
> have a similar issue...
>
> Port 512 (TCP & UDP, for the EZEC service) needs to be allowed in addition to
> the standard 137-139, 445 & 389. So if you are running TCP wrappers or
> iptables, make certain it is allowed...
>
> cheers
>
>
>
> -----Original Message-----
> From: Bohannan, Chad W
> Sent: Thursday, December 01, 2005 11:27 AM
> To: 'charles schwartz'; 'FreeRadius users mailing list'
> Subject: RE: Freeradius How to integrate Active Directory [AD
> Integration WindowsXP NTLM Tutorial]
>
>
>
> Hello,
> I am attempting to have FR authenticate administrative access
> for my Cisco gear against AD. The problem I am having is this: when I
> attempt to join the realm <<net ads join -U UID>>, the command appears
> successful and, from the AD side, the system has joined (visible in AD);
> however, the process hangs on the FR side. If I stop the process and
> reissue the command, I get the following output and the process again
> hangs:
>
> [2005/12/01 11:08:36, 0] libads/ldap.c:ads_add_machine_acct(1405)
> ads_add_machine_acct: Host account for rws-radius01 already exists -
> modifying old account
>
>
> <<ntlm_auth --request-nt-key --domain=mydomain --username= \myuid>>
>
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> (0xc00000da)
>
>
> <<wbinfo -a UID%PASSWD>>
>
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user UID%PASSWD with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> error messsage was: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Could not authenticate user UID with challenge/response
>
> I am sure there is something simple I have overlooked, but I am unable
> to find it at this point. Any suggestions would be much appreciated.
>
>
> Chad
>
> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
> charles schwartz
> Sent: Tuesday, November 22, 2005 11:28 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius How to integrate Active Directory [AD Integration
> WindowsXP NTLM Tutorial]
>
>
> Hi list,
>
> A lot of people on this list would like to integrate Active Directory
> with FreeRADIUS in order to provide a transparent user authentication
> login process.
>
> There are at least 2 ways to integrate AD: LDAP and NTLM.
> I've written a tutorial about how to do this with NTLM (winbind,
> ntlm_auth). The Windows supplicants are configured to work with PEAP and
> MSCHAPv2.
>
> You can download it from here:
> http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf
>
> Good luck!
>
> Regards,
> Charles Schwartz
>
>
>
> ------------------------------
>
>
>
>
> End of Freeradius-Users Digest, Vol 8, Issue 10
> ***********************************************
>



--
He is nothing
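The PEAP log in the first post above ends at "Had sent TLV failure, rejecting", which rlm_eap_peap logs once the tunnelled (inner) authentication has already failed and the supplicant acknowledges the failure TLV; the outer TLS tunnel itself was fine. As an added example (not code from anyone in this thread), this Python classifier runs those checks over a radiusd -X excerpt and reports how far the exchange got; the sample log is a trimmed copy of the one quoted above, and the stage and verdict names are my own.

```python
import re

# Constructed sample: the radiusd -X excerpt quoted in the first post, trimmed.
PEAP_LOG = """\
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established.  Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap:  Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 55
auth: Failed to validate the user.
"""

# Distinctive debug lines that mark how far a PEAP exchange got.
MARKERS = {
    "tls_done":    "rlm_eap_tls: Done initial handshake",
    "tunnel_up":   "rlm_eap_peap: Session established",
    "tlv_failure": "Had sent TLV failure",
    "eap_ok":      'module "eap" returns ok',
}

# Verdict names are my own; checked from the most advanced stage downwards.
VERDICTS = {
    "eap_ok":      "accepted",
    "tlv_failure": "inner_auth_failed",         # tunnel fine; the tunnelled method failed earlier
    "tunnel_up":   "tunnel_ok_then_failed",     # tunnel built, no TLV failure, still rejected
    "tls_done":    "tunnel_never_established",  # server finished, supplicant never completed
}

def classify_peap(log):
    """Return the outer TLS status, a verdict, and the EAP module result/request id."""
    lines = log.splitlines()
    seen = {name for name, needle in MARKERS.items()
            if any(needle in line for line in lines)}
    verdict = "no_tls_handshake"
    for stage in ("eap_ok", "tlv_failure", "tunnel_up", "tls_done"):
        if stage in seen:
            verdict = VERDICTS[stage]
            break
    m = re.search(r'module "eap" returns (\w+) for request (\d+)', log)
    return {
        "outer_tls_ok": "tls_done" in seen,
        "verdict": verdict,
        "eap_module_result": m.group(1) if m else None,
        "request": int(m.group(2)) if m else None,
    }

if __name__ == "__main__":
    print(classify_peap(PEAP_LOG))
```

When the verdict is inner_auth_failed, the lines to read are the ones before this excerpt, where the tunnelled method (MS-CHAPv2 via ntlm_auth in this setup) was processed.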
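For the rlm_ldap output Alhagie Puye quoted in message 6, this added Python helper (not from the thread) lists every reply item rlm_ldap mapped, in order, and decodes the Class attribute that was actually sent in the Access-Accept, which FreeRADIUS prints as hex: 0x6170757965 is "apuye", the user's sAMAccountName and the value mapped last, not the group name. The log excerpt is a trimmed copy of the quoted output; the function names are my own.

```python
import re

# Constructed sample: lines from the radiusd -X output quoted in message 6, trimmed.
LDAP_LOG = """\
rlm_ldap::ldap_groupcmp: User found in group itops
rlm_ldap: Adding samaccountname as Class, value itops & op=11
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding samaccountname as Class, value apuye & op=11
rlm_ldap: user apuye authorized to use remote access
Sending Access-Accept of id 4 to 10.99.1.50:1031
       Class = 0x6170757965
"""

# "rlm_ldap: Adding <ldap attr> as <radius attr>, value <v> & op=<n>"
ADD_RE = re.compile(r"rlm_ldap: Adding (\S+) as (\S+), value (\S+) & op=(\d+)")
# Attribute lines under "Sending Access-Accept" are indented: "<attr> = <value>"
SENT_RE = re.compile(r"^\s+(\S+) = (\S+)$", re.M)

def reply_items_added(log):
    """Every (ldap_attr, radius_attr, value) rlm_ldap mapped into the reply, in order."""
    return [(m.group(1), m.group(2), m.group(3)) for m in ADD_RE.finditer(log)]

def decode_value(raw):
    """FreeRADIUS prints octet-valued attributes as 0x...; turn that back into text."""
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:]).decode("latin-1")
    return raw

def attributes_sent(log):
    """Attributes in the Access-Accept that was actually sent, decoded."""
    return {m.group(1): decode_value(m.group(2)) for m in SENT_RE.finditer(log)}

def check_class_source(log):
    """Was the Class on the wire the group's value or the one mapped last (the user's)?"""
    added = [v for _, attr, v in reply_items_added(log) if attr == "Class"]
    sent = attributes_sent(log).get("Class")
    return {"added": added, "sent": sent,
            "sent_is_last_added": bool(added) and sent == added[-1]}

if __name__ == "__main__":
    print(check_class_source(LDAP_LOG))
```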