problems with machine authentication
wekz
fbl.list at gmail.com
Tue May 9 18:03:01 CEST 2006
Hello everybody,
last week I was working out a freeradius 1.1.1 + ldap with domain
authentication. I got it running with the help of Phil Mayers with this
configuration:
authorize {
preprocess
ntdomain
# other modules
}
realm MYDOMAIN {
type = radius
authhost = LOCAL
accthost = LOCAL
strip
}
But it didn't work until I enabled ntdomain_hack in the mschap module:
with_ntdomain_hack = yes
The truth is I don't understand it at all. Here's my thinking:
When someone who belongs to a domain tries to authenticate, Windows sends
in the request packet a string like:
MYDOMAIN\\username
In the authorization part, using the realm ntdomain, the server can strip
the User-Name and use only username so it can find it in ldap.
But when it comes to the authorization module it fails. Here's part of the
log:
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
...............
rad_recv: Access-Request packet from host 192.168.51.162:1024, id=50,
length=279
Acct-Session-Id = "2a6bb0b4-00000017"
NAS-Port = 8
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1496
Framed-IP-Address = 255.255.255.254
User-Name = "MYDOMAIN\\prueba_freeradius"
Calling-Station-Id = "00-04-23-8D-4B-0E"
Service-Type = Framed-User
EAP-Message =
0x02b1006c190017030100610d895f029ebe43af255559638cf1e7e9d0639a11e7d7dfec4a794bee5fbee0a2bf64947cd8a99ad354fa03d6a0913904068c58dd975f8a122a929bc477b2af67b8907c9a4c6a2765188e878ca77f07e45a5329a20fd473989289fdfe3c23eb646b
State = 0x908673323bd5eac7e882e906e316049f
Colubris-AVPair = "ssid=aamm"
Message-Authenticator = 0x8e2b19ea1dfd0d6f0f5b4c895f619818
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
modcall[authorize]: module "preprocess" returns ok for request 14
rlm_realm: Looking up realm "MYDOMAIN" for User-Name =
"MYDOMAIN\prueba_freeradius"
rlm_realm: Found realm "MYDOMAIN"
rlm_realm: Adding Stripped-User-Name = "prueba_freeradius"
rlm_realm: Proxying request from user prueba_freeradius to realm
MYDOMAIN
rlm_realm: Adding Realm = "MYDOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 14
radius_xlat:
'/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509'
rlm_detail:
/usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509
modcall[authorize]: module "auth_log" returns ok for request 14
modcall[authorize]: module "chap" returns noop for request 14
modcall[authorize]: module "mschap" returns noop for request 14
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "suffix" returns noop for request 14
rlm_eap: EAP packet type response id 177 length 108
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 14
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prueba_freeradius
radius_xlat: '(uid=prueba_freeradius)'
radius_xlat: 'ou=Central,dc=bcn,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter
(uid=prueba_freeradius)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value xxx & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user prueba_freeradius authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 14
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 14
modcall: leaving group authorize (returns updated) for request 14
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
0x02b100551a02b1005031d780cac8a727745249e57389beb21e6800000000000000004a4d93fb40b1108062905326a78ff4081fea67b75e569815004d59444f4d41494e5c7072756562615f66726565726164697573
PEAP: Setting User-Name to MYDOMAIN\prueba_freeradius
PEAP: Adding old state with dc 47
PEAP: Sending tunneled request
EAP-Message =
0x02b100551a02b1005031d780cac8a727745249e57389beb21e6800000000000000004a4d93fb40b1108062905326a78ff4081fea67b75e569815004d59444f4d41494e5c7072756562615f66726565726164697573
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "MYDOMAIN\\prueba_freeradius"
State = 0xdc47453244df028b4a9c81ff38a17be9
Acct-Session-Id = "2a6bb0b4-00000017"
NAS-Port = 8
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1496
Framed-IP-Address = 255.255.255.254
Calling-Station-Id = "00-04-23-8D-4B-0E"
Service-Type = Framed-User
Colubris-AVPair = "ssid=aamm"
NAS-IP-Address = 192.168.51.162
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
modcall[authorize]: module "preprocess" returns ok for request 14
rlm_realm: Looking up realm "MYDOMAIN" for User-Name =
"MYDOMAIN\prueba_freeradius"
rlm_realm: Found realm "MYDOMAIN"
rlm_realm: Adding Stripped-User-Name = "prueba_freeradius"
rlm_realm: Proxying request from user prueba_freeradius to realm
MYDOMAIN
rlm_realm: Adding Realm = "MYDOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 14
radius_xlat:
'/usr/local/radius_regex/var/log/radius/radacct/127.0.0.1/auth-detail-20060509'
rlm_detail:
/usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/radius_regex/var/log/radius/radacct/127.0.0.1/auth-detail-20060509
modcall[authorize]: module "auth_log" returns ok for request 14
modcall[authorize]: module "chap" returns noop for request 14
modcall[authorize]: module "mschap" returns noop for request 14
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "suffix" returns noop for request 14
rlm_eap: EAP packet type response id 177 length 85
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 14
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prueba_freeradius
radius_xlat: '(uid=prueba_freeradius)'
radius_xlat: 'ou=Central,dc=bcn,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter
(uid=prueba_freeradius)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value xxx & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user prueba_freeradius authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 14
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 14
modcall: leaving group authorize (returns updated) for request 14
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 14
rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2 for MYDOMAIN\prueba_freeradius with
NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 14
modcall: leaving group MS-CHAP (returns reject) for request 14
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 14
modcall: leaving group authenticate (returns reject) for request 14
auth: Failed to validate the user.
Login incorrect: [prueba_freeradius/<no User-Password attribute>] (from
client localhost port 8 cli 00-04-23-8D-4B-0E)
PEAP: Got tunneled reply RADIUS code 3
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
MS-CHAP-Error = "\261E=691 R=1"
EAP-Message = 0x04b10004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x8153428 3
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
MS-CHAP-Error = "\261E=691 R=1"
EAP-Message = 0x04b10004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 14
modcall: leaving group authenticate (returns handled) for request 14
Sending Access-Challenge of id 50 to 192.168.51.162 port 1024
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x01b200261900170301001b6c9a8c161b62aec589f4a4f92e58f4c76ec7ae250761970d9213c7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa18cd510394250c8136571f619e429e0
Finished request 14
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.51.162:1024, id=36,
length=209
Acct-Session-Id = "2a6bb0b4-00000017"
NAS-Port = 8
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1496
Framed-IP-Address = 255.255.255.254
User-Name = "MYDOMAIN\\prueba_freeradius"
Calling-Station-Id = "00-04-23-8D-4B-0E"
Service-Type = Framed-User
EAP-Message =
0x02b200261900170301001bd89d386a7c80dcf210c271671421915148555085d02e7c2a34149e
State = 0xa18cd510394250c8136571f619e429e0
Colubris-AVPair = "ssid=aamm"
Message-Authenticator = 0xacf972ea063d9318ee2b2dad1613cc3c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
rlm_realm: Looking up realm "MYDOMAIN" for User-Name =
"MYDOMAIN\prueba_freeradius"
rlm_realm: Found realm "MYDOMAIN"
rlm_realm: Adding Stripped-User-Name = "prueba_freeradius"
rlm_realm: Proxying request from user prueba_freeradius to realm
MYDOMAIN
rlm_realm: Adding Realm = "MYDOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 15
radius_xlat:
'/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509'
rlm_detail:
/usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509
modcall[authorize]: module "auth_log" returns ok for request 15
modcall[authorize]: module "chap" returns noop for request 15
modcall[authorize]: module "mschap" returns noop for request 15
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "suffix" returns noop for request 15
rlm_eap: EAP packet type response id 178 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prueba_freeradius
radius_xlat: '(uid=prueba_freeradius)'
radius_xlat: 'ou=Central,dc=bcn,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter
(uid=prueba_freeradius)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value xxx & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user prueba_freeradius authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 15
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 15
modcall: leaving group authorize (returns updated) for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in
this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 15
modcall: leaving group authenticate (returns invalid) for request 15
auth: Failed to validate the user.
Login incorrect: [prueba_freeradius/<no User-Password attribute>] (from
client ap port 8 cli 00-04-23-8D-4B-0E)
Delaying request 15 for 1 seconds
Finished request 15
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 36 to 192.168.51.162 port 1024
After reading the comments of with_ntdomain_hack, what I get is this: the
first time Windows sends the id, the User-Name = MYDOMAIN\\username, but
when it responds to the Access-Challenge the User-Name = username.
I wonder why the server expects MYDOMAIN\\username.
After the realm the server will only see User-Name = username in
ldap-authorization. And as Windows sends only username when replying to
the challenge, I thought the realm was not going to be applicable this
second time. So I think I don't understand this operation.
And as I don't understand it I can't work out a new configuration like:
freeradius 1.1.1 + ldap + machine authentication.
User-Name = host/username
I have tried it making a new realm with this configuration
radiusd.conf
realm hostdm {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
authorize {
preprocess
hostdm
# other modules
}
proxy.conf:
realm host {
type = radius
authhost = LOCAL
accthost = LOCAL
strip
}
But I got into the same situation as with ntdomain +
with_ntdomain_hack=no.
Then I tried with the hints file:
DEFAULT User-Name =~ "^([^/]+)/([^/]+)"
User-Name := `%{2}`
But the same. So I don't know what to do. Is there another feature like
with_ntdomain_hack for this?
I could put some logs if needed.
If there is something unintelligible please tell me, because my English is
terrible, as you can notice.
Thanks.
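As an added illustration (not code from the post or from FreeRADIUS), the Python below reproduces the RFC 2759 MS-CHAPv2 challenge hash that both sides compute, to show why the mschap module reports "MS-CHAP2-Response is incorrect" when it hashes MYDOMAIN\username while the Windows client hashed only username. The challenge bytes and names are constructed, and strip_nt_domain is a hypothetical stand-in for the stripping that with_ntdomain_hack performs.

```python
import hashlib

# Constructed sample values: the two 16-byte MS-CHAPv2 challenges, the bare account
# name from the post and the User-Name as the Windows supplicant sends it.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
BARE_USER = "prueba_freeradius"
WINDOWS_USER_NAME = "MYDOMAIN\\prueba_freeradius"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): the first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
    The spec feeds in only the user name, excluding any prefixed domain."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(username.encode("utf-8"))
    return sha.digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Hypothetical stand-in for with_ntdomain_hack: drop everything up to and
    including the NT domain delimiter, so 'MYDOMAIN\\user' becomes 'user'."""
    _domain, sep, user = user_name.rpartition("\\")
    return user if sep else user_name


def server_challenge_hash(user_name_attr: str, with_ntdomain_hack: bool) -> bytes:
    """Hash the server would use when checking the NT-Response for this User-Name."""
    name = strip_nt_domain(user_name_attr) if with_ntdomain_hack else user_name_attr
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)


def compare() -> dict:
    """The client hashed the bare name; report whether each server setting matches.
    A mismatch here fails the NT-Response check even when the password is right."""
    client_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, BARE_USER)
    return {
        "hack_off_matches": server_challenge_hash(WINDOWS_USER_NAME, False) == client_side,
        "hack_on_matches": server_challenge_hash(WINDOWS_USER_NAME, True) == client_side,
    }


if __name__ == "__main__":
    print(compare())  # prints {'hack_off_matches': False, 'hack_on_matches': True}
```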