machine authentication (was: Windows-Domain login without local users)
Michael Messner
michael.messner_edv at inode.at
Mon Nov 13 10:13:25 CET 2006
hey freeRADIUS users,
the testlab looks like
Windows 2003 (AD) <---> Freeradius <---> Enterasys switch/Cisco WLAN <--->
Linux/MS-Client
802.1x via PEAP works, so the next step is machine authentication to get
also a 802.1x Domain login.
like in this post
(http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-November/058021.html)
we have upgradet our releases:
Samba: Version 3.0.23c
FreeRADIUS Version 1.1.2
the supplicant is the original Windows supplicant and machine
authentication is activated.
Because we are working with the policy system from enterasys the normal
user authentication starts with a ldap request to the active directory for
group to policy mapping.
Therefore we have such user-entries:
DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local",
Huntgroup-Name == "enterasys", Realm == ISALAB.local
Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole",
Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}}
in the %{Realm} - Domain, there are no restrictions for you in
this
network",
Fall-Through = No
So there will be the LDAP request for the group adminrole and then it will
be sent to the switch with the above filter-ID.
This works good for user-auth, but with machine auth now there are
problems because I see the machine LDAP-request now for
host/it88.isalab.local and that fails:
=============================================
....
Nov 9 15:30:02 Xradius radius: rlm_ldap: object not found or got
ambiguous search result
Nov 9 15:30:02 Xradius radius: rlm_ldap::ldap_groupcmp: search failed
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_release_conn: Release Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: Entering ldap_groupcmp()
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Checking Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Got Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: object not found or got
ambiguous search result
Nov 9 15:30:02 Xradius radius: rlm_ldap::ldap_groupcmp: search failed
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_release_conn: Release Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: - authorize
Nov 9 15:30:02 Xradius radius: rlm_ldap: performing user authorization
for host/it88.isalab.local
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Checking Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_get_conn: Got Id: 0
Nov 9 15:30:02 Xradius radius: rlm_ldap: object not found or got
ambiguous search result
Nov 9 15:30:02 Xradius radius: rlm_ldap: search failed
Nov 9 15:30:02 Xradius radius: rlm_ldap: ldap_release_conn: Release Id: 0
Nov 9 15:30:02 Xradius radius: Login incorrect (rlm_ldap: User not
found): [host/it88.isalab.local/<no User-Password attribute>] (from client
enterasys port 31005 cli 00-04-75-18-1B-82)
Nov 9 15:30:20 Xradius radius: rad_recv: Access-Request packet from host
141.201.43.115:41722, id=8, length=167
Nov 9 15:30:20 Xradius radius: Sending Access-Reject of id 10 to
141.201.43.115 port 41721
Nov 9 15:30:20 Xradius radius: Reply-Message = "Authentication
failed ... no access"
Nov 9 15:30:20 Xradius radius: Sending Access-Reject of id 35 to
141.201.43.115 port 41720
Nov 9 15:30:20 Xradius radius: Reply-Message = "Authentication
failed ... no access"
Nov 9 15:30:20 Xradius radius: Message-Authenticator =
0x59025dcce5cd0abfa5433e98b7716282
Nov 9 15:30:20 Xradius radius: User-Name = "host/it88.isalab.local"
Nov 9 15:30:20 Xradius radius: NAS-IP-Address = 141.201.43.115
Nov 9 15:30:20 Xradius radius: Called-Station-Id =
"00-E0-63-93-75-B3"
Nov 9 15:30:20 Xradius radius: NAS-Port = 31005
Nov 9 15:30:20 Xradius radius: NAS-Port-Id = "fe.3.5"
Nov 9 15:30:20 Xradius radius: NAS-Port-Type = Ethernet
Nov 9 15:30:20 Xradius radius: Service-Type = Framed-User
Nov 9 15:30:20 Xradius radius: Calling-Station-Id =
"00-04-75-18-1B-82"
Nov 9 15:30:20 Xradius radius: EAP-Message =
0x0201001b01686f73742f697438382e6973616c61622e6c6f63616c
Nov 9 15:30:20 Xradius radius: Framed-MTU = 1300
=============================================
Then I've tested a bit with ntlm_auth:
16:11:57 Xradius /etc/raddb [root]ntlm_auth --request-key
--domain=ISALAB.LOCAL --username=host/it88.isalab.local
password:
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
... so I think this is the wrong request!
with:
16:12:38 Xradius /etc/raddb [root]ntlm_auth --request-key
--domain=ISALAB.LOCAL --username=it88$
password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
I get the wrong password, so I think this user/machine is available!
any ideas how to go on?!?
thanks mIke
More information about the Freeradius-Users
mailing list