MSCHAP Authentication and LDAP Group Membership checking
kesm0724
kevin.smith at emp.shentel.com
Fri Sep 5 12:56:42 CEST 2008
Hello All,
I am very, very new to Freeradius (as well as Radius) ;) - disclaimer. We
are trying to move away from using IAS to Freeradius. We have approx. 50
switches/routers, which I have had no problem getting to work with
Freeradius, including group checking using LDAP.
The issue I have is getting our Cisco VPN Concentrator to authenticate users
who are in a certain Active Directory group. I have configured Samba to
join our domain - all that is working without issue. The problem apparently
is when logging in via the Cisco VPN client:
Here is my debug:
ad_recv: Access-Request packet from host 10.2.1.6 port 1059, id=83,
length=191
User-Name = "voila\\webtest"
NAS-Port = 1151
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "123.201.6.78"
Calling-Station-Id = "123.201.6.76"
Tunnel-Client-Endpoint:0 = "123.201.6.76"
MS-CHAP-Challenge = 0x0ebafb8a5ab6b2be73f9a983a6a3f5d3
MS-CHAP2-Response =
0x0000db98fa3162973c0f68121500631c0c8d00000000000000005808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
NAS-IP-Address = 10.2.1.6
NAS-Port-Type = Virtual
+- entering group authorize
++[preprocess] returns ok
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
expand: %t -> Thu Sep 4 17:55:54 2008
++[auth_log] returns ok
++[chap] returns noop
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
rlm_realm: No '@' in User-Name = "voila\webtest", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_realm: No '"' in User-Name = "voila\webtest", looking up realm NULL
rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
expand: dc=voila,dc=com -> dc=voila,dc=com
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=voila\5cwebtest)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=voila\5cwebtest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
expand: dc=voila,dc=com -> dc=voila,dc=com
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=voila\5cwebtest)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=voila\5cwebtest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for voila\webtest
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=voila\5cwebtest)
expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=voila\5cwebtest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for webtest with NT-Password
expand: --domain=%{mschap:NT-Domain} -> --domain=voila
expand: --username=%{mschap:User-Name} -> --username=webtest
mschap2: 0e
expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=dcdc37024aecaec1
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=5808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
Exec-Program output: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program-Wait: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 83 to 10.2.1.6 port 1059
MS-CHAP2-Success =
0x00533d31364230314341364638323331333730333334393432393943303539423539334346434433314336
MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 83 with timestamp +888
Ready to process requests.
It appears that MSCHAP is used to verify the password, but LDAP is not
properly checking the "VPN-Users" AD group. I believe it is not stripping
the domain portion off correctly, as I see the domain name appended to
(sAMAccountName=voila\5cwebtest)
My users File entries:
(The first entry I would like to be used by the concentrator to search the
group and if the user is a member allow them access - of course
authenticating the provided password)
DEFAULT LDAP-Group == "vpn-users"
        Fall-Through = Yes
This entry is for our network switches/routers - this appears to be working
without any issue.
DEFAULT LDAP-Group == "Radius-Admin"
        Service-Type = Login-User,
        cisco-avpair = "shell:priv-lvl=15",
        Fall-Through = Yes
If I login from my network devices it performs the ldap searches without
issue and authenticates/authorizes the user - You can see this below:
rlm_ldap: performing search in dc=voila,dc=com, with filter
(&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group vpn-users
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 178
rlm_ldap: Entering ldap_groupcmp()
expand: dc=voila,dc=com -> dc=voila,dc=com
expand:
(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))
->
(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 181
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zkms
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=zkms)
expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=zkms)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
rlm_ldap: user zkms authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zkms" with password "Omitted"
rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
rlm_ldap: (re)connect to control.voila.com:389, authentication 1
rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to
control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zkms authenticated succesfully
Thanks in advance for any pointers.....
--
View this message in context: http://www.nabble.com/MSCHAP-Authentication-and-LDAP-Group-Membership-checking-tp19321178p19321178.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
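The filters in the debug output above come from two authorize-stage behaviours: rlm_realm's ntdomain instance only splits DOMAIN\user into Realm and Stripped-User-Name when DOMAIN is a realm FreeRADIUS knows about (otherwise it returns noop, as the "No such realm" lines show), and rlm_ldap hex-escapes every value it substitutes into a search filter, which is why the backslash appears as \5c and the DN separators as \3d and \2c. The following Python is an added example written for this page, not FreeRADIUS source or the poster's configuration; it models both steps so the filters can be reproduced and tested offline. The allow-list in ldap_escape() is an assumption chosen to match the log (RFC 4515 only requires escaping of backslash, asterisk, parentheses and NUL, and the function always escapes at least those), and the realm lookup is assumed case-insensitive.

```python
"""Model of the FreeRADIUS authorize steps behind the debug output above.

Added example for this page, not FreeRADIUS source.  It re-implements:

  * rlm_realm "ntdomain" (format = prefix): DOMAIN\\user is split into
    Realm / Stripped-User-Name only when DOMAIN is a configured realm;
    otherwise the module returns noop and User-Name passes through.
  * rlm_ldap filter escaping: every substituted value is hex-escaped,
    so "voila\\webtest" becomes "voila\\5cwebtest" in the filter.
"""
from typing import FrozenSet, Optional, Tuple

# Assumed allow-list (letters, digits, '.', '-', '_'); everything else is
# escaped.  This is a superset of the RFC 4515 mandatory set  \ * ( ) NUL.
_SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_"
)


def ldap_escape(value: str) -> str:
    """Hex-escape each byte outside _SAFE as \\XX (lowercase hex)."""
    out = []
    for ch in value:
        if ch in _SAFE:
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def ntdomain_strip(user_name: str, known_realms: FrozenSet[str],
                   delimiter: str = "\\") -> Tuple[Optional[str], Optional[str]]:
    """Return (Stripped-User-Name, Realm), or (None, None) where rlm_realm
    would return noop: no delimiter in the name, or an unknown realm."""
    if delimiter not in user_name:
        return None, None                       # "looking up realm NULL"
    realm, _, user = user_name.partition(delimiter)
    if realm.lower() not in {r.lower() for r in known_realms}:
        return None, None                       # "No such realm" -> noop
    return user, realm


def user_search_filter(user_name: str, known_realms: FrozenSet[str]) -> str:
    """Expand (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})."""
    stripped, _realm = ntdomain_strip(user_name, known_realms)
    value = stripped if stripped is not None else user_name
    return "(sAMAccountName=%s)" % ldap_escape(value)


def group_membership_filter(group_cn: str, user_dn: str) -> str:
    """Build the group filter rlm_ldap uses for an LDAP-Group check,
    with both the group cn and the user's DN escaped."""
    dn = ldap_escape(user_dn)
    return ("(&(cn=%s)(|(&(objectClass=group)(member=%s))"
            "(&(objectClass=GroupOfNames)(member=%s))))"
            % (ldap_escape(group_cn), dn, dn))


if __name__ == "__main__":
    # Constructed inputs mirroring the post.  First: no realm "voila" is
    # configured, so the domain prefix stays in the filter (the failing case).
    print(user_search_filter("voila\\webtest", frozenset()))
    # Second: the same request once "voila" is a known realm.
    print(user_search_filter("voila\\webtest", frozenset({"voila"})))
    print(group_membership_filter("vpn-users",
                                  "CN=zkms,CN=Users,DC=voila,DC=com"))
    # A filter-injection attempt is escaped and cannot widen the search.
    print(user_search_filter("*)(objectClass=*", frozenset()))
```

The configuration-level equivalent of passing the realm set above is a `realm voila { }` entry in proxy.conf (in FreeRADIUS 2.x a realm with no auth_pool or acct_pool is handled locally), which lets the ntdomain instance populate Stripped-User-Name so the existing `%{Stripped-User-Name:-%{User-Name}}` filter searches for `webtest`. The ntdomain line in the log also names the delimiter character it looked for; it is worth confirming that the instance has `delimiter = "\\"` so that the backslash in the VPN client's user name is actually recognised.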