ntlm_auth and Server 2008 R2 (or, how to select a group for a proxied request)

Meyers, Dan d.meyers at lancaster.ac.uk
Thu Nov 26 17:53:42 CET 2009


Info (For the short version of what I need, skip to the last paragraph):

For a while now we've been running a stable solution for our wireless
system 802.1x auth involving FreeRADIUS. Specifically, when a client
tries to do a PEAP/MSCHAPv2 auth the eap module of FreeRADIUS
successfully negotiates and terminates the EAP tunnel, and the MSCHAPv2
data is extracted and then shelled out to ntlm_auth which talks to our
domain controllers (Windows Server 2003) to verify whether the MSCHAPv2
encoded password is correct for the given username.

This worked fine, right up until we upgraded our domain controllers to
Windows Server 2008 R2. Suddenly, ntlm_auth stopped talking to the DC.
The message we were getting back when we tried to auth (either via
radius or on the command line with a simple ntlm_auth
--username=<username> and then specifying the password at the prompt)
was NT_STATUS_PIPE_DISCONNECTED: Named pipe dicconnected (0xc00000b0).
wbinfo -u successfully gets a list of every user the DCs know about, so
we can still talk to them (This is on Samba 3.4.0, the latest on Ubuntu
Server 9.10).

As we couldn't seem to talk to the DC directly, we instead proxied to a
Windows Server 2003 RADIUS server which was on the domain, which then
terminated the EAP tunnel and queried the DC for the info we needed.
We'd rather not need this step, but it got around the ntlm_auth issues
we were having.

The problem now is that our authorize section in our inner-tunnel (used
when there is a PEAP connection) used the sql module to extract group
information from the user group table of the radius postgres database.
Thus we could return a radius key:value pair that would dump a user into
a group based on the returned result of the group_membership_query. As
we are now proxying the request instead of doing authorize ourselves,
this query is not getting run and every single user is ending up in the
default group. 'sql' as a module can't go into post-proxy, so I'm unsure
how to get this query to be run once the Windows server has returned OK
for a request. The Windows RADIUS server does not seem to have enough
functionality to get the group information we require.

So, I either need to work out what to do to ntlm_auth to make it play
nicely with Server 2008 R2 domain controllers for user verification, or
I need to work out how to get FreeRADIUS to do the group sql query and
add the relevant pairs before returning the result to the client after
it has got an Access-Accept from the Windows RADIUS server for the
request it proxied there. Has anyone got any experience of either of
these things?

Thanks in advance

Dan
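As an added illustration of the second option asked about (not part of the original post, and not a reply from the list): rlm_sql also provides the `%{sql:...}` string expansion, which can be used in any section of a virtual server, including post-proxy, unlike listing `sql` as a module. The snippet assumes FreeRADIUS 2.x unlang, the default `radusergroup` table (`username`, `groupname`, `priority`) of the stock PostgreSQL schema, and that the group name is returned in `Filter-Id`; all three are assumptions, not from the post.

```unlang
# Added example, not from the original post. Goes in the outer virtual
# server (sites-enabled/default) that proxies the request.
post-proxy {
    # Only act on an Access-Accept from the home (Windows) RADIUS server;
    # a reject or timeout is passed through untouched.
    if (proxy-reply:Packet-Type == Access-Accept) {
        update request {
            # %{sql:...} returns the first column of the first row, so order
            # by priority to get the highest-priority group. rlm_sql escapes
            # the expanded %{User-Name} according to its safe_characters rule
            # before running the query. Tmp-String-0 is a scratch attribute
            # from the FreeRADIUS internal dictionary.
            Tmp-String-0 := "%{sql:SELECT groupname FROM radusergroup WHERE username = '%{User-Name}' ORDER BY priority LIMIT 1}"
        }
        # No row (user in no group) yields an empty string; leave the reply
        # alone in that case so the client's default group still applies.
        if (Tmp-String-0 != "") {
            update reply {
                Filter-Id := "%{Tmp-String-0}"
            }
        }
    }
}
```

Whether this is enough depends on which reply attribute the wireless controller keys its groups on; the original setup returned whatever the group_membership_query mapped to, so that mapping has to be reproduced here by hand.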




More information about the Freeradius-Users mailing list