Exec and ntlm_auth

freeradius at corwyn.net freeradius at corwyn.net
Mon Nov 30 17:21:32 CET 2009 

At 11:13 PM 11/29/2009, freeradius at corwyn.net wrote:

A resummary:
Goal: Authenticate and Authorize users that telnet into the switches 
in Groups A and/or B based on their inclusion in a specific AD 
security group for A & B .

Environment:
CentOS 5.2  (IP 10.10.0.1)

freeradius2-2.1.7-2.el5
freeradius2-utils-2.1.7-2.el5
freeradius2-libs-2.1.7-2.el5
freeradius2-ldap-2.1.7-2.el5

Cisco switch running IOS 12.4 in subnet A (10.100.0.0/24)
Cisco switch running IOS 12.4 in subnet B (10.101.0.0/24)

windows Active Directory (example.com) with Security Groups A & B

Add to modules{} inradiusd.conf:
exec ntlm_auth {
                 wait = yes
                 program = "/usr/bin/ntlm_auth --request-nt-key 
--domain=example.com --username=%{mschap:User-Name} 
--password=%{User-Password}"
         }

Copy:
./raddb/sites-available/default to ./raddb/sites-available/server_A 
and link it to ./raddb/sites-enabled/server_A
./raddb/sites-available/default to ./raddb/sites-available/server_B 
and link it to ./raddb/sites-enabled/server_B

and then surround the contents of those files with
server server_A {..}
and
server server_B {..}
respectively

Add to the authenticate{} section of ./server_A and ./server_B :

ntlm_auth

Edit ./modules/ldap to:
ldap {
         server = "example.com"
         identity = "CN=user,OU=Enterprise,DC=example,DC=com"
         password = xxx
         basedn = "OU=Enterprise,DC=example,DC=com"
         filter = 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
         groupmembership_filter 
="(&(objectClass=group)(member=%{Ldap-UserDn}))"
         groupmembership_attribute = "memberOf"

         groupname_attribute = cn
         groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
         groupmembership_attribute = "memberOf"


...
}


Add to top of ./raddb/users:

DEFAULT     Ldap-Group == "UserGroup",Service-Type = 
NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"
DEFAULT     Auth-Type = ntlm_auth


Add to ./raddb/cilents.conf:
clients disambiguate {
client localhost {
         #  Allowed values are:
         #       dotted quad (1.2.3.4)
         #       hostname    (radius.example.com)
         ipaddr = 127.0.0.1

client Cisco_A {
         ipaddr = 10.101.0.0
         netmask = 24
         secret = testing123
         virtual_server = server_A
}
client Cisco_B {
         ipaddr = 10.100.0.0
         netmask = 24
         secret = testing123
         virtual_server = server_B
}


Add to the listen{} section of radiusd.conf:
clients = disambiguate


On the cisco switches A & B:

aaa new-model
aaa group server radius RAD
  server 10.10.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius line
aaa authentication enable default group radius enable
aaa authorization exec default group radius none
radius-server host 10.10.0.1 auth-port 1812 acct-port 1813 timeout 3
radius-server retransmit 2
radius-server key 7 encrypted-secret



that configuration still fails to authorize, even tho the output of 
radiusd -X looks like its working (sanitized)



rad_recv: Access-Request packet from host 10.100.0.8 port 1812, 
id=80, length=79
         NAS-IP-Address = 10.100.0.8
         NAS-Port = 1
         NAS-Port-Type = Virtual
         User-Name = "testuser"
         Calling-Station-Id = "10.100.0.5"
         User-Password = "password"
server server_cisco {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: OU=Enterprise,DC=example,DC=com -> 
OU=Enterprise,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details
[files]         expand: 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=testuser)(objectClass=person))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to example.com:389, authentication 0
rlm_ldap: bind as 
CN=_radiususer,OU=Enterprise,DC=example,DC=com/wxxxxx to example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter (&(sAMAccountname=testuser)(objectClass=person))
rlm_ldap: ldap_release_conn: Release Id: 0
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=CN\3dRick\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRickOU\3dUsers\2cOU\3dEnterprise\DC\3dexample\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter 
(&(cn=Infrastructure)(|(&(objectClass=GroupOfNames)(member=CN\3dRick\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
CN=Rick,OU=Enterprise,DC=example,DC=com, with filter (objectclass=*)
rlm_ldap: performing search in CN=Infrastructure,OU=Security 
Groups,OU=Enterprise,DC=example,DC=com, with filter (cn=Infrastructure)
rlm_ldap::ldap_groupcmp: User found in group Infrastructure
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details
[ldap]  expand: 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=testuser)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=example,DC=com -> 
OU=Enterprise,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter (&(sAMAccountname=testuser)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure 
that the user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING! No "known good" password found for the 
user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=testuser
[ntlm_auth]     expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
+- entering group post-auth {...}
++[exec] returns noop
} # server server_cisco
Sending Access-Accept of id 80 to 10.100.0.8 port 1812
Finished request 0.
Going to the next request
Waking up in 5.0 seconds.
Cleaning up request 0 ID 80 with timestamp +7
Ready to process requests.





If I removing authorization from the Cisco config to:
no aaa authorization exec default group radius none

and then I can log in.

At the top of ./users:
rsteeves   Cleartext-Password := "xxx"
            Service-Type = NAS-Prompt-User,
            cisco-avpair = "shell:priv-lvl=15"

also succeeds in logging in, so the issues are in ldap somewhere.


But I feel like I'm CLOSE.

More information about the Freeradius-Users mailing list