Active Directory/freeradius/enterasys - combination
T.Robers at heidelberg.de
Tue Oct 13 13:21:22 CEST 2009
Hello,
I know there was a thread with the same subject 3 years ago, but in
addition we need mac-authentication (printers, ...), too.
The Mac-auth is ok:
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.255.101 port 49169,
id=98, length=158
User-Name = "00-13-20-73-D0-45"
Service-Type = Framed-User
Called-Station-Id = "00-1F-45-19-9C-68"
Calling-Station-Id = "00-13-20-73-D0-45"
NAS-Identifier = "D2_Zi31_Tom"
NAS-IP-Address = 172.16.255.101
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "ge.1.1"
User-Password = "hdpasswd"
Message-Authenticator = 0xc2baf30d011d595efa42357331abcc6c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] expand: %t -> Tue Oct 13 11:59:35 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00-13-20-73-D0-45", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "00-13-20-73-D0-45", looking up realm
NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 213
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "hdpasswd"
[pap] Using clear text password "hdpasswd"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00-13-20-73-D0-45/hdpasswd] (from client 172.16.255.101 port
1 cli 00-13-20-73-D0-45)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 172.16.255.101 port 49169
Framed-Filter-Id = "Enterasys:version=1:policy=Mitarbeiter"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 98 with timestamp +31
Ready to process requests.
Now I need a username/password auth against AD.
Ntlm-auth works very well.
If I activate ldap in /etc/raddb/modules:
rad_recv: Access-Request packet from host 172.16.255.101 port 49169,
id=191, length=167
User-Name = "DNT1\\testtom"
Service-Type = Framed-User
Called-Station-Id = "00-1F-45-19-9C-68"
Calling-Station-Id = "00-13-20-73-D0-45"
NAS-Identifier = "D2_Zi31_Tom"
NAS-IP-Address = 172.16.255.101
NAS-Port = 1
NAS-Port-Id = "ge.1.1"
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0x113208ad123411cced08469153aa8038
EAP-Message = 0x020600061900
Message-Authenticator = 0x27fe716e0b83c7d08f295275043550f4
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] expand: %t -> Tue Oct 13 13:16:13 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom"
[ntdomain] Found realm "DNT1"
[ntdomain] Adding Stripped-User-Name = "testtom"
[ntdomain] Adding Realm = "DNT1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.16.255.101 port 49169
EAP-Message =
0x010700b519003082a52b18d9963104cec8ab3f3ddc453b55e1519bcf57d5178ca7fbc8
1d20727b3d75c92c438dbafd9a5544e5443ad544f16869af57ef84883eebc730362387c9
e6357c18fcb15a8e862e2b6c2ea1871b8756414a7ba875ff9416143a5baf78b6a9f7c93d
c023f5edd6c8da55e646513482e5a39f9ccb7c480d68b7e965247b4accf8c1fa07b08368
80301de9e7058a5b891fd8f9e8443517e0eb83847723441ae98c447e7416030100040e00
0000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x113208ad153511cced08469153aa8038
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 187 with timestamp +63
Cleaning up request 2 ID 188 with timestamp +63
Cleaning up request 3 ID 189 with timestamp +63
Cleaning up request 4 ID 190 with timestamp +63
Cleaning up request 5 ID 191 with timestamp +63
Ready to process requests.
The server doesn't do ldap.
What is my mistake?
First the server should do an ntlm-auth and then check an ldap-group in
AD.
Version 2.1.6-rpm and CentOS 5.3.
Thank you
Tom
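An added configuration example for the setup asked about above (written for this thread, not taken from the original post or from FreeRADIUS's shipped config). The point it illustrates: with PEAP the outer server only ever sees EAP-TLS fragments (the debug output above ends at "Continuing tunnel setup" and never reaches ldap), so the ldap module has to run in the inner-tunnel virtual server, and the AD group check belongs after ntlm_auth has accepted the password. The domain controller, bind account, base DN and group DN are placeholders; FreeRADIUS 2.1.x syntax is assumed.

```unlang
# /etc/raddb/modules/ldap  (FreeRADIUS 2.1.x; server, bind DN, base DN are placeholders)
ldap {
    server = "dc1.dnt1.invalid"
    identity = "cn=radius-bind,cn=Users,dc=dnt1,dc=invalid"   # AD refuses anonymous search
    password = "BIND-PASSWORD-PLACEHOLDER"
    basedn = "dc=dnt1,dc=invalid"
    # AD keys accounts on sAMAccountName; ntdomain has already stripped "DNT1\"
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    # Group membership comes from the user's memberOf attribute (full group DNs)
    groupname_attribute = cn
    groupmembership_attribute = memberOf
}
# /etc/raddb/sites-available/inner-tunnel  (only the relevant sections shown)
server inner-tunnel {
    authorize {
        mschap        # MS-CHAPv2 inside PEAP: sets Auth-Type := MS-CHAP
        ntdomain      # DNT1\testtom -> Stripped-User-Name = testtom, Realm = DNT1
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        # ldap must run here, not in the default server: the outer request only
        # carries TLS fragments. 'files' is left out on purpose so the MAC-auth
        # DEFAULT entry with its shared password is never applied to AD users.
        ldap
        expiration
        logintime
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap    # mschap{} with ntlm_auth = ... (already working per the post)
        }
        eap
    }
    post-auth {
        # Group check only after ntlm_auth has accepted the password
        if (Ldap-Group == "cn=wlan-users,ou=Groups,dc=dnt1,dc=invalid") {
            update reply {
                Framed-Filter-Id := "Enterasys:version=1:policy=Mitarbeiter"
            }
        }
        else {
            reject
        }
    }
}
```

The Framed-Filter-Id set in the inner tunnel only reaches the switch if `use_tunneled_reply = yes` is set in the peap section of eap.conf. Run `radiusd -X` and look for the `server inner-tunnel` part of the debug output to see whether ldap and the group comparison are actually executed.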