Freeradius and AD
Aniss Nazerian
aniss.nazerian at vxu.se
Tue Apr 20 10:00:58 CEST 2010
Hi,
I have a problem with authenticating users against an AD.
I'm connecting to a WPA2-Ent with PEAP and MS-CHAPv2
But it wont just work.
Any ideas?
freeradius is running in "SUSE enterprise 11-64bit"
Here is the output from "radiusd -f -X" (the relative parts)
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb
23 2009 at 21:43:09
...
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 2048
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "*****"
nastype = "other"
}
client ***** {
require_message_authenticator = no
secret = "*****"
shortname = "*****"
nastype = "other"
}
client ***** {
require_message_authenticator = no
secret = "*****"
shortname = "WLC-1"
nastype = "cisco"
}
client ***** {
require_message_authenticator = no
secret = "*****"
shortname = "WLC-2"
nastype = "cisco"
}
client ***** {
require_message_authenticator = no
secret = "*****"
shortname = "WLC-3"
nastype = "cisco"
}
client ***** {
require_message_authenticator = no
secret = "*****"
shortname = "*****"
}
client ***** {
require_message_authenticator = no
secret = "*****"
shortname = "*****"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
}
realm LOCAL {
}
realm NULL {
nostrip
authhost = LOCAL
accthost = LOCAL
}
realm XXX.YY {
authhost = LOCAL
accthost = LOCAL
}
realm student.XXX.YY {
authhost = LOCAL
accthost = LOCAL
}
home_server r1 {
ipaddr = *****
port = 1812
type = "auth+acct"
secret = "*****"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server r2 {
ipaddr = *****
port = 1812
type = "auth+acct"
secret = "*****"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server_pool e {
type = fail-over
home_server = r1
home_server = r2
}
realm DEFAULT {
pool = e
nostrip
}
radiusd: #### Instantiating modules ####
instantiate {
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--domain=%{%{mschap:NT-Domain}:-XXX.YY}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/XX.pem"
certificate_file = "/etc/raddb/certs/XX.pem"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = yes
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_sql_log
Module: Instantiating sql_log
sql_log {
path = "/var/log/radius/radacct/sql-relay"
Post-Auth = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', '%S');"
sql_user_name = "%{%{User-Name}:-DEFAULT}"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
...
[suffix] Looking up realm "XXX.YY" for User-Name = "XXX at XXX.YY"
[suffix] Found realm "XXX.YY"
[suffix] Adding Stripped-User-Name = "XXX"
[suffix] Adding Realm = "XXX.YY"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message =
0x020700481a0207004331e30f33d1e124710448204a6e25d9755400000000000000008df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e00616e6161646d406c6e752e7365
server (null) {
PEAP: Setting User-Name to XXX at XXX.YY
Sending tunneled request
EAP-Message =
0x020700481a0207004331e30f33d1e124710448204a6e25d9755400000000000000008df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e00616e6161646d406c6e752e7365
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "XXX at XXX.YY"
State = 0x6d8c88d76d8b92c17ae789947f3c59f7
Calling-Station-Id = "00-21-00-d1-4b-12"
Called-Station-Id = "00-27-0d-0b-73-30:e"
NAS-Port = 29
NAS-IP-Address = ******
NAS-Identifier = "WLC-03"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "402"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm "XXX.YY" for User-Name = "XXX at XXX.YY"
[suffix] Found realm "XXX.YY"
[suffix] Adding Stripped-User-Name = "XXX"
[suffix] Adding Realm = "XXX.YY"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for XXX at XXX.YY with NT-Password
[mschap] expand: %{Stripped-User-Name} -> XXX
[mschap] expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=XXX
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-XXX.YY} ->
--domain=XXX.YY
[mschap] mschap2: 4f
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=dfa47fd86ca54f4c
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=8df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e
Exec-Program output: NT_KEY: 2EBA93A16D9710267492F18DCECF976B
Exec-Program-Wait: plaintext: NT_KEY: 2EBA93A16D9710267492F18DCECF976B
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800331a0307002e533d33463938464544443536383339444238354239373630333137383231354144323643383837304239
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d8c88d76c8492c17ae789947f3c59f7
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800331a0307002e533d33463938464544443536383339444238354239373630333137383231354144323643383837304239
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d8c88d76c8492c17ae789947f3c59f7
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 146 to ****** port 32768
EAP-Message =
0x0108005b1900170301005059a0d3a675e31e8fc6d47fda4b7492977ebdc0452c0e942ba1b5551f62eacf262f6d53617f01affe37c82f4fc57a26b67e4b7a866ede35f70531f854cbb3ca25414eafac826012bf9f069e4d4304f358
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x61d6d78867dece39fc17cc5aff936f9d
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 140 with timestamp +281
Cleaning up request 1 ID 141 with timestamp +281
Cleaning up request 2 ID 142 with timestamp +281
Cleaning up request 3 ID 143 with timestamp +282
Cleaning up request 4 ID 144 with timestamp +282
Cleaning up request 5 ID 145 with timestamp +282
Cleaning up request 6 ID 146 with timestamp +282
Ready to process requests.
--
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail:aniss.nazerian at vxu.se
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
More information about the Freeradius-Users
mailing list