freeradius with NTLM authentication

Ramzi Abdallah rabdallah at hotmail.com
Fri Oct 22 08:12:48 CEST 2010


Thank you, Phil, for your reply.

"What is prompting here? How is the firewall asking the user for a
password? Is this web intercept?"
Exactly right: the firewall is prompting the user to authenticate using
its internal captive portal page.

What I am trying to achieve here is single sign-on with RADIUS
accounting, using the following scenario:
our users authenticate to the Windows domain, and when they try to
access the internet they hit a firewall-protected policy which
requires authentication. Now, instead of authenticating via the
firewall captive portal, I want to use NTLM to check if the user is
already authenticated on the AD and, if so, pass the authorization to
the RADIUS server for accounting.

The firewall has the option to do NTLM authentication on the protected
policy, but I am trying to fit RADIUS in as well for accounting
purposes.


Below is the debug output:

rad_recv: Access-Request packet from host 193.188.X.X port 5027,
id=40, length=126
        NAS-Identifier = "WAN-HA"
        User-Name = "rsa"
        User-Password = "**********"
        NAS-IP-Address = 193.188.X.X
        NAS-Port = 1
        Called-Station-Id = "193.188.X.X"
        Calling-Station-Id = "192.168.1.74"
        Acct-Session-Id = "0fa5011f"
        Connect-Info = "web-auth"
        Fortinet-Vdom-Name = "root"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log]      expand: %t -> Fri Oct 22 09:04:24 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rsa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 71
++[files] returns ok
[sql]   expand: %{User-Name} -> rsa
[sql] sql_set_user escaped user --> 'rsa'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'rsa'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'rsa'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User rsa not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=rsa
[ntlm_auth]     expand: --password=%{User-Password} -> --password=********
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsa/********@] (from client vdk-f-fgwan port 1 cli 192.168.1.74)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 40 to 193.188.X.X port 5027
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 193.188.X.X port 5028,
id=41, length=98
        Acct-Status-Type = Start
        Acct-Session-Id = "0fa5011f"
        User-Name = "rsa"
        NAS-Identifier = "VDK-F-FGWAN"
        Framed-IP-Address = 30.48.67.87
        Fortinet-Client-IP-Address = 192.168.1.74
        Fortinet-Vdom-Name = "root"
        Calling-Station-Id = "192.168.1.74"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.X.X,NAS-IP-Address
= 193.188.X.X,Acct-Session-Id = "0fa5011f",User-Name = "rsa"'
[acct_unique] Acct-Unique-Session-ID = "f774c3b998804d6a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "rsa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]        expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/193.188.X.X/detail-20101022
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/detail-20101022
[detail]        expand: %t -> Fri Oct 22 09:04:24 2010
++[detail] returns ok
++[unix] returns noop
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> rsa
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[sql]   expand: %{User-Name} -> rsa
[sql] sql_set_user escaped user --> 'rsa'
[sql]   expand: %{Acct-Delay-Time} ->
[sql]   ... expanding second conditional
[sql]   expand:            INSERT INTO radacct
(acctsessionid,    acctuniqueid,     username,              realm,
       nasipaddress,     nasportid,              nasporttype,
acctstarttime,    acctstoptime,              acctsessiontime,
acctauthentic,    connectinfo_start,              connectinfo_stop,
acctinputoctets,  acctoutputoctets,              calledstationid,
callingstationid, acctterminatecause,              servicetype,
framedprotocol,   framedipaddress,              acctstartdelay,
acctstopdelay,    xascendsessionsvrkey)           VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,
  '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0',
'0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
             '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} -> rsa
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 41 to 193.188.X.X port 5028
Finished request 1.
Cleaning up request 1 ID 41 with timestamp +123
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 40 with timestamp +123
Ready to process requests.
Regards,

Ramzi
On Fri, Oct 22, 2010 at 1:06 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 10/21/2010 10:40 PM, Ramzi Abdallah wrote:
>>
>> I have configured freeradius version 2.1.9 with mySQL backend and Active
>> Directory integration (NTLM) for the purpose of using it to authenticate
>> users against firewall protected policies.
>>
>>
>> So far it's all working. When a user hits a firewall-protected policy he
>> is prompted to authenticate, after which the RADIUS server queries the AD for the
>> username and password. If the user credentials are correct, access is
>> granted.
>
> What is prompting here? How is the firewall asking the user for a password?
> Is this web intercept?
>
> If so, then the NAS is the firewall, and when a user makes an HTTP request,
> it is asking for their credentials via some kind of HTTP auth, then sending
> them to the radius server, yes?
>
>
> Also, FreeRadius can't be "querying AD for the password". The LDAP server
> embedded into Active Directory will not give up the password. How have you
> got FreeRadius configured - be precise, or better yet, post the debug output
> of a successful request.
>
>>
>> The bit that I cannot figure out is how to let the RADIUS server use NTLM to
>> check if the user is already logged in to the domain controller and, if so,
>> not prompt him for his username and password via the firewall captive
>> portal. Is that doable, or did I miss the idea behind the Active Directory
>> integration?
>
> I'm not sure I really understand what you want, but if I do, it's
> impossible. If you can give more details about your setup I can answer
> further, but basically the firewall is doing the prompting - the firewall
> would have to implement NTLM auth, not FreeRadius.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
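Added example, not code from this thread or from FreeRADIUS: a small Python parser over `radiusd -X` output of the shape posted above. Per request it records which `Auth-Type` the authorize section selected, what that module (here `ntlm_auth`) returned, any module warnings (such as the missing `NAS-Port` that `acct_unique` and `radutmp` complain about) and the reply sent, then ties the accounting `Start` back to the `Access-Accept` through the shared `Acct-Session-Id`. The sample lines are constructed: the NAS address is a documentation address and the wrapped `rad_recv` header is joined onto one line.

```python
import re

# Constructed sample shaped like the radiusd -X output quoted above (NAS address made up).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 198.51.100.1 port 5027, id=40, length=126
        User-Name = "rsa"
        Acct-Session-Id = "0fa5011f"
Found Auth-Type = ntlm_auth
++[ntlm_auth] returns ok
Sending Access-Accept of id 40 to 198.51.100.1 port 5027
rad_recv: Accounting-Request packet from host 198.51.100.1 port 5028, id=41, length=98
        Acct-Status-Type = Start
        Acct-Session-Id = "0fa5011f"
        User-Name = "rsa"
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
"""
RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')

def parse_debug(text):
    """One dict per request: packet type, NAS, attributes, selected Auth-Type, its result, warnings, reply."""
    requests, cur = [], None
    for line in text.splitlines():
        if (m := RECV_RE.match(line)):
            cur = {"type": m[1], "nas": m[2], "id": int(m[3]), "attrs": {},
                   "auth_type": None, "auth_result": None, "warnings": [], "reply": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif (m := ATTR_RE.match(line)):
            cur["attrs"][m[1]] = m[2]
        elif line.startswith("Found Auth-Type = "):
            cur["auth_type"] = line.split(" = ", 1)[1]
        elif cur["auth_type"] and line.startswith(f"++[{cur['auth_type']}] returns "):
            cur["auth_result"] = line.rsplit(" ", 1)[1]   # ok / fail / reject ...
        elif "WARNING" in line:
            cur["warnings"].append(line.strip())
        elif line.startswith("Sending "):
            cur["reply"] = line.split()[1]                  # Access-Accept, Accounting-Response ...
    return requests

def sessions(requests):
    """Pair each accounting Start with the Access-Accept that carries the same Acct-Session-Id."""
    accepted = {r["attrs"].get("Acct-Session-Id"): r["auth_type"] for r in requests
                if r["type"] == "Access-Request" and r["reply"] == "Access-Accept"}
    return [{"session": r["attrs"]["Acct-Session-Id"], "user": r["attrs"].get("User-Name"),
             "authenticated_by": accepted.get(r["attrs"]["Acct-Session-Id"]),
             "acct_warnings": r["warnings"]}
            for r in requests if r["attrs"].get("Acct-Status-Type") == "Start"]
```

Run it over a real `radiusd -X` capture after joining the wrapped `rad_recv` header lines; a Start with `authenticated_by` of `None` means accounting arrived for a session that no Access-Accept in the capture vouched for.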