FreeRADIUS +Active Directory + PAM

Jonathan van der Wat jonathan.vanderwatt at inet.co.za
Fri Jun 1 14:52:49 CEST 2012


Greetings list,

I am trying to configure PAM on my remote Linux servers to authenticate 
via FreeRADIUS to Active Directory. I have followed the instructions at 
http://deployingradius.com/documents/configuration/active_directory.html 
to the letter and am able to successfully run radtest against the 
FreeRADIUS server:

Running radtest -t mschap jonathanv /mypassword/ localhost 0 testing123 
returns the following:

rad_recv: Access-Request packet from host 127.0.0.1 port 57650, id=252, length=117
     User-Name = "jonathanv"
     NAS-IP-Address = 172.16.132.254
     NAS-Port = 0
     MS-CHAP-Challenge = 0x3ab2e0ada92d1a3b
     MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d868800a8540b1a1823945859c18d2596202279141f6daea
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "jonathanv", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]     expand: --username=%{mschap:User-Name:-None} -> --username=jonathanv
[mschap] No NT-Domain was found in the User-Name.
[mschap]     expand: %{mschap:NT-Domain} ->
[mschap]     ... expanding second conditional
[mschap]     expand: --domain=%{%{mschap:NT-Domain}:-MSAD} -> --domain=MSAD
[mschap]  mschap1: 3a
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3ab2e0ada92d1a3b
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=d868800a8540b1a1823945859c18d2596202279141f6daea
Exec-Program output: NT_KEY: 74910D7B290EDE12A3926DCD2EA68453
Exec-Program-Wait: plaintext: NT_KEY: 74910D7B290EDE12A3926DCD2EA68453
Exec-Program: returned: 0
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 252 to 127.0.0.1 port 57650
     MS-CHAP-MPPE-Keys = 0x000000000000000074910d7b290ede12a3926dcd2ea684530000000000000000
     MS-MPPE-Encryption-Policy = 0x00000001
     MS-MPPE-Encryption-Types = 0x00000006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 252 with timestamp +269
Ready to process requests.

However, now I would like to configure PAM on a test Linux (CentOS 6) 
box to authenticate Active Directory users (system-auth, password-auth 
and ssh) via the FreeRADIUS server. I have installed the pam_radius 
package from the EPEL repository on my test box and have configured the 
/etc/pam_radius.conf file like so:

172.16.132.254    /mypassword/    3

...172.16.132.254 being my FreeRADIUS server...

To test SSH authentication I have added the following line to the 
/etc/pam.d/sshd file:

auth       required     pam_radius_auth.so

On the FreeRADIUS server I have configured the following in clients.conf:

client 172.16.132.140 {
         secret = /mypassword/
         shortname = jonathan-c6
         nastype = other
}

...172.16.132.140 being the test box...

When attempting to ssh to the test box as an Active Directory user I 
receive the following debug output:

rad_recv: Access-Request packet from host 172.16.132.140 port 32768, id=12, length=95
     User-Name = "jonathanv"
     User-Password = "\010\n\r\177INCORRECT"
     NAS-IP-Address = 172.16.132.140
     NAS-Identifier = "sshd"
     NAS-Port = 4369
     NAS-Port-Type = Virtual
     Service-Type = Authenticate-Only
     Calling-Station-Id = "172.16.132.148"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jonathanv", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
   WARNING: Unprintable characters in the password.       Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> jonathanv
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 12 to 172.16.132.140 port 32768
Waking up in 4.9 seconds.
Cleaning up request 3 ID 12 with timestamp +1336
Ready to process requests.

From this output it's clear to me that neither MSCHAP nor any other 
Auth-Type, for that matter, is being used. I know I'm missing something 
here, but I'm really not sure what. Some advice would be much appreciated!

Greetings,

Jonathan
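The "Unprintable characters in the password" warning in the second debug output comes from how RADIUS hides User-Password (RFC 2865, section 5.2): the NAS XORs the password with MD5(secret + Request Authenticator), chained block by block, and the server reverses it with its own copy of the secret, so a secret mismatch yields random bytes. The following Python is an added illustration, not code from the post or from FreeRADIUS; the authenticator, secrets and plaintexts are constructed sample values.

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: NUL-pad the password to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % BLOCK)
    prev, out = authenticator, b""
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += block
        prev = block  # chaining uses the hidden block, not the plaintext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the keystream from the server's copy of the secret.
    A different secret gives a different keystream, so the result is random bytes."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # drop the NUL padding


def has_unprintable(password: bytes) -> bool:
    """The condition behind FreeRADIUS's 'Unprintable characters in the password'
    warning: any octet outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)


# Constructed sample values (not from the post): a fixed Request Authenticator and
# the secret configured on the NAS (the pam_radius.conf side).
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"nas-shared-secret"
# The placeholder OpenSSH hands to PAM when the login name is not a valid local
# account ("\b\n\r\177INCORRECT"); it contains control bytes by design.
SSHD_PLACEHOLDER = b"\x08\n\r\x7fINCORRECT"

def check(plain: bytes, server_secret: bytes) -> tuple:
    """Hide with the NAS secret, reveal with the server's secret (clients.conf side)
    and report (decoded bytes, would the warning fire, did it round-trip)."""
    hidden = hide_password(plain, NAS_SECRET, AUTHENTICATOR)
    decoded = reveal_password(hidden, server_secret, AUTHENTICATOR)
    return decoded, has_unprintable(decoded), decoded == plain
```

With a mismatched secret the decoded bytes are unreadable, whereas the post's output shows the readable word INCORRECT surrounded by control bytes, which is exactly OpenSSH's placeholder and fires the same warning even when both secrets match.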

