FreeRadius proxy to MS-NPS for MSCHAPv2 authentication.
Jan Hugo Prins
jhp at jhprins.org
Wed May 16 13:16:18 CEST 2012
Hi Alan,
> Possibly. However, not all packets will contain such a username.
> They might be "anonymous".
>
> As always, read the debug output to be sure.
>
So far, all the packets going from the radius server to the DC contain
the user-name, and the packets coming from the Aruba to the radius server
also contain the username, so that seems to be ok for now.
>> If this is going to work my next problem is adding some things to
>> access-accept replies. I need to add:
>> Aruba-User-Vlan = <vlanid>
>> Aruba-User-Role = <authenticated-role>
> That's what the "post-proxy" section is for. Add the attributes there.
>
I found this and it indeed seems to work.
> Operator-Name. It's a standard attribute that MS doesn't understand
> properly. The solution is to (a) not proxy it, or (b) update the MS
> dictionaries.
I haven't seen this attribute yet, but I will keep my eye open for it.
The problem I'm now facing is that I don't seem to get any
authentication working. When I use radtest to test the whole radius
setup from radius server to DC I get the following which looks ok to me:
[root at radius01 ~]# radtest -x -t mschap user01 at poc.domain.fqdn xxxxxxxx
172.30.20.16 1812 aixiYax2Vee8pho0
Sending Access-Request of id 241 to 172.30.20.16 port 1812
User-Name = "user01 at poc.domain.fqdn"
NAS-IP-Address = 172.30.20.16
NAS-Port = 1812
MS-CHAP-Challenge = 0x57c171011e737fa4
MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000038394ec2dac9ab3d2e76d71779feccca5b80108550e82002
rad_recv: Access-Accept packet from host 172.30.20.16 port 1812, id=241,
length=175
Aruba-User-Vlan = 2268
Aruba-User-Role = "authenticated"
Class =
0x7e02069e0000013700010200c0a8c91600000000000000000000000001cd31e856b2bb200000000000000051
MS-CHAP-MPPE-Keys =
0x0000000000000000bd1380861c3ea33604446d6b3e05c99d57c171011e737fa4
MS-CHAP-Domain = "\000POC"
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
But when I try to do the same from my laptop trying to do 802.1x through
the Aruba it works fine authenticating directly to my radius server /
openldap combination but proxying to the AD fails. I have attached the
logfiles of the radius server.
On the AD I get an error in the eventlog telling the following:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/16/2012 12:53:50 PM
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC01.poc.philips.bb
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: POC\user01
Account Name: user01 at poc.domain2.fqdn
Account Domain: POC
Fully Qualified Account Name: POC\user01
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.30.27.1
NAS IPv6 Address: -
NAS Identifier: 172.30.27.1
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: Radius01
Client IP Address: 172.30.20.16
Authentication Details:
Connection Request Policy Name: Use Windows authentication for
all users
Network Policy Name: Aruba authentication
Authentication Provider: Windows
Authentication Server: DC01.poc.domain2.fqdn
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system
event log for additional information.
Does anyone have an idea what problem I'm facing here?
Jan Hugo Prins
Attachment: radiusd.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120516/8629de51/attachment-0001.ksh>
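As an added example (not part of the original post, and not FreeRADIUS or NPS code), here is a small Python decoder for the MS-CHAP attribute values that radtest printed above, following the attribute layouts in RFC 2548. The hex strings are copied from the radtest output in the message; the function and class names are my own. It goes slightly beyond the page by also decoding the MS-CHAP2-Response layout, which is useful for comparison: the radtest run shows the v1 attribute (MS-CHAP-Response with an 8-octet MS-CHAP-Challenge), while the NPS event for the 802.1X attempt records Authentication Type EAP, so the two tests do not exercise the same authentication path.

```python
import codecs
from dataclasses import dataclass
from typing import Tuple

# Values copied from the radtest output quoted in the message above.
# The decoding logic below is added here; it follows RFC 2548
# (2.1.3 MS-CHAP-Response, 2.1.6 MS-CHAP-Domain, 2.3.2 MS-CHAP2-Response).
MSCHAP_CHALLENGE = "0x57c171011e737fa4"
MSCHAP_RESPONSE = (
    "0x0001"
    "000000000000000000000000000000000000000000000000"   # 24-octet LM-Response (all zero)
    "38394ec2dac9ab3d2e76d71779feccca5b80108550e82002"   # 24-octet NT-Response
)
MSCHAP_DOMAIN = r"\000POC"   # as FreeRADIUS prints it: octal escape for the Ident byte


def _unhex(value: str) -> bytes:
    """Strip the 0x prefix FreeRADIUS prints and return the raw octets."""
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)


@dataclass
class MsChapResponse:
    """MS-CHAP-Response (v1): Ident(1), Flags(1), LM-Response(24), NT-Response(24)."""
    ident: int
    flags: int
    lm_response: bytes
    nt_response: bytes


@dataclass
class MsChap2Response:
    """MS-CHAP2-Response: Ident(1), Flags(1), Peer-Challenge(16), Reserved(8), Response(24)."""
    ident: int
    flags: int
    peer_challenge: bytes
    nt_response: bytes


def decode_mschap_response(hexvalue: str) -> MsChapResponse:
    raw = _unhex(hexvalue)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 octets, got {len(raw)}")
    return MsChapResponse(raw[0], raw[1], raw[2:26], raw[26:50])


def decode_mschap2_response(hexvalue: str) -> MsChap2Response:
    raw = _unhex(hexvalue)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(raw)}")
    # raw[18:26] is the 8-octet Reserved field and is intentionally skipped.
    return MsChap2Response(raw[0], raw[1], raw[2:18], raw[26:50])


def decode_mschap_domain(escaped: str) -> Tuple[int, str]:
    """MS-CHAP-Domain: one Ident octet followed by the domain string."""
    text = codecs.decode(escaped, "unicode_escape")
    if not text:
        raise ValueError("MS-CHAP-Domain must carry at least the Ident octet")
    return ord(text[0]), text[1:]


def summarize_radtest_mschap(challenge_hex: str, response_hex: str, domain_escaped: str) -> dict:
    """Collect the facts a practitioner checks when reading a radtest MS-CHAP exchange."""
    challenge = _unhex(challenge_hex)
    resp = decode_mschap_response(response_hex)
    domain_ident, domain = decode_mschap_domain(domain_escaped)
    return {
        # 8 octets means the v1 challenge; MS-CHAPv2 uses a 16-octet challenge.
        "challenge_octets": len(challenge),
        "ident": resp.ident,
        # Flags bit 0 set: the NT-Response is in use and LM-Response is to be ignored.
        "uses_nt_response": bool(resp.flags & 1),
        "lm_response_empty": resp.lm_response == bytes(24),
        "nt_response_hex": resp.nt_response.hex(),
        "domain": domain,
        # The reply's MS-CHAP-Domain Ident should match the request's Ident.
        "domain_ident_matches": domain_ident == resp.ident,
    }


if __name__ == "__main__":
    for key, value in summarize_radtest_mschap(MSCHAP_CHALLENGE, MSCHAP_RESPONSE, MSCHAP_DOMAIN).items():
        print(f"{key}: {value}")
```

Running it on the page's values confirms the request carried an 8-octet challenge, Ident 0, flags 1 (NT-Response only, LM-Response zeroed) and that the Access-Accept's MS-CHAP-Domain Ident matches the request. A capture from the Aruba path would be decoded with whichever of the two functions matches the attribute name in the debug output.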