freeradius auth in win AD
Matthew Newton
mcn4 at leicester.ac.uk
Thu Jun 16 16:04:32 CEST 2016
On Thu, Jun 16, 2016 at 02:19:47PM +0200, Zenon Matuszyk wrote:
...
> ++[mschap] returns noop
> ++[digest] returns noop
> [eap] EAP packet type response id 3 length 29
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [ldap] Entering ldap_groupcmp()
> [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local
> [files] expand: %{Stripped-User-Name} ->
> [files] ... expanding second conditional
> [files] expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
> [files] expand:
> (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (userPrincipalName=aa.aa at stud.wcc.domain.pl)
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
You should probably move the LDAP searches to later on in the
inner tunnel or post-auth to save hammering the LDAP server so
much.
> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> Found Auth-Type = EAP
> Warning: Found 2 auth-types on request for user 'aa.aa at stud.wcc.domain.pl'
This isn't good. Find out what is setting Auth-Type to ntlm_auth
and get rid of it. You're doing PEAP/EAP-MSCHAPv2 so Auth-Type
should be set to EAP (as the eap module does for you).
> [mschapv2] # Executing group from file
> /etc/freeradius-eduroam//sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
> [mschap] Told to do MS-CHAPv2 for aa.aa at stud.wcc.domain.pl with NT-Password
> [mschap] expand: %{Stripped-User-Name} ->
You've not got Stripped-User-Name...
> [mschap] ... expanding second conditional
> [mschap] expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
> [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} ->
> --username=aa.aa at stud.wcc.domain.pl
...so ntlm_auth is being called with User-Name, which is
aa.aa at stud.wcc.domain.pl.
It's likely it needs to be called with "aa.aa" instead - test by
calling ntlm_auth yourself on the command line to see what works.
Then set up Stripped-User-Name. In FreeRADIUS 3 you should be able
to call the "split_username_nai" policy to do this for you, or
otherwise either write your own unlang or use the realm (suffix)
module to split it off.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
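As an added illustration of the advice above (this is example code, not part of the original thread or of FreeRADIUS itself): a small POSIX shell script that splits an NAI-style User-Name into the bare username and realm, the same way the split_username_nai policy fills Stripped-User-Name and Stripped-User-Domain, and then builds the ntlm_auth command line the mschap module would run once the stripped name is in place. The user name is the constructed one from the debug output; the NetBIOS domain "WCC" and the password are assumed values for the manual test.

```shell
#!/bin/sh
# Added example: split an NAI User-Name (user@realm) the way the FreeRADIUS 3
# split_username_nai policy does, then build the ntlm_auth command line that the
# mschap module's --username=%{%{Stripped-User-Name}:-%{User-Name}} expansion
# would produce with Stripped-User-Name set. Sample name and domain are constructed.

# Stripped-User-Name equivalent: everything before the last '@'.
# A name without a realm is returned unchanged.
nai_user() {
    case "$1" in
        *@*) printf '%s\n' "${1%@*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Stripped-User-Domain equivalent: everything after the last '@', empty if none.
nai_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# Command line for a manual test on the RADIUS server, using the stripped name.
# $1 = User-Name as received, $2 = AD NetBIOS domain (assumed), $3 = password.
# --request-nt-key, --domain, --username and --password are real ntlm_auth options.
ntlm_auth_cmd() {
    printf 'ntlm_auth --request-nt-key --domain=%s --username=%s --password=%s\n' \
        "$2" "$(nai_user "$1")" "$3"
}

# Run ntlm_auth if it is installed (the command must be run as a user that can
# read the winbind privileged pipe, e.g. root or a member of the winbindd_priv
# group); otherwise just print the command that would be run. Note that the
# password is visible in the process list while the test runs.
try_ntlm_auth() {
    if command -v ntlm_auth >/dev/null 2>&1; then
        ntlm_auth --request-nt-key --domain="$2" \
            --username="$(nai_user "$1")" --password="$3"
    else
        printf 'ntlm_auth not found; would run: %s\n' "$(ntlm_auth_cmd "$1" "$2" "$3")"
    fi
}

# Constructed sample matching the debug output in the thread:
# try_ntlm_auth 'aa.aa@stud.wcc.domain.pl' 'WCC' 'secret'
```

If the bare "aa.aa" works on the command line but the full NAI does not, the fix on the FreeRADIUS side is to make Stripped-User-Name available before mschap runs: list the split_username_nai policy (or the realm/suffix module) in the inner-tunnel authorize section ahead of the mschap and eap entries, so that the `--username=%{%{Stripped-User-Name}:-%{User-Name}}` expansion shown in the debug output picks up the stripped name instead of falling through to User-Name.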