freeradius auth in win AD

Zenon Matuszyk zenon.matuszyk at networkers.pl
Mon Jun 27 12:10:54 CEST 2016
On 2016-06-16 at 16:04, Matthew Newton wrote:
> On Thu, Jun 16, 2016 at 02:19:47PM +0200, Zenon Matuszyk wrote:
> ...
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [eap] EAP packet type response id 3 length 29
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>>    [ldap] Entering ldap_groupcmp()
>> [files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
>> [files]         expand: %{Stripped-User-Name} ->
>> [files]         ... expanding second conditional
>> [files]         expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
>> [files]         expand:
>> (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
>> (userPrincipalName=aa.aa at stud.wcc.domain.pl)
>>    [ldap] ldap_get_conn: Checking Id: 0
>>    [ldap] ldap_get_conn: Got Id: 0
>>    [ldap] attempting LDAP reconnection
> You should probably move the LDAP searches to later on in the
> inner tunnel or post-auth to save hammering the LDAP server so
> much.
>
>
>> ++[pap] returns noop
>> Found Auth-Type = ntlm_auth
>> Found Auth-Type = EAP
>> Warning:  Found 2 auth-types on request for user 'aa.aa at stud.wcc.domain.pl'
> This isn't good. Find out what is setting Auth-Type to ntlm_auth
> and get rid of it. You're doing PEAP/EAP-MSCHAPv2 so Auth-Type
> should be set to EAP (as the eap module does for you).
>
>> [mschapv2] # Executing group from file
>> /etc/freeradius-eduroam//sites-enabled/inner-tunnel
>> [mschapv2] +- entering group MS-CHAP {...}
>> [mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
>> [mschap] Told to do MS-CHAPv2 for aa.aa at stud.wcc.domain.pl with NT-Password
>> [mschap]        expand: %{Stripped-User-Name} ->
> You've not got Stripped-User-Name...
>
>> [mschap]        ... expanding second conditional
>> [mschap]        expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
>> [mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} ->
>> --username=aa.aa at stud.wcc.domain.pl
> ...so ntlm_auth is being called with User-Name, which is
> aa.aa at stud.wcc.domain.pl.
OK, but I have this user:

DistinguishedName : CN=aa aa,CN=Users,DC=wcc,DC=local
GivenName         : aa
Name              : aa aa
ObjectClass       : user
SamAccountName    : s87030702814
Surname           : aa
UserPrincipalName : aa.aa at stud.wcc.domain.pl

and the UserPrincipalName is aa.aa at stud.wcc.domain.pl, and the login must be
aa.aa at stud.wcc.domain.pl.

This is auth for eduroam, and the SamAccountName is too short, and we must
use the UserPrincipalName.


>
> It's likely it needs to be called with "aa.aa" instead - test with
> calling ntlm_auth yourself on the command line to see what works.
>
> Then set up Stripped-User-Name. In FreeRADIUS 3 you should be able
> to call the "split_username_nai" policy to do this for you, or
> otherwise either write your own unlang or use the realm (suffix)
> module to split it off.
>
> Matthew
>
>

-- 
Z poważaniem / Yours sincerely
Zenon Matuszyk
mobile: 00 48 797 004 938
e-mail: zenon.matuszyk at networkers.pl
www: http://www.networkers.pl
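As an added example, not configuration from this thread or from the FreeRADIUS project defaults, here is what a FreeRADIUS 3 inner-tunnel could look like after following the advice above: split the NAI so that Stripped-User-Name holds the part before the "@", let the eap module set Auth-Type on its own, and push the LDAP lookup into post-auth. The ntlm_auth path, the NetBIOS domain name "WCC", the local realm entry and the exact module order are assumptions; the page only shows the debug output, not the poster's files.

```unlang
# Added example, not the poster's configuration. Assumes FreeRADIUS 3.x with
# the stock split_username_nai policy and a working winbind/ntlm_auth.

# mods-available/mschap (relevant settings only). Stripped-User-Name is tried
# first and User-Name is the fallback; with no Stripped-User-Name set, the
# full UPN "aa.aa@stud.wcc.domain.pl" is what ntlm_auth receives, which is
# exactly what the debug output above shows.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/inner-tunnel
server inner-tunnel {
	authorize {
		# Split "user@realm" into Stripped-User-Name / Stripped-User-Domain
		# before mschap runs, so the expansion above yields "aa.aa".
		split_username_nai

		# Alternative to the policy: the realm module. It only strips the
		# suffix when the realm is known from proxy.conf; a local realm is
		# declared with an empty block there:
		#   realm stud.wcc.domain.pl {
		#   }
		# and then "suffix" is used here instead of split_username_nai.

		mschap
		eap {
			ok = return
		}

		# Do not set Auth-Type anywhere for PEAP/EAP-MSCHAPv2; the eap
		# module sets Auth-Type = EAP itself. A leftover
		# "DEFAULT Auth-Type := ntlm_auth" entry in the users file is a
		# common source of the "Found 2 auth-types" warning and is the
		# first place to look (grep -r ntlm_auth raddb/).
		files
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}

	post-auth {
		# The ldap_groupcmp() in the debug output runs inside authorize on
		# every EAP round trip. A group or attribute lookup that only matters
		# for the final reply belongs here, after the password has been
		# verified, so a bad password does not cost an LDAP search.
		ldap
	}
}

# Manual check of what ntlm_auth actually accepts, run on the RADIUS host
# as suggested above (the NetBIOS domain "WCC" is assumed, not from the page):
#   ntlm_auth --request-nt-key --domain=WCC --username=aa.aa --password='...'
#   ntlm_auth --request-nt-key --username='aa.aa@stud.wcc.domain.pl' --password='...'
#   ntlm_auth --request-nt-key --domain=WCC --username=s87030702814 --password='...'
# Whichever form prints NT_STATUS_OK is the form the --username expansion has
# to produce. If only the sAMAccountName (s87030702814) works, stripping the
# realm is not enough: the UPN would have to be mapped to the sAMAccountName
# (for example from an LDAP attribute lookup) into Stripped-User-Name before
# mschap runs, which is beyond what the thread above covers.
```

The config is only useful if the command-line test confirms that ntlm_auth accepts "aa.aa" for this account; the thread does not establish that, which is why the manual check comes first.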