authenticate Cisco devices against AD via Freeradius
aquilinux
aquilinux at gmail.com
Wed Sep 21 17:07:07 CEST 2016
Thanks for your reply, Alan, it was trivial...
BTW, even if the RADIUS server answers with an Access-Accept, the NAS is rejecting
with "authorization failed".
From Radius:
Ready to process requests
(0) Received Access-Request Id 73 from 192.168.105.222:1812 to 172.20.2.199:1812 length 80
(0) NAS-IP-Address = 192.168.105.222
(0) NAS-Port = 1
(0) NAS-Port-Type = Virtual
(0) User-Name = "testrad"
(0) Calling-Station-Id = "172.20.17.151"
(0) User-Password = "testrad123"
(0) # Executing section authorize from file
/usr/etc/raddb/sites-enabled/vr-test-netdev
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /usr/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /usr/var/log/radius/radacct/192.168.105.222/auth-detail-20160921
(0) auth_log: /usr/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/var/log/radius/radacct/192.168.105.222/auth-detail-20160921
(0) auth_log: EXPAND %t
(0) auth_log: --> Wed Sep 21 17:04:02 2016
(0) [auth_log] = ok
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=EA-MILANO --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-486643733-1688716086-2075228900-512:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth: --> --username=testrad
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth: --> --password=testrad123
(0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
(0) ntlm_auth: Program executed successfully
(0) [ntlm_auth] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # if (ok) = noop
(0) [files] = noop
(0) [unix] = notfound
(0) return
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/usr/etc/raddb/sites-enabled/vr-test-netdev
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 73 from 172.20.2.199:1812 to 192.168.105.222:1812 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 73 with timestamp +12
Ready to process requests
From Cisco 2950:
Username: testrad
Password:
% Authorization failed.
Connection closed by foreign host.
thanks.
On Wed, Sep 21, 2016 at 3:04 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 21, 2016, at 5:08 AM, aquilinux <aquilinux at gmail.com> wrote:
> >
> > Hi all, I currently use my RADIUS server (3.0.11) to do things such as
> > EAP-TTLS, MSCHAPv2, CHAP in order to authenticate different users on
> > devices/machines/etc...
> > I managed to configure a virtual router for doing PAP against local USERS
> > (in users file) following a guide about IOS+FreeRADIUS. Works perfectly.
> > What I'd like to do now is to authenticate users from the Cisco IOS device
> > against AD (via LDAP, MSCHAP or whatever). The device I'm using only
> > supports PAP.
> > The RADIUS server is joined to the AD domain; getent passwd retrieves all
> > the AD users.
> > Is it possible? (I know, I have a lot of imagination :-))
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
"Madness, like small fish, runs in hosts, in vast numbers of instances."
Nessuno mi pettina bene come il vento.
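The debug trace in the post, worked through as an added example (this is editorial code, not part of the original post and not part of FreeRADIUS): a small Python checker that summarises a FreeRADIUS 3.0 debug trace per request (the module return codes, the Auth-Type that was forced, and whether the Access-Accept carried any reply attributes) and redacts the cleartext PAP password before the trace is pasted into a mailing-list message. The sample trace is constructed from the lines above with the mail client's wrapping undone; the regular expressions assume the standard 3.0 debug layout (request id in parentheses, "Received"/"Sent" packet lines, "[module] = rcode" lines, "Name = value" attribute lines). Two things in the trace are worth flagging from a defender's side: the Access-Accept is sent with no attributes at all (post-auth reports "No attributes updated"), so a NAS that performs exec authorization on reply attributes such as Service-Type or a Cisco-AVPair shell:priv-lvl value receives nothing to act on; and because the method is PAP, the user's password is printed in cleartext both as User-Password and in the expanded ntlm_auth command line.

```python
"""Summarise a FreeRADIUS 3.0 debug trace and redact PAP secrets before sharing it.

Added example, not part of the original post or of FreeRADIUS. The regexes
assume the 3.0 debug layout shown in the post: "(id) Received/Sent <type> Id N",
"(id)   [module] = rcode" and "(id)   Name = value" lines.
"""
import re

# Constructed sample: the relevant lines of the post's trace, with the mail
# client's line wrapping undone. All values are the ones that appear in the post.
SAMPLE_TRACE = """\
(0) Received Access-Request Id 73 from 192.168.105.222:1812 to 172.20.2.199:1812 length 80
(0)   NAS-IP-Address = 192.168.105.222
(0)   NAS-Port-Type = Virtual
(0)   User-Name = "testrad"
(0)   Calling-Station-Id = "172.20.17.151"
(0)   User-Password = "testrad123"
(0) # Executing section authorize from file /usr/etc/raddb/sites-enabled/vr-test-netdev
(0)   [preprocess] = ok
(0)   [auth_log] = ok
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth: --> --password=testrad123
(0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
(0)   [ntlm_auth] = ok
(0)     update control {
(0)       Auth-Type := Accept
(0)     } # update control = noop
(0) Found Auth-Type = Accept
(0) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/vr-test-netdev
(0)   [exec] = noop
(0) Sent Access-Accept Id 73 from 172.20.2.199:1812 to 192.168.105.222:1812 length 0
(0) Finished request
"""

RECEIVED_RE = re.compile(r"^\((\d+)\) Received (\S+) Id (\d+) ")
SENT_RE = re.compile(r"^\((\d+)\) Sent (\S+) Id (\d+) ")
MODULE_RE = re.compile(r"^\((\d+)\)\s+\[([\w-]+)\] = (\w+)")
AUTH_TYPE_RE = re.compile(r"^\((\d+)\) Found Auth-Type = (\S+)")
ATTR_RE = re.compile(r"^\((\d+)\)\s+([\w-]+) = (.+)$")


def summarize(trace):
    """Return {request_id: summary} for every request seen in the trace."""
    requests = {}
    reply_open = None  # request id whose reply attributes are currently listed
    for line in trace.splitlines():
        if m := RECEIVED_RE.match(line):
            requests[m.group(1)] = {
                "request": m.group(2), "packet_id": int(m.group(3)),
                "request_attrs": {}, "modules": [], "auth_type": None,
                "reply": None, "reply_attrs": {},
            }
            reply_open = None
            continue
        m = (SENT_RE.match(line) or MODULE_RE.match(line)
             or AUTH_TYPE_RE.match(line) or ATTR_RE.match(line))
        req = requests.get(m.group(1)) if m else None
        if req is None:
            reply_open = None  # any other line ends a reply attribute listing
            continue
        if m.re is SENT_RE:
            req["reply"] = m.group(2)
            reply_open = m.group(1)
        elif m.re is MODULE_RE:
            req["modules"].append((m.group(2), m.group(3)))
        elif m.re is AUTH_TYPE_RE:
            req["auth_type"] = m.group(2)
        else:  # attribute line: belongs to the reply only right after "Sent"
            target = "reply_attrs" if reply_open == m.group(1) else "request_attrs"
            req[target][m.group(2)] = m.group(3).strip('"')
    return requests


def findings(summary):
    """Defender-oriented observations per request id, as plain strings."""
    notes = {}
    for rid, req in summary.items():
        out = []
        rcodes = dict(req["modules"])
        if rcodes.get("ntlm_auth") == "ok" and req["auth_type"] == "Accept":
            out.append("ntlm_auth accepted the credentials and Auth-Type was forced to Accept")
        if req["reply"] == "Access-Accept" and not req["reply_attrs"]:
            out.append("Access-Accept sent with no reply attributes; the NAS gets "
                       "nothing (e.g. no Service-Type) to base its own authorization on")
        if "User-Password" in req["request_attrs"]:
            out.append("PAP request: the cleartext password is visible in this trace")
        notes[rid] = out
    return notes


# Masks User-Password values and expanded --password=... arguments; the
# unexpanded %{User-Password} template carries no secret and is left alone.
SECRET_RE = re.compile(r'(User-Password = ")[^"]*(")|(--password=)(?!%\{)\S+')


def redact(trace):
    """Return the trace with PAP passwords replaced by <redacted>."""
    return SECRET_RE.sub(
        lambda m: (m.group(1) + "<redacted>" + m.group(2)) if m.group(1)
        else m.group(3) + "<redacted>", trace)


if __name__ == "__main__":
    for rid, notes in findings(summarize(SAMPLE_TRACE)).items():
        for note in notes:
            print(f"request {rid}: {note}")
    print(redact(SAMPLE_TRACE))
```

Run it on a saved `radiusd -X` trace instead of the embedded sample to get the same summary; the redacted output is what should be posted when asking for help, since with PAP the debug output contains the user's password verbatim.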