authenticate Cisco devices against AD via Freeradius
aquilinux
aquilinux at gmail.com
Wed Sep 21 17:11:24 CEST 2016
Never mind... got it working.
I had commented out some useful entries in the "users" file.
Thanks!
On Wed, Sep 21, 2016 at 5:07 PM, aquilinux <aquilinux at gmail.com> wrote:
> Thanks for your reply Alan, it was trivial...
> BTW, even if the RADIUS server answers with an Access-Accept, the NAS is
> rejecting with "authorization failed".
>
> From Radius
> Ready to process requests
> (0) Received Access-Request Id 73 from 192.168.105.222:1812 to 172.20.2.199:1812 length 80
> (0) NAS-IP-Address = 192.168.105.222
> (0) NAS-Port = 1
> (0) NAS-Port-Type = Virtual
> (0) User-Name = "testrad"
> (0) Calling-Station-Id = "172.20.17.151"
> (0) User-Password = "testrad123"
> (0) # Executing section authorize from file /usr/etc/raddb/sites-enabled/vr-test-netdev
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) auth_log: EXPAND /usr/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (0) auth_log: --> /usr/var/log/radius/radacct/192.168.105.222/auth-detail-20160921
> (0) auth_log: /usr/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/var/log/radius/radacct/192.168.105.222/auth-detail-20160921
> (0) auth_log: EXPAND %t
> (0) auth_log: --> Wed Sep 21 17:04:02 2016
> (0) [auth_log] = ok
> (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=EA-MILANO --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-486643733-1688716086-2075228900-512:
> (0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
> (0) ntlm_auth: --> --username=testrad
> (0) ntlm_auth: EXPAND --password=%{User-Password}
> (0) ntlm_auth: --> --password=testrad123
> (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
> (0) ntlm_auth: Program executed successfully
> (0) [ntlm_auth] = ok
> (0) if (ok) {
> (0) if (ok) -> TRUE
> (0) if (ok) {
> (0) update control {
> (0) Auth-Type := Accept
> (0) } # update control = noop
> (0) } # if (ok) = noop
> (0) [files] = noop
> (0) [unix] = notfound
> (0) return
> (0) } # authorize = ok
> (0) Found Auth-Type = Accept
> (0) Auth-Type = Accept, accepting the user
> (0) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/vr-test-netdev
> (0) post-auth {
> (0) update {
> (0) No attributes updated
> (0) } # update = noop
> (0) [exec] = noop
> (0) } # post-auth = noop
> (0) Sent Access-Accept Id 73 from 172.20.2.199:1812 to 192.168.105.222:1812 length 0
> (0) Finished request
> Waking up in 4.9 seconds.
> (0) Cleaning up request packet ID 73 with timestamp +12
> Ready to process requests
>
> From Cisco 2950:
> Username: testrad
> Password:
> % Authorization failed.
> Connection closed by foreign host.
>
> Thanks.
>
> On Wed, Sep 21, 2016 at 3:04 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
>> On Sep 21, 2016, at 5:08 AM, aquilinux <aquilinux at gmail.com> wrote:
>> >
>> > Hi all, I currently use my RADIUS server (3.0.11) to do things such as
>> > EAP-TTLS, MSCHAPv2, CHAP in order to authenticate different users on
>> > devices/machines/etc...
>> > I managed to configure a virtual router for doing PAP against local USERS
>> > (in users file) following a guide about IOS+Freeradius. Works perfectly.
>> > What I'd like to do now is to authenticate users from the Cisco IOS device
>> > against AD (via ldap, mschap or whatever). The device I'm using only
>> > supports PAP.
>> > The RADIUS server is joined to the AD domain, getent passwd retrieves all
>> > the AD users.
>> > Is it possible? (I know, I have a lot of imagination :-))
>>
>> http://deployingradius.com/documents/configuration/active_directory.html
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
"Madness, like small fish, runs in hosts, in vast numbers of instances."
Nessuno mi pettina bene come il vento.
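Added example (not from the thread, and not copied from the FreeRADIUS project's own files): the shape of the ntlm_auth module, the authorize section and the "users" entry that together make a PAP login from a Cisco IOS device check against AD and come back with the reply attributes IOS consumes for exec authorization. The domain name, the group SID, the NAS-Port-Type value and the site name vr-test-netdev are taken from the debug output above; the message does not say which "users" entries had been commented out, so the reply attributes shown (Service-Type = NAS-Prompt-User and a Cisco-AVPair carrying shell:priv-lvl) are an assumption about the usual cause of "% Authorization failed." following an Access-Accept that carries no attributes, which is what the post-auth "No attributes updated" line indicates here. Two things worth noticing in the same log: with PAP the NAS sends User-Password in clear and ntlm_auth receives it as a command-line argument, so a debug run (and anything that can read the process list on the server) sees the password; and the SID ending in -512 is the Domain Admins RID, so that --require-membership-of restricts device login to domain administrators.

```text
# mods-available/ntlm_auth  (added example; domain and SID copied from the debug log)
# "exec" runs the program for every request; "wait = yes" makes the module
# return ok/fail from the exit code, which the authorize section tests below.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EA-MILANO --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-486643733-1688716086-2075228900-512"
}

# sites-enabled/vr-test-netdev  (name taken from the log), authorize section.
# ntlm_auth must run before "files" so that the users entry can still add
# reply attributes after Auth-Type has been forced to Accept.
authorize {
        filter_username
        preprocess
        auth_log
        ntlm_auth
        if (ok) {
                update control {
                        Auth-Type := Accept
                }
        }
        files
}

# users file  (assumed entry, not the poster's).  The NAS-Port-Type check
# matches the "NAS-Port-Type = Virtual" seen in the request.  Reply items
# from "files" go into the Access-Accept even though Auth-Type := Accept
# skips the authenticate section.
DEFAULT NAS-Port-Type == Virtual
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
```

With this in place the Access-Accept carries Service-Type and the Cisco-AVPair, which is what an IOS device configured with "aaa authorization exec ... group radius" looks at before it opens the exec shell; without them the authentication succeeds but the exec authorization step fails, which is exactly the symptom shown on the 2950. Whether privilege 15 is appropriate for every AD account that matches the group filter is a policy decision; the priv-lvl value can be varied per group by adding further entries keyed on a group-membership check instead of a single DEFAULT.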