Active Directory AUTHENTICATION with LDAP AUTHORIZATION

Alan DeKok aland at deployingradius.com
Wed Aug 16 18:32:35 CEST 2017


On Aug 16, 2017, at 6:22 PM, Tom Yard <tomyyard at gmail.com> wrote:
> 
> Hi everybody, I have implemented a FreeRADIUS server that works perfectly,
> because the users are authenticated OK for wifi, with these features:
> 
> * Active Directory authentication in accordance with Alan Dekok's tutorial
> step-by-step
> * No group authorization
> * Client machines and phones configured with WPA-WPA2 enterprise AES /
> 802.1X
> * Freeradius debug OK where I can see eap/peap/mschap lines

  That's good...

> After seeing a question in this mailing list about group authorization,
> this morning I tried to implement LDAP support in order to use the
> "Ldap_Group" attribute to search for users in some groups of our Active
> Directory service and let them access certain SSIDs. I've installed the
> freeradius-ldap package, configured the ldap module and modified the
> default and inner-tunnel files, adding ldap to the authorize sections. At the
> time of testing the new implementation, it fails because the users can't
> authenticate. So here is my debug output, in order to get your help please:

  The general approach is to test each piece in isolation.  i.e. if you add "ldap" to the inner-tunnel virtual server, then test *just* the inner-tunnel server until you get an Access-Accept.

  That has the nice side-effect of giving you much smaller debug logs, which are therefore easier to read.

> THIS DEBUG IS THE ONE CORRESPONDING TO JUST ONE ATTEMPT OF AUTHENTICATION,
> IT'S SO LONG...I APOLOGIZE FOR THIS

  It's fine to have a long debug output. It's *much* better than posting 3 lines and asking "What's wrong?"
> 
> Wed Aug 16 12:32:25 2017 : Info: [peap] <<< TLS 1.0 Alert [length 0002],
> fatal unknown_ca
> Wed Aug 16 12:32:25 2017 : Error: TLS Alert read:fatal:unknown CA
> Wed Aug 16 12:32:25 2017 : Error:     TLS_accept: failed in unknown state
> Wed Aug 16 12:32:25 2017 : Error: rlm_eap: SSL error error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

  This message means that the client doesn't know about the CA which is configured on the server.

  Follow the guide, and add the CA certificate to the client.

> Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> --challenge=%{mschap:Challenge:-00} -> --challenge=c7e9749f9a9488cc
> Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=1d818e8388886074e15547872eddf3f58cd2da004dcc5817
> Wed Aug 16 12:32:43 2017 : Debug: Exec output: No trusted SAM account
> (0xc000018b)
> Wed Aug 16 12:32:43 2017 : Debug: Exec plaintext: No trusted SAM account
> (0xc000018b)

  And that's not a FreeRADIUS message.  That's from AD.

  Alan DeKok.
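The "test each piece in isolation" advice above, written out as a shell script. This is an added example, not code from the thread or from the FreeRADIUS or Samba projects. It assumes the stock FreeRADIUS layout (the inner-tunnel virtual server listening on 127.0.0.1:18120, the "localhost" client secret testing123) and uses placeholder DOMAIN/USER_NAME/PASS values; the NTSTATUS codes in nt_status_hint are the standard Windows values, of which 0xc000018b (STATUS_NO_TRUST_SAM_ACCOUNT) is the one seen in the debug output. It checks the pieces in the order the request passes through them: the winbind trust, then ntlm_auth as rlm_mschap calls it, then the inner-tunnel server with plain MS-CHAP, bypassing EAP and TLS entirely.

```shell
#!/bin/sh
# Added troubleshooting script (not from the thread or the FreeRADIUS project).
# Assumes stock config: inner-tunnel on 127.0.0.1:18120, localhost secret testing123.
DOMAIN="${DOMAIN:-EXAMPLE}"          # placeholder NetBIOS domain name
USER_NAME="${USER_NAME:-testuser}"   # placeholder AD test account
PASS="${PASS:-testpass}"             # placeholder password
INNER="${INNER:-127.0.0.1:18120}"    # inner-tunnel listen address from the stock config
SECRET="${SECRET:-testing123}"       # stock "localhost" client secret

# Extract the NTSTATUS code that ntlm_auth prints, e.g. "(0xc000018b)", and say
# what to check next. Returns 0 for a known code, 1 for none or an unknown one.
nt_status_hint() {
    code=$(printf '%s' "$1" | sed -n 's/.*(\(0x[0-9a-fA-F]*\)).*/\1/p' | tr 'A-F' 'a-f')
    case "$code" in
        0xc000018b) echo "STATUS_NO_TRUST_SAM_ACCOUNT: the machine account/trust is broken; check 'wbinfo -t' and re-run 'net ads join'" ;;
        0xc000006d|0xc000006a) echo "STATUS_LOGON_FAILURE / STATUS_WRONG_PASSWORD: wrong credentials; check the test user and password" ;;
        0xc0000064) echo "STATUS_NO_SUCH_USER: user not found; check --domain and the username" ;;
        0xc0000072) echo "STATUS_ACCOUNT_DISABLED: account disabled in AD" ;;
        0xc0000234) echo "STATUS_ACCOUNT_LOCKED_OUT: account locked out in AD" ;;
        "")         return 1 ;;
        *)          echo "unrecognised NTSTATUS $code"; return 1 ;;
    esac
}

# Step 1: does winbind still hold a valid trust with the domain?
check_trust() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed, skipping"; return 2; }
    wbinfo -t && echo "trust secret OK" \
        || { echo "trust secret check failed: rejoin the domain with 'net ads join'"; return 1; }
}

# Step 2: does ntlm_auth accept the test user, called the way rlm_mschap calls it?
check_ntlm_auth() {
    command -v ntlm_auth >/dev/null 2>&1 || { echo "ntlm_auth not installed, skipping"; return 2; }
    out=$(ntlm_auth --request-nt-key --domain="$DOMAIN" --username="$USER_NAME" --password="$PASS" 2>&1)
    echo "$out"
    case "$out" in
        *NT_STATUS_OK*|*NT_KEY:*) return 0 ;;
        *) nt_status_hint "$out"; return 1 ;;
    esac
}

# Step 3: send MS-CHAP straight to the inner-tunnel server, with no EAP/TLS in the way.
check_inner_tunnel() {
    command -v radtest >/dev/null 2>&1 || { echo "radtest not installed, skipping"; return 2; }
    radtest -t mschap "$USER_NAME" "$PASS" "$INNER" 0 "$SECRET" | grep -q Access-Accept \
        && echo "inner-tunnel: Access-Accept" \
        || { echo "inner-tunnel: no Access-Accept; read the mschap/ldap lines in 'radiusd -X'"; return 1; }
}

main() {
    check_trust;        t=$?
    check_ntlm_auth;    n=$?
    check_inner_tunnel; i=$?
    echo "trust=$t ntlm_auth=$n inner_tunnel=$i (0=ok 1=fail 2=skipped)"
}

# Only run the live checks when asked, so the helpers can be sourced on their own.
case "${RUN_CHECKS:-0}" in 1) main ;; esac
```

Run it on the RADIUS host as `RUN_CHECKS=1 DOMAIN=YOURDOM USER_NAME=someuser PASS='...' sh radius-isolate.sh`. Only once step 2 returns NT_STATUS_OK and step 3 returns Access-Accept is it worth going back to the full EAP/PEAP path; the unknown_ca alert earlier in the debug output is a separate, client-side problem that none of these steps will touch.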



