Freeradius 3.x with LDAP authentication
Alan Buxey
alan.buxey at gmail.com
Wed Aug 16 20:25:15 CEST 2017
see my other recent reply about accounts in AD - if you want to
verify, you can use ntlm_auth directly on the command
line the same as FR is doing (check its debug to see what parameters)
- expect that the account information is wrong...wrong domain etc.
alan
On 16 August 2017 at 15:05, Adam Cage <adamcage27 at gmail.com> wrote:
> Dear Alan and people, I'm near the solution of my problem but I'm still
> having a problem.
>
> Following the Alan Dekok tutorial about Authentication with Active
> Directory with ntlm_auth and mschap, everything work OK. In this case, I
> have no LDAP support at all, no authorization, just authentication. At this
> point I success because I obtain an ACCEP-ACCEPT response packet, let's see:
>
> $ radtest -t mschap adam 1234abcd localhost 0 testing123
> Sending Access-Request of id 233 to 127.0.0.1 port 1812
> User-Name = "adam"
> NAS-IP-Address = 10.10.10.1
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> MS-CHAP-Challenge = 0x9c705e7afe5513e7
> MS-CHAP-Response =
> 0x00010000000000000000000000000000000000000000000000008319855335ab46ea32fd6382fb68640c6c27a0e929182371
> rad_recv: *Access-Accept* packet from host 127.0.0.1 port 1812, id=233,
> length=84
> MS-CHAP-MPPE-Keys =
> 0x0000000000000000997c9fae0cc86f9d48d2cbb81915e1630000000000000000
> MS-MPPE-Encryption-Policy = 0x00000001
> MS-MPPE-Encryption-Types = 0x00000006
>
> But the problem comes when I setup the LDAP support to Authorization when
> checking if user is or not in a given group with the Ldap-Group attribute.
> As I said previously, after configured ldap module and
> /etc/sites-available/default and inner-tunnel with LDAP for authorization,
> I execute the same radtest command "radtest -t mschap adam 1234abcd
> localhost 0 testing123" and this is the freeradius debug output when it
> fail:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 35229, id=117,
> length=135
> User-Name = "adam"
> NAS-IP-Address = 10.10.10.1
> NAS-Port = 0
> Message-Authenticator = 0x38de9478053289444c4ad85736b70bfd
> MS-CHAP-Challenge = 0xb4d7849d65d481d0
> MS-CHAP-Response =
> 0x00010000000000000000000000000000000000000000000000000fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
> Wed Aug 16 10:51:56 2017 : Info: # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> Wed Aug 16 10:51:56 2017 : Info: +group authorize {
> Wed Aug 16 10:51:56 2017 : Info: ++[preprocess] = ok
> Wed Aug 16 10:51:56 2017 : Info: ++[chap] = noop
> Wed Aug 16 10:51:56 2017 : Info: [mschap] Found MS-CHAP attributes.
> Setting 'Auth-Type = mschap'
> Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = ok
> Wed Aug 16 10:51:56 2017 : Info: ++[digest] = noop
> Wed Aug 16 10:51:56 2017 : Info: [suffix] No '@' in User-Name = "adam",
> looking up realm NULL
> Wed Aug 16 10:51:56 2017 : Info: [suffix] No such realm "NULL"
> Wed Aug 16 10:51:56 2017 : Info: ++[suffix] = noop
> Wed Aug 16 10:51:56 2017 : Info: [eap] No EAP-Message, not doing EAP
> Wed Aug 16 10:51:56 2017 : Info: ++[eap] = noop
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] Entering ldap_groupcmp()
> Wed Aug 16 10:51:56 2017 : Info: [files] expand:
> OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
> Wed Aug 16 10:51:56 2017 : Info: [files] expand:
> %{Stripped-User-Name} ->
> Wed Aug 16 10:51:56 2017 : Info: [files] ... expanding second
> conditional
> Wed Aug 16 10:51:56 2017 : Info: [files] expand: %{User-Name} -> adam
> Wed Aug 16 10:51:56 2017 : Info: [files] expand:
> (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (sAMAccountName=adam)
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] attempting LDAP reconnection
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] (re)connect to
> mitwpdcs01.company.com:389, authentication 0
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] bind as cn=wspsf,ou=Proxy para
> Apps,ou=Internos,ou=Servicios,ou=users,dc=company,dc=com/wP67yh345 to
> mitwpdcs01.company.com:389
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] waiting for bind result ...
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] Bind was successful
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
> OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Wed Aug 16 10:51:56 2017 : Info: [files] expand:
> (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
> (|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dusers\2cOU\2cDC\3dcompany\2cDC\3dcom)))
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
> cn=group1,ou=wifi,dc=company,dc=com, with filter
> (|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cOU\3dcompany\2cDC\3dcom)))
> Wed Aug 16 10:51:56 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
> group cn=group1,ou=wifi,dc=company,dc=com
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Wed Aug 16 10:51:56 2017 : Info: [files] users: Matched entry DEFAULT at
> line 207
> Wed Aug 16 10:51:56 2017 : Info: ++[files] = ok
> Wed Aug 16 10:51:56 2017 : Info: [ldap] performing user authorization for
> adam
> Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
> %{Stripped-User-Name} ->
> Wed Aug 16 10:51:56 2017 : Info: [ldap] ... expanding second
> conditional
> Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: %{User-Name} -> adam
> Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
> (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (sAMAccountName=adam)
> Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
> OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
> OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
> Wed Aug 16 10:51:56 2017 : Info: [ldap] No default NMAS login sequence
> Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for check items in
> directory...
> Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for reply items in
> directory...
> Wed Aug 16 10:51:56 2017 : Debug: WARNING: No "known good" password was
> found in LDAP. Are you sure that the user is configured correctly?
> Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Wed Aug 16 10:51:56 2017 : Info: ++[ldap] = ok
> Wed Aug 16 10:51:56 2017 : Info: ++[expiration] = noop
> Wed Aug 16 10:51:56 2017 : Info: ++[logintime] = noop
> Wed Aug 16 10:51:56 2017 : Info: [pap] WARNING! No "known good" password
> found for the user. Authentication may fail because of this.
> Wed Aug 16 10:51:56 2017 : Info: ++[pap] = noop
> Wed Aug 16 10:51:56 2017 : Info: +} # group authorize = ok
> Wed Aug 16 10:51:56 2017 : Info: Found Auth-Type = MSCHAP
> Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
> /etc/freeradius/sites-enabled/default
> Wed Aug 16 10:51:56 2017 : Info: +group MS-CHAP {
> Wed Aug 16 10:51:56 2017 : Info: [mschap] Client is using MS-CHAPv1 with
> NT-Password
> Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
> --username=%{mschap:User-Name:-None} -> --username=adam
> Wed Aug 16 10:51:56 2017 : Info: [mschap] No NT-Domain was found in the
> User-Name.
> Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
> ->
> Wed Aug 16 10:51:56 2017 : Info: [mschap] ... expanding second
> conditional
> Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
> --domain=%{%{mschap:NT-Domain}:-company} -> --domain=company
> Wed Aug 16 10:51:56 2017 : Info: [mschap] mschap1: b4
> Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
> --challenge=%{mschap:Challenge:-00} -> --challenge=b4d7849d65d481d0
> Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
> --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
> Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account *
> (0xc000018b)
> Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account*
> (0xc000018b)
> Wed Aug 16 10:51:56 2017 : Info: [mschap] Exec: program returned: 1
> Wed Aug 16 10:51:56 2017 : Info: [mschap] External script failed.
> Wed Aug 16 10:51:56 2017 : Info: [mschap] MS-CHAP-Response is incorrect.
> Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = reject
> Wed Aug 16 10:51:56 2017 : Info: +} # group MS-CHAP = reject
> Wed Aug 16 10:51:56 2017 : Info: Failed to authenticate the user.
> Wed Aug 16 10:51:56 2017 : Info: Using Post-Auth-Type REJECT
> Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
> /etc/freeradius/sites-enabled/default
> Wed Aug 16 10:51:56 2017 : Info: +group REJECT {
> Wed Aug 16 10:51:56 2017 : Info: [attr_filter.access_reject] expand:
> %{User-Name} -> adam
> Wed Aug 16 10:51:56 2017 : Debug: attr_filter: Matched entry DEFAULT at
> line 11
> Wed Aug 16 10:51:56 2017 : Info: ++[attr_filter.access_reject] = updated
> Wed Aug 16 10:51:56 2017 : Info: +} # group REJECT = updated
> Wed Aug 16 10:51:56 2017 : Info: Delaying reject of request 3 for 1 seconds
> Wed Aug 16 10:51:56 2017 : Debug: Going to the next request
> Wed Aug 16 10:51:56 2017 : Debug: Waking up in 0.8 seconds.
> Wed Aug 16 10:51:57 2017 : Info: Sending delayed reject for request 3
> Sending Access-Reject of id 117 to 127.0.0.1 port 35229
> MS-CHAP-Error = "\000E=691 R=1"
>
>
> Can you tell me why mschap auth is ok without LDAP support and it's wrong
> with LDAP support???
>
> Thanks a lot again.
>
> ADAM
>
>
> 2017-08-15 13:41 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
>
>> On Aug 15, 2017, at 5:58 PM, Adam Cage <adamcage27 at gmail.com> wrote:
>> >
>> > Dear all, finally I have followed as you said: Authentication with samba,
>> > winbind, ntlm_auth and Authorization with LDAP, but I fails. I post my
>> main
>> > config LDAP files and the debug output in order to get your help please:
>>
>> Please don't post configuration files. We ask for the debug output for
>> a reason: it's all we need.
>>
>> > */etc/freeradius/users:*
>> >
>> > DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
>> > Service-Type = Login-User
>> >
>> > DEFAULT Auth-Type := Reject
>>
>> You're not telling the server how to authenticate the user.
>>
>> > $ radtest adam 1234abcd 127.0.0.1 0 testing123
>>
>> Which is just a PAP request...
>>
>> > And I fail, this is the debug output:
>> ...
>> > Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was
>> > found in LDAP. Are you sure that the user is configured correctly?
>>
>> That's just Active Directory not supplying the password...
>>
>> > Tue Aug 15 12:38:27 2017 : Info: *ERROR: No authenticate method
>> (Auth-Type)
>> > found for the request: Rejecting the user*
>> > Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
>>
>> And you haven't told the server how to authenticate the user.
>>
>> Follow the guide on deployingradius.com. It *will* work.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list