Active Directory AUTHENTICATION with LDAP AUTHORIZATION

Tom Yard tomyyard at gmail.com
Wed Aug 16 21:06:55 CEST 2017


Dear both Alans, thanks for your advice.

Before planning the tests, I need your help on these topics:

1) In the first implementation for authentication like Alan DeKok's guide,
I set up default and inner-tunnel servers. Now if I enable ldap for
authorization, do I have to enable ldap in the default virtual server and
also in the inner-tunnel virtual server ??? Or just in the default file ???

2) I can't understand this comment from you: "but why are you running ldap
in the outer phase?" Can you explain it to me in more detail please ???

Thanks again!!!



2017-08-16 15:23 GMT-03:00 Alan Buxey <alan.buxey at gmail.com>:

> hi,
>
>
> > THIS DEBUG IS THE ONE CORRESPONDING TO JUST ONE ATTEMPT OF
> > AUTHENTICATION,
>
> no it's not. you have a machine auth there followed by a user auth -
> ensure your client is configured to only do user authentication
>
> > IT'S SO LONG...I APOLOGIZE FOR THIS
>
> that's fine - this is fine - the debug may be long but a lot of it can
> be scanned over quickly once you understand
> what is going on - visit some sites about PEAP to see the flow - then
> look at the conversation that is going on with FreeRADIUS...each
> packet
> request/reply being part of the conversation....little hello, then EAP
> to construct secure tunnel (then lots of those EAP-Message attributes
> appear,
> then the MSCHAPv2 inside the PEAP (a few more packets) then end of
> session, access accept etc.
>
> >         User-Name = "host/host44.d-holomit.com"
>
> machine auth attempt
>
>
> > Wed Aug 16 12:32:25 2017 : Debug:   [ldap] performing search in
> > OU=holomit,DC=d-holomit,DC=com, with filter (sAMAccountName=host/
> > host44.d-holomit.com)
> > Wed Aug 16 12:32:25 2017 : Debug:   [ldap] object not found
> > Wed Aug 16 12:32:25 2017 : Debug: rlm_ldap::ldap_groupcmp: search failed
> > Wed Aug 16 12:32:25 2017 : Debug:   [ldap] ldap_release_conn: Release
> > Id: 0
>
> machine not in AD (well, not in THAT location anyway ;-)  )
>
>
> > Sending Access-Reject of id 188 to 172.22.88.223 port 32769
> >         EAP-Message = 0x04050004
> >         Message-Authenticator = 0x00000000000000000000000000000000
>
> end of that one.... now the user auth
>
>
> >         User-Name = "tyard"
>
> user auth
>
>
> > Wed Aug 16 12:32:37 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
> > group cn=wifi,ou=WI-FI,ou=in,ou=services,ou=holomit,dc=d-holomit,dc=com
>
> this user was found - but why are you running ldap in the outer phase?
>  anyone can spoof the outer
> packet....you only trust the inner-tunnel for EAP...
>
> ...and onwards
>
> > Wed Aug 16 12:32:37 2017 : Info: [eap] Continuing tunnel setup.
> > Wed Aug 16 12:32:37 2017 : Info: ++[eap] = ok
> > Wed Aug 16 12:32:37 2017 : Info: +} # group authorize = ok
> > Wed Aug 16 12:32:37 2017 : Info: Found Auth-Type = EAP
> > Wed Aug 16 12:32:37 2017 : Info: # Executing group from file
> > /etc/freeradius/sites-enabled/default
> > Wed Aug 16 12:32:37 2017 : Info: +group authenticate {
> > Wed Aug 16 12:32:37 2017 : Info: [eap] Request found, released from the
> > list
> > Wed Aug 16 12:32:37 2017 : Info: [eap] EAP/peap
> > Wed Aug 16 12:32:37 2017 : Info: [eap] processing type peap
> > Wed Aug 16 12:32:37 2017 : Info: [peap] processing EAP-TLS
>
> okay PEAP being started
>
> some delays to responses....did you get a cert prompt? you really need
> to configure your client with correct CA and RADIUS server cert..
> there are plenty of 802.1X configuration tools
>
> now the MSCHAPv2 in the inner-tunnel
>
> > Wed Aug 16 12:32:43 2017 : Info: [eap] processing type mschapv2
> > Wed Aug 16 12:32:43 2017 : Info: [mschapv2] # Executing group from file
> > /etc/freeradius/sites-enabled/inner-tunnel
> > Wed Aug 16 12:32:43 2017 : Info: [mschapv2] +group MS-CHAP {
> > Wed Aug 16 12:32:43 2017 : Info: [mschap] Creating challenge hash with
> > username: tyard
> > Wed Aug 16 12:32:43 2017 : Info: [mschap] Client is using MS-CHAPv2 for
> > tyard, we need NT-Password
> > Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> > --username=%{mschap:User-Name:-None} -> --username=tyard
> > Wed Aug 16 12:32:43 2017 : Info: [mschap] No NT-Domain was found in the
> > User-Name.
> > Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> > %{mschap:NT-Domain}
> > ->
> > Wed Aug 16 12:32:43 2017 : Info: [mschap]       ... expanding second
> > conditional
> > Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> > --domain=%{%{mschap:NT-Domain}:-d-holomit} -> --domain=d-holomit
> > Wed Aug 16 12:32:43 2017 : Info: [mschap] Creating challenge hash with
> > username: tyard
> > Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> > --challenge=%{mschap:Challenge:-00} -> --challenge=c7e9749f9a9488cc
> > Wed Aug 16 12:32:43 2017 : Info: [mschap]       expand:
> > --nt-response=%{mschap:NT-Response:-00} ->
> > --nt-response=1d818e8388886074e15547872eddf3f58cd2da004dcc5817
> > Wed Aug 16 12:32:43 2017 : Debug: Exec output: No trusted SAM account
> > (0xc000018b)
> > Wed Aug 16 12:32:43 2017 : Debug: Exec plaintext: No trusted SAM account
> > (0xc000018b)
> > Wed Aug 16 12:32:43 2017 : Info: [mschap] Exec: program returned: 1
> > Wed Aug 16 12:32:43 2017 : Info: [mschap] External script failed.
> > Wed Aug 16 12:32:43 2017 : Info: [mschap] FAILED: MS-CHAP2-Response is
> > incorrect
>
> ..and from now on it's a fail/reject.  cause? the user with the domain
> of "d-holomit" did not have a trusted account in
> this AD...is that domain correct? I'd advise against using
> %{mschap:NT-Domain}  - the domain provided by the user
> in the MSCHAP - and just hardcode it in the ntlm_auth
>
>
> however. the easiest part here is to just use radtest directly against
> the inner-tunnel on the server itself... in inner-tunnel,
> by default, you have a listener directive  localhost on port 18120 or
> such.  so all you do is use that as your server target
> with radtest or such....meaning your mschap request hits inner-tunnel
> directly (as if EAP had been set up nicely by the client)..
> and thus you can test your policies and inner-tunnel very easily.  at
> that point, mschapv2 will be working and you can look
> at ldap and what policies/unlang you need there. one bit at a time
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
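Alan's two diagnostic points in the quoted reply (one debug containing a machine auth followed by a user auth, and the ldap module running in the outer `default` virtual server, whose identity nobody has authenticated yet) can be checked mechanically rather than by eye. The script below is an added example for this thread, not FreeRADIUS code and not anything posted by either participant. It parses a constructed debug excerpt shaped like the one quoted above (timestamps and log levels dropped; the patterns use `search()`, so real prefixed lines work too), splits it into sessions at each Access-Accept/Access-Reject, tells `host/` machine attempts from user attempts, records which virtual server `rlm_ldap` ran in, and pulls out the NTSTATUS code reported by `ntlm_auth`. The regexes assume the 2.x-style `# Executing group from file .../sites-enabled/<name>` lines seen in the thread.

```python
"""Triage helper for FreeRADIUS debug output (added example, not FreeRADIUS code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the thread's debug excerpt. Timestamps and
# log levels are dropped; the regexes below use search(), so real prefixes work.
SAMPLE_DEBUG = """\
        User-Name = "host/host44.d-holomit.com"
# Executing group from file /etc/freeradius/sites-enabled/default
  [ldap] performing search in OU=holomit,DC=d-holomit,DC=com, with filter (sAMAccountName=host/host44.d-holomit.com)
  [ldap] object not found
rlm_ldap::ldap_groupcmp: search failed
Sending Access-Reject of id 188 to 172.22.88.223 port 32769
        User-Name = "tyard"
# Executing group from file /etc/freeradius/sites-enabled/default
rlm_ldap::ldap_groupcmp: User found in group cn=wifi,ou=WI-FI,ou=in,ou=services,ou=holomit,dc=d-holomit,dc=com
[eap] processing type peap
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschap] Client is using MS-CHAPv2 for tyard, we need NT-Password
Exec output: No trusted SAM account (0xc000018b)
[mschap] FAILED: MS-CHAP2-Response is incorrect
Sending Access-Reject of id 190 to 172.22.88.223 port 32769
"""

USERNAME_RE = re.compile(r'User-Name = "([^"]+)"')
# "# Executing section authorize from file ..." or "# Executing group from file ..."
VSERVER_RE = re.compile(r"Executing (?:section \S+|group) from file \S*/sites-enabled/(\S+)")
LDAP_RE = re.compile(r"\[ldap\]|rlm_ldap::")
NTSTATUS_RE = re.compile(r"\((0x[0-9a-fA-F]{8})\)")   # e.g. "(0xc000018b)" from ntlm_auth
RESULT_RE = re.compile(r"Sending (Access-(?:Accept|Reject)) of id (\d+)")


@dataclass
class Session:
    user: str = "?"
    kind: str = "unknown"                      # "machine" (host/...) or "user"
    ldap_in: set = field(default_factory=set)  # virtual servers in which rlm_ldap ran
    nt_status: Optional[str] = None            # NTSTATUS code reported by ntlm_auth
    result: Optional[str] = None               # Access-Accept / Access-Reject

    def warnings(self) -> list:
        w = []
        if "default" in self.ldap_in:
            w.append("rlm_ldap ran in the outer 'default' virtual server; the outer "
                     "identity is not authenticated and can be spoofed, so LDAP "
                     "group checks belong in inner-tunnel")
        if self.kind == "machine":
            w.append("machine (host/) authentication attempt; turn off computer "
                     "authentication on the client unless machine accounts are "
                     "meant to be authorised")
        if self.nt_status:
            w.append(f"ntlm_auth returned NTSTATUS {self.nt_status}; check that the "
                     "--domain given to ntlm_auth is the AD domain the server is joined to")
        return w


def parse_debug(text: str) -> list:
    """Split debug output into sessions, one per Access-Accept/Access-Reject."""
    sessions = []
    cur = Session()
    vserver = None   # virtual server currently executing, per "Executing ... from file"
    for line in text.splitlines():
        m = USERNAME_RE.search(line)
        if m and cur.user == "?":     # first User-Name of the session identifies it
            cur.user = m.group(1)
            cur.kind = "machine" if cur.user.startswith("host/") else "user"
        m = VSERVER_RE.search(line)
        if m:
            vserver = m.group(1)
        if LDAP_RE.search(line):
            cur.ldap_in.add(vserver or "unknown")
        m = NTSTATUS_RE.search(line)
        if m:
            cur.nt_status = m.group(1)
        m = RESULT_RE.search(line)
        if m:
            cur.result = m.group(1)
            sessions.append(cur)
            cur, vserver = Session(), None
    if cur.user != "?":               # trailing session with no final reply yet
        sessions.append(cur)
    return sessions


if __name__ == "__main__":
    for i, s in enumerate(parse_debug(SAMPLE_DEBUG), 1):
        print(f"session {i}: {s.kind} auth for {s.user!r} -> {s.result}; "
              f"ldap ran in {sorted(s.ldap_in) or 'no server'}")
        for w in s.warnings():
            print("  !", w)
```

Run against the sample, it reports two sessions: a rejected machine auth with the ldap search done in `default`, and the `tyard` user auth whose group check also ran in `default` before the MS-CHAPv2 failure inside `inner-tunnel`. The remedy the report points at is the one Alan gives: keep `ldap` (and any group policy) in the `authorize` section of `inner-tunnel`, where the identity has been carried over the TLS tunnel, rather than in `sites-enabled/default`, and then exercise `inner-tunnel` directly with radtest against its local listener before worrying about the outer EAP flow.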


More information about the Freeradius-Users mailing list