Freeradius 3.x with LDAP authentication
Adam Cage
adamcage27 at gmail.com
Thu Aug 17 03:50:50 CEST 2017
Dear, I've tried to understand what you said and I've made some changes:
* I've deleted the content of /etc/freeradius/users corresponding to the
ldap-group attribute
* I've added the ldap-group clauses in
/etc/freeradius/sites-available/default and inner-tunnel, as you said. I
don't have the final clause yet, so the clause is a noop if the user belongs
to the Group1 group:
authorize {
        ...
        if (LDAP-Group == Group1) {
                noop
        }
        else {
                reject
        }
}
* Restarted freeradius in debug mode and ran the command below to check
the inner-tunnel behaviour:
$ radtest -t mschap adam 1234abcd localhost:18120 0 testing123
But I fail again...
Here I show you the log for the successful test (Alan DeKok's guide exactly,
without LDAP authorization) and after that the log for the failing test
(adding LDAP support as described above), to confirm that mschap in the
successful test does not produce the "NOT TRUSTED SAM ACCOUNT" error that
appears in the failing case, with the same AD in both cases:
1) SUCCESS:
Wed Aug 16 12:17:15 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 12:17:15 2017 : Info: +group authorize {
Wed Aug 16 12:17:15 2017 : Info: ++[chap] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[mschap] = noop
Wed Aug 16 12:17:15 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Wed Aug 16 12:17:15 2017 : Info: [suffix] No such realm "NULL"
Wed Aug 16 12:17:15 2017 : Info: ++[suffix] = noop
Wed Aug 16 12:17:15 2017 : Info: ++update control {
Wed Aug 16 12:17:15 2017 : Info: ++} # update control = noop
Wed Aug 16 12:17:15 2017 : Info: [eap] EAP packet type response id 8 length
69
Wed Aug 16 12:17:15 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Wed Aug 16 12:17:15 2017 : Info: ++[eap] = updated
Wed Aug 16 12:17:15 2017 : Info: ++[files] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[expiration] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[logintime] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[pap] = noop
Wed Aug 16 12:17:15 2017 : Info: +} # group authorize = updated
Wed Aug 16 12:17:15 2017 : Info: Found Auth-Type = EAP
Wed Aug 16 12:17:15 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 12:17:15 2017 : Info: +group authenticate {
Wed Aug 16 12:17:15 2017 : Info: [eap] Request found, released from the list
Wed Aug 16 12:17:15 2017 : Info: [eap] EAP/mschapv2
Wed Aug 16 12:17:15 2017 : Info: [eap] processing type mschapv2
Wed Aug 16 12:17:15 2017 : Info: [mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 12:17:15 2017 : Info: [mschapv2] +group MS-CHAP {
Wed Aug 16 12:17:15 2017 : Info: [mschap] Creating challenge hash with
username: adam
Wed Aug 16 12:17:15 2017 : Info: [mschap] Client is using MS-CHAPv2 for
adam, we need NT-Password
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 12:17:15 2017 : Info: [mschap] No NT-Domain was found in the
User-Name.
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
->
Wed Aug 16 12:17:15 2017 : Info: [mschap] ... expanding second
conditional
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain=
Wed Aug 16 12:17:15 2017 : Info: [mschap] Creating challenge hash with
username: adam
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=845cda3e640fcd8a
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=23b6b6f4e5bc4601f0f7ddeaec6876cf596fdeac5c26f359
Wed Aug 16 12:17:16 2017 : *Debug: Exec output: NT_KEY:
E10EE54A9C762F08F75E4008F93F109E*
Wed Aug 16 12:17:16 2017 : *Debug: Exec plaintext: NT_KEY:
E10EE54A9C762F08F75E4008F93F109E*
Wed Aug 16 12:17:16 2017 : Info: [mschap] Exec: program returned: 0
Wed Aug 16 12:17:16 2017 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Wed Aug 16 12:17:16 2017 : Info: ++[mschap] = ok
Wed Aug 16 12:17:16 2017 : Info: +} # group MS-CHAP = ok
Wed Aug 16 12:17:16 2017 : Debug: MSCHAP Success
Wed Aug 16 12:17:16 2017 : Info: ++[eap] = handled
Wed Aug 16 12:17:16 2017 : Info: +} # group authenticate = handled
2) FAILURE:
rad_recv: Access-Request packet from host 127.0.0.1 port 56467, id=90,
length=135
User-Name = "adam"
NAS-IP-Address = 172.22.88.223
NAS-Port = 0
Message-Authenticator = 0xb38b49322db530f2191b85452fdf0195
MS-CHAP-Challenge = 0xe1248c7251ea7e63
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
Wed Aug 16 22:21:45 2017 : Info: server inner-tunnel {
Wed Aug 16 22:21:45 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: +group authorize {
Wed Aug 16 22:21:45 2017 : Info: ++[chap] = noop
Wed Aug 16 22:21:45 2017 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type = mschap'
Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = ok
Wed Aug 16 22:21:45 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Wed Aug 16 22:21:45 2017 : Info: [suffix] No such realm "NULL"
Wed Aug 16 22:21:45 2017 : Info: ++[suffix] = noop
Wed Aug 16 22:21:45 2017 : Info: ++update control {
Wed Aug 16 22:21:45 2017 : Info: ++} # update control = noop
Wed Aug 16 22:21:45 2017 : Info: [eap] No EAP-Message, not doing EAP
Wed Aug 16 22:21:45 2017 : Info: ++[eap] = noop
Wed Aug 16 22:21:45 2017 : Info: ++[files] = noop
Wed Aug 16 22:21:45 2017 : Info: [ldap] performing user authorization for
adam
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Wed Aug 16 22:21:45 2017 : Info: [ldap] ... expanding second
conditional
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand: %{User-Name} -> adam
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand:
OU=users,DC=d-holomit,DC=com -> OU=users,DC=d-holomit,DC=com
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] attempting LDAP reconnection
Wed Aug 16 22:21:45 2017 : Debug: [ldap] (re)connect to
host1.holimit.com:389, authentication 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] bind as
cn=connect,ou=users,dc=d-holomit,dc=com/wP67yh345 to host1.holomit.com:389
Wed Aug 16 22:21:45 2017 : Debug: [ldap] waiting for bind result ...
Wed Aug 16 22:21:45 2017 : Debug: [ldap] Bind was successful
Wed Aug 16 22:21:45 2017 : Debug: [ldap] performing search in
OU=users,DC=d-holomit,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 22:21:45 2017 : Info: [ldap] No default NMAS login sequence
Wed Aug 16 22:21:45 2017 : Info: [ldap] looking for check items in
directory...
Wed Aug 16 22:21:45 2017 : Info: [ldap] looking for reply items in
directory...
Wed Aug 16 22:21:45 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 22:21:45 2017 : Info: ++[ldap] = ok
Wed Aug 16 22:21:45 2017 : Info: ++[expiration] = noop
Wed Aug 16 22:21:45 2017 : Info: ++[logintime] = noop
Wed Aug 16 22:21:45 2017 : Info: ++[pap] = noop
Wed Aug 16 22:21:45 2017 : Info: ++? if (LDAP-Group == Group1)
Wed Aug 16 22:21:45 2017 : Debug: [ldap] Entering ldap_groupcmp()
Wed Aug 16 22:21:45 2017 : Info: expand:
OU=users,DC=d-holomit,DC=com -> OU=users,DC=d-holomit,DC=com
Wed Aug 16 22:21:45 2017 : Info: expand:
(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dInfraestructura\2cOU\3dG.
Infraestructura\2cOU\3dusers\3dd-holomit\2cDC\3dcom)))
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] performing search in
OU=users,DC=d-holomit,DC=com, with filter
(&(cn=Group1)(|(&(objectClass=group)(member=CN\3dAdam\3dUsers\2cOU\3dd-holomit\2cDC\3dcom)))
Wed Aug 16 22:21:45 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group Group1
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 22:21:45 2017 : Info: ? Evaluating (LDAP-Group == Group1) -> TRUE
Wed Aug 16 22:21:45 2017 : Info: ++? if (LDAP-Group == Group1) -> TRUE
Wed Aug 16 22:21:45 2017 : Info: ++if (LDAP-Group == Group1) {
Wed Aug 16 22:21:45 2017 : Info: +++[noop] = noop
Wed Aug 16 22:21:45 2017 : Info: ++} # if (LDAP-Group == Group1) = noop
Wed Aug 16 22:21:45 2017 : Info: ++ ... skipping else for request 0:
Preceding "if" was taken
Wed Aug 16 22:21:45 2017 : Info: +} # group authorize = ok
Wed Aug 16 22:21:45 2017 : Info: Found Auth-Type = MSCHAP
Wed Aug 16 22:21:45 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: +group MS-CHAP {
Wed Aug 16 22:21:45 2017 : Info: [mschap] Client is using MS-CHAPv1 with
NT-Password
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 22:21:45 2017 : Info: [mschap] No NT-Domain was found in the
User-Name.
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
->
Wed Aug 16 22:21:45 2017 : Info: [mschap] ... expanding second
conditional
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain=D-HOLOMIT
Wed Aug 16 22:21:45 2017 : Info: [mschap] mschap1: e1
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=e1248c7251ea7e63
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
Wed Aug 16 22:21:45 2017 : *Debug: Exec output: No trusted SAM account
(0xc000018b) *
Wed Aug 16 22:21:45 2017 : *Debug: Exec plaintext: No trusted SAM account
(0xc000018b)*
Wed Aug 16 22:21:45 2017 : Info: [mschap] Exec: program returned: 1
Wed Aug 16 22:21:45 2017 : Info: [mschap] External script failed.
Wed Aug 16 22:21:45 2017 : Info: [mschap] MS-CHAP-Response is incorrect.
Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = reject
Wed Aug 16 22:21:45 2017 : Info: +} # group MS-CHAP = reject
Wed Aug 16 22:21:45 2017 : Info: Failed to authenticate the user.
Wed Aug 16 22:21:45 2017 : Info: } # server inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: Using Post-Auth-Type REJECT
Wed Aug 16 22:21:45 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: +group REJECT {
Wed Aug 16 22:21:45 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> adam
Wed Aug 16 22:21:45 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Wed Aug 16 22:21:45 2017 : Info: ++[attr_filter.access_reject] = updated
Wed Aug 16 22:21:45 2017 : Info: +} # group REJECT = updated
Wed Aug 16 22:21:45 2017 : Info: Delaying reject of request 0 for 1 seconds
Wed Aug 16 22:21:45 2017 : Debug: Going to the next request
Wed Aug 16 22:21:45 2017 : Debug: Waking up in 0.8 seconds.
Wed Aug 16 22:21:46 2017 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 90 to 127.0.0.1 port 56467
MS-CHAP-Error = "\000E=691 R=1"
Special thanks!!!
Adam
2017-08-16 13:28 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
> On Aug 16, 2017, at 4:05 PM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > Dear Alan and people, I'm near the solution of my problem but I'm still
> > having a problem.
> >
> > Following the Alan DeKok tutorial about Authentication with Active
> > Directory with ntlm_auth and mschap, everything works OK. In this case, I
> > have no LDAP support at all, no authorization, just authentication.
>
> That's fine. The guide deals with one issue at a time.
>
> If you can get AD authentication working, then adding LDAP authorization
> is about 10 minutes.
>
> > But the problem comes when I set up LDAP support for authorization,
> > checking whether the user is or is not in a given group with the Ldap-Group
> > attribute.
>
> Put those checks into the virtual server, not in the "users" file.
>
> What LDAP group checks are you doing?
>
> This kind of thing will work:
>
> authorize {
>         ...
>         if (LDAP-Group != admins) {
>                 reject
>         }
>         ...
> }
>
> > As I said previously, after configuring the ldap module and
> > /etc/sites-available/default and inner-tunnel with LDAP for
> > authorization,
>
> To do *what*? Be specific.
>
> In most cases, if you can write the requirements down in simple English,
> you can translate those to "unlang" policy rules pretty directly.
>
> > --nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
> > Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account *
> > (0xc000018b)
> > Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM
> account*
> > (0xc000018b)
>
> That's an error produced by AD, not FreeRADIUS.
>
> > Can you tell me why mschap auth is ok without LDAP support and it's wrong
> > with LDAP support???
>
> Since you didn't say what you did for LDAP authorization, I have no idea
> what's going wrong.
>
> But from the error message above, it *is* clear that the user isn't
> allowed to use AD authentication. That is an issue entirely separate from
> LDAP authorization.
>
> Alan DeKok.
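An added triage helper, written for this thread and not part of FreeRADIUS or of either poster's configuration: it parses debug lines of the kind posted above and names the stage that rejected the request, so that a reject from the LDAP-Group policy in the authorize section is not confused with an AD authentication failure relayed by ntlm_auth, which is the distinction Alan draws. The sample log is a constructed excerpt of the failing log above with the mail archive's line wrapping undone; the NT status table, the set of failing return codes and the verdict names are my own. It also reports the MS-CHAP version and the --domain value handed to ntlm_auth, the two things that differ between the two logs posted (MS-CHAPv2 inside EAP with an empty --domain in the success log, MS-CHAPv1 from radtest with --domain=D-HOLOMIT in the failing one).

```python
"""Triage helper for FreeRADIUS debug output (radiusd -X): tells an LDAP
authorization reject apart from an AD (ntlm_auth) authentication failure."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines excerpted from the failing log posted in the
# thread, with the mail archive's line wrapping undone.
SAMPLE_FAILURE_LOG = """\
Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = ok
Wed Aug 16 22:21:45 2017 : Info: ++[ldap] = ok
Wed Aug 16 22:21:45 2017 : Info: ? Evaluating (LDAP-Group == Group1) -> TRUE
Wed Aug 16 22:21:45 2017 : Info: +++[noop] = noop
Wed Aug 16 22:21:45 2017 : Info: +} # group authorize = ok
Wed Aug 16 22:21:45 2017 : Info: Found Auth-Type = MSCHAP
Wed Aug 16 22:21:45 2017 : Info: [mschap] Client is using MS-CHAPv1 with NT-Password
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain=D-HOLOMIT
Wed Aug 16 22:21:45 2017 : *Debug: Exec output: No trusted SAM account (0xc000018b) *
Wed Aug 16 22:21:45 2017 : Info: [mschap] Exec: program returned: 1
Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = reject
Wed Aug 16 22:21:45 2017 : Info: +} # group MS-CHAP = reject
"""

# Line shapes taken from the debug output above (2.x/3.x style).
MODULE_RC = re.compile(r"\++\[(?P<name>[\w.-]+)\] = (?P<rc>\w+)$")
SECTION_RC = re.compile(r"\} # group (?P<name>[\w-]+) = (?P<rc>\w+)$")
CONDITION = re.compile(r"\? Evaluating \((?P<cond>.+?)\) -> (?P<result>TRUE|FALSE)$")
MSCHAP_VER = re.compile(r"Client is using (?P<ver>MS-CHAPv[12])")
NTLM_DOMAIN = re.compile(r"-> --domain=(?P<domain>\S*)$")
EXEC_OUTPUT = re.compile(r"Exec output: (?P<msg>.*)$")
EXEC_RC = re.compile(r"Exec: program returned: (?P<rc>\d+)$")
NT_STATUS_RE = re.compile(r"0x[0-9a-fA-F]{8}")

# NT status codes ntlm_auth relays from the DC. 0xc000018b is the one in the
# thread; 0xc000006d is the plain bad-credentials code. Table is my own.
NT_STATUS = {
    "0xc000018b": "STATUS_NO_TRUST_SAM_ACCOUNT (DC has no trust account for the workstation/domain named)",
    "0xc000006d": "STATUS_LOGON_FAILURE (wrong user name or password)",
}
FAIL_RCS = {"reject", "fail", "notfound", "invalid", "userlock"}

@dataclass
class AuthTrace:
    module_rcs: List[Tuple[str, str]] = field(default_factory=list)
    section_rcs: Dict[str, str] = field(default_factory=dict)
    conditions: List[Tuple[str, str]] = field(default_factory=list)
    mschap_version: Optional[str] = None
    ntlm_domain: Optional[str] = None
    exec_rc: Optional[int] = None
    nt_status: Optional[str] = None

def parse_debug(text: str) -> AuthTrace:
    """Single pass over the debug output, collecting only the facts we need."""
    t = AuthTrace()
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := MODULE_RC.search(line):
            t.module_rcs.append((m["name"], m["rc"]))
        elif m := SECTION_RC.search(line):
            t.section_rcs[m["name"]] = m["rc"]
        elif m := CONDITION.search(line):
            t.conditions.append((m["cond"], m["result"]))
        elif m := MSCHAP_VER.search(line):
            t.mschap_version = m["ver"]
        elif m := NTLM_DOMAIN.search(line):
            t.ntlm_domain = m["domain"]
        elif m := EXEC_OUTPUT.search(line):
            output = m["msg"].strip(" *")  # the debug line wraps the output in '*'
            if s := NT_STATUS_RE.search(output):
                t.nt_status = s.group(0).lower()
        elif m := EXEC_RC.search(line):
            t.exec_rc = int(m["rc"])
    return t

def classify(t: AuthTrace) -> str:
    """Name the stage that said no. A reject in authorize (the LDAP policy)
    comes first, because then the Auth-Type stage never ran at all."""
    if t.section_rcs.get("authorize") in FAIL_RCS:
        return "authorization-reject"
    if t.nt_status is not None or t.exec_rc not in (None, 0):
        return "ad-authentication-failure"
    if any(rc in FAIL_RCS for rc in t.section_rcs.values()):
        return "authentication-reject"
    return "ok"

def summarize(text: str) -> dict:
    t = parse_debug(text)
    return {
        "verdict": classify(t),
        "mschap_version": t.mschap_version,
        "ntlm_domain": t.ntlm_domain,
        "ldap_rc": dict(t.module_rcs).get("ldap"),
        "ldap_group_checks": [c for c in t.conditions if "LDAP-Group" in c[0]],
        "nt_status": t.nt_status,
        "nt_status_meaning": NT_STATUS.get(t.nt_status or "", "unknown"),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FAILURE_LOG).items():
        print(f"{key:20} {value}")
```

Run it with `radiusd -X 2>&1 | tee debug.log` and then `summarize(open("debug.log").read())`; on the excerpt above the verdict is `ad-authentication-failure` with the LDAP module returning `ok` and the group check `TRUE`, i.e. the directory side of the request was fine and the reject came from the domain controller.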