I have a problem with the authorization by LDAP and Authentication with AD
Matthew Newton
mcn at freeradius.org
Mon Jul 31 13:36:04 CEST 2017
On Mon, 2017-07-31 at 12:21 +0200, I Aaaaaahhhhhh wrote:
> The Radius server is integrated into the Active Directory domain.
> I would like that only certain users connect to the AD domain.
> When I connect to the radius server via eapol_test, the authorization
> by LDAP as well as the authentication by AD work perfectly.
> If I want to log on to the AD domain from a Windows 10 client with the
> same user account, this does not work.
> C5c5 is prepended to the username.
5c5c actually. Which is ASCII for "\\".
> A realm with the domain name and the content skip was created in the
> proxy.conf, as well as the ntdomain entry in the sites-enabled /
> default, but the user name still contains C5C5.
> Here I add the debug content.
Packet 20.
Replace "suffix" in your inner-tunnel with "ntdomain".
Matthew
> (20) Received Access-Request Id 93 from 192.168.99.2:56766 to
> 192.168.99.13:1812 length 282
> (20) User-Name = "SEDLMEIER\\iah"
> (20) Service-Type = Framed-User
> (20) Called-Station-Id = "D8-84-66-1C-A0-C2"
> (20) Calling-Station-Id = "74-2B-62-85-F5-5D"
> (20) NAS-Identifier = "sed-nw-sw-01.sedlmeier.local"
> (20) NAS-Port = 5
> (20) NAS-Port-Id = "fe.1.5"
> (20) Framed-MTU = 1500
> (20) NAS-Port-Type = Ethernet
> (20) State = 0xd24e2fefd441361eca7551413078c7bf
> (20) EAP-Message =
> 0x020f00671900170303005c000000000000000243241aa425d6f7c8d71509c3b60a4
> c6b8db4cad3d64eef888d40802d40c2c86b4500c9bb1901556e079452b3643718c88c
> db7fe0a50aa320e9d9c7f849290f380b06d9730e79d4e4c2be3e04b14c604a00ccbdd
> 2
> (20) NAS-IP-Address = 0.0.0.0
> (20) Message-Authenticator = 0xa846eca9d309e94652e1c58fbaa05dce
> (20) session-state: No cached attributes
> (20) # Executing section authorize from file /etc/raddb/sites-
> enabled/default
> (20) authorize {
> (20) policy filter_username {
> (20) if (&User-Name) {
> (20) if (&User-Name) -> TRUE
> (20) if (&User-Name) {
> (20) if (&User-Name =~ / /) {
> (20) if (&User-Name =~ / /) -> FALSE
> (20) if (&User-Name =~ /@[^@]*@/ ) {
> (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (20) if (&User-Name =~ /\.\./ ) {
> (20) if (&User-Name =~ /\.\./ ) -> FALSE
> (20) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (20) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) -> FALSE
> (20) if (&User-Name =~ /\.$/) {
> (20) if (&User-Name =~ /\.$/) -> FALSE
> (20) if (&User-Name =~ /@\./) {
> (20) if (&User-Name =~ /@\./) -> FALSE
> (20) } # if (&User-Name) = notfound
> (20) } # policy filter_username = notfound
> (20) [preprocess] = ok
> (20) [chap] = noop
> (20) [mschap] = noop
> (20) [digest] = noop
> (20) suffix: Checking for suffix after "@"
> (20) suffix: No '@' in User-Name = "SEDLMEIER\iah", looking up realm
> NULL
> (20) suffix: No such realm "NULL"
> (20) [suffix] = noop
> (20) ntdomain: Checking for prefix before "\"
> (20) ntdomain: Looking up realm "SEDLMEIER" for User-Name =
> "SEDLMEIER\iah"
> (20) ntdomain: Found realm "SEDLMEIER"
> (20) ntdomain: Adding Stripped-User-Name = "iah"
> (20) ntdomain: Adding Realm = "SEDLMEIER"
> (20) ntdomain: Authentication realm is LOCAL
> (20) [ntdomain] = ok
> (20) eap: Peer sent EAP Response (code 2) ID 15 length 103
> (20) eap: Continuing tunnel setup
> (20) [eap] = ok
> (20) } # authorize = ok
> (20) Found Auth-Type = eap
> (20) # Executing group from file /etc/raddb/sites-enabled/default
> (20) authenticate {
> (20) eap: Expiring EAP session with state 0xd63550fbd63a4a59
> (20) eap: Finished EAP session with state 0xd24e2fefd441361e
> (20) eap: Previous EAP request found for state 0xd24e2fefd441361e,
> released from the list
> (20) eap: Peer sent packet with method EAP PEAP (25)
> (20) eap: Calling submodule eap_peap to process data
> (20) eap_peap: Continuing EAP-TLS
> (20) eap_peap: [eaptls verify] = ok
> (20) eap_peap: Done initial handshake
> (20) eap_peap: [eaptls process] = ok
> (20) eap_peap: Session established. Decoding tunneled attributes
> (20) eap_peap: PEAP state phase2
> (20) eap_peap: EAP method MSCHAPv2 (26)
> (20) eap_peap: Got tunneled request
> (20) eap_peap: EAP-Message =
> 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000
> 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552
> 5c696168
> (20) eap_peap: Setting User-Name to SEDLMEIER\iah
> (20) eap_peap: Sending tunneled request to inner-tunnel
> (20) eap_peap: EAP-Message =
> 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000
> 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552
> 5c696168
> (20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (20) eap_peap: User-Name = "SEDLMEIER\\iah"
> (20) eap_peap: State = 0xd63550fbd63a4a59a7b76b3185c969aa
> (20) Virtual server inner-tunnel received request
> (20) EAP-Message =
> 0x020f00481a020f0043312af06a1435a1a34bfca5dc612d69a1d1000000000000000
> 0aee7c918d346a026e864b8344642b61250828f7f16106ae4005345444c4d45494552
> 5c696168
> (20) FreeRADIUS-Proxied-To = 127.0.0.1
> (20) User-Name = "SEDLMEIER\\iah"
> (20) State = 0xd63550fbd63a4a59a7b76b3185c969aa
> (20) WARNING: Outer and inner identities are the same. User privacy
> is compromised.
> (20) server inner-tunnel {
> (20) session-state: No cached attributes
> (20) # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (20) authorize {
> (20) policy filter_username {
> (20) if (&User-Name) {
> (20) if (&User-Name) -> TRUE
> (20) if (&User-Name) {
> (20) if (&User-Name =~ / /) {
> (20) if (&User-Name =~ / /) -> FALSE
> (20) if (&User-Name =~ /@[^@]*@/ ) {
> (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (20) if (&User-Name =~ /\.\./ ) {
> (20) if (&User-Name =~ /\.\./ ) -> FALSE
> (20) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (20) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) -> FALSE
> (20) if (&User-Name =~ /\.$/) {
> (20) if (&User-Name =~ /\.$/) -> FALSE
> (20) if (&User-Name =~ /@\./) {
> (20) if (&User-Name =~ /@\./) -> FALSE
> (20) } # if (&User-Name) = notfound
> (20) } # policy filter_username = notfound
> (20) [chap] = noop
> (20) [mschap] = noop
> (20) suffix: Checking for suffix after "@"
> (20) suffix: No '@' in User-Name = "SEDLMEIER\iah", looking up realm
> NULL
> (20) suffix: No such realm "NULL"
> (20) [suffix] = noop
> (20) update control {
> (20) &Proxy-To-Realm := LOCAL
> (20) } # update control = noop
> (20) eap: Peer sent EAP Response (code 2) ID 15 length 72
> (20) eap: No EAP Start, assuming it's an on-going EAP conversation
> (20) [eap] = updated
> (20) files: Searching for user in group "CN=Radius
> lokal,OU=lokale,OU=Gruppen,OU=spezielle
> Konten,OU=Mitarbeiter,DC=sedlmeier,DC=local"
> rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle
> for 61 seconds
> rlm_ldap (ldap): Reserved connection (0)
> (20) files: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-
> Name}})
> (20) files: --> (samaccountname=SEDLMEIER\5c5ciah)
> (20) files: Performing search in
> "OU=Mitarbeiter,DC=sedlmeier,DC=local" with filter
> "(samaccountname=SEDLMEIER\5c5ciah)", scope "sub"
> (20) files: Waiting for search result...
> (20) files: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 7 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (8), 1 of 29 pending
> slots used
> rlm_ldap (ldap): Connecting to ldap://sed-vm-dc-
> 01.sedlmeier.local:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (20) files: users: Matched entry DEFAULT at line 48
> (20) [files] = ok
> rlm_ldap (ldap): Reserved connection (7)
> (20) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-
> Name}})
> (20) ldap: --> (samaccountname=SEDLMEIER\5c5ciah)
> (20) ldap: Performing search in
> "OU=Mitarbeiter,DC=sedlmeier,DC=local"
> with filter "(samaccountname=SEDLMEIER\5c5ciah)", scope "sub"
> (20) ldap: Waiting for search result...
> (20) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (7)
> (20) [ldap] = notfound
> (20) [expiration] = noop
> (20) [logintime] = noop
> (20) pap: WARNING: Auth-Type already set. Not setting to PAP
> (20) [pap] = noop
> (20) } # authorize = updated
> (20) Found Auth-Type = Reject
> (20) Auth-Type = Reject, rejecting user
> (20) Failed to authenticate the user
> (20) Using Post-Auth-Type Reject
> (20) # Executing group from file /etc/raddb/sites-enabled/inner-
> tunnel
> (20) Post-Auth-Type REJECT {
> (20) attr_filter.access_reject: EXPAND %{User-Name}
> (20) attr_filter.access_reject: --> SEDLMEIER\\iah
> (20) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (20) [attr_filter.access_reject] = updated
> (20) update outer.session-state {
> (20) No attributes updated
> (20) } # update outer.session-state = noop
> (20) } # Post-Auth-Type REJECT = updated
> (20) } # server inner-tunnel
> (20) Virtual server sending reply
> (20) eap_peap: Got tunneled reply code 3
> (20) eap_peap: Got tunneled reply RADIUS code 3
> (20) eap_peap: Tunneled authentication was rejected
> (20) eap_peap: FAILURE
> (20) eap: Sending EAP Request (code 1) ID 16 length 46
> (20) eap: EAP session adding &reply:State = 0xd24e2fefd55e361e
> (20) [eap] = handled
> (20) } # authenticate = handled
> (20) Using Post-Auth-Type Challenge
> (20) # Executing group from file /etc/raddb/sites-enabled/default
> (20) Challenge { ... } # empty sub-section is ignored
> (20) Sent Access-Challenge Id 93 from 192.168.99.13:1812 to
> 192.168.99.2:56766 length 0
> (20) EAP-Message =
> 0x0110002e1900170303002343321548245ec020494ccfac9bdaeb65e6d6b730b817a
> d0e5a713d9147d8907ee86758
> (20) Message-Authenticator = 0x00000000000000000000000000000000
> (20) State = 0xd24e2fefd55e361eca7551413078c7bf
> (20) Finished request
> Waking up in 0.8 seconds.
--
Matthew
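To make the difference between the two rlm_realm instances concrete, here is an added Python model (not FreeRADIUS code and not from this thread) of what "suffix" and "ntdomain" each do to the User-Name seen in packet 20, and of the filter the inner-tunnel then builds from %{%{Stripped-User-Name}:-%{User-Name}}. The directory contents and the single-pass RFC 4515 escape are assumptions: the real server's escaping yields the "\5c5c" in the log, the model yields "\5c", and the search fails the same way in both cases.

```python
# Constructed stand-in for the AD OU searched in the log. sAMAccountName is
# the bare account name ("iah"); it never carries the "DOMAIN\" prefix.
DIRECTORY = {"iah": "CN=iah,OU=Mitarbeiter,DC=sedlmeier,DC=local"}


def suffix(user_name):
    """Model of rlm_realm 'suffix': split on the last '@' (user@realm).
    Returns (Stripped-User-Name, Realm), or (None, None) when there is no
    '@', which is the "No '@' in User-Name ... noop" seen in the log."""
    if "@" not in user_name:
        return None, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def ntdomain(user_name):
    """Model of rlm_realm 'ntdomain': split on the first '\\' (DOMAIN\\user).
    This is what produces Stripped-User-Name = "iah" in the outer server."""
    if "\\" not in user_name:
        return None, None
    realm, user = user_name.split("\\", 1)
    return user, realm


def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value (backslash -> \\5c).
    Assumption: one escaping pass, unlike the server's own expansion."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(user_name, stripped):
    """(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}): the xlat
    falls back to the full User-Name when nothing set Stripped-User-Name."""
    return "(samaccountname=%s)" % ldap_escape(stripped if stripped else user_name)


def lookup(user_name, realm_module):
    """Run one realm module on the name, build the filter, and search the
    constructed directory. A None DN is "Search returned no results"."""
    stripped, _realm = realm_module(user_name)
    flt = build_filter(user_name, stripped)
    value = flt[len("(samaccountname="):-1]
    return flt, DIRECTORY.get(value)


if __name__ == "__main__":
    name = "SEDLMEIER\\iah"  # what the Windows 10 client sends (one backslash)
    # inner-tunnel as configured in the thread: suffix only -> no match
    print(lookup(name, suffix))
    # inner-tunnel with ntdomain, as Matthew suggests -> "iah" is found
    print(lookup(name, ntdomain))
```

Note that the inner-tunnel request in the log only carries EAP-Message, FreeRADIUS-Proxied-To, User-Name and State, so the Stripped-User-Name the outer ntdomain added does not reach the inner LDAP lookup on its own.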