Freeradius + AD authentication passing Domain+User
Alejandro Cabrera Obed
aco1967 at gmail.com
Wed Jun 21 20:12:49 CEST 2017
Dear Alan, I'm following your guide "Configuring Authentication with Active
Directory" (http://deployingradius.com/documents/configuration/active_directory.html)
in order to analyze my configuration issues.
I will show you the most important parts of the tutorial, and I will tell you
what I put in or what I get from the tests, so you can comment below if you
can:
1) Configuring Freeradius to use ntlm_auth, in /etc/freeradius/modules/ntlm_auth:

    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
    }
But in /etc/freeradius/sites-enabled/default and inner-tunnel, I don't have
the following authenticate sections at all:

    authenticate {
        ...
        ntlm_auth
        ...
    }

If I have to put them in, what do I have to add in the "..." lines you don't
specify?
2) After that, you recommend using the test command:

    $ radtest user password localhost 0 testing123

Does this user correspond to my domain "DOMAIN.COM", or is it a local user
in order to test the config?
3) Configuring Freeradius to use ntlm_auth for MSCHAP

In the /etc/freeradius/modules/mschap file I put:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-DOMAIN.COM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
After that I start the Freeradius service in debug mode, and I use the radtest
command to send an MSCHAP authentication request. I have Freeradius 2.2.5,
so I execute:

    $ radtest -t mschap bob hello localhost 0 testing123

Is bob/hello a username/password from DOMAIN.COM?
If I execute it this way:

    Sending Access-Request of id 220 to 127.0.0.1 port 1812
        User-Name = "alejandro@domain.com"
        NAS-IP-Address = 192.168.1.250
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0xdb6688ffc58b6208
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=38
        MS-CHAP-Error = "\000E=691 R=1"
I'll be waiting for your feedback, special thanks!
Alejandro
2017-06-15 14:05 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
>
> > On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967 at gmail.com> wrote:
> >
> > Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users
> > from cell phones and notebooks.
> >
> > In the case of cell phones, the users type the corresponding usernames and
> > passwords and after that Freeradius passes it to the AD and everything
> > works OK.
>
> That's good.
>
> > In the case of the notebooks, the Windows users are logged into our DC
> > domain, then they type the username or username@domain or domain\username
> > with the corresponding passwords but in these cases they can't
> > authenticate against the AD (there is a reject message in the Freeradius
> > log).
>
> So... what is the reject message?
>
> Please post the full debug output as suggested in the FAQ, "man" pages,
> wiki, and daily on this list.
>
> > In case they are not logged into the domain, and they are local users
> > in the notebooks, if they type just their usernames (without domain) they
> > authenticate OK.
>
> That's good.
>
> > So how can I authenticate Windows users against the AD when they are logged
> > into the domain? Do I have to define a special directive in a config file
> > from freeradius, winbind or samba?
>
> It's not magic. But it DOES require that you read the debug output.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
// Alejandro //
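As an added example (it is not code from this thread or from FreeRADIUS itself), the Python below emulates what the quoted mschap `ntlm_auth` line expands to for the three User-Name forms the thread mentions (bare user, user@domain, DOMAIN\user), and decodes the MS-CHAP-Error string that radtest printed. The xlat behaviour, and in particular the handling of the `@` form, is a simplified assumption modelled on FreeRADIUS 2.x rather than its actual code; the error codes are the standard ones from RFC 2759.

```python
# Added example: a plain-Python model of the quoted mschap config line and of
# the MS-CHAP-Error attribute.  Not FreeRADIUS code; the xlat semantics below
# are an assumption modelled on FreeRADIUS 2.x.
from collections import namedtuple

DEFAULT_DOMAIN = "DOMAIN.COM"  # the ':-DOMAIN.COM' fallback in the config

# Failure codes carried in MS-CHAP-Error (RFC 2759, section 6)
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

def split_user_name(user_name):
    """Return (domain, user): 'DOMAIN\\user' -> ('DOMAIN', 'user'),
    'user@domain' -> ('domain', 'user'), bare 'user' -> (None, 'user').
    None stands for an empty %{mschap:NT-Domain} expansion."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return (domain or None), user
    if "@" in user_name:  # assumption: treat the realm form like the NT form
        user, _, domain = user_name.rpartition("@")
        return (domain or None), user
    return None, user_name

def ntlm_auth_argv(user_name, challenge_hex=None, nt_response_hex=None,
                   default_domain=DEFAULT_DOMAIN):
    """argv the quoted 'ntlm_auth = ...' line expands to for one request;
    every ':-' default from the config line is reproduced."""
    domain, user = split_user_name(user_name)
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            "--username=" + (user or "None"),
            "--domain=" + (domain or default_domain),
            "--challenge=" + (challenge_hex or "00"),
            "--nt-response=" + (nt_response_hex or "00")]

MschapError = namedtuple("MschapError", "ident code retry name")

def parse_mschap_error(value):
    """Decode MS-CHAP-Error: a one-byte Ident, then 'E=code R=retry ...'."""
    ident, text = value[0], value[1:]
    fields = dict(tok.split("=", 1) for tok in text.split() if "=" in tok)
    code = int(fields["E"])
    return MschapError(ord(ident), code, fields.get("R") == "1",
                       MSCHAP_ERRORS.get(code, "unknown"))
```

Feeding the thread's reject, `parse_mschap_error("\x00E=691 R=1")`, yields code 691, ERROR_AUTHENTICATION_FAILURE with retry allowed, which is the generic "wrong credentials or wrong domain" answer from the DC rather than a locked or expired account.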
More information about the Freeradius-Users mailing list