freeradius with Active Directory via winbind or MAC address access
Vieri
rentorbuy at yahoo.com
Wed Nov 29 15:04:17 CET 2017
Hi,
I would like to allow access when user authentication is approved by AD through winbind, OR when the MAC address is in a local file.
I'm trying to follow this guide:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
but also this other guide:
https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x
My software versions:
freeradius-3.0.14
samba-4.5.10
Samba/winbind works fine:
# ntlm_auth --username=user --domain=DOMAIN
Password:
NT_STATUS_OK: Success (0x0)
freeradius build.log looks good:
checking for wbclient.h in /usr/include/samba-4.0/... yes
checking for wbcCtxAuthenticateUserEx in -lwbclient... yes
# grep winbind_ /etc/raddb/mods-available/mschap | grep -v ^#
winbind_username = "%{mschap:User-Name}"
winbind_domain = "DOMAIN"
# tail -n 6 /etc/raddb/clients.conf
client 10.215.144.92 {
ipv4addr = 10.215.144.92
secret = testrad
shortname = testsys
require_message_authenticator = no
}
From 10.215.144.92:
# radtest -t mschap user password 10.215.144.91 0 testrad
Sent Access-Request Id 181 from 0.0.0.0:39653 to 10.215.144.91:1812 length 132
User-Name = "user"
MS-CHAP-Password = "password"
NAS-IP-Address = 10.215.144.92
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "user"
MS-CHAP-Challenge = 0x5e0a69983fa65564
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721
Received Access-Reject Id 181 from 10.215.144.91:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
Radius log:
(0) Received Access-Request Id 181 from 10.215.144.92:39653 to 10.215.144.91:1812 length 132
(0) User-Name = "user"
(0) NAS-IP-Address = 10.215.144.92
(0) NAS-Port = 0
(0) Message-Authenticator = 0x1905f61891b983253895b1d8d33976d8
(0) MS-CHAP-Challenge = 0x5e0a69983fa65564
(0) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_calling_station_id = noop
(0) if (!EAP-Message) {
(0) if (!EAP-Message) -> TRUE
(0) if (!EAP-Message) {
(0) authorized_macs: EXPAND %{Calling-Station-ID}
(0) authorized_macs: -->
(0) [authorized_macs] = noop
(0) if (!ok) {
(0) if (!ok) -> TRUE
(0) if (!ok) {
(0) [reject] = reject
(0) } # if (!ok) = reject
(0) } # if (!EAP-Message) = reject
(0) } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> user
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 181 from 10.215.144.91:1812 to 10.215.144.92:39653 length 20
# grep user /etc/raddb/radiusd.conf | grep -v '#'
user = radius
I cannot find any subdir named 'winbindd_privileged':
# ls /var/lock/samba/
brlock.tdb mutex.tdb smbXsrv_session_global.tdb
g_lock.tdb names.tdb smbXsrv_tcon_global.tdb
gencache_notrans.tdb printer_list.tdb smbXsrv_version_global.tdb
leases.tdb serverid.tdb smb_krb5
locking.tdb smbXsrv_client_global.tdb smbd_cleanupd.tdb
msg.lock smbXsrv_open_global.tdb
Why is my radtest above not getting an Access-Accept?
Thanks,
Vieri
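The debug output above stops at `reject` inside `if (!EAP-Message)`: radtest sent no Calling-Station-Id, the authorized_macs file lookup expanded an empty key and returned noop, and `if (!ok)` rejected the request before the mschap module was ever run. As an added example (not from the post, the wiki guides or the FreeRADIUS distribution), an authorize section that applies the MAC lookup only to credential-less requests and lets everything else fall through to mschap; it assumes the `authorized_macs` files instance from the mac-auth guide and the stock authenticate section in sites-enabled/default.

```unlang
authorize {
    filter_username
    preprocess
    rewrite_calling_station_id

    # MAC-address bypass: only for non-EAP requests that carry a MAC
    # and no user credentials. A request with MS-CHAP or PAP credentials
    # skips this block so it is checked against AD via winbind below.
    if (!&EAP-Message && &Calling-Station-Id && !&User-Password && !&MS-CHAP-Response && !&MS-CHAP2-Response) {
        # files instance from the mac-auth guide (assumed to be configured)
        authorized_macs
        if (ok) {
            # MAC listed in the authorized_macs file: accept without a password
            update control {
                &Auth-Type := Accept
            }
        }
        else {
            # MAC present but not listed, and no credentials to fall back on
            reject
        }
    }

    # Credential path: mschap sets Auth-Type := MS-CHAP when MS-CHAP
    # attributes are present, and authenticate { Auth-Type MS-CHAP { mschap } }
    # then verifies the response through winbind.
    mschap
    eap
    pap
}
```

Re-run `radiusd -X` with the same radtest request; `[mschap]` should now appear in the authorize output instead of the early `reject`.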