AD Auth Question

Martin, Jeremy jmartin at emcc.edu
Mon Jan 1 02:20:52 CET 2018


So I greatly appreciate the pointers and help thus far but unfortunately this part of the project keeps running into wall after wall.  So I decided to take a step back and start with a single domain on a nice clean install but come up with the same error from the inner-tunnel test.  

&Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'

When researching this error it seems to point to issues people had when upgrading from v2 to v3 but this is not the case in this instance, and I am not able to find any useful information after many hours of exhausting the resources that I did find.  

So I now have two questions:

1. As we are largely required to use FR due to the MD5 EAP requirement of a solution we need to support and the difficulties and other issues of getting this implemented I am seriously considering the viability of the product without commercial support options.  Does anyone have any rough idea of cost for the commercial support option for a FR server in an educational production environment?

2. In the event we decide to go the commercial route, and honestly I am heavily leaning that way after the amount of time invested this weekend, I still really need to do a proof of concept before coming so any pointers on the following error?

 radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123

 Received Access-Request Id 74 from 127.0.0.1:52096 to 127.0.0.1:18120 length 142
(1)   User-Name = "testuser"
(1)   NAS-IP-Address = 10.40.0.199
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0xd61679269ea9b90bf0e38f138bd9a1a4
(1)   MS-CHAP-Challenge = 0x1b48d5a1841beb78
(1)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a76b216d255f8f4b4b039e309a93b5e58e52e6fdc5feaf1e
(1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> TRUE
(1)         if (&User-Name =~ /\.\./ )  {
(1)           update request {
(1)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(1)           } # update request = noop
(1)           [reject] = reject
(1)         } # if (&User-Name =~ /\.\./ )  = reject
(1)       } # if (&User-Name)  = reject
(1)     } # policy filter_username = reject
(1)   } # authorize = reject
(1) Invalid user (Rejected: User-Name contains multiple ..s): [testuser/<no User-Password attribute>] (from client localhost port 0)
(1) Using Post-Auth-Type Reject


> On Dec 30, 2017, at 4:29 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> 
> Don't mess with username, it'll break the EAP authentication. The server
> and ntlm_auth will handle those forms of IDs fine, just use the mschap
> module and ensure that the NT name stuff (prefix module IIRC) is enabled
> 
> alan
> 
> On 30 Dec 2017 7:43 pm, "Martin, Jeremy" <jmartin at emcc.edu> wrote:
> 
>> Thanks for the feedback, makes sense.  I will just need to mutate the
>> username from “host/machine.domain.com” to “machine$” which I can handle.
>> 
>> To attempt to answer your question as I understand it: right now this is
>> proxied from NPS to freeradius as the NPS server existed before freeradius
>> and only implemented freeradius when the MD5 requirement came along as it
>> was removed from NPS some time ago and reimplementing it did make it work
>> “sometimes” other times it would just fail so rather than spend time on a
>> removed and unsupported feature we decided to move all the mac and MD5
>> dot1x authentication to a freeradius server.  Now I would like to get down
>> to just the single radius server again now that it has been proven in
>> production it is time to scale out for resiliency but would like to finish
>> the project off by authenticating the PEAP/MSCHAPv2 stuff back to ad where
>> a machine is authenticated once it is joined to the domain.
>> 
>>> On Dec 30, 2017, at 1:19 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
>>> 
>>> fairly easily done - and quite common -  had different requirements
>>> when, for example, we migrated from one domain to another.
>>> 
>>> you don't want the exec ntlm_auth thing - that's a diversion, you just
>>> use the mschap module (and configure the ntlm line in that) - you want
>>> to use unlang
>>> and then in the authorise section of the inner-tunnel, call different
>>> mschap modules eg
>>> 
>>> pseudo-code: (untested, quickly typed)
>>> 
>>> if (&User-Name =~ /@domain\.com$/) {
>>>     mschap-one
>>> }
>>> if (&User-Name =~ /@other\.domain\.com$/) {
>>>     mschap-two
>>> }
>>> 
>>> 
>>> but right now you just send (proxy) all this to NPS?  your aim is to
>>> move the authentication to the FR system?
>>> 
>>> alan
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
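As an added illustration (not code from this thread or from FreeRADIUS), here is a small Python model of the two inner-tunnel authorize steps discussed above: the three filter_username checks that appear in the debug output, and Alan's suffix-based choice of mschap instance. Applying the same `\.\.` pattern to `testuser` gives no match, so the TRUE shown in the debug output is the discrepancy to chase on the server side rather than anything in the username; the realm list and the two non-".." failure messages are assumptions written for the example.

```python
import re
from typing import Optional

# Constructed model of the inner-tunnel "authorize" path discussed in the
# thread; it is not FreeRADIUS code. Only the three filter_username patterns
# visible in the debug output are modelled (the real policy has more). The
# "..s" message is the one from the debug output; the other two are
# illustrative text written for this example.
FILTER_USERNAME_CHECKS = [
    (re.compile(r" "),       "Rejected: User-Name contains whitespace"),
    (re.compile(r"@[^@]*@"), "Rejected: User-Name contains multiple @s"),
    (re.compile(r"\.\."),    "Rejected: User-Name contains multiple ..s"),
]

def filter_username(user_name: str) -> Optional[str]:
    """Return the failure message a rejecting check would set, or None when
    the name passes every check (as 'testuser' should)."""
    for pattern, failure_message in FILTER_USERNAME_CHECKS:
        if pattern.search(user_name):
            return failure_message
    return None

# Realm suffix -> mschap instance, mirroring Alan's two-domain pseudo-code.
# Each regex is anchored on '@<realm>$', so a name in an unlisted sub-realm
# (user@sub.domain.com) deliberately matches neither entry.
MSCHAP_BY_REALM = [
    (re.compile(r"@domain\.com$"),        "mschap-one"),
    (re.compile(r"@other\.domain\.com$"), "mschap-two"),
]

def select_mschap_instance(user_name: str) -> Optional[str]:
    """Pick the mschap instance for a realm-qualified User-Name, or None
    when no realm matches (the caller falls back to the default module)."""
    for pattern, instance in MSCHAP_BY_REALM:
        if pattern.search(user_name):
            return instance
    return None

def authorize(user_name: str) -> str:
    """Walk both steps in order, like the unlang authorize section."""
    failure = filter_username(user_name)
    if failure:
        return f"reject ({failure})"
    return select_mschap_instance(user_name) or "mschap (default)"

if __name__ == "__main__":
    for name in ("testuser", "a..b", "user@other.domain.com", "x@y@z"):
        print(f"{name!r:26} -> {authorize(name)}")
```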