allow both /etc/freeradius/users and LDAP authentication : DETAILED
jean-francois MONI
jean-francois.moni at u-bordeaux.fr
Thu Mar 29 16:55:31 CEST 2018
Hi,
sorry for my first email, which was a bit short.
Here is a new one with what I'd like to achieve, my conf and the server
output.
Thanks to everyone involved in helping me !
:)
1. WHAT I'D LIKE TO ACHIEVE :
I'd like to allow authentication for our visitors by using the USERS
file at the same time as LDAP.
When I add a local user, I receive an EAP/TLS error.
First, I'd like to know if it's even possible to do so.
2. MY SERVER CONFIGURATION
/etc/freeradius/radiusd.conf
max_requests = 38400
auth = yes
auth_badpass = yes
auth_badpass = yes
/etc/freeradius/clients.conf
## RESEAU WIFI
client IP/24 {
secret = secretpwd
shortname = brocaneurocampuswifi
/etc/freeradius/users
## CREATION COMPTE TEST
test Cleartext-Password := "test"
Reply-Message = "Hello, %{User-Name}"
/etc/freeradius/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --password=%{User-Password}"
}
/etc/freeradius/sites-enabled/default and
/etc/freeradius/sites-enabled/inner-tunnel
authenticate {
ntlm_auth
...
}
/etc/freeradius/users
#DEFAULT Auth-Type = ntlm_auth
freerad
service freeradius stop
usermod -a -G winbindd_priv freerad
chown root:winbindd_priv /var/lib/samba/winbindd_privileged/
service freeradius start
/etc/freeradius/modules/mschap
with_ntdomain_hack = yes
...
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN_NAME
--username=%{mschap:User-Name} --password=%{User-Password}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} "
/etc/freeradius/eap.conf
default_eap_type = peap
...
default_eap_type = mschapv2
3. MY SERVER DEBUG WHEN I TRY TO CONNECT WITH AN ACCOUNT FROM THE users
file.
(Connection with LDAP auth works fine on laptops, iPhones and Android phones.)
Ready to process requests.
rad_recv: Access-Request packet from host xx.xx.xx.1 port 59771, id=108,
length=364
User-Name = "host/HOSTNAME.DOMAIN"
Chargeable-User-Identity = "\001"
Location-Capable = Civix-Location
Calling-Station-Id = "MACADDR"
Called-Station-Id = "MACADDR:SSID"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx"
Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111"
Cisco-AVPair = "mDNS=true"
NAS-IP-Address = IP
NAS-Identifier = "CiscoWLC"
Airespace-Wlan-Id = 11
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "152"
EAP-Message = 0x00000000000000000000000000000000aaaaaaaaaaa
Message-Authenticator = 0x000000000000000000000
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 38
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 108 to IP port 59771
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x11111111111111111111111111111111111111111
Finished request 34.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host IP port 59771, id=109, length=510
User-Name = "host/HOSTNAME.DOMAIN"
Chargeable-User-Identity = "\001"
Location-Capable = Civix-Location
Calling-Station-Id = "MACADDR"
Called-Station-Id = "MACADDR:SSID"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx"
Acct-Session-Id = ""
Cisco-AVPair = "mDNS=true"
NAS-IP-Address = 172.31.10.1
NAS-Identifier = "CiscoWLC"
Airespace-Wlan-Id = 11
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "152"
EAP-Message = 0x00000000000000000000000000000000
State =
Message-Authenticator =
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 166
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 156
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0097], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 02e4], Certificate
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 109 to 172.31.10.1 port 59771
EAP-Message = 0x00000000000000000000000000000000
EAP-Message = 0x00000000000000000000000000000000
EAP-Message = 0x00000000000000000000000000000000
EAP-Message = 0x00000000000000000000000000000000
EAP-Message = 0xbcfe187aaa8a11b59a0d6a57
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8dcb87ed9d8a1265676698e87672627
Finished request 35.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.31.10.1 port 59771,
id=110, length=350
User-Name = "host/HOSTNAME.DOMAIN"
Chargeable-User-Identity = "\001"
Location-Capable = Civix-Location
Calling-Station-Id = "MACADDR"
Called-Station-Id = "MACADDR:SSID"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=00000000000"
Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111"
Cisco-AVPair = "mDNS=true"
NAS-IP-Address = 172.31.10.1
NAS-Identifier = "CiscoWLC"
Airespace-Wlan-Id = 11
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "152"
EAP-Message = 0x020400061900
State = 0xd8dcb87ed9d8a1265676698e87672627
Message-Authenticator = 0x84bbb2c96c1d5b5500daa8aa4c6e83f9
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 110 to IP port 59771
EAP-Message = 0x00000000000000000000000000000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x00000000000000000000000000000000
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.31.10.1 port 59771,
id=111, length=361
User-Name = "host/HOSTNAME.DOMAIN"
Chargeable-User-Identity = "\001"
Location-Capable = Civix-Location
Calling-Station-Id = "MACADDR"
Called-Station-Id = "MACADDR:SSID"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=010a1fac007199dcc0f9bc5a"
Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111"
Cisco-AVPair = "mDNS=true"
NAS-IP-Address = 172.31.10.1
NAS-Identifier = "CiscoWLC"
Airespace-Wlan-Id = 11
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "152"
EAP-Message = 0x000000000000000000000
State = 0x000000000000000000000
Message-Authenticator = 0x55471ef471cea67863dcad3682750cef
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 17
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in unknown state
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA):
[host/HOSTNAME.DOMAIN/<via Auth-Type = EAP>] (from client client_name
port 8 cli MACADDR)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> host/HOSTNAME.DOMAIN
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 37 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 37
Sending Access-Reject of id 111 to 172.31.10.1 port 59771
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 34 ID 108 with timestamp +113
Cleaning up request 35 ID 109 with timestamp +113
Cleaning up request 36 ID 110 with timestamp +114
Waking up in 1.0 seconds.
Cleaning up request 37 ID 111 with timestamp +114
Ready to process requests.
--
Jean-François MONI
Technicien Informatique
Centre Broca Nouvelle-Aquitaine
146 rue Léo Saignat
33076 Bordeaux Cedex