Freeradius on AWS ECS Fargate problem to authenticate using EAP-PEAP (MSCHAPv2) - Reading winbind reply failed! (0xc0000001)
aland at deployingradius.com
Mon May 13 21:48:48 CEST 2019
On May 13, 2019, at 2:13 PM, Antonio Castillo <antonio at yieldmo.com> wrote:
> I am trying to use Freeradius to authenticate our wifi clients against
> AWS Simple AD server using EAP-PEAP (MSCHAPv2)
> The tricky part is that I'm trying to run Freeradius in a AWS ECS
> Fargate service container.
> I'm using the Freeradius Docker Hub image:
> I have a test EC2 instance running Freeradius that it's working fine,
> I can connect to the WiFi network using my Simple AD credentials with
> no issues.
I'm not sure what that means. How do you connect to the WiFi with AD credentials?
> I built this test EC2 box to know exactly what needs to be done in
> order to use Freeradius for authentication and add the necessary steps
> to the Dockerfile for the Freeradius container.
> On Fargate, the problem seems to be caused by winbind
> On EC2, winbind works just fine.
> This is the winbind error:
> Mon May 13 17:06:00 2019 : ERROR: (3) mschap: Program returned code
> (1) and output 'Reading winbind reply failed! (0xc0000001)'
> Mon May 13 17:06:00 2019 : ERROR: (3) mschap: Reading winbind reply
> failed! (0xc0000001)
> Mon May 13 17:06:00 2019 : Debug: (3) mschap: Authentication failed
That's an error from winbind. Likely a permissions problem.
The server prints out the command-line it uses to run ntlm_auth. You can use this command for testing *without* running the full RADIUS server. Just run the command in a terminal. Change the permissions, or change something else, until it works.
Then, run the full version of FreeRADIUS.
> (full freeradius debug log added at the end of this email)
> radtest works fine for pap:
We don't need to see the debug output from radtest.
> but it fails with mschap:
For likely the same reason as why PEAP fails. Again, looking at the "radtest" output is a waste of time. Look at the debug output of the server.
You can also use radtest with MS-CHAP against the "inner-tunnel" virtual server. Read the top of sites-available/inner-tunnel for documentation.
See my guide here for complete details:
> I have added the 'freerad' user to the 'winbindd_priv' group and
> changed the permissions to 'root:winbindd_priv' on
> /var/lib/samba/winbindd_privileged/ as someone suggested on this link:
That might help. Or it might not.
You can't just randomly change the permissions. You need to change it to the *correct* permissions.
> Also added some debugging lines to confirm that in fact the
> permissions and group changes are taking place and they did.
> Could it be that winbind wasn't made to be executed in a docker container?
> As I mentioned before, Freeradius is working fine when running on an
> EC2 instance, it runs fine in a docker container too, but winbind
> fails when running in a container.
Likely an issue with the container then.
More information about the Freeradius-Users