Freeradius on AWS ECS Fargate problem to authenticate using EAP-PEAP (MSCHAPv2) - Reading winbind reply failed! (0xc0000001)

Alan DeKok aland at deployingradius.com
Mon May 13 21:48:48 CEST 2019 

On May 13, 2019, at 2:13 PM, Antonio Castillo <antonio at yieldmo.com> wrote:
> 
> I am trying to use Freeradius to authenticate our wifi clients against
> AWS Simple AD server using EAP-PEAP (MSCHAPv2)
> The tricky part is that I'm trying to run Freeradius in a AWS ECS
> Fargate service container.

  Hmm... OK.

> I'm using the Freeradius Docker Hub image:
> https://hub.docker.com/r/freeradius/freeradius-server
> ...
> I have a test EC2 instance running Freeradius that it's working fine,
> I can connect to the WiFi network using my Simple AD credentials with
> no issues.

  I'm not sure what that means.  How do you connect to the WiFi with AD credentials?

> I built this test EC2 box to know exactly what needs to be done in
> order to use Freeradius for authentication and add the necessary steps
> to the Dockerfile for the Freeradius container.
> 
> On Fargate, the problem seems to be caused by winbind
> On EC2, winbind works just fine.
> 
> This is the winbind error:
> 
> Mon May 13 17:06:00 2019 : ERROR: (3) mschap: Program returned code
> (1) and output 'Reading winbind reply failed! (0xc0000001)'
> Mon May 13 17:06:00 2019 : ERROR: (3) mschap: Reading winbind reply
> failed! (0xc0000001)
> Mon May 13 17:06:00 2019 : Debug: (3) mschap: Authentication failed

  That's an error from winbind.  Likely a permissions problem.

  The server prints out the command-line it uses to run ntlm_auth.  You can use this command for testing *without* running the full RADIUS server.  Just run the command in a terminal.  Change the permissions, or change something else, until it works.

  Then, run the full version of FreeRADIUS.

> (full freeradius debug log added at the end of this email)
> 
> radtest works fine for pap:

  We don't need to see the debug output from radtest.

http://wiki.freeradius.org/list-help

> but it fails with mschap:

  For likely the same reason as why PEAP fails.  Again, looking at the "radtest" output is a waste of time.  Look at the debug output of the server.

  You can also use radtest with MS-CHAP against the "inner-tunnel" virtual server.  Read the top of sites-available/inner-tunnel for documentation.

  See my guide here for complete details:

http://deployingradius.com/documents/configuration/active_directory.html

> I have added the 'freerad' user to the 'winbindd_priv' group and
> changed the permissions to 'root:winbindd_priv' on
> /var/lib/samba/winbindd_privileged/ as someone suggested on this link:
> https://xenomorph.net/linux/samba/issues/exec-program-output-reading-winbind-reply-failed/

  That might help.  Or it might not.

  You can't just randomly change the permissions.  You need to change it to the *correct* permissions.

> Also added some debugging lines to confirm that in fact the
> permissions and group changes are taking place and they did.
> 
> Could it be that winbind wasn't made to be executed in a docker container?

  Maybe.

> As I mentioned before, Freeradius is working fine when running on an
> EC2 instance, it runs fine in a docker container too, but winbind
> fails when running in a container.

  Likely an issue with the container then.

  Alan DeKok.

More information about the Freeradius-Users mailing list