Active Directory authenticated VPN
Pisch Tamás
pischta at gmail.com
Wed Apr 28 09:51:10 CEST 2021
Hi,
I purged my configuration and started it again from the default state. The
system is Debian Bullseye.
dpkg --purge freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config
apt install freeradius freeradius-ldap freeradius-krb5 freeradius-common freeradius-utils freeradius-config
mkdir /var/log/freeradius/radacct
I've created the vpn user before.
I started the setup now according to this:
https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
ntlm_auth --request-nt-key --domain=ad --username=vpn
OK.
setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged
clients.conf:
client localhost {
    ipaddr = 127.0.0.1
    netmask = 32
    secret = xyz
    shortname = localhost
}
mods-available/mschap:
mschap {
    with_ntdomain_hack = yes
    ...
    winbind_username = "%{mschap:User-Name}"
    ##winbind_domain = "%{mschap:NT-Domain}"
    winbind_domain = "ad.ourdomain.hu"
Why doesn't "%{mschap:NT-Domain}" work?
mods-available/eap:
default_eap_type = peap
In tls-config tls-common { :
random_file = /dev/urandom
In the users file:
bob    Cleartext-Password := "asdfg", MS-CHAP-Use-NTLM-Auth := 0
       Reply-Message := "Hello, %{User-Name}"
Testing:
radtest -x -t mschap vpn "qwert" localhost 0 asdfg
Debug messages:
(3) Received Access-Request Id 205 from 127.0.0.1:54834 to 127.0.0.1:1812
length 129
(3) User-Name = "vpn"
(3) NAS-IP-Address = 1.2.3.4
(3) NAS-Port = 0
(3) Message-Authenticator = 0xd38e4b9f5882a26aac2b6c434193ce2c
(3) MS-CHAP-Challenge = 0xf5cbfa7a17cd01a9
(3) MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000018e5b4331f9534d83e07def8a29c802dfd30a011e2e6224a
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(3) [mschap] = ok
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "vpn", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3) [eap] = noop
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(3) [pap] = noop
(3) } # authorize = ok
(3) Found Auth-Type = mschap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) mschap: Client is using MS-CHAPv1 with NT-Password
(3) mschap: EXPAND %{mschap:User-Name}
(3) mschap: --> vpn
rlm_mschap (mschap): Reserved connection (7)
(3) mschap: sending authentication request user='vpn' domain='
ad.ourdomain.hu'
rlm_mschap (mschap): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_mschap (mschap): Opening additional connection (9), 1 of 30 pending
slots used
(3) mschap: Authenticated successfully
(3) mschap: adding MS-CHAPv1 MPPE keys
(3) [mschap] = ok
(3) } # authenticate = ok
Why doesn't vpn@ad.ourdomain.hu work?
radtest -x -t mschap vpn@ad.ourdomain.hu "qwert" localhost 0 asdfg
Debug messages:
(4) Received Access-Request Id 203 from 127.0.0.1:34360 to 127.0.0.1:1812
length 145
(4) User-Name = "vpn at ad.ourdomain.hu"
(4) NAS-IP-Address = 1.2.3.4
(4) NAS-Port = 0
(4) Message-Authenticator = 0x6f31019a0d498b004da273a6cdf4dae3
(4) MS-CHAP-Challenge = 0x0c602d2a989f07bd
(4) MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000005fe2f91d70356771e4af8a27ddcfec463f235dfcf04e7e31
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(4) [mschap] = ok
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "ad.ourdomain.hu" for User-Name = "
vpn at ad.ourdomain.hu"
(4) suffix: No such realm "ad.ourdomain.hu"
(4) [suffix] = noop
(4) eap: No EAP-Message, not doing EAP
(4) [eap] = noop
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(4) [pap] = noop
(4) } # authorize = ok
(4) Found Auth-Type = mschap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) mschap: Client is using MS-CHAPv1 with NT-Password
(4) mschap: EXPAND %{mschap:User-Name}
(4) mschap: --> vpn at ad.ourdomain.hu
rlm_mschap (mschap): Closing connection (8): Hit idle_timeout, was idle for
772 seconds
rlm_mschap (mschap): You probably need to lower "min"
rlm_mschap (mschap): Reserved connection (7)
(4) mschap: sending authentication request user='vpn at ad.ourdomain.hu'
domain='ad.ourdomain.hu'
rlm_mschap (mschap): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_mschap (mschap): Opening additional connection (10), 1 of 30 pending
slots used
(4) mschap: ERROR: The specified account does not exist. [0xC0000064]
(4) mschap: ERROR: MS-CHAP2-Response is incorrect
(4) [mschap] = reject
(4) } # authenticate = reject
(4) Failed to authenticate the user
Thanks,
Tamas Pisch.
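The two radtest runs above differ only in whether the User-Name carries an "@realm" suffix, and the second debug trace shows winbind being handed the full "user@realm" string, which is not an account name. The model below is an added illustration, not code from the post or from FreeRADIUS; it assumes that %{mschap:NT-Domain} only recognises the backslash "DOMAIN\user" form, that the suffix module strips a realm only when proxy.conf defines it, and that the stripped name is what then reaches winbind.

```python
from typing import Optional, Set, Tuple

# Constructed values: what a "realm ad.ourdomain.hu { }" stanza in proxy.conf
# would declare, and the static winbind_domain fallback used in the post.
KNOWN_REALMS: Set[str] = {"ad.ourdomain.hu"}
STATIC_WINBIND_DOMAIN = "ad.ourdomain.hu"


def nt_domain_xlat(user_name: str) -> Optional[str]:
    """Model of %{mschap:NT-Domain}: the part before a backslash in
    "DOMAIN\\user"; a bare name or "user@realm" yields nothing (assumption)."""
    domain, sep, _ = user_name.partition("\\")
    return domain if sep else None


def suffix_module(user_name: str, realms: Set[str]) -> Tuple[str, Optional[str]]:
    """Model of the 'suffix' realm module: split on the last '@'.
    Returns (stripped_name, realm) if the realm is configured,
    otherwise (user_name, None), i.e. the module is a noop."""
    user, sep, realm = user_name.rpartition("@")
    if sep and realm in realms:
        return user, realm
    return user_name, None


def winbind_request(user_name: str,
                    realms: Set[str] = KNOWN_REALMS,
                    static_domain: str = STATIC_WINBIND_DOMAIN) -> Tuple[str, str]:
    """What rlm_mschap would send to winbind as (username, domain)."""
    stripped, realm = suffix_module(user_name, realms)
    # %{mschap:User-Name} drops a "DOMAIN\" prefix if present.
    username = (stripped if realm else user_name).split("\\", 1)[-1]
    # Domain preference: NT-Domain from the name, then the stripped realm,
    # then the static winbind_domain fallback.
    domain = nt_domain_xlat(user_name) or realm or static_domain
    return username, domain


if __name__ == "__main__":
    # No realm defined: the bare name works, the @realm form is passed
    # through unchanged and the account lookup cannot succeed.
    print(winbind_request("vpn", realms=set()))
    print(winbind_request("vpn@ad.ourdomain.hu", realms=set()))
    # With the realm defined, the suffix is stripped before winbind.
    print(winbind_request("vpn@ad.ourdomain.hu"))
```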