FreeRADIUS and Active Directory: Access-Reject

Nick Porter nick at portercomputing.co.uk
Wed May 25 18:17:06 UTC 2022


In order to use AD's LDAP service to authenticate, you have to use LDAP 
auth in FreeRADIUS.

After the call to the ldap module in authorize, add something like

if (ok) {
     update control {
         &Auth-Type := ldap
     }
}

and uncomment the Auth-Type LDAP group in authenticate.

This will cause FreeRADIUS to authenticate the user by binding to the 
LDAP service using the DN discovered by the previous lookup and the 
password provided as part of the request.

Note, this only works with authentication methods which provide a plain 
text password.

Nick

On 25/05/2022 18:11, White, Daniel E. (GSFC-770.0)[AEGIS] via 
Freeradius-Users wrote:
> I am attaching the entire output captured from “radiusd -X”
> Here are the important parts:
>
> RHEL 8.5
> Trying to talk to Active Directory with LDAP
>
> My Microsoft SME says AD will never hand back a password.
> How do I get RADIUS to hand the password to AD?
>
> (0) Received Access-Request Id 70 from 127.0.0.1:53801 to 127.0.0.1:1812 length 74
> (0)   User-Name = "demo"
> (0)   User-Password = <<User Password>>
> (0)   NAS-IP-Address = <<local host IP>>
> (0)   NAS-Port = 0
> (0)   Message-Authenticator = 0x590d9fc4e81ec118e32a67ad6fea50ca
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "demo", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0)     [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap:    --> (sAMAccountName=demo)
> (0) ldap: Performing search in "OU=USERS,DC=dc1,DC=dc2,DC=dc3,DC=dc4" with filter "(sAMAccountName=demo)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: User object found at DN "CN=Demo,OU=USERGROUP,OU=USERS,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
> (0) ldap: Processing user attributes
> (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldap://AD-DC-1:389 ldap://AD-DC-2:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0)     [ldap] = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> demo
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 70 from 127.0.0.1:1812 to 127.0.0.1:53801 length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 70 with timestamp +7
> Ready to process requests
>

-- 
Nick Porter

Porter Computing Ltd
Registered in England No 12659380
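
The configuration change described in the reply above, written out as a complete excerpt of the virtual server. This is an added example and is not part of the mailing-list post or of the FreeRADIUS project's own files. It assumes the stock FreeRADIUS 3.x "default" virtual server and an ldap module instance named "ldap" that already locates the user's DN (as the debug output shows). The "if (ok)" guard from the reply is extended with the "&User-Password" check that the stock site file uses, so that requests without a clear-text password never take the LDAP bind path.

```unlang
#  /etc/raddb/sites-enabled/default  (relevant excerpts only)
#
#  Added example, not part of the post.  Assumes the stock 3.x
#  default site and an ldap module instance called "ldap".

authorize {
    #  ... filter_username, preprocess, chap, mschap, suffix, eap,
    #      files: unchanged stock content ...

    #  Look the user up in AD.  The leading "-" means a missing
    #  module is not fatal.  With AD the lookup returns "ok" when
    #  the object is found, but AD never hands back a password, so
    #  no "known good" password is added and pap cannot be used.
    -ldap

    #  Hand the request to the ldap module for authentication, but
    #  only when the client supplied a clear-text password.  LDAP
    #  auth works by binding as the user's DN with that password, so
    #  CHAP, MS-CHAP or EAP requests (no User-Password) must not take
    #  this path or they would simply fail the bind.
    if ((ok || updated) && &User-Password) {
        update control {
            &Auth-Type := ldap
        }
    }

    expiration
    logintime

    #  pap stays last; it is now only used when some other module has
    #  added a "known good" password, which is not the AD case.
    pap
}

authenticate {
    #  ... Auth-Type PAP / CHAP / MS-CHAP / eap: unchanged ...

    #  This group ships commented out; uncomment it.  For a request
    #  with Auth-Type = LDAP the module binds to AD as the DN found
    #  in authorize, using the User-Password from the request.  A
    #  successful bind means Access-Accept, a failed bind means
    #  Access-Reject.
    Auth-Type LDAP {
        ldap
    }
}
```

With this in place, re-running the request from the debug output above should show "[ldap] = ok" in authorize followed by an Auth-Type LDAP section in authenticate, instead of the "No Auth-Type found" error. The guard also means an MS-CHAP request is left for the mschap module to handle rather than being rejected by a doomed LDAP bind.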
