Users in SQL not accepted, AD works.

Alan DeKok aland at deployingradius.com
Tue Jan 9 02:19:43 UTC 2024


On Jan 8, 2024, at 7:22 PM, it at wehle.dev wrote:
> we have a (working) FreeRADIUS 3.2.3 instance which is connected to our AD through ntlm_auth (but also fetches some additional fields from LDAP). Not sure if this is intended the way we built it, but it worked so far. We now wanted to add SQL (to allow temporary users). For that, we followed the official guide (SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu). This works well when testing with NTRadPing but fails when connecting a device (in this case, a Windows 10 PC).

  It can be complex to merge two different guides.  It requires careful attention to detail, as not all of the complexities are due to FreeRADIUS.

> If we correctly understood the guide, this should work pretty much out of the box; still, we can neither get it to work nor fully understand what is actually causing this behaviour. Is this an issue with MSCHAP? If so, how do we fix it?
> 
> We attached both our sites-enabled/default file and the debug output of the server while connecting a client with credentials stored in SQL. I can also provide the log of a client connecting with credentials stored in the AD if that helps.

  http://wiki.freeradius.org/list-help

   We don't need to see configuration files.  It doesn't help.

...
> (12) Sent Access-Challenge Id 183 from 172.16.8.2:1812 to 172.16.5.252:60626 length 172
> (12)   EAP-Message = 0x010e007219001703030067acbcc879c7f014975048c725f1bdd58720924cb98185edbe87e1cbd52be48d1664eef7bdffe3548f1e7b0d5047c7e60b59261276208a1b1b1957eb47d153e7393b0cabef8771c2861f46f0b37bf6af94595005e9efbcb5575fbfc87655ed3baace403e894e467a
> (12)   Message-Authenticator = 0x00000000000000000000000000000000
> (12)   State = 0xbddf205cb1d139b6f7c918f7a32a79be
> (12) Finished request
> Waking up in 3.6 seconds.

  And then nothing happens.

  The supplicant isn't configured with the CA cert used by FreeRADIUS.

  If you leave the server in debug output for long enough (~30s) and send it more packets, it will print out a link to the Wiki which tells you exactly what's going wrong.

  http://wiki.freeradius.org/guide/Certificate_Compatibility

  Alan DeKok.
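An added example, not code from the thread or from the FreeRADIUS project, of the check a defender would run over debug output like the excerpt quoted above: it decodes the EAP-Message framing of each packet (EAP header per RFC 3748, the EAP-TLS flags byte per RFC 5216, and the first TLS record header) and flags EAP conversations whose last packet is an Access-Challenge the supplicant never answered, which is the "and then nothing happens" pattern. The one real value is the EAP-Message hex from the quoted Access-Challenge; every other log line, the earlier State value, the user name and the second (successful) conversation are constructed for the sample.

```python
"""Added example (not from the mailing-list thread or the FreeRADIUS project):
parse FreeRADIUS 3.x debug output, decode the EAP-Message framing of each
packet, and flag EAP conversations whose final packet is an Access-Challenge
that the supplicant never answered."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_METHODS = {13, 21, 25}   # EAP types that carry a flags byte and then TLS records
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def decode_eap_message(hexstr):
    """Decode the EAP header and, for TLS-based methods, the EAP-TLS flags
    byte and the first TLS record header. Works on truncated values too."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "bytes_present": len(data)}
    if code in (1, 2) and len(data) >= 5:          # Request/Response carry a Type
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type in TLS_METHODS and len(data) >= 6:
            flags = data[5]
            info["flags"] = {"length_included": bool(flags & 0x80),
                             "more_fragments": bool(flags & 0x40),
                             "start": bool(flags & 0x20)}
            tls = data[6:]
            if info["flags"]["length_included"] and len(tls) >= 4:
                info["tls_total_length"] = int.from_bytes(tls[:4], "big")
                tls = tls[4:]
            if len(tls) >= 5:                       # TLS record header is 5 bytes
                info["tls_record"] = {"content_type": TLS_CONTENT.get(tls[0], tls[0]),
                                      "version": (tls[1], tls[2]),
                                      "length": int.from_bytes(tls[3:5], "big")}
    return info


PACKET_RE = re.compile(r"^\((\d+)\) (Received Access-Request|Sent Access-(?:Challenge|Accept|Reject)) Id (\d+)")
ATTR_RE = re.compile(r"^\((\d+)\)\s+(State|EAP-Message) = (0x[0-9a-fA-F]+)")


def parse_packets(log_text):
    """Turn debug lines into packet records carrying their State and EAP-Message."""
    packets = []
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append({"req": int(m.group(1)), "kind": m.group(2),
                            "id": int(m.group(3)), "state": None, "eap": None})
            continue
        m = ATTR_RE.match(line)
        if m and packets and packets[-1]["req"] == int(m.group(1)):
            if m.group(2) == "State":
                packets[-1]["state"] = m.group(3)
            else:
                packets[-1]["eap"] = decode_eap_message(m.group(3))
    return packets


def find_stalled_sessions(log_text):
    """Chain packets into conversations: a Received Access-Request that echoes a
    State we issued continues that conversation, one without State starts a new
    one. Report conversations whose last packet is an Access-Challenge, i.e. the
    server sent a challenge and the supplicant never came back."""
    convs, by_state, current = [], {}, None
    for pkt in parse_packets(log_text):
        if pkt["kind"] == "Received Access-Request":
            current = by_state.get(pkt["state"])    # None: brand-new conversation
        if current is None:
            convs.append([])
            current = len(convs) - 1
        convs[current].append(pkt)
        if pkt["state"]:
            by_state[pkt["state"]] = current
    stalled = []
    for pkts in convs:
        last = pkts[-1]
        if last["kind"] == "Sent Access-Challenge":
            eap = last["eap"] or {}
            stalled.append({"state": last["state"], "last_id": last["id"],
                            "rounds": len(pkts), "method": eap.get("type"),
                            "last_tls_record": eap.get("tls_record", {}).get("content_type")})
    return stalled


# Constructed sample modelled on FreeRADIUS 3.x debug output. Only the long
# EAP-Message hex in request (12) is the real value quoted in the thread; the
# first State value, user "jdoe" and the successful conversation (13) are invented.
SAMPLE_LOG = """\
(10) Received Access-Request Id 181 from 172.16.5.252:60626 to 172.16.8.2:1812 length 150
(10)   EAP-Message = 0x02010009016a646f65
(10) Sent Access-Challenge Id 181 from 172.16.8.2:1812 to 172.16.5.252:60626 length 64
(10)   EAP-Message = 0x010200061920
(10)   State = 0x0102030405060708090a0b0c0d0e0f10
(12) Received Access-Request Id 183 from 172.16.5.252:60626 to 172.16.8.2:1812 length 210
(12)   State = 0x0102030405060708090a0b0c0d0e0f10
(12) Sent Access-Challenge Id 183 from 172.16.8.2:1812 to 172.16.5.252:60626 length 172
(12)   EAP-Message = 0x010e007219001703030067acbcc879c7f014975048c725f1bdd58720924cb98185edbe87e1cbd52be48d1664eef7bdffe3548f1e7b0d5047c7e60b59261276208a1b1b1957eb47d153e7393b0cabef8771c2861f46f0b37bf6af94595005e9efbcb5575fbfc87655ed3baace403e894e467a
(12)   State = 0xbddf205cb1d139b6f7c918f7a32a79be
(12) Finished request
(13) Received Access-Request Id 184 from 172.16.5.252:60627 to 172.16.8.2:1812 length 160
(13)   State = 0x2222222222222222222222222222222222
(13) Sent Access-Accept Id 184 from 172.16.8.2:1812 to 172.16.5.252:60627 length 80
(13)   EAP-Message = 0x03090004
Waking up in 3.6 seconds.
"""

if __name__ == "__main__":
    for s in find_stalled_sessions(SAMPLE_LOG):
        print("stalled conversation:", s)
```

On the quoted challenge the decoder reports an EAP Request (id 14, length 114) of type PEAP whose payload is a TLS 1.2-format record, so you can see exactly which round the supplicant walked away from; the stall report itself is what you would then look at alongside the server's Certificate_Compatibility advice and the supplicant's own event log.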
