Discussion:
Freeradius 3.x with LDAP authentication
Adam Cage
2017-08-14 19:26:03 UTC
Hi people, we wanna authenticate WiFi users against a Freeradius 3.x
server, these users are defined in a Windows Active Directory remote
server.

We have the base_dn search defined, and there they are all the valid users
who can use the WiFi service.

We wanna use LDAP to initially authenticate and in the future authorize the
accesses.

Please can anybody point to me a detailed howto, because we are confused if
we have to use LDAP with MSCHAP, PAP, EAP or whatever???
And also we are confused about the AD object we have to use in the filter
string: uid, samaccountname, mail... What does this selection
depend on ???

And the last question: I'm using a Debian server with the freeradius and
freeradius-ldap distribution packages, is it a good idea or
maybe it's better to use the tar.gz version???

Thanks to all, good bye.

ADAM
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.
Alan DeKok
2017-08-14 20:01:07 UTC
Post by Adam Cage
Hi people, we wanna authenticate WiFi users against a Freeradius 3.x
server, these users are defined in a Windows Active Directory remote
server.
Follow the guide here: http://deployingradius.com/documents/configuration/active_directory.html
Post by Adam Cage
We have the base_dn search defined, and there they are all the valid users
who can use the WiFi service.
We wanna use LDAP to initially authenticate and in the future authorize the
accesses.
For PEAP, no, that doesn't work. AD isn't really an LDAP server.
Post by Adam Cage
Please can anybody point to me a detailed howto, because we are confused if
we have to use LDAP with MSCHAP, PAP, EAP or whatever???
Follow the guide above. It will work.
Post by Adam Cage
Aand also we are confused about the AD object we have to use in the filter
string: uid, samaccountname, mail...What does this selection
depend on ???
It depends on what you want to do. Where are the user accounts in AD?
Post by Adam Cage
And the last question: I'm using a Debian server with the freeradius and
freeradius-ldap distribution packages, is it a good idea or
maybe it's better to use the tar.gz version???
Use 3.0.15. The Debian versions are typically years out of date.

Alan DeKok.


Adam Cage
2017-08-14 20:15:43 UTC
Dear Alan, we just have a Freeradius server deployed according to the howto
you pointed to. It works OK now.

But we have to use LDAP authentication against an AD server, because in the
near future we have to use the "ldap-group" attribute in order to group
wifi users by SSID, and let them use different wifi networks.

So if I use the server I have developed according to your guide with NTLM
and MSCHAP2, I won't be able to use the "ldap-group" attribute. So I think
using LDAP authentication and authorization is mandatory for us.

Please confirm to me if I am ok or not, because maybe using your
recommended configuration I can add the ldap-group attribute in order to
select group of users by SSID.

Thanks a lot again.

ADAM
Matthew Newton
2017-08-14 21:42:22 UTC
Post by Adam Cage
But we have to use LDAP authentication against an AD server, because in the
near future we have to use the "ldap-group" attribute in order to group
wifi users by SSID, and let them use different wifi networks.
You don't need to use LDAP to authenticate, just to check groups
the user is in.

With AD it's pretty unlikely that you will be able to use LDAP to
authenticate anyway. For wireless pretty much the only option
you've got is an LDAP bind when you're doing EAP-TTLS/PAP. Which
some clients can't do.
Post by Adam Cage
Please confirm to me if I am ok or not, because maybe using your
recommended configuration I can add the ldap-group attribute in order to
select group of users by SSID.
Use Samba for authentication, then configure the ldap module for
authorization. They're not mutually exclusive.
--
Matthew
Alan Buxey
2017-08-14 21:51:27 UTC
+1 for Matthew's answer, use the winbind module for the authentication,
then, in inner-tunnel, use the ldap module against your AD for group
checking.

alan
Matthew Newton
2017-08-14 21:56:01 UTC
Post by Alan Buxey
+1 for Matthews answer , use the winbind module for the authentication
One day maybe I'll fix that... as I also can't remember my own code.

It's the winbind module for pap, which you don't want. Use the winbind option of the mschap module. Or the traditional ntlm_auth way.
--
Matthew

Mohd Akhbar
2017-08-15 01:53:11 UTC
I think AD (or SMB) and FR are much easier to set up, as there are lots of
guides/references on the net compared to LDAP. AD also provides features for
NAC if your environment is mostly Microsoft OSes and sorts. Or so I was
made to believe...

If you're going for LDAP + FR, from my previous task, you have to
look/tweak/change the eap.conf & modules/ldap and test before looking any
further at editing other confs. As most LDAP settings use hashes instead of
plain text, only EAP-TTLS + PAP (works for me with FR 2.2 + 389 Directory)
and EAP-GTC would work, according to Alan's blog
<http://deployingradius.com/documents/protocols/compatibility.html>.
Whatever it is, radiusd -X is your best friend in debugging/troubleshooting
your setup.

One more thing, if you're using EAP-TTLS, you'll have to deploy a
configuration profile for iPhone & Macs via Apple Configurator as it is not
supported by default like Windows 10 and Androids.

Cheers from a week old FR newbie. :)

Adam Cage
2017-08-15 12:49:16 UTC
Dear Matthew and Alan, I take your advice and I will use my current
successful Freeradius platform for AUTHENTICATION (samba, winbind,
ntlm_auth, mschapv2... according to Alan DeKok's guide) and I will try to use
LDAP for AUTHORIZATION as you said.

I'm listing my current Debian packages installed in my Freeradius server,
and I see freeradius-ldap is not present:

freeradius 2.2.5+dfsg-0.2
freeradius-common 2.2.5+dfsg-0.2
freeradius-utils 2.2.5+dfsg-0.2
libfreeradius2 2.2.5+dfsg-0.2

When I go to /etc/freeradius/modules I can see the ldap file, so is it
necessary to install freeradius-ldap or not??? Because maybe it's
sufficient to edit my current /etc/freeradius/modules/ldap file; I can't
understand the point of having the freeradius-ldap package.

Thanks and maybe I will ask you again some questions about this
topic....good bye !!!

ADAM
Alan DeKok
2017-08-15 13:02:11 UTC
Post by Adam Cage
Dear Matthew and Alan, I take your advice and I will use my current
succesful Freeradius platform for AUTHENTICATION (samba, winbind,
ntlm_auth, mschapv2....according to Alan Dekok guide) and I will try to use
LDAP for AUTHORIZATION as you said.
I'm listing my current Debian packages installed in my Freeradius server,
freeradius 2.2.5+dfsg-0.2
That version is YEARS out of date.

Please install a recent version of the server. Packages for most common OS's are on http://packages.networkradius.com/
Post by Adam Cage
When I go to /etc/freeradius/modules I can see the ldap file, so is it
necessary to install freeradius-ldap or not??? Because maybe it's
sufficient to edit my current /etc/freeradius/modules/ldap file, I can't
understand the sense of having freeradius-ldap package.
The freeradius-ldap package has the rlm_ldap library. The main package has the configuration files.

Think of it this way: if freeradius-ldap wasn't needed to do LDAP... then why would it exist?

Alan DeKok.


Adam Cage
2017-08-15 15:58:12 UTC
Dear all, finally I have followed what you said: Authentication with samba,
winbind, ntlm_auth and Authorization with LDAP, but it fails. I am posting my
main LDAP config files and the debug output in order to get your help, please:

/etc/freeradius/modules/ldap:

ldap {
    server = "ldap.company.com"
    identity = "cn=connect,ou=users,dc=company,dc=com"
    password = 1234
    basedn = "OU=users,DC=company,DC=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    max_uses = 0
    port = 389
    timeout = 4
    timelimit = 3
    net_timeout = 1
    edir_account_policy_check = no
    groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
    groupmembership_attribute = memberOf
    chase_referrals = yes
    rebind = yes
    set_auth_type = no
}

/etc/freeradius/users:

DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
    Service-Type = Login-User

DEFAULT Auth-Type := Reject

/etc/freeradius/sites-available/default:

authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
    ntlm_auth
}

/etc/freeradius/sites-available/inner-tunnel:

server inner-tunnel {

    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }

    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        ldap
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        ntlm_auth
    }
}

After that I start "freeradius -XX" and execute:

$ radtest adam 1234abcd 127.0.0.1 0 testing123

And it fails; this is the debug output:

rad_recv: Access-Request packet from host 127.0.0.1 port 47637, id=109,
length=79
User-Name = "adam"
User-Password = "1234abcd"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x817a524013d20e2d4f40cfbc99661b35
Tue Aug 15 12:38:27 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Tue Aug 15 12:38:27 2017 : Info: +group authorize {
Tue Aug 15 12:38:27 2017 : Info: ++[preprocess] = ok
Tue Aug 15 12:38:27 2017 : Info: ++[chap] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[mschap] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[digest] = noop
Tue Aug 15 12:38:27 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Tue Aug 15 12:38:27 2017 : Info: [suffix] No such realm "NULL"
Tue Aug 15 12:38:27 2017 : Info: ++[suffix] = noop
Tue Aug 15 12:38:27 2017 : Info: [eap] No EAP-Message, not doing EAP
Tue Aug 15 12:38:27 2017 : Info: ++[eap] = noop
Tue Aug 15 12:38:27 2017 : Debug: [ldap] Entering ldap_groupcmp()
Tue Aug 15 12:38:27 2017 : Info: [files] expand: OU=
users,DC=company,DC=com -> OU=users,DC=company,DC=com
Tue Aug 15 12:38:27 2017 : Info: [files] expand:
%{Stripped-User-Name} ->
Tue Aug 15 12:38:27 2017 : Info: [files] ... expanding second
conditional
Tue Aug 15 12:38:27 2017 : Info: [files] expand: %{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Info: [files] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] attempting LDAP reconnection
Tue Aug 15 12:38:27 2017 : Debug: [ldap] (re)connect to
ldap.company.com:389, authentication 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] bind as
cn=,ou=connect,ou=users,dc=company,dc=com/wP67yh345 to ldap.company.com:389
Tue Aug 15 12:38:27 2017 : Debug: [ldap] waiting for bind result ...
Tue Aug 15 12:38:27 2017 : Debug: [ldap] Bind was successful
Tue Aug 15 12:38:27 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: [files] expand:
(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dadam\OU\3dUsers\2cOU\DC\3dcompany\2cDC\3dcom)))
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] performing search in
cn=group1,ou=wifi,dc=company,dc=com, with filter
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cDC\3dcompany\2cDC\3dcom)))
Tue Aug 15 12:38:27 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group cn=group1,ou=wifi,dc=company,dc=com
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: [files] users: Matched entry DEFAULT at
line 207
Tue Aug 15 12:38:27 2017 : Info: ++[files] = ok
Tue Aug 15 12:38:27 2017 : Info: [ldap] performing user authorization for
adam
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Tue Aug 15 12:38:27 2017 : Info: [ldap] ... expanding second
conditional
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand: %{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Info: [ldap] expand:
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 15 12:38:27 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Tue Aug 15 12:38:27 2017 : Info: [ldap] No default NMAS login sequence
Tue Aug 15 12:38:27 2017 : Info: [ldap] looking for check items in
directory...
Tue Aug 15 12:38:27 2017 : Info: [ldap] looking for reply items in
directory...
Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Tue Aug 15 12:38:27 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 15 12:38:27 2017 : Info: ++[ldap] = ok
Tue Aug 15 12:38:27 2017 : Info: ++[expiration] = noop
Tue Aug 15 12:38:27 2017 : Info: ++[logintime] = noop
Tue Aug 15 12:38:27 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Tue Aug 15 12:38:27 2017 : Info: ++[pap] = noop
Tue Aug 15 12:38:27 2017 : Info: +} # group authorize = ok
Tue Aug 15 12:38:27 2017 : Info: *ERROR: No authenticate method (Auth-Type)
found for the request: Rejecting the user*
Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
Tue Aug 15 12:38:27 2017 : Info: Using Post-Auth-Type REJECT
Tue Aug 15 12:38:27 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Tue Aug 15 12:38:27 2017 : Info: +group REJECT {
Tue Aug 15 12:38:27 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> adam
Tue Aug 15 12:38:27 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Tue Aug 15 12:38:27 2017 : Info: ++[attr_filter.access_reject] = updated
Tue Aug 15 12:38:27 2017 : Info: +} # group REJECT = updated
Tue Aug 15 12:38:27 2017 : Info: Delaying reject of request 0 for 1 seconds
Tue Aug 15 12:38:27 2017 : Debug: Going to the next request
Tue Aug 15 12:38:27 2017 : Debug: Waking up in 0.9 seconds.
Tue Aug 15 12:38:28 2017 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 109 to 127.0.0.1 port 47637
Tue Aug 15 12:38:28 2017 : Debug: Waking up in 4.9 seconds.
Tue Aug 15 12:38:33 2017 : Info: Cleaning up request 0 ID 109 with
timestamp +8
Tue Aug 15 12:38:33 2017 : Info: Ready to process requests


Special thanks !!!

ADAM
Alan DeKok
2017-08-15 16:41:12 UTC
Post by Adam Cage
Dear all, finally I have followed as you said: Authentication with samba,
winbind, ntlm_auth and Authorization with LDAP, but I fails. I post my main
Please don't post configuration files. We ask for the debug output for a reason: it's all we need.
Post by Adam Cage
*/etc/freeradius/users:*
DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
Service-Type = Login-User
DEFAULT Auth-Type := Reject
You're not telling the server how to authenticate the user.
Post by Adam Cage
$ radtest adam 1234abcd 127.0.0.1 0 testing123
Which is just a PAP request...
...
Post by Adam Cage
Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
That's just Active Directory not supplying the password...
Post by Adam Cage
Tue Aug 15 12:38:27 2017 : Info: *ERROR: No authenticate method (Auth-Type)
found for the request: Rejecting the user*
Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
And you haven't told the server how to authenticate the user.

Follow the guide on deployingradius.com. It *will* work.

Alan DeKok.


Adam Cage
2017-08-16 14:05:18 UTC
Dear Alan and people, I'm near the solution of my problem but I'm still
having a problem.

Following Alan DeKok's tutorial about Authentication with Active
Directory with ntlm_auth and mschap, everything works OK. In this case, I
have no LDAP support at all, no authorization, just authentication. At this
point I succeed because I obtain an ACCESS-ACCEPT response packet, let's see:

$ radtest -t mschap adam 1234abcd localhost 0 testing123
Sending Access-Request of id 233 to 127.0.0.1 port 1812
User-Name = "adam"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x9c705e7afe5513e7
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000008319855335ab46ea32fd6382fb68640c6c27a0e929182371
rad_recv: *Access-Accept* packet from host 127.0.0.1 port 1812, id=233,
length=84
MS-CHAP-MPPE-Keys =
0x0000000000000000997c9fae0cc86f9d48d2cbb81915e1630000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006

But the problem comes when I set up the LDAP support for Authorization,
checking whether the user is in a given group with the Ldap-Group attribute.
As I said previously, after configuring the ldap module and
/etc/sites-available/default and inner-tunnel with LDAP for authorization,
I execute the same radtest command "radtest -t mschap adam 1234abcd
localhost 0 testing123" and this is the freeradius debug output when it
fails:

rad_recv: Access-Request packet from host 127.0.0.1 port 35229, id=117,
length=135
User-Name = "adam"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x38de9478053289444c4ad85736b70bfd
MS-CHAP-Challenge = 0xb4d7849d65d481d0
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000000fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
Wed Aug 16 10:51:56 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group authorize {
Wed Aug 16 10:51:56 2017 : Info: ++[preprocess] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[chap] = noop
Wed Aug 16 10:51:56 2017 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type = mschap'
Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[digest] = noop
Wed Aug 16 10:51:56 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Wed Aug 16 10:51:56 2017 : Info: [suffix] No such realm "NULL"
Wed Aug 16 10:51:56 2017 : Info: ++[suffix] = noop
Wed Aug 16 10:51:56 2017 : Info: [eap] No EAP-Message, not doing EAP
Wed Aug 16 10:51:56 2017 : Info: ++[eap] = noop
Wed Aug 16 10:51:56 2017 : Debug: [ldap] Entering ldap_groupcmp()
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
%{Stripped-User-Name} ->
Wed Aug 16 10:51:56 2017 : Info: [files] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [files] expand: %{User-Name} -> adam
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] attempting LDAP reconnection
Wed Aug 16 10:51:56 2017 : Debug: [ldap] (re)connect to
mitwpdcs01.company.com:389, authentication 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] bind as cn=wspsf,ou=Proxy para
Apps,ou=Internos,ou=Servicios,ou=users,dc=company,dc=com/wP67yh345 to
mitwpdcs01.company.com:389
Wed Aug 16 10:51:56 2017 : Debug: [ldap] waiting for bind result ...
Wed Aug 16 10:51:56 2017 : Debug: [ldap] Bind was successful
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: [files] expand:
(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dusers\2cOU\2cDC\3dcompany\2cDC\3dcom)))
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
cn=group1,ou=wifi,dc=company,dc=com, with filter
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cOU\3dcompany\2cDC\3dcom)))
Wed Aug 16 10:51:56 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group cn=group1,ou=wifi,dc=company,dc=com
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: [files] users: Matched entry DEFAULT at
line 207
Wed Aug 16 10:51:56 2017 : Info: ++[files] = ok
Wed Aug 16 10:51:56 2017 : Info: [ldap] performing user authorization for
adam
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Wed Aug 16 10:51:56 2017 : Info: [ldap] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: %{User-Name} -> adam
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand:
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Info: [ldap] No default NMAS login sequence
Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for check items in
directory...
Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for reply items in
directory...
Wed Aug 16 10:51:56 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: ++[ldap] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[expiration] = noop
Wed Aug 16 10:51:56 2017 : Info: ++[logintime] = noop
Wed Aug 16 10:51:56 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Wed Aug 16 10:51:56 2017 : Info: ++[pap] = noop
Wed Aug 16 10:51:56 2017 : Info: +} # group authorize = ok
Wed Aug 16 10:51:56 2017 : Info: Found Auth-Type = MSCHAP
Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group MS-CHAP {
Wed Aug 16 10:51:56 2017 : Info: [mschap] Client is using MS-CHAPv1 with
NT-Password
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 10:51:56 2017 : Info: [mschap] No NT-Domain was found in the
User-Name.
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
->
Wed Aug 16 10:51:56 2017 : Info: [mschap] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-company} -> --domain=company
Wed Aug 16 10:51:56 2017 : Info: [mschap] mschap1: b4
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=b4d7849d65d481d0
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account *
(0xc000018b)
Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account*
(0xc000018b)
Wed Aug 16 10:51:56 2017 : Info: [mschap] Exec: program returned: 1
Wed Aug 16 10:51:56 2017 : Info: [mschap] External script failed.
Wed Aug 16 10:51:56 2017 : Info: [mschap] MS-CHAP-Response is incorrect.
Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = reject
Wed Aug 16 10:51:56 2017 : Info: +} # group MS-CHAP = reject
Wed Aug 16 10:51:56 2017 : Info: Failed to authenticate the user.
Wed Aug 16 10:51:56 2017 : Info: Using Post-Auth-Type REJECT
Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group REJECT {
Wed Aug 16 10:51:56 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> adam
Wed Aug 16 10:51:56 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Wed Aug 16 10:51:56 2017 : Info: ++[attr_filter.access_reject] = updated
Wed Aug 16 10:51:56 2017 : Info: +} # group REJECT = updated
Wed Aug 16 10:51:56 2017 : Info: Delaying reject of request 3 for 1 seconds
Wed Aug 16 10:51:56 2017 : Debug: Going to the next request
Wed Aug 16 10:51:56 2017 : Debug: Waking up in 0.8 seconds.
Wed Aug 16 10:51:57 2017 : Info: Sending delayed reject for request 3
Sending Access-Reject of id 117 to 127.0.0.1 port 35229
MS-CHAP-Error = "\000E=691 R=1"


Can you tell me why mschap auth is ok without LDAP support and it's wrong
with LDAP support???

Thanks a lot again.

ADAM
Alan DeKok
2017-08-16 16:28:19 UTC
Post by Adam Cage
Dear Alan and people, I'm near the solution of my problem but I'm still
having a problem.
Following the Alan Dekok tutorial about Authentication with Active
Directory with ntlm_auth and mschap, everything work OK. In this case, I
have no LDAP support at all, no authorization, just authentication.
That's fine. The guide deals with one issue at a time.

If you can get AD authentication working, then adding LDAP authorization is about 10 minutes.
Post by Adam Cage
But the problem comes when I setup the LDAP support to Authorization when
checking if user is or not in a given group with the Ldap-Group attribute.
Put those checks into the virtual server, not in the "users" file.

What LDAP group checks are you doing?

This kind of thing will work:

authorize {
    ...
    if (LDAP-Group != admins) {
        reject
    }
    ...
}
Post by Adam Cage
As I said previously, after configured ldap module and
/etc/sites-available/default and inner-tunnel with LDAP for authorization,
To do *what*? Be specific.

In most cases, if you can write the requirements down in simple English, you can translate those to "unlang" policy rules pretty directly.
Post by Adam Cage
--nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account *
(0xc000018b)
Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account*
(0xc000018b)
That's an error produced by AD, not FreeRADIUS.
Post by Adam Cage
Can you tell me why mschap auth is ok without LDAP support and it's wrong
with LDAP support???
Since you didn't say what you did for LDAP authorization, I have no idea what's going wrong.

But from the error message above, it *is* clear that the user isn't allowed to use AD authentication. That is an issue entirely separate from LDAP authorization.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.
Adam Cage
2017-08-17 01:50:50 UTC
Dear, I've tried to understand what you said and I've made some changes:

* I've deleted the content of /etc/freeradius/users corresponding to the
ldap-group attribute

* I've added the ldap-group clauses in
/etc/freeradius/sites-available/default and inner-tunnel, as you said. I
don't have the final clause yet, so the clause is a noop if the user belongs
to the Group1 group:

authorize {
    ...
    if (LDAP-Group == Group1) {
        noop
    }
    else {
        reject
    }
}

* Restart freeradius in debug mode, and execute the command below in order
to check the inner tunnel behaviour:

$ radtest -t mschap adam 1234abcd localhost:18120 0 testing123

But I fail again...

Here I show you the log for the success test (Alan DeKok's guide exactly,
without LDAP authorization) and after that the log for the failure test
(adding LDAP support as described above), in order to confirm that mschap in
the success test does not produce the "NOT TRUSTED SAM ACCOUNT" error that
appears in the failure case, the AD being the same in both cases:

1) SUCCESS:

Wed Aug 16 12:17:15 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 12:17:15 2017 : Info: +group authorize {
Wed Aug 16 12:17:15 2017 : Info: ++[chap] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[mschap] = noop
Wed Aug 16 12:17:15 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Wed Aug 16 12:17:15 2017 : Info: [suffix] No such realm "NULL"
Wed Aug 16 12:17:15 2017 : Info: ++[suffix] = noop
Wed Aug 16 12:17:15 2017 : Info: ++update control {
Wed Aug 16 12:17:15 2017 : Info: ++} # update control = noop
Wed Aug 16 12:17:15 2017 : Info: [eap] EAP packet type response id 8 length
69
Wed Aug 16 12:17:15 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Wed Aug 16 12:17:15 2017 : Info: ++[eap] = updated
Wed Aug 16 12:17:15 2017 : Info: ++[files] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[expiration] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[logintime] = noop
Wed Aug 16 12:17:15 2017 : Info: ++[pap] = noop
Wed Aug 16 12:17:15 2017 : Info: +} # group authorize = updated
Wed Aug 16 12:17:15 2017 : Info: Found Auth-Type = EAP
Wed Aug 16 12:17:15 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 12:17:15 2017 : Info: +group authenticate {
Wed Aug 16 12:17:15 2017 : Info: [eap] Request found, released from the list
Wed Aug 16 12:17:15 2017 : Info: [eap] EAP/mschapv2
Wed Aug 16 12:17:15 2017 : Info: [eap] processing type mschapv2
Wed Aug 16 12:17:15 2017 : Info: [mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 12:17:15 2017 : Info: [mschapv2] +group MS-CHAP {
Wed Aug 16 12:17:15 2017 : Info: [mschap] Creating challenge hash with
username: adam
Wed Aug 16 12:17:15 2017 : Info: [mschap] Client is using MS-CHAPv2 for
adam, we need NT-Password
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 12:17:15 2017 : Info: [mschap] No NT-Domain was found in the
User-Name.
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
->
Wed Aug 16 12:17:15 2017 : Info: [mschap] ... expanding second
conditional
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain=
Wed Aug 16 12:17:15 2017 : Info: [mschap] Creating challenge hash with
username: adam
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=845cda3e640fcd8a
Wed Aug 16 12:17:15 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=23b6b6f4e5bc4601f0f7ddeaec6876cf596fdeac5c26f359
Wed Aug 16 12:17:16 2017 : Debug: Exec output: NT_KEY:
E10EE54A9C762F08F75E4008F93F109E
Wed Aug 16 12:17:16 2017 : Debug: Exec plaintext: NT_KEY:
E10EE54A9C762F08F75E4008F93F109E
Wed Aug 16 12:17:16 2017 : Info: [mschap] Exec: program returned: 0
Wed Aug 16 12:17:16 2017 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Wed Aug 16 12:17:16 2017 : Info: ++[mschap] = ok
Wed Aug 16 12:17:16 2017 : Info: +} # group MS-CHAP = ok
Wed Aug 16 12:17:16 2017 : Debug: MSCHAP Success
Wed Aug 16 12:17:16 2017 : Info: ++[eap] = handled
Wed Aug 16 12:17:16 2017 : Info: +} # group authenticate = handled

2) FAILURE

rad_recv: Access-Request packet from host 127.0.0.1 port 56467, id=90,
length=135
User-Name = "adam"
NAS-IP-Address = 172.22.88.223
NAS-Port = 0
Message-Authenticator = 0xb38b49322db530f2191b85452fdf0195
MS-CHAP-Challenge = 0xe1248c7251ea7e63
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
Wed Aug 16 22:21:45 2017 : Info: server inner-tunnel {
Wed Aug 16 22:21:45 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: +group authorize {
Wed Aug 16 22:21:45 2017 : Info: ++[chap] = noop
Wed Aug 16 22:21:45 2017 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type = mschap'
Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = ok
Wed Aug 16 22:21:45 2017 : Info: [suffix] No '@' in User-Name = "adam",
looking up realm NULL
Wed Aug 16 22:21:45 2017 : Info: [suffix] No such realm "NULL"
Wed Aug 16 22:21:45 2017 : Info: ++[suffix] = noop
Wed Aug 16 22:21:45 2017 : Info: ++update control {
Wed Aug 16 22:21:45 2017 : Info: ++} # update control = noop
Wed Aug 16 22:21:45 2017 : Info: [eap] No EAP-Message, not doing EAP
Wed Aug 16 22:21:45 2017 : Info: ++[eap] = noop
Wed Aug 16 22:21:45 2017 : Info: ++[files] = noop
Wed Aug 16 22:21:45 2017 : Info: [ldap] performing user authorization for
adam
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Wed Aug 16 22:21:45 2017 : Info: [ldap] ... expanding second
conditional
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand: %{User-Name} -> adam
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Wed Aug 16 22:21:45 2017 : Info: [ldap] expand:
OU=users,DC=d-holomit,DC=com -> OU=users,DC=d-holomit,DC=com
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] attempting LDAP reconnection
Wed Aug 16 22:21:45 2017 : Debug: [ldap] (re)connect to
host1.holimit.com:389, authentication 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] bind as
cn=connect,ou=users,dc=d-holomit,dc=com/wP67yh345 to host1.holomit.com:389
Wed Aug 16 22:21:45 2017 : Debug: [ldap] waiting for bind result ...
Wed Aug 16 22:21:45 2017 : Debug: [ldap] Bind was successful
Wed Aug 16 22:21:45 2017 : Debug: [ldap] performing search in
OU=users,DC=d-holomit,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 22:21:45 2017 : Info: [ldap] No default NMAS login sequence
Wed Aug 16 22:21:45 2017 : Info: [ldap] looking for check items in
directory...
Wed Aug 16 22:21:45 2017 : Info: [ldap] looking for reply items in
directory...
Wed Aug 16 22:21:45 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 22:21:45 2017 : Info: ++[ldap] = ok
Wed Aug 16 22:21:45 2017 : Info: ++[expiration] = noop
Wed Aug 16 22:21:45 2017 : Info: ++[logintime] = noop
Wed Aug 16 22:21:45 2017 : Info: ++[pap] = noop
Wed Aug 16 22:21:45 2017 : Info: ++? if (LDAP-Group == Group1)
Wed Aug 16 22:21:45 2017 : Debug: [ldap] Entering ldap_groupcmp()
Wed Aug 16 22:21:45 2017 : Info: expand:
OU=users,DC=d-holomit,DC=com -> OU=users,DC=d-holomit,DC=com
Wed Aug 16 22:21:45 2017 : Info: expand:
(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dInfraestructura\2cOU\3dG.
Infraestructura\2cOU\3dusers\3dd-holomit\2cDC\3dcom)))
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 22:21:45 2017 : Debug: [ldap] performing search in
OU=users,DC=d-holomit,DC=com, with filter
(&(cn=Group1)(|(&(objectClass=group)(member=CN\3dAdam\3dUsers\2cOU\3dd-holomit\2cDC\3dcom)))
Wed Aug 16 22:21:45 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group Group1
Wed Aug 16 22:21:45 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 22:21:45 2017 : Info: ? Evaluating (LDAP-Group == Group1) -> TRUE
Wed Aug 16 22:21:45 2017 : Info: ++? if (LDAP-Group == Group1) -> TRUE
Wed Aug 16 22:21:45 2017 : Info: ++if (LDAP-Group == Group1) {
Wed Aug 16 22:21:45 2017 : Info: +++[noop] = noop
Wed Aug 16 22:21:45 2017 : Info: ++} # if (LDAP-Group == Group1) = noop
Wed Aug 16 22:21:45 2017 : Info: ++ ... skipping else for request 0:
Preceding "if" was taken
Wed Aug 16 22:21:45 2017 : Info: +} # group authorize = ok
Wed Aug 16 22:21:45 2017 : Info: Found Auth-Type = MSCHAP
Wed Aug 16 22:21:45 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: +group MS-CHAP {
Wed Aug 16 22:21:45 2017 : Info: [mschap] Client is using MS-CHAPv1 with
NT-Password
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 22:21:45 2017 : Info: [mschap] No NT-Domain was found in the
User-Name.
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
->
Wed Aug 16 22:21:45 2017 : Info: [mschap] ... expanding second
conditional
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain=D-HOLOMIT
Wed Aug 16 22:21:45 2017 : Info: [mschap] mschap1: e1
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=e1248c7251ea7e63
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
Wed Aug 16 22:21:45 2017 : Debug: Exec output: No trusted SAM account
(0xc000018b)
Wed Aug 16 22:21:45 2017 : Debug: Exec plaintext: No trusted SAM account
(0xc000018b)
Wed Aug 16 22:21:45 2017 : Info: [mschap] Exec: program returned: 1
Wed Aug 16 22:21:45 2017 : Info: [mschap] External script failed.
Wed Aug 16 22:21:45 2017 : Info: [mschap] MS-CHAP-Response is incorrect.
Wed Aug 16 22:21:45 2017 : Info: ++[mschap] = reject
Wed Aug 16 22:21:45 2017 : Info: +} # group MS-CHAP = reject
Wed Aug 16 22:21:45 2017 : Info: Failed to authenticate the user.
Wed Aug 16 22:21:45 2017 : Info: } # server inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: Using Post-Auth-Type REJECT
Wed Aug 16 22:21:45 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 16 22:21:45 2017 : Info: +group REJECT {
Wed Aug 16 22:21:45 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> adam
Wed Aug 16 22:21:45 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Wed Aug 16 22:21:45 2017 : Info: ++[attr_filter.access_reject] = updated
Wed Aug 16 22:21:45 2017 : Info: +} # group REJECT = updated
Wed Aug 16 22:21:45 2017 : Info: Delaying reject of request 0 for 1 seconds
Wed Aug 16 22:21:45 2017 : Debug: Going to the next request
Wed Aug 16 22:21:45 2017 : Debug: Waking up in 0.8 seconds.
Wed Aug 16 22:21:46 2017 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 90 to 127.0.0.1 port 56467
MS-CHAP-Error = "\000E=691 R=1"

Special thanks !!!

Adam
Alan DeKok
2017-08-17 07:11:03 UTC
Post by Adam Cage
* I've deleted the content of /etc/freeradius/users corresponding to the
ldap-group attribute
Good...
Post by Adam Cage
* I've added the ldap-group clauses in
/etc/freeradius/sites-available/default and inner-tunnel, as you said. I
have not the ultimate clause yet, so the clause is a noop if users belong
That's fine.
Post by Adam Cage
Here I show you the log for success test (Alan Dekok's guide exactly
without LDAP authorization) and after that the log for failure test (adding
LDAP support as described above), in order to confirm that mschap in the
success test does not have the "NOT TRUSTED SAM ACCOUNT" error appearing in
Adding an "LDAP-Group" check just can't create that error. The error is because of something else. Likely that Samba hasn't actually joined the AD domain.

While I understand this is frustrating, the error is *entirely* between ntlm_auth and AD. No amount of poking at FreeRADIUS will fix the problem.

You will have to check that Samba is actually joined to the domain, and debug issues there.

You *can* run ntlm_auth manually, using the information provided in the debug output:

$ ntlm_auth --username=adam --domain=D-HOLOMIT --challenge=e1248c7251ea7e63 --nt-response=d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851

Keep running that (and fixing AD / Samba issues) until you get "success" returned. FreeRADIUS will then work.

Alan DeKok.
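As an added example (not code from the thread, FreeRADIUS or Samba), the following Python rebuilds the manual ntlm_auth command suggested above from the "[mschap] expand:" lines of the debug output and maps the "Exec output:" line to a likely cause. It assumes the debug excerpt is pasted as text, possibly wrapped by a mail client as in this thread; the NTSTATUS hints other than 0xc000018b are standard Windows codes, not values taken from the thread.

```python
"""Rebuild and interpret the ntlm_auth check from FreeRADIUS debug output.

Added example for this thread, not FreeRADIUS or Samba code. It reads the
"[mschap] expand:" lines that radiusd -X prints, recovers the expanded
--username/--domain/--challenge/--nt-response values, builds the manual
ntlm_auth command from them and maps the "Exec output:" line to a likely
cause, so the Samba/AD side can be checked without touching FreeRADIUS.
"""
import re
import shlex
from typing import Dict, List, Optional

# Constructed excerpt modelled on the FAILURE log in the thread. The mail
# client wrapped the long lines; real radiusd -X output keeps each on one line.
SAMPLE_DEBUG = """\
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-D-HOLOMIT} -> --domain=D-HOLOMIT
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=e1248c7251ea7e63
Wed Aug 16 22:21:45 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
Wed Aug 16 22:21:45 2017 : Debug: Exec output: No trusted SAM account (0xc000018b)
Wed Aug 16 22:21:45 2017 : Info: [mschap] Exec: program returned: 1
"""

TIMESTAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : ")
EXPAND = re.compile(r"expand: --([\w-]+)=.*? -> --\1=(\S*)")
EXEC_OUTPUT = re.compile(r"Exec output: (.*)")

# NTSTATUS codes that ntlm_auth passes through from the domain controller.
# Only 0xc000018b occurs in the thread; the others are standard Windows values.
NTSTATUS_HINTS = {
    "0xc000018b": "no trusted SAM account: this host is not joined to the "
                  "domain (check with 'net ads testjoin')",
    "0xc000006a": "wrong password for the account",
    "0xc0000064": "no such user in the domain",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}


def unwrap(debug: str) -> List[str]:
    """Join mail-wrapped continuation lines back onto their timestamped line."""
    lines: List[str] = []
    for raw in debug.splitlines():
        if TIMESTAMP.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines


def ntlm_auth_args(debug: str) -> Dict[str, str]:
    """Collect the expanded ntlm_auth arguments from the [mschap] expand lines."""
    args: Dict[str, str] = {}
    for line in unwrap(debug):
        m = EXPAND.search(line)
        if "[mschap]" in line and m:
            args[m.group(1)] = m.group(2)
    return args


def manual_command(args: Dict[str, str]) -> str:
    """Build the command to run by hand, in the order FreeRADIUS passes it."""
    order = ["username", "domain", "challenge", "nt-response"]
    missing = [k for k in order if k not in args]
    if missing:
        raise ValueError(f"debug output lacks ntlm_auth arguments: {missing}")
    return shlex.join(["ntlm_auth"] + [f"--{k}={args[k]}" for k in order])


def classify_exec_output(debug: str) -> Optional[str]:
    """Map the first 'Exec output:' line to a short diagnosis, or None."""
    for line in unwrap(debug):
        m = EXEC_OUTPUT.search(line)
        if not m:
            continue
        text = m.group(1).strip()
        if text.startswith("NT_KEY:"):
            return "success: AD validated the response and returned the NT key"
        for code, hint in NTSTATUS_HINTS.items():
            if code in text.lower():
                return hint
        return f"unrecognised ntlm_auth output: {text}"
    return None


if __name__ == "__main__":
    print(manual_command(ntlm_auth_args(SAMPLE_DEBUG)))
    print(classify_exec_output(SAMPLE_DEBUG))
```

Paste the "[mschap]" section of your own radiusd -X output in place of SAMPLE_DEBUG; if the printed command succeeds by hand but FreeRADIUS still rejects, the problem is on the FreeRADIUS side, otherwise it is between ntlm_auth and AD.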


-
List info/subscribe/unsubscribe? See ht
Adam Cage
2017-08-17 12:32:36 UTC
Alan, you were right..... I hadn't joined the domain because this is a
new server, I forgot it!!!

After joining the domain, the radtest worked OK.

Special thanks to all of you, and now I have to write the ldap authorization
clauses based on SSID and ldap-groups....maybe I will ask for your help
again.

Regards!!!

Alan Buxey
2017-08-16 18:25:15 UTC
see my other recent reply about accounts in AD - if you want to
verify, you can use ntlm_auth directly on the command
line the same as FR is doing (check its debug to see what parameters)
- expect that the account information is wrong...wrong domain etc.

alan
Post by Adam Cage
Dear Alan and people, I'm near the solution of my problem but I'm still
having a problem.
Following the Alan Dekok tutorial about Authentication with Active
Directory with ntlm_auth and mschap, everything works OK. In this case, I
have no LDAP support at all, no authorization, just authentication. At this
$ radtest -t mschap adam 1234abcd localhost 0 testing123
Sending Access-Request of id 233 to 127.0.0.1 port 1812
User-Name = "adam"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x9c705e7afe5513e7
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000008319855335ab46ea32fd6382fb68640c6c27a0e929182371
rad_recv: *Access-Accept* packet from host 127.0.0.1 port 1812, id=233,
length=84
MS-CHAP-MPPE-Keys =
0x0000000000000000997c9fae0cc86f9d48d2cbb81915e1630000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
But the problem comes when I setup the LDAP support to Authorization when
checking if user is or not in a given group with the Ldap-Group attribute.
As I said previously, after configuring the ldap module and
/etc/sites-available/default and inner-tunnel with LDAP for authorization,
I execute the same radtest command "radtest -t mschap adam 1234abcd
localhost 0 testing123" and this is the freeradius debug output when it
rad_recv: Access-Request packet from host 127.0.0.1 port 35229, id=117,
length=135
User-Name = "adam"
NAS-IP-Address = 10.10.10.1
NAS-Port = 0
Message-Authenticator = 0x38de9478053289444c4ad85736b70bfd
MS-CHAP-Challenge = 0xb4d7849d65d481d0
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000000fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
Wed Aug 16 10:51:56 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group authorize {
Wed Aug 16 10:51:56 2017 : Info: ++[preprocess] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[chap] = noop
Wed Aug 16 10:51:56 2017 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type = mschap'
Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[digest] = noop
looking up realm NULL
Wed Aug 16 10:51:56 2017 : Info: [suffix] No such realm "NULL"
Wed Aug 16 10:51:56 2017 : Info: ++[suffix] = noop
Wed Aug 16 10:51:56 2017 : Info: [eap] No EAP-Message, not doing EAP
Wed Aug 16 10:51:56 2017 : Info: ++[eap] = noop
Wed Aug 16 10:51:56 2017 : Debug: [ldap] Entering ldap_groupcmp()
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
%{Stripped-User-Name} ->
Wed Aug 16 10:51:56 2017 : Info: [files] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [files] expand: %{User-Name} -> adam
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] attempting LDAP reconnection
Wed Aug 16 10:51:56 2017 : Debug: [ldap] (re)connect to
mitwpdcs01.company.com:389, authentication 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] bind as cn=wspsf,ou=Proxy para
Apps,ou=Internos,ou=Servicios,ou=users,dc=company,dc=com/wP67yh345 to
mitwpdcs01.company.com:389
Wed Aug 16 10:51:56 2017 : Debug: [ldap] waiting for bind result ...
Wed Aug 16 10:51:56 2017 : Debug: [ldap] Bind was successful
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dusers\2cOU\2cDC\3dcompany\2cDC\3dcom)))
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
cn=group1,ou=wifi,dc=company,dc=com, with filter
(|(&(objectClass=group)(member=CN\3dAdam\2cOU\3dUsers\2cOU\3dcompany\2cDC\3dcom)))
Wed Aug 16 10:51:56 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group cn=group1,ou=wifi,dc=company,dc=com
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: [files] users: Matched entry DEFAULT at
line 207
Wed Aug 16 10:51:56 2017 : Info: ++[files] = ok
Wed Aug 16 10:51:56 2017 : Info: [ldap] performing user authorization for
adam
%{Stripped-User-Name} ->
Wed Aug 16 10:51:56 2017 : Info: [ldap] ... expanding second
conditional
Wed Aug 16 10:51:56 2017 : Info: [ldap] expand: %{User-Name} -> adam
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
OU=users,DC=company,DC=com -> OU=users,DC=company,DC=com
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Wed Aug 16 10:51:56 2017 : Debug: [ldap] performing search in
OU=users,DC=company,DC=com, with filter (sAMAccountName=adam)
Wed Aug 16 10:51:56 2017 : Info: [ldap] No default NMAS login sequence
Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for check items in
directory...
Wed Aug 16 10:51:56 2017 : Info: [ldap] looking for reply items in
directory...
Wed Aug 16 10:51:56 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Wed Aug 16 10:51:56 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 16 10:51:56 2017 : Info: ++[ldap] = ok
Wed Aug 16 10:51:56 2017 : Info: ++[expiration] = noop
Wed Aug 16 10:51:56 2017 : Info: ++[logintime] = noop
Wed Aug 16 10:51:56 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Wed Aug 16 10:51:56 2017 : Info: ++[pap] = noop
Wed Aug 16 10:51:56 2017 : Info: +} # group authorize = ok
Wed Aug 16 10:51:56 2017 : Info: Found Auth-Type = MSCHAP
Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group MS-CHAP {
Wed Aug 16 10:51:56 2017 : Info: [mschap] Client is using MS-CHAPv1 with
NT-Password
--username=%{mschap:User-Name:-None} -> --username=adam
Wed Aug 16 10:51:56 2017 : Info: [mschap] No NT-Domain was found in the
User-Name.
Wed Aug 16 10:51:56 2017 : Info: [mschap] expand: %{mschap:NT-Domain}
->
Wed Aug 16 10:51:56 2017 : Info: [mschap] ... expanding second
conditional
--domain=%{%{mschap:NT-Domain}:-company} -> --domain=company
Wed Aug 16 10:51:56 2017 : Info: [mschap] mschap1: b4
--challenge=%{mschap:Challenge:-00} -> --challenge=b4d7849d65d481d0
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38
Wed Aug 16 10:51:56 2017 : Debug: Exec output: No trusted SAM account
(0xc000018b)
Wed Aug 16 10:51:56 2017 : Debug: Exec plaintext: No trusted SAM account
(0xc000018b)
Wed Aug 16 10:51:56 2017 : Info: [mschap] Exec: program returned: 1
Wed Aug 16 10:51:56 2017 : Info: [mschap] External script failed.
Wed Aug 16 10:51:56 2017 : Info: [mschap] MS-CHAP-Response is incorrect.
Wed Aug 16 10:51:56 2017 : Info: ++[mschap] = reject
Wed Aug 16 10:51:56 2017 : Info: +} # group MS-CHAP = reject
Wed Aug 16 10:51:56 2017 : Info: Failed to authenticate the user.
Wed Aug 16 10:51:56 2017 : Info: Using Post-Auth-Type REJECT
Wed Aug 16 10:51:56 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Aug 16 10:51:56 2017 : Info: +group REJECT {
%{User-Name} -> adam
Wed Aug 16 10:51:56 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Wed Aug 16 10:51:56 2017 : Info: ++[attr_filter.access_reject] = updated
Wed Aug 16 10:51:56 2017 : Info: +} # group REJECT = updated
Wed Aug 16 10:51:56 2017 : Info: Delaying reject of request 3 for 1 seconds
Wed Aug 16 10:51:56 2017 : Debug: Going to the next request
Wed Aug 16 10:51:56 2017 : Debug: Waking up in 0.8 seconds.
Wed Aug 16 10:51:57 2017 : Info: Sending delayed reject for request 3
Sending Access-Reject of id 117 to 127.0.0.1 port 35229
MS-CHAP-Error = "\000E=691 R=1"
Can you tell me why mschap auth is ok without LDAP support and it's wrong
with LDAP support???
Thanks a lot again.
ADAM
Post by Alan DeKok
Post by Adam Cage
Dear all, finally I have followed as you said: Authentication with samba,
winbind, ntlm_auth and Authorization with LDAP, but I fails. I post my
main
Please don't post configuration files. We ask for the debug output for
a reason: it's all we need.
Post by Adam Cage
/etc/freeradius/users:
DEFAULT Ldap-Group == "cn=group1,ou=wifi,dc=company,dc=com"
Service-Type = Login-User
DEFAULT Auth-Type := Reject
You're not telling the server how to authenticate the user.
Post by Adam Cage
$ radtest adam 1234abcd 127.0.0.1 0 testing123
Which is just a PAP request...
...
Post by Adam Cage
Tue Aug 15 12:38:27 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
That's just Active Directory not supplying the password...
Post by Adam Cage
Tue Aug 15 12:38:27 2017 : Info: ERROR: No authenticate method (Auth-Type)
found for the request: Rejecting the user
Tue Aug 15 12:38:27 2017 : Info: Failed to authenticate the user.
And you haven't told the server how to authenticate the user.
Follow the guide on deployingradius.com. It *will* work.
Alan DeKok.