Hello All,

I am very, very new to Freeradius (as well as Radius) ;) - disclaimer. We are trying to move away from using IAS to Freeradius. We have approx 50 switches/routers which I have not had a problem with getting to work with Freeradius, including group checking using LDAP.

The issue I have is getting our Cisco VPN Concentrator to authenticate users who are in a certain Active Directory group. I have configured Samba to join our domain - all that is working without issue. The problem apparently is when logging in via the Cisco VPN client. Here is my debug:

rad_recv: Access-Request packet from host 10.2.1.6 port 1059, id=83, length=191
        User-Name = "voila\\webtest"
        NAS-Port = 1151
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "123.201.6.78"
        Calling-Station-Id = "123.201.6.76"
        Tunnel-Client-Endpoint:0 = "123.201.6.76"
        MS-CHAP-Challenge = 0x0ebafb8a5ab6b2be73f9a983a6a3f5d3
        MS-CHAP2-Response = 0x0000db98fa3162973c0f68121500631c0c8d00000000000000005808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
        NAS-IP-Address = 10.2.1.6
        NAS-Port-Type = Virtual
+- entering group authorize
++[preprocess] returns ok
        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
        expand: %t -> Thu Sep 4 17:55:54 2008
++[auth_log] returns ok
++[chap] returns noop
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
rlm_realm: No '@' in User-Name = "voila\webtest", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_realm: No '"' in User-Name = "voila\webtest", looking up realm NULL
rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=voila,dc=com -> dc=voila,dc=com
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=voila\5cwebtest)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=voila\5cwebtest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=voila,dc=com -> dc=voila,dc=com
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=voila\5cwebtest)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=voila\5cwebtest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for voila\webtest
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=voila\5cwebtest)
        expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=voila\5cwebtest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for webtest with NT-Password
        expand: --domain=%{mschap:NT-Domain} -> --domain=voila
        expand: --username=%{mschap:User-Name} -> --username=webtest
 mschap2: 0e
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dcdc37024aecaec1
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
Exec-Program output: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program-Wait: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 83 to 10.2.1.6 port 1059
        MS-CHAP2-Success = 0x00533d31364230314341364638323331333730333334393432393943303539423539334346434433314336
        MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
        MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 83 with timestamp +888
Ready to process requests.

It appears that MSCHAP is used to verify the password but LDAP is not properly checking the "VPN-Users" AD group.... I believe it is not stripping the domain portion off correctly, as I see the domain name appended to (sAMAccountName=voila\5cwebtest).

My users file entries (the first entry I would like to be used by the concentrator to search the group and, if the user is a member, allow them access - of course authenticating the provided password):

DEFAULT LDAP-Group == "vpn-users"
        Fall-Through = Yes

This entry is for our network switches/routers - this appears to be working without any issue:

DEFAULT LDAP-Group == "Radius-Admin"
        Service-Type = Login-User,
        cisco-avpair = "shell:priv-lvl=15",
        Fall-Through = Yes

If I login from my network devices it performs the ldap searches without issue and authenticates/authorizes the user - you can see this below:

rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group vpn-users
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 178
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=voila,dc=com -> dc=voila,dc=com
        expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 181
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zkms
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=zkms)
        expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=zkms)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user zkms authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zkms" with password "Omitted"
rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
rlm_ldap: (re)connect to control.voila.com:389, authentication 1
rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zkms authenticated succesfully

Thanks in advance for any pointers.....

-- 
View this message in context: http://www.nabble.com/MSCHAP-Authentication-and-LDAP-Group-Membership-checking-tp19321178p19321178.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
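The behaviour the two debug traces above show, as an added Python model that is not part of the original post or of FreeRADIUS itself: rlm_mschap splits the NT domain off on its own (`--domain=voila`, `--username=webtest` in the log), while the ldap filter `(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})` only receives a stripped name if the realm module recognised `voila` as a defined realm; otherwise the whole `voila\webtest` is escaped into the filter, the user object is not found, and ldap_groupcmp never gets a DN to test against the group. The in-memory directory, the `known_realms` list and all function names are constructed for this illustration.

```python
# Added illustration, not the post's or FreeRADIUS's code: a simplified
# model of realm stripping and LDAP filter building; directory, realm
# list and function names are constructed for the example.

# The log shows FreeRADIUS escaping '=' and ',' in the DN (\3d, \2c) as
# well as the RFC 4515 set ( \ * ( ) NUL ), so the model escapes both.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                       "\x00": r"\00", "=": r"\3d", ",": r"\2c"}

def ldap_filter_escape(value: str) -> str:
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def ntdomain_strip(user_name: str, known_realms=()):
    """rlm_realm 'ntdomain' model (format = prefix, delimiter = '\\'):
    returns Stripped-User-Name only if the DOMAIN prefix is a defined
    realm; otherwise the module is a noop and nothing is stripped."""
    realm, sep, user = user_name.partition("\\")
    if sep and realm.lower() in {r.lower() for r in known_realms}:
        return user
    return None

def samaccountname_filter(user_name: str, known_realms=()) -> str:
    """(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) as configured."""
    value = ntdomain_strip(user_name, known_realms) or user_name
    return f"(sAMAccountName={ldap_filter_escape(value)})"

def group_membership_filter(group: str, user_dn: str) -> str:
    """The ldap_groupcmp filter that appears in the switch/router debug."""
    member = ldap_filter_escape(user_dn)
    return (f"(&(cn={ldap_filter_escape(group)})"
            f"(|(&(objectClass=group)(member={member}))"
            f"(&(objectClass=GroupOfNames)(member={member}))))")

# Constructed stand-in for AD: sAMAccountName -> (DN, groups it belongs to)
DIRECTORY = {
    "webtest": ("CN=webtest,CN=Users,DC=voila,DC=com", {"vpn-users"}),
    "zkms": ("CN=zkms,CN=Users,DC=voila,DC=com", {"vpn-users", "Radius-Admin"}),
}

def ldap_groupcmp(user_name: str, group: str, known_realms=()):
    """LDAP-Group check model: resolve the user DN by sAMAccountName, then
    test membership with that DN. Returns (user filter, group filter, result)."""
    user_filter = samaccountname_filter(user_name, known_realms)
    name = ntdomain_strip(user_name, known_realms) or user_name
    if name not in DIRECTORY:            # "object not found": no DN, no check
        return user_filter, None, "search failed"
    dn, groups = DIRECTORY[name]
    result = "found in group" if group in groups else "not in group"
    return user_filter, group_membership_filter(group, dn), result
```

Calling `ldap_groupcmp("voila\\webtest", "vpn-users")` reproduces the VPN trace (filter `(sAMAccountName=voila\5cwebtest)`, search failed), and the same call with `known_realms=("voila",)` reproduces the working switch/router path with the stripped name.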