You can use mschap:User-Name in ldap configuration just like in ntlm_auth. Replace Stripped-User-Name with that and both mschap (VPN) and pap (admin login) requests should work.
Ivan Kalik
Kalik Informatika ISP

On 5/9/2008, "kesm0724" <[EMAIL PROTECTED]> wrote:

> Hello All,
>
> I am very, very new to Freeradius (as well as Radius) ;) - disclaimer. We are trying to move away from using IAS to Freeradius. We have approx 50 switches/routers which I have not had a problem with getting to work with Freeradius including group checking using LDAP.
>
> The issue I have is getting our Cisco VPN Concentrator to authenticate users who are in a certain Active Directory group. I have configured Samba to join our domain - all that is working without issue. The problem apparently is when logging in via the Cisco VPN client:
>
> Here is my debug:
>
> rad_recv: Access-Request packet from host 10.2.1.6 port 1059, id=83, length=191
>         User-Name = "voila\\webtest"
>         NAS-Port = 1151
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Called-Station-Id = "123.201.6.78"
>         Calling-Station-Id = "123.201.6.76"
>         Tunnel-Client-Endpoint:0 = "123.201.6.76"
>         MS-CHAP-Challenge = 0x0ebafb8a5ab6b2be73f9a983a6a3f5d3
>         MS-CHAP2-Response = 0x0000db98fa3162973c0f68121500631c0c8d00000000000000005808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
>         NAS-IP-Address = 10.2.1.6
>         NAS-Port-Type = Virtual
> +- entering group authorize
> ++[preprocess] returns ok
>         expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.2.1.6/auth-detail-20080904
>         expand: %t -> Thu Sep  4 17:55:54 2008
> ++[auth_log] returns ok
> ++[chap] returns noop
>   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
>     rlm_realm: No '@' in User-Name = "voila\webtest", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>     rlm_realm: No '"' in User-Name = "voila\webtest", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[ntdomain] returns noop
> ++[unix] returns notfound
> rlm_ldap: Entering ldap_groupcmp()
>         expand: dc=voila,dc=com -> dc=voila,dc=com
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>         expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=voila\5cwebtest)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=voila\5cwebtest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
>         expand: dc=voila,dc=com -> dc=voila,dc=com
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>         expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=voila\5cwebtest)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=voila\5cwebtest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for voila\webtest
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>         expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=voila\5cwebtest)
>         expand: dc=voila,dc=com -> dc=voila,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=voila\5cwebtest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type mschap
> auth: type "MSCHAP"
> +- entering group MS-CHAP
>   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for webtest with NT-Password
>         expand: --domain=%{mschap:NT-Domain} -> --domain=voila
>         expand: --username=%{mschap:User-Name} -> --username=webtest
>  mschap2: 0e
>         expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dcdc37024aecaec1
>         expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5808068d4047ef8a58e79d488a62d41e89128aabd6d88c52
> Exec-Program output: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
> Exec-Program-Wait: plaintext: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
> Exec-Program: returned: 0
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
> +- entering group post-auth
> ++[exec] returns noop
> Sending Access-Accept of id 83 to 10.2.1.6 port 1059
>         MS-CHAP2-Success = 0x00533d31364230314341364638323331333730333334393432393943303539423539334346434433314336
>         MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
>         MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
>         MS-MPPE-Encryption-Policy = 0x00000001
>         MS-MPPE-Encryption-Types = 0x00000006
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 83 with timestamp +888
> Ready to process requests.
>
> It appears that MSCHAP is used to verify the password but LDAP is not properly checking the "VPN-Users" AD group....I believe it is not stripping the domain portion off correctly as I see the domain name appended to (sAMAccountName=voila\5cwebtest)
>
> My users File entries:
>
> (The first entry I would like to be used by the concentrator to search the group and if the user is a member allow them access - of course authenticating the provided password)
>
> DEFAULT LDAP-Group == "vpn-users"
>         Fall-Through = Yes
>
> This entry is for our network switches/routers - this appears to be working without any issue.
>
> DEFAULT LDAP-Group == "Radius-Admin"
>         Service-Type = Login-User,
>         cisco-avpair = "shell:priv-lvl=15",
>         Fall-Through = Yes
>
> If I login from my network devices it performs the ldap searches without issue and authenticates/authorizes the user - You can see this below:
>
> rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
> rlm_ldap::ldap_groupcmp: User found in group vpn-users
> rlm_ldap: ldap_release_conn: Release Id: 0
>     users: Matched entry DEFAULT at line 178
> rlm_ldap: Entering ldap_groupcmp()
>         expand: dc=voila,dc=com -> dc=voila,dc=com
>         expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))))
> rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
> rlm_ldap: ldap_release_conn: Release Id: 0
>     users: Matched entry DEFAULT at line 181
> ++[files] returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for zkms
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>         expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=zkms)
>         expand: dc=voila,dc=com -> dc=voila,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=zkms)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
> rlm_ldap: user zkms authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> +- entering group LDAP
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "zkms" with password "Omitted"
> rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
> rlm_ldap: (re)connect to control.voila.com:389, authentication 1
> rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to control.voila.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user zkms authenticated succesfully
>
>
> Thanks in advance for any pointers.....
>
> --
> View this message in context: http://www.nabble.com/MSCHAP-Authentication-and-LDAP-Group-Membership-checking-tp19321178p19321178.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
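The following is an added example illustrating the point of the reply above; it is not FreeRADIUS code and not anything the poster ran. It reproduces, in Python, why the filter `(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})` turns `voila\webtest` into `(sAMAccountName=voila\5cwebtest)` (RFC 4515 escapes the backslash, and no account has that name) while the user part that `%{mschap:User-Name}` yields, `webtest`, does match. The in-memory directory, the user and group names, the `TRUSTED_DOMAINS` allowlist and the domain check in `ldap_groupcmp` are all constructed for the example; the `user@domain` branch of `split_nt_name` is a generalisation of this example, not something the page shows.

```python
"""Why (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) misses
"voila\\webtest" and what switching to %{mschap:User-Name} changes.

Added example, not FreeRADIUS code.  The directory, names and the
trusted-domain allowlist are constructed sample data modelled on the
debug output in the thread.
"""

# RFC 4515 characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515).
    A backslash becomes \\5c, exactly what the debug output shows."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_unescape(value: str) -> str:
    """Reverse of ldap_filter_escape; used only by the toy directory below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_nt_name(user_name: str):
    """Split DOMAIN\\user into (domain, user); "voila\\webtest" gives
    ("voila", "webtest"), matching --domain=voila / --username=webtest in
    the debug.  The user@domain branch is this example's generalisation."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    if "@" in user_name:
        user, _, domain = user_name.partition("@")
        return domain, user
    return None, user_name


def sam_filter(user_name: str, strip_domain: bool) -> str:
    """Build the sAMAccountName filter rlm_ldap would send.

    strip_domain=False models %{Stripped-User-Name:-%{User-Name}} when no
    realm module stripped anything: the whole "voila\\webtest" is escaped.
    strip_domain=True models %{mschap:User-Name}: only "webtest" is used."""
    value = split_nt_name(user_name)[1] if strip_domain else user_name
    return f"(sAMAccountName={ldap_filter_escape(value)})"


# Constructed sample directory standing in for dc=voila,dc=com.
DIRECTORY = [
    {"dn": "CN=webtest,CN=Users,DC=voila,DC=com",
     "sAMAccountName": "webtest",
     "memberOf": ["CN=vpn-users,CN=Users,DC=voila,DC=com"]},
    {"dn": "CN=zkms,CN=Users,DC=voila,DC=com",
     "sAMAccountName": "zkms",
     "memberOf": ["CN=vpn-users,CN=Users,DC=voila,DC=com",
                  "CN=Radius-Admin,CN=Users,DC=voila,DC=com"]},
]

# Constructed: the one domain the Samba host in the thread has joined.
TRUSTED_DOMAINS = {"voila"}


def search(directory, flt: str):
    """Toy evaluator for a single equality filter "(attr=value)"; AD compares
    sAMAccountName case-insensitively, so the toy does too."""
    assert flt.startswith("(") and flt.endswith(")") and "=" in flt
    attr, _, raw = flt[1:-1].partition("=")
    value = ldap_filter_unescape(raw)
    return [e for e in directory
            if isinstance(e.get(attr), str) and e[attr].lower() == value.lower()]


def ldap_groupcmp(directory, user_name: str, group_cn: str, strip_domain: bool) -> str:
    """Mimic rlm_ldap's group check against the constructed directory.

    Returns "notfound", "untrusted-domain", "member" or "not-member".
    The domain check is this example's own addition: once the DOMAIN\\ prefix
    is discarded, OTHER\\webtest would match the local webtest entry, so the
    prefix is compared against the domain the server actually joined."""
    domain, _ = split_nt_name(user_name)
    if strip_domain and domain is not None and domain.lower() not in TRUSTED_DOMAINS:
        return "untrusted-domain"
    hits = search(directory, sam_filter(user_name, strip_domain))
    if len(hits) != 1:
        return "notfound"  # rlm_ldap: "object not found or got ambiguous search result"
    prefix = f"cn={group_cn},".lower()
    member = any(dn.lower().startswith(prefix) for dn in hits[0]["memberOf"])
    return "member" if member else "not-member"


if __name__ == "__main__":
    for strip in (False, True):
        print(sam_filter("voila\\webtest", strip), "->",
              ldap_groupcmp(DIRECTORY, "voila\\webtest", "vpn-users", strip))
```

Run as a script it prints the failing filter from the debug output first and the working one second. The `TRUSTED_DOMAINS` check is worth carrying into a real deployment in some form: `ntlm_auth` still receives `--domain`, so the password check stays domain-aware, but an LDAP group lookup keyed on the bare user part does not, and a `DOMAIN\` prefix from a domain the server does not trust should not be silently folded into the local account.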