At 06:12 PM 11/30/2009, t...@kalik.net wrote:
> You need to set fall-through so that you still do per user processing.
> This is documented in the raddb/users file and you should also read
> doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (i.e. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.

Yup, both of those work, and I'm at the point where I understand why!

What I think is my final problem: I'm now working to authenticate VPN users in the same scenario, using the L2TP client in Windows. It looks like everything automatically picks up that it's an MS-CHAP request.

Using similar logic:
DEFAULT         Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"

The only problem is that it appears to ignore my LDAP group and just authenticates ANY user (with a valid user ID/password) regardless of LDAP group.

rad_recv: Access-Request packet from host 10.4.1.2 port 1924, id=55, length=129
        User-Name = "notvpnuser"
        MS-CHAP-Challenge = 0x85e6507f219630664491c4e1bbeee67b
        MS-CHAP2-Response = 0x0100cc49a55de60f33a16e0afd73fb10d7dd0000000000000000eb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4
        NAS-IP-Address = 10.4.1.2
        NAS-Port = 0
server server_vpn {
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to int.example.com:389, authentication 0
rlm_ldap: bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=cisco rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
rlm_ldap: performing search in CN=Infrastructure,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
rlm_ldap: object not found
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for notvpnuser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap] expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user notvpnuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for notvpnuser with NT-Password
[mschap]        expand: --username=%{mschap:User-Name} -> --username=notvpnuser
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: --domain=%{mschap:NT-Domain:-int.example.com} -> --domain=int.example.com
[mschap]  mschap2: 85
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=902a16bba035658e
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=eb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4
Exec-Program output: NT_KEY: 4E1F254C4B27DD3C7F78BB1C5513887C
Exec-Program-Wait: plaintext: NT_KEY: 4E1F254C4B27DD3C7F78BB1C5513887C
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [notvpnuser] (from client VPN port 0)
+- entering group post-auth {...}
++[exec] returns noop
} # server server_vpn
Sending Access-Accept of id 55 to 10.4.1.2 port 1924
MS-CHAP2-Success = 0x01533d38304631424142374345463745433336454431353636444636413932383044334131463237314437
        MS-MPPE-Recv-Key = 0xdb66e88cd170cf5f5a59034267079b9e
        MS-MPPE-Send-Key = 0x660d90f211a1efa06e81e612eb08f3fa
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 55 with timestamp +13
Ready to process requests.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
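A worked example, added here and not taken from the thread or from the FreeRADIUS project, of why the debug output above ends in an Access-Accept and how to close the gap. The trace shows the users-file DEFAULT entry failing its Ldap-Group check ("Group VPN_Users not found or user not a member") and `[files] returns noop`: a users entry that does not match simply adds nothing, it never rejects. The ldap module then returns ok, mschap finds Auth-Type = MSCHAP (set earlier by the mschap module in authorize) and authenticates against AD, so any valid domain account gets in. The fix is a second, catch-all entry for the same huntgroup that forces Auth-Type := Reject; `:=` is needed because Auth-Type is already present and `=` would not override it. The huntgroup and group names, the server name server_vpn and the `Auth-Type := ntlm_auth` idiom come from the thread; the Reply-Message text, the file path of the virtual server and the unlang variant are assumptions written in the FreeRADIUS 2.x syntax of the thread's era.

```text
# raddb/users (FreeRADIUS 2.x)
#
# Before: one DEFAULT entry. When the Ldap-Group check fails the entry does
# not match, files returns noop, and nothing in authorize rejects the request.
#
#DEFAULT        Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"

# After: members match the first entry and stop there (no Fall-Through, so
# the reject line below is never reached for them). Any other request from
# the VPN huntgroup falls to the second entry, which overrides the
# Auth-Type that mschap already set and forces an Access-Reject.
DEFAULT         Huntgroup-Name == "VPN_Huntgroup", Ldap-Group == "VPN_Users"

DEFAULT         Huntgroup-Name == "VPN_Huntgroup", Auth-Type := Reject
                Reply-Message = "Not a member of VPN_Users"

# Equivalent check as unlang in raddb/sites-enabled/server_vpn (assumed
# path; other sections of the virtual server omitted). This form does not
# depend on users-file ordering or on Fall-Through, so it is safer to keep
# when per-user entries with Fall-Through = Yes are added later.
server server_vpn {
        authorize {
                preprocess
                mschap
                files
                ldap
                if (Huntgroup-Name == "VPN_Huntgroup" && !(Ldap-Group == "VPN_Users")) {
                        reject
                }
        }
}
```

Check it with radiusd -X: a request for notvpnuser from the VPN NAS should now end in an Access-Reject before the MS-CHAP section runs, while a member of VPN_Users still gets the MS-CHAP2-Success and MPPE keys shown above. Note that the Ldap-Group comparison binds and searches the directory on its own (the trace shows rlm_ldap's groupcmp running from inside the files module), so it works even if it is evaluated before the ldap module.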