Re: I would like help for Freeradius integration on AD domain
On 31/05/11 14:39, edgardolenza wrote:
> Hello everybody,

Hello

> I apologize because I'm new with linux and freeradius also.
> I've read many forums and many howtos but I've got some trouble with user
> authentication on domain controller.
>
> This is my working layout:
> -I've got an appliance (radius client) getting authentication requests from
> users.
> -the client radius sends authentication requests to the freeradius (using
> CHAP)
> -freeradius has to ask to AD if the user can be authenticated

If you want to use AD, you'll be needing to use MSCHAPv2, realistically. Most likely inside PEAP, as this is what the MS supplicants use. Others may also play with EAP-TTLS, but from what I've seen dealing with 802.1x stuff here, it's nearly always MS-CHAPv2 on the inside (although there are sometimes others available as well).

> I've configured many things and I've done many tests: freeradius server
> seems working correctly.
> The machine is in Microsoft domain, I'm able to make queries on ADs.
> When I try to authenticate with domain's I've got problems: I've put the
> debug on bottom of this message.

You need to make sure the freeradius server is joined to the domain (therefore Samba must be installed). Also, you'll need winbindd running.

*snip*

> Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
> mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = yes
> ntlm_auth = "/user/bin/ntlm_auth --request-nt-key
> --username=radiustest"
> }

Obviously you'll be wanting to fix the ntlm_auth line as well.

Hope this helps.

--
Martin Goldstone
IT Systems Administrator
Finance & IT
Keele University, Keele, Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: I would like help for Freeradius integration on AD domain
edgardolenza wrote:
> Is this a STANDARD?

I have no idea what you mean by that.

> Excuse me but I'm not an expert on these things.

What's so hard about reading that web page?

> Have you got suggestions on how to implement this?

What part of "impossible" is unclear?

> Isn't it possible to create a "copy" of the AD's users on a local Database?

Go ask Microsoft. The answer will likely be "no".

> Do you know if there are other solutions?

Do you know the definition of "impossible"?

> PS: I've also tried with PAP, I'll send the debug info soon, but the problem
> is the same.

Yes. You've butchered your configuration so that it doesn't work. Don't do that. See "man radiusd" for reasons why.

Alan DeKok.
Re: I would like help for Freeradius integration on AD domain
Hi Alan,

Is this a STANDARD?
Excuse me but I'm not an expert on these things.
Have you got suggestions on how to implement this?
Isn't it possible to create a "copy" of the AD's users on a local Database?
Do you know if there are other solutions?

Thank you very much.

Eddy

PS: I've also tried with PAP, I'll send the debug info soon, but the problem is the same.
Re: I would like help for Freeradius integration on AD domain
edgardolenza wrote:
> -the client radius sends authentication requests to the freeradius (using
> CHAP)
> -freeradius has to ask to AD if the user can be authenticated

This is impossible.

http://deployingradius.com/documents/protocols/compatibility.html

See the "NT Hash" column.

Alan DeKok.
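Added example (mine, not code from this thread or from the FreeRADIUS project) showing why Alan's "impossible" and Martin's "use MSCHAPv2" are the same point. CHAP (RFC 1994) hashes the cleartext password into the response, so the verifier must hold the cleartext; Active Directory only holds the NT hash (MD4 over the UTF-16LE password), which is what the "NT Hash" column in the linked table tracks. The CHAP-Challenge and CHAP-Password values are copied from the debug output in the original post on this page; the password `Secret123`, the `chap_authorize` helper and its `stored` dict are assumptions made for the demonstration, and `_md4` is included only because the OpenSSL build behind `hashlib` often lacks MD4.

```python
import hashlib
import hmac
import struct

# Values copied from the debug output posted in this thread (the request for
# "radiust...@ulssve.lan"): CHAP-Challenge and CHAP-Password as the GGSN sent them.
CHAP_CHALLENGE = bytes.fromhex("d4ab0707d4ab0707d4ab0707d4ab0707")
CHAP_PASSWORD_ATTR = bytes.fromhex("0057dc83b55c66b3ae5f6442d8c52f2d89")


def split_chap_password(attr: bytes):
    """RADIUS CHAP-Password (RFC 2865 s5.3): 1 octet CHAP Identifier + 16 octet MD5 response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return attr[0], attr[1:]


def chap_response(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994 s4.1): MD5(Identifier || Secret || Challenge).

    The secret enters the hash as raw octets, so the verifier needs the
    cleartext password itself; a stored hash of it is useless here."""
    return hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()


def chap_verify(attr: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    ident, response = split_chap_password(attr)
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's md4 lives in OpenSSL's legacy provider and is often absent."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        st = [(s + v) & mask for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)


def nt_hash(password: str) -> bytes:
    """The NT hash Active Directory stores: unsalted MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16-le"))


def chap_authorize(attr: bytes, challenge: bytes, stored: dict):
    """Assumed helper mirroring what rlm_chap can do with a given credential store.

    `stored` is keyed like FreeRADIUS control attributes: 'Cleartext-Password'
    or 'NT-Password' (both bytes). Returns (accepted, reason)."""
    if "Cleartext-Password" in stored:
        ok = chap_verify(attr, challenge, stored["Cleartext-Password"])
        return ok, ("ok" if ok else "CHAP response mismatch")
    # With only the NT hash (all that AD, or ntlm_auth on its behalf, can supply)
    # the MD5 over the cleartext cannot be recomputed, so CHAP has to give up:
    # this is the "Cleartext-Password is required" line in the posted debug.
    return False, "Cleartext-Password is required for authentication"


# Constructed demo password; the real one behind the posted request is unknown.
DEMO_PASSWORD = b"Secret123"


def demo():
    ident, _ = split_chap_password(CHAP_PASSWORD_ATTR)
    attr = bytes([ident]) + chap_response(ident, DEMO_PASSWORD, CHAP_CHALLENGE)
    return {
        "cleartext": chap_authorize(attr, CHAP_CHALLENGE, {"Cleartext-Password": DEMO_PASSWORD}),
        "wrong": chap_authorize(attr, CHAP_CHALLENGE, {"Cleartext-Password": b"nope"}),
        "nt_hash_only": chap_authorize(attr, CHAP_CHALLENGE, {"NT-Password": nt_hash("Secret123")}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and the NT-hash-only case fails with the same reason rlm_chap logged for Eddy, while the same store would be enough for MS-CHAPv2: there the NT-Response is DES over a challenge hash keyed by the NT hash (RFC 2759), which is exactly what a domain-joined Samba's ntlm_auth --request-nt-key answers on the server's behalf. That DES step is not reproduced here.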
I would like help for Freeradius integration on AD domain
es-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "ulssve.lan@radiustest", looking up realm NULL
[IPASS] Found realm "NULL"
[IPASS] Adding Stripped-User-Name = "ulssve.lan@radiustest"
[IPASS] Adding Realm = "NULL"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "ulssve.lan@radiustest" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ulssve.lan@radiustest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 72 to 172.30.100.2 port 60020
Waking up in 4.9 seconds.
Cleaning up request 2 ID 72 with timestamp +87
Ready to process requests.

#by eddy: trying authenticating: radiust...@ulssve.lan with CHAP encryption

rad_recv: Access-Request packet from host 172.30.100.2 port 54247, id=15, length=157
User-Name = "radiust...@ulssve.lan"
CHAP-Challenge = 0xd4ab0707d4ab0707d4ab0707d4ab0707
CHAP-Password = 0x0057dc83b55c66b3ae5f6442d8c52f2d89
NAS-IP-Address = 172.30.100.2
NAS-Identifier = "GGSN-RM5"
Called-Station-Id = "ulss12ve.tim.it"
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
Calling-Station-Id = "393666140176"
3GPP-PDP-Type = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "radiust...@ulssve.lan", looking up realm NULL
[IPASS] Found realm "NULL"
[IPASS] Adding Stripped-User-Name = "radiust...@ulssve.lan"
[IPASS] Adding Realm = "NULL"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "radiust...@ulssve.lan" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> radiust...@ulssve.lan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 15 to 172.30.100.2 port 54247
Waking up in 4.9 seconds.
Cleaning up request 3 ID 15 with timestamp +119
Ready to process requests.