Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread Martin Goldstone
On 31/05/11 14:39, edgardolenza wrote:
> Hello everybody,

Hello

> 
> I apologize because I'm new to linux and freeradius also.
> I've read many forums and many howtos but I've got some trouble with user
> authentication on the domain controller.
> 
> This is my working layout:
> -I've got an appliance (radius client) getting authentication requests from
> users.
> -the radius client sends authentication requests to the freeradius (using
> CHAP)
> -freeradius has to ask AD if the user can be authenticated

If you want to use AD, you'll be needing to use MSCHAPv2, realistically.
Most likely inside PEAP, as this is what the MS supplicants use.
Others may also play with EAP-TTLS, but from what I've seen dealing with
802.1x stuff here, it's nearly always MS-CHAPv2 on the inside (although
there are sometimes others available as well).

> 
> I've configured many things and I've done many tests: the freeradius server
> seems to be working correctly.
> The machine is in the Microsoft domain, I'm able to make queries on AD.
> When I try to authenticate with domain's I've got problems: I've put the
> debug at the bottom of this message.

You need to make sure the freeradius server is joined to the domain
(therefore Samba must be installed). Also, you'll need winbindd running.

*snip*

>  Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
>   mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = yes
> ntlm_auth = "/user/bin/ntlm_auth --request-nt-key
> --username=radiustest"
>   }

Obviously you'll be wanting to fix the ntlm_auth line as well.

Hope this helps.


-- 

Martin Goldstone
IT Systems Administrator
Finance & IT
Keele University, Keele, Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread Alan DeKok
edgardolenza wrote:
> Is this a STANDARD?

  I have no idea what you mean by that.

> Excuse me but I'm not an expert on these things.

  What's so hard about reading that web page?

> Have you got suggestions on how to implement this? 

  What part of "impossible" is unclear?

> Isn't it possible to create a "copy" of the AD's users on a local Database?

  Go ask Microsoft.  The answer will likely be "no".

> Do you know if there are other solutions?

  Do you know the definition of "impossible"?

> PS: I've also tried with PAP, I'll send the debug info soon, but the problem
> is the same.

  Yes.  You've butchered your configuration so that it doesn't work.

  Don't do that.  See "man radiusd" for reasons why.

  Alan DeKok.


Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread edgardolenza
Hi Alan,

Is this a STANDARD?

Excuse me but I'm not an expert on these things.

Have you got suggestions on how to implement this? 

Isn't it possible to create a "copy" of the AD's users on a local Database?

Do you know if there are other solutions?

Thank you very much.
Eddy

PS: I've also tried with PAP, I'll send the debug info soon, but the problem
is the same.



Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread Alan DeKok
edgardolenza wrote:
> -the client radius sends authentication requests to the freeradius (using
> CHAP)
> -freeradius has to ask to AD if the user can be authenticated

  This is impossible.

http://deployingradius.com/documents/protocols/compatibility.html

  See the "NT Hash" column.

  Alan DeKok.
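Why the "NT Hash" column says no: CHAP (RFC 1994) makes the server recompute MD5 over the CHAP-Ident, the cleartext password and the challenge, so a store that only holds an NT hash (what AD holds) cannot verify it, which is exactly the "[chap] Cleartext-Password is required" failure in the posted debug output. The following is an added example, not code from this thread or from FreeRADIUS; it reuses the CHAP-Challenge value from the log but the password, the control-list dict layout and the NT-hash bytes are constructed assumptions.

```python
import hashlib
import hmac


def chap_response(ident, password, challenge):
    """RFC 1994 response: MD5(CHAP-Ident || cleartext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_chap_password(ident, password, challenge):
    """Build the RADIUS CHAP-Password attribute value (RFC 2865 section 5.3):
    one CHAP-Ident octet followed by the 16-octet CHAP response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password_attr, challenge, known_good):
    """Server-side check, modelled on what the chap module needs: `known_good`
    is the control list found for the user. Only a Cleartext-Password can be
    used, because the response has to be recomputed over the raw password bytes;
    an NT-Password (MD4 of the password, as AD stores it) cannot feed MD5 here."""
    if len(chap_password_attr) != 17:
        return False
    cleartext = known_good.get("Cleartext-Password")
    if cleartext is None:
        # The situation in the posted log:
        # "[chap] Cleartext-Password is required for authentication"
        return False
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample. The challenge is the CHAP-Challenge value from the posted
# debug output; the password is invented, so the CHAP-Password built here is
# not the one in the log.
CHALLENGE = bytes.fromhex("d4ab0707d4ab0707d4ab0707d4ab0707")
PASSWORD = b"example-password"
CHAP_ATTR = encode_chap_password(0x00, PASSWORD, CHALLENGE)


def demo():
    """Three verifier states: cleartext known, wrong cleartext, NT hash only."""
    fake_nt_hash = b"\x11" * 16  # placeholder for what AD would hold
    return {
        "cleartext": verify_chap(CHAP_ATTR, CHALLENGE, {"Cleartext-Password": PASSWORD}),
        "wrong_password": verify_chap(CHAP_ATTR, CHALLENGE, {"Cleartext-Password": b"other"}),
        "nt_hash_only": verify_chap(CHAP_ATTR, CHALLENGE, {"NT-Password": fake_nt_hash}),
    }
```

MS-CHAPv2 avoids this because its response is derived from the NT hash itself, which is why the winbind/ntlm_auth path works against AD while CHAP and crypt-style stores do not.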


I would like help for Freeradius integration on AD domain

2011-05-31 Thread edgardolenza
es-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "ulssve.lan@radiustest", looking up realm NULL
[IPASS] Found realm "NULL"
[IPASS] Adding Stripped-User-Name = "ulssve.lan@radiustest"
[IPASS] Adding Realm = "NULL"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "ulssve.lan@radiustest" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
ulssve.lan@radiustest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 72 to 172.30.100.2 port 60020
Waking up in 4.9 seconds.

Cleaning up request 2 ID 72 with timestamp +87
Ready to process requests.

#by eddy: trying to authenticate radiust...@ulssve.lan with CHAP
encryption

rad_recv: Access-Request packet from host 172.30.100.2 port 54247, id=15,
length=157
User-Name = "radiust...@ulssve.lan"
CHAP-Challenge = 0xd4ab0707d4ab0707d4ab0707d4ab0707
CHAP-Password = 0x0057dc83b55c66b3ae5f6442d8c52f2d89
NAS-IP-Address = 172.30.100.2
NAS-Identifier = "GGSN-RM5"
Called-Station-Id = "ulss12ve.tim.it"
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
Calling-Station-Id = "393666140176"
3GPP-PDP-Type = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "radiust...@ulssve.lan", looking up realm NULL
[IPASS] Found realm "NULL"
[IPASS] Adding Stripped-User-Name = "radiust...@ulssve.lan"
[IPASS] Adding Realm = "NULL"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "radiust...@ulssve.lan" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
radiust...@ulssve.lan
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 15 to 172.30.100.2 port 54247
Waking up in 4.9 seconds.
Cleaning up request 3 ID 15 with timestamp +119
Ready to process requests.