Re: freeradius with NTLM authentication

2010-10-22 Thread Ramzi Abdallah
Thank you Phil for your reply,

> What is prompting here? How is the firewall asking the user for a
> password? Is this web intercept?

Exactly right, the firewall is prompting the user to authenticate using
its internal captive portal page.

What I am trying to achieve here is single sign-on with RADIUS
accounting using the following scenario:
our users authenticate to the Windows domain, and when they try to
access the internet they hit a firewall protected policy which
requires authentication. Now, instead of authenticating via the
firewall captive portal, I want to use NTLM to check if the user is
already authenticated on the AD and, if so, pass the authorization to
the RADIUS server for accounting.

The firewall has the option to do NTLM authentication on the protected
policy, but I am trying to fit RADIUS in as well for accounting
purposes.


Below is the debug output:

rad_recv: Access-Request packet from host 193.188.X.X port 5027,
id=40, length=126
NAS-Identifier = WAN-HA
User-Name = rsa
User-Password = **
NAS-IP-Address = 193.188.X.X
NAS-Port = 1
Called-Station-Id = 193.188.X.X
Calling-Station-Id = 192.168.1.74
Acct-Session-Id = 0fa5011f
Connect-Info = web-auth
Fortinet-Vdom-Name = root
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log]  expand: %t - Fri Oct 22 09:04:24 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 71
++[files] returns ok
[sql]   expand: %{User-Name} - rsa
[sql] sql_set_user escaped user -- 'rsa'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'rsa'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -
SELECT groupname   FROM radusergroup   WHERE username
= 'rsa'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User rsa not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=rsa
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsa/*...@] (from client vdk-f-fgwan port 1 cli 192.168.1.74)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 40 to 193.188.X.X port 5027
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 193.188.X.X port 5028,
id=41, length=98
Acct-Status-Type = Start
Acct-Session-Id = 0fa5011f
User-Name = rsa
NAS-Identifier = VDK-F-FGWAN
Framed-IP-Address = 30.48.67.87
Fortinet-Client-IP-Address = 192.168.1.74
Fortinet-Vdom-Name = root
Calling-Station-Id = 192.168.1.74
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.X.X,NAS-IP-Address
= 193.188.X.X,Acct-Session-Id = 0fa5011f,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = f774c3b998804d6a.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -
/var/log/radius/radacct/193.188.X.X/detail-20101022
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/detail-20101022
[detail]expand: %t - Fri Oct 22 09:04:24 2010
++[detail] returns ok
++[unix] returns noop
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - rsa
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: 

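The debug output above shows the whole flow this thread is about: the firewall forwards the credentials collected by its portal as a PAP Access-Request, `authorize` finds no local credential for the user (`[pap] WARNING! No known good password`) and falls through to `Auth-Type = ntlm_auth`, the exec module expands `--password=%{User-Password}` onto the ntlm_auth command line, and the Accounting-Request that follows carries no NAS-Port (hence the acct_unique and radutmp warnings). As an added example, not part of the thread and not FreeRADIUS code, here is a small Python parser that walks `radiusd -X` output of this shape, reconstructs each request's attributes, module return codes and final reply, and flags the two points a reviewer would raise: the user's cleartext password ending up in a child process's argv and in the debug log, and accounting records that cannot be correlated because NAS-Port is missing. The `SAMPLE_LOG` inside it is constructed to mirror the posted output (addresses, the password value and the session id are placeholders); unlike the pasted copy, real 2.x debug output tab-indents the attribute dump and quotes string values, so the parser accepts both forms. In the posted log the `--password=` expansion is shown blank, so the password check only fires when a value is actually present.

```python
"""Summarise FreeRADIUS 2.x `radiusd -X` output request by request. Added example
for this thread, not FreeRADIUS or the posters' code; SAMPLE_LOG is constructed to
mirror the posted debug output (addresses, password and session id are placeholders)."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 193.188.0.1 port 5027, id=40, length=126
\tUser-Name = "rsa"
\tUser-Password = "s3cret"
\tNAS-Port = 1
\tCalling-Station-Id = "192.168.1.74"
+- entering group authorize {...}
++[sql] returns notfound
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsa
[ntlm_auth] expand: --password=%{User-Password} -> --password=s3cret
++[ntlm_auth] returns ok
Sending Access-Accept of id 40 to 193.188.0.1 port 5027
rad_recv: Accounting-Request packet from host 193.188.0.1 port 5028, id=41, length=98
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0fa5011f"
\tUser-Name = "rsa"
+- entering group preacct {...}
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
++[acct_unique] returns ok
Sending Accounting-Response of id 41 to 193.188.0.1 port 5028
"""

@dataclass
class Request:
    kind: str                                              # Access-Request, Accounting-Request
    packet_id: int
    attrs: dict = field(default_factory=dict)
    module_results: list = field(default_factory=list)    # (module, rcode) in execution order
    expansions: list = field(default_factory=list)        # (module, template, expanded)
    warnings: list = field(default_factory=list)          # (module, message)
    auth_type: Optional[str] = None
    reply: Optional[str] = None

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]+) = (.*)$")    # tab-indented attribute dump
GROUP_RE = re.compile(r"^\+- entering group")             # first group ends the attribute dump
ACTIONS = (  # (pattern seen while the request is processed, how to record it)
    (re.compile(r"^\+\+\[([\w-]+)\] returns (\w+)"),
     lambda r, m: r.module_results.append(m.groups())),
    (re.compile(r"^Found Auth-Type = (\S+)"),
     lambda r, m: setattr(r, "auth_type", m.group(1))),
    (re.compile(r"^\[([\w-]+)\]\s+expand: (.*?) -+>? (.*)$"),   # "->" in 2.x, "-" in the pasted copy
     lambda r, m: r.expansions.append(m.groups())),
    (re.compile(r"^\s*\[([\w-]+)\] WARNING[:!]?\s*(.*)$"),
     lambda r, m: r.warnings.append(m.groups())),
    (re.compile(r"^Sending (\S+) of id (\d+) to"),
     lambda r, m: setattr(r, "reply", m.group(1))),
)

def parse_debug(text: str) -> list:
    """Return one Request per rad_recv packet in the debug output."""
    requests, cur, in_header = [], None, False
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = Request(kind=m.group(1), packet_id=int(m.group(2)))
            requests.append(cur)
            in_header = True
        elif cur is None:
            continue
        elif GROUP_RE.match(line):
            in_header = False
        elif in_header:
            m = ATTR_RE.match(line)
            if m:
                cur.attrs[m.group(1)] = m.group(2).strip().strip('"')
        else:
            for pattern, record in ACTIONS:
                m = pattern.match(line)
                if m:
                    record(cur, m)
                    break
    return requests

def audit(req: Request) -> list:
    """Findings a reviewer would raise for one request."""
    findings = []
    if req.kind == "Access-Request":
        if "User-Password" in req.attrs:
            findings.append("NAS sent the user's password as PAP User-Password; only the "
                            "shared-secret obfuscation protects it in transit")
        for module, template, expanded in req.expansions:
            # an exec module expanding %{User-Password} puts the secret into argv and into -X output
            if "%{User-Password}" in template and expanded.partition("=")[2]:
                findings.append(f"{module}: cleartext password expanded into its command line and the debug log")
    elif req.kind == "Accounting-Request" and "NAS-Port" not in req.attrs:
        findings.append("NAS-Port absent: acct_unique and radutmp cannot correlate this session reliably")
    return findings
```

Feed it the output of `radiusd -X` from a real run and every request comes back as a `Request` with its attributes and module return codes, so the `Found Auth-Type` decision and the exec expansion can be audited without reading the whole dump; the second finding is exactly the gap the `acct_unique` and `rlm_radutmp` warnings in the posted log point at.
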
Re: freeradius with NTLM authentication

2010-10-22 Thread Phil Mayers

On 10/22/2010 07:12 AM, Ramzi Abdallah wrote:

> Exactly right, the firewall is prompting the user to authenticate using
> its internal captive portal page.
>
> ... requires authentication. Now, instead of authenticating via the
> firewall captive portal, I want to use NTLM to check if the user is
> already authenticated on the AD and, if so, pass the authorization to
> the RADIUS server for accounting.
>
> The firewall has the option to do NTLM authentication on the protected
> policy, but I am trying to fit RADIUS in as well for accounting
> purposes.

Well, it's the HTTP server (in this case, the firewall captive portal) 
that asks/makes the client do NTLM. If you want single signon you'll 
need to enable it there. There's nothing you can do at the radius server 
to enable this.


Maybe the firewall will still do RADIUS accounting even with NTLM enabled?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius with NTLM authentication

2010-10-21 Thread Ramzi Abdallah

I have configured freeradius version 2.1.9 with MySQL backend and Active
Directory integration (NTLM) for the purpose of using it to authenticate
users against firewall protected policies.

So far it's all working. When a user hits a firewall protected policy he
is prompted to authenticate, after which the RADIUS server queries the AD
for the username and password. If the user credentials are correct, access
is granted.

The bit that I cannot figure out is how to let the RADIUS server use NTLM
to check if the user is already logged in to the domain controller and, if
so, not prompt him for his username and password via the firewall captive
portal. Is that doable, or have I missed the idea behind the Active
Directory integration?

Thank you,

Ramzi

Re: freeradius with NTLM authentication

2010-10-21 Thread Phil Mayers

On 10/21/2010 10:40 PM, Ramzi Abdallah wrote:

> I have configured freeradius version 2.1.9 with MySQL backend and Active
> Directory integration (NTLM) for the purpose of using it to authenticate
> users against firewall protected policies.
>
> So far it's all working. When a user hits a firewall protected policy he
> is prompted to authenticate, after which the RADIUS server queries the AD
> for the username and password. If the user credentials are correct, access
> is granted.


What is prompting here? How is the firewall asking the user for a 
password? Is this web intercept?


If so, then the NAS is the firewall, and when a user makes an HTTP 
request, it is asking for their credentials via some kind of HTTP auth, 
then sending them to the radius server, yes?



Also, FreeRadius can't be querying AD for the password. The LDAP 
server embedded into Active Directory will not give up the password. How 
have you got FreeRadius configured - be precise, or better yet, post the 
debug output of a successful request.

> The bit that I cannot figure out is how to let the RADIUS server use NTLM
> to check if the user is already logged in to the domain controller and, if
> so, not prompt him for his username and password via the firewall captive
> portal. Is that doable, or have I missed the idea behind the Active
> Directory integration?


I'm not sure I really understand what you want, but if I do, it's 
impossible. If you can give more details about your setup I can answer 
further, but basically the firewall is doing the prompting - the 
firewall would have to implement NTLM auth, not FreeRadius.
