Radius Authorization against ActiveDirectory and the users file

Posted by mohrphium on Server Fault See other posts from Server Fault or by mohrphium
Published on 2012-07-02T08:27:12Z Indexed on 2012/07/02 9:17 UTC
Read the original article Hit count: 654

Filed under:
|
|

I have a problem with my freeradius server configuration. I want to be able to authenticate users against Windows ActiveDirectory (2008 R2) and the users file, because some of my co-workers are not listed in AD.

We use the freeradius server to authenticate WLAN users. (PEAP/MSCHAPv2)

AD Authentication works great, but I still have problems with the /etc/freeradius/users file

When I run freeradius -X -x I get the following:

Mon Jul  2 09:15:58 2012 : Info: ++++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 1 length 13
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: +++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: ++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP Identity
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type tls
Mon Jul  2 09:15:58 2012 : Info: [tls] Initiate
Mon Jul  2 09:15:58 2012 : Info: [tls] Start returned 1
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 199 to 192.168.61.11 port 3072
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x85469e2a854487589fb1196910cb8ae3
Mon Jul  2 09:15:58 2012 : Info: Finished request 125.
Mon Jul  2 09:15:58 2012 : Debug: Going to the next request
Mon Jul  2 09:15:58 2012 : Debug: Waking up in 2.4 seconds.

After that it repeats the login attempt and at some point tries to authenticate against ActiveDirectory with ntlm, which doesn't work since the user exists only in the users file.

Can someone help me out here?

Thanks.

PS: Hope this helps, freeradius trying to auth against AD:

Mon Jul  2 09:15:58 2012 : Info: ++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[control] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 7 length 67
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[smbpasswd] returns notfound
Mon Jul  2 09:15:58 2012 : Info: ++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] Request found, released from the list
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP/mschapv2
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type mschapv2
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] Told to do MS-CHAPv2 for testtest with NT-Password
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --username=%{mschap:User-Name:-None} -> --username=testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: %{mschap:NT-Domain} -> 
Mon Jul  2 09:15:58 2012 : Info: [mschap]   ... expanding second conditional
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --domain=%{%{mschap:NT-Domain}:-AD.CXO.NAME} -> --domain=AD.CXO.NAME
Mon Jul  2 09:15:58 2012 : Info: [mschap]  mschap2: 82
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dd441972f987d68b
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7e6c537cd5c26093789cf7831715d378e16ea3e6c5b1f579
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program output: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program: returned: 1
Mon Jul  2 09:15:58 2012 : Info: [mschap] External script failed.
Mon Jul  2 09:15:58 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns reject
Mon Jul  2 09:15:58 2012 : Info: [eap] Freeing handler
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns reject
Mon Jul  2 09:15:58 2012 : Info: Failed to authenticate the user.
Mon Jul  2 09:15:58 2012 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [testtest] (from client techap01 port 0 via TLS tunnel)

PPS: Maybe the problem is located here: In /etc/freeradius/modules/ntlm_auth I have set ntlm to:

program = "/usr/bin/ntlm_auth --request-nt-key --domain=AD.CXO.NAME --username=%{mschap:User-Name} --password=%{User-Password}"

I need this, so users can login without adding @ad.cxo.name to their usernames. But how can I tell freeradius to try both logins, [email protected] (should fail) testtest (against users file - should work)

© Server Fault or respective owner

Related posts about radius

Related posts about freeradius