Re: Issues authenticating vs 2003 AD

2005-08-19 Thread Tim P
I have read the docs; maybe I am just missing where their example was.
I see the entries commented, but not for what I need, I guess (or I
missed it).

I have reconfigured radiusd.conf again to see if I can authenticate
and am still having trouble.

Can you look at these configs and tell me where you see issues?

radiusd.conf

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    #with_ntdomain_hack = no
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}


realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}


authorize {
preprocess
#   auth_log
#   attr_filter
#   chap
mschap
#   digest
#   IPASS
suffix
#   ntdomain
#   eap
#   files
#   sql
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
}

authenticate {

Auth-Type MS-CHAP {
mschap
}
}

preacct {
    preprocess
    suffix
}



proxy.conf

realm gtdsolutions.org {
type= radius
authhost= LOCAL
accthost= LOCAL
}


realm LOCAL {
type= radius
authhost= LOCAL
accthost= LOCAL
}


users

DEFAULT Auth-Type = mschap
Fall-Through = 1


Attempted login from a Windows host via L2TP.

output of radiusd -X -A
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=169, length=90
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
CHAP-Password = 0x44ac3d380292ea549c27ecce30ec2afe9c
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm gtdsolutions.org for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm gtdsolutions.org
rlm_realm: Adding Stripped-User-Name = tporritt
rlm_realm: Proxying request from user tporritt to realm gtdsolutions.org
rlm_realm: Adding Realm = gtdsolutions.org
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Issues authenticating vs 2003 AD

2005-08-18 Thread Tim P
Ok, using these settings it seems to authenticate with radtest.
Radius.conf
ldap {
    server = domcon.company.org
    basedn = dc=company,dc=org
    filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
    password_attribute = userPassword
    identity = cn=administrator,cn=Users,dc=company,dc=org
    password = password
}

[EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
Sending Access-Request of id 201 to 127.0.0.1:1812
User-Name = user
User-Password = userpass
NAS-IP-Address = redguard.company.net
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20

And the output of radiusd -X -A shows
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tporritt
radius_xlat:  '(sAMAccountName=tporritt)'
radius_xlat:  'dc=gtdsolutions,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=gtdsolutions,dc=org, with filter
(sAMAccountName=tporritt)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tporritt authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by tporritt with password pantera
rlm_ldap: user DN: CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 1
rlm_ldap: bind as CN=Tim
Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
gtds-domcon.gtdsolutions.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tporritt authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 201 to 127.0.0.1:32770
Finished request 1


These two look to me like they authenticated the user successfully.  

I have l2tp handling authentication which puts it to pppd
In /etc/ppp/options.l2tpd  I have

# added for radius auth with radius
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
plugin radius.so


Is it possible that this will work?

I tried using ntlm_auth with no luck from pppd as it gave me 

Aug 18 10:13:56 redguard pppd[2260]: WINBIND plugin initialized.
Aug 18 10:13:56 redguard pppd[2260]: In file /etc/ppp/options.l2tpd:
unrecognized option '--helper-protocol=ntlm-server-1'

The line I had was 
# winbind auth
plugin winbind.so
ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1


Just looking for a way (and preferably an example) of the
authentication vs AD, since I don't seem to understand how to do it.  I
have looked in radius.conf and enabled the ntlm authentication, but it
seems to insist upon using chap and not mschap-v2; is there a
difference?  It still complains about the no cleartext password.

An example would be greatly appreciated!

Thanks
Tim



Re: Issues authenticating vs 2003 AD

2005-08-18 Thread Tim P
Sorry to keep asking but can you post an example (using mschap) to
authenticate from freeradius to AD using the ntlm_auth method?

On 8/18/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Tim P [EMAIL PROTECTED] wrote:
  Ok using these settings it seems to authenticate with radtest
 ...
  [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
 
   i.e. clear-text password.
 
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
 
   i.e. NO PASSWORD WAS RETURNED BY AD.
 
  rlm_ldap: bind as CN=Tim
  Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
  gtds-domcon.gtdsolutions.org:389
  rlm_ldap: waiting for bind result ...
  rlm_ldap: Bind was successful
  rlm_ldap: user tporritt authenticated succesfully
 
   i.e. You're binding to AD as the user.
 
   You are using AD as an authentication oracle.  You hand it bits of
 information, and it returns yes/no.  You are NOT using AD as a database.
 
  These two look to me like they authenticated the user successfully.
 
   Yes.  Now try MSCHAP.
 
  In /etc/ppp/options.l2tpd  I have
 ..
  Is it possible that this will work?
 
   Yes.  But you're not getting the password from AD.
 
   As I said: AD will not supply the password.  Nothing in what you've
 posted contradicts that.
 
  Just looking for a way (and preferably and example) of the
  authentication vs AD since I don't seem to understand how to do it.  I
  have looked in radius.conf and enabled the ntlm authentication but it
  seems to insist upon using chap and not mschap-v2, is there a
  difference?
 
   The client asks for CHAP, so that's what the RADIUS server sees.
 The RADIUS server DOES NOT, and CAN NOT change the authentication
 method the client uses.
 
  It still complains about the no cleartext password
 
   Because, as I've said repeatedly, AD doesn't supply the password to
 you.
 
   Alan DeKok.
 




Issues authenticating vs 2003 AD

2005-08-17 Thread Tim P
I am handing off a request from pppd to radius and am failing with a
valid user in the domain.

Here is the output of radiusd -X -A

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=39, length=72
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = ppptest
CHAP-Password = 0xa3de2596eae8f89f46e35d612d8858ac55
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = ppptest, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ppptest
radius_xlat:  '(sAMAccountName=ppptest)'
radius_xlat:  'dc=company,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to domcon.company.org:389, authentication 0
rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password
to domcon.company.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=company,dc=org, with filter
(sAMAccountName=ppptest)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ppptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by ppptest with CHAP password
  rlm_chap: Could not find clear text password for user ppptest
  modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 39 to 127.0.0.1:32769
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 39 with timestamp 4303762d
Nothing to do.  Sleeping until we see a request.

Any ideas?  Both mschap and chap are enabled in the radiusd.conf



Re: Issues authenticating vs 2003 AD

2005-08-17 Thread Tim P
Thought it was configured; I believe I have tested it positive in the
past. I want to use ntlm_auth. I had this in there and had tested it
as far as I know:

Radius.conf
ldap {
    server = domcon.company.org
    basedn = dc=company,dc=org
    filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
    password_attribute = userPassword
    identity = cn=administrator,cn=Users,dc=company,dc=org
    password = password
}



Will this not work? If not, how do I configure the ntlm?

On 8/17/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Tim P [EMAIL PROTECTED] wrote:
  I am handing off a request from pppd to radius and am failing with a
  valid user in the domain.
 
   No.
 
   The server is failing because it doesn't have a clear-text password.
 
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
 
   The LDAP module doesn't get a clear-text password from AD, so the
 server can't authenticate the user.
 
  Any ideas?  Both mschap and chap are enabled in the radiusd.conf
 
   AD won't give the server clear-text passwords.  So doing CHAP to AD
 is *impossible*.
 
   You CAN use MS-CHAP, but for that you've got to configure ntlm_auth.
 
   Remember, AD is *not* an LDAP server.  It just pretends to be one
 sometimes.
 
   Alan DeKok.
 


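The mechanism behind Alan's point, as an added illustration that is not part of the thread: a CHAP response is MD5(ident || secret || challenge) (RFC 1994; carried in RADIUS as the CHAP-Password attribute, RFC 2865), so the server must hold the cleartext secret to recompute it, whereas an LDAP bind only answers yes/no to a cleartext password, which suffices for PAP but not for CHAP. The AD stand-in, account name and secret below are constructed for the example.

```python
"""Why rlm_chap cannot work against AD while an LDAP bind (PAP) can.

RFC 1994 CHAP: response = MD5(ident || secret || challenge). In RADIUS the
CHAP-Password attribute is the 1-byte ident followed by the 16-byte response,
and the Request Authenticator is the challenge when no CHAP-Challenge is sent.
"""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed stand-in for AD: it never reveals a password, it only confirms one.
_AD_ACCOUNTS = {"ppptest": "s3cret-example"}


def ad_bind(user: str, password: str) -> bool:
    """Oracle behaviour of an LDAP simple bind: yes/no, nothing else comes back."""
    return _AD_ACCOUNTS.get(user) == password


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response for a CHAP ident, cleartext secret and challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def parse_chap_password(attr: bytes) -> tuple:
    """Split a RADIUS CHAP-Password attribute into (ident, 16-byte response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 response bytes")
    return attr[0], attr[1:]


def verify_chap(attr: bytes, challenge: bytes, cleartext: Optional[str]) -> bool:
    """What rlm_chap can do: nothing without a cleartext password to hash."""
    if cleartext is None:
        return False  # "Could not find clear text password for user ..."
    ident, response = parse_chap_password(attr)
    return hmac.compare_digest(response, chap_response(ident, cleartext, challenge))


def verify_pap(bind: Callable[[str, str], bool], user: str, password: str) -> bool:
    """What rlm_ldap does: hand the cleartext to AD and relay its answer."""
    return bind(user, password)


# Constructed request: a fixed challenge and a valid CHAP response for it.
CHALLENGE = bytes(range(16))
CHAP_ATTR = bytes([0x44]) + chap_response(0x44, "s3cret-example", CHALLENGE)
FROM_AD = None  # AD returned no password attribute, exactly as the debug log shows
# The CHAP-Password value logged in the thread parses the same way (ident 0xa3).
LOGGED_IDENT, _ = parse_chap_password(bytes.fromhex("a3de2596eae8f89f46e35d612d8858ac55"))

if __name__ == "__main__":
    print("PAP via bind oracle :", verify_pap(ad_bind, "ppptest", "s3cret-example"))
    print("CHAP with AD only   :", verify_chap(CHAP_ATTR, CHALLENGE, FROM_AD))
    print("CHAP with cleartext :", verify_chap(CHAP_ATTR, CHALLENGE, "s3cret-example"))
```

MS-CHAP sidesteps the problem because ntlm_auth lets the domain controller verify the NT-Response itself, which is again the oracle model rather than a password lookup.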


Re: Freeradius and Windows 2003 Active Directory Authentication (2)

2005-07-27 Thread Tim P
I am trying to get a l2tpns server to authenticate to freeradius that
takes its userbase from windows 2003 active directory.  Are you
saying then that there is no way for me to use ldap as my user store?

On 7/26/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Tim P [EMAIL PROTECTED] wrote:
  I am having trouble getting my radius setup to authenticate to windows
  2003 active directory.
 
   That will work only for PAP, if that's all you need.
 
  radiusd.conf   - I didn't find a system or System auth type, did I
  miss something?
 
   See the users file:
 
  users: Matched entry DEFAULT at line 152
 
   Alan DeKok.




Re: Freeradius and Windows 2003 Active Directory Authentication (2)

2005-07-27 Thread Tim P
It sounded to me like you were saying I will never get radius to
authenticate vs my ldap directory.

Anyway I fixed the problem and now authenticate.  I needed to change
that users file to use LDAP as the DEFAULT Auth-Type and it now
authenticates.  I now have to figure out a L2TPNS problem I am having
(kills my network on startup) and get that to handle auth requests
which it passes to ldap via radius.

On 7/27/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Tim P [EMAIL PROTECTED] wrote:
  I am trying to get a l2tpns server to authenticate to freeradius that
  takes it's userbase from windows 2003 active directory.  Are you
  saying then that there is no way for me to use ldap as my user store?
 
   What part of my response was unclear?
 
   Alan DeKok.




Freeradius and Windows 2003 Active Directory Authentication

2005-07-26 Thread Tim P
I am having trouble getting my radius setup to authenticate to windows
2003 active directory.

when using the following string 


  

radiusd.conf

module configuration section
ldap {
    server = gtds-domcon.gtdsolutions.org
    basedn = dc=gtdsolutions,dc=org
    filter = (sAMAccountName=%u)
    password_attribute = userPassword
    identity = cn=administrator,cn=Users,dc=gtdsolutions,dc=org
    password = pantera
}

 authorize section
ldap



Freeradius and Windows 2003 Active Directory Authentication (2)

2005-07-26 Thread Tim P
Previous post sent before I was done, here is the full post:

I am having trouble getting my radius setup to authenticate to windows
2003 active directory.

when using the following string radtest administrator password
localhost 2 radiussecret

rad_recv: Access-Request packet from host 127.0.0.1:32775, id=240, length=65
User-Name = administrator
User-Password = password
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = administrator, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for administrator
radius_xlat:  '(sAMAccountName=administrator)'
radius_xlat:  'dc=company,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 0
rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password
to domcon.company.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=company,dc=org, with filter
(sAMAccountName=administrator)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0





radiusd.conf   - I didn't find a system or System auth type, did I
miss something?

module configuration section
ldap {
    server = domcon.company.org
    basedn = dc=company,dc=org
    filter = (sAMAccountName=%u)
    password_attribute = userPassword
    identity = cn=administrator,cn=Users,dc=company,dc=org
    password = password
}

authorize section
    ldap    # this is enabled

authenticate section
    Auth-Type LDAP {
        ldap
    }
