Hello Jay,
It's been a while since I last answered on the mailing list.
First, a quick question: does your LDAP support the password in clear text
or as an NT hash? (If not, you can't make it work.)
After that, what you have to do is define your LDAP configuration in
FreeRADIUS (there is no GUI for that in PacketFence) in
mods-available/ldap.
(https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Installation_Guide.asciidoc#eap-authentication-against-openldap).
And don't forget to add (it disables the call to ntlm_auth):
update control {
MS-CHAP-Use-NTLM-Auth := No
}
In fact, something like this:
Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in
the authorize section:
authorize {
suffix
ntdomain
eap {
ok = return
}
files
openldap
update control {
MS-CHAP-Use-NTLM-Auth := No
}
}
Restart radius and run it in debug mode to see exactly what happens
(raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000).
Hope it helps.
Regards
Fabrice
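A preflight script for the setup described in the reply above, added here as an example (it is not PacketFence's or FreeRADIUS's own tooling). It checks that mods-enabled/ldap exists (a missing symlink is exactly what produces the 'Failed to find "ldap" as a module or policy' error quoted in the original mail), reads the instance name from the ldap module block so the site file is checked for the right name (openldap above, ldap in the first attempt), confirms the authorize section of sites-enabled/packetfence-tunnel calls that instance, and confirms MS-CHAP-Use-NTLM-Auth := No is set. The function names, the fixture tree and the server name ldap.example.test are constructed for the demo; on a real box run preflight against /usr/local/pf/raddb.

```shell
#!/bin/sh
# Added example, not PacketFence's or FreeRADIUS's own tooling: preflight
# checks for MS-CHAPv2 against LDAP with ntlm_auth switched off, as set up in
# the reply above. Function names, the fixture tree and the server name
# ldap.example.test are constructed for this demo.

# Instance name declared in the ldap module file: "ldap {" declares an
# instance called "ldap", "ldap openldap {" one called "openldap". The site
# file has to call the instance, not the module type.
ldap_instance_name() {
    line=$(grep -E '^[[:space:]]*ldap([[:space:]]+[A-Za-z0-9_]+)?[[:space:]]*\{' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    name=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*ldap[[:space:]]*([A-Za-z0-9_]*)[[:space:]]*\{.*/\1/')
    printf '%s\n' "${name:-ldap}"
}

# A missing mods-enabled/ldap is exactly what produces
# 'Failed to find "ldap" as a module or policy' at radiusd start.
ldap_module_enabled() { [ -e "$1/mods-enabled/ldap" ]; }

# Does the site file call the instance by name on a line of its own?
site_calls_instance() { grep -Eq "^[[:space:]]*$2[[:space:]]*$" "$1"; }

# With MS-CHAP-Use-NTLM-Auth := No, rlm_mschap verifies the MS-CHAPv2
# response itself from the password the ldap module fetched, instead of
# calling ntlm_auth (which needs a domain join).
ntlm_auth_disabled() {
    grep -Eq '^[[:space:]]*&?MS-CHAP-Use-NTLM-Auth[[:space:]]*:=[[:space:]]*No' "$1"
}

# Run all checks against a raddb directory; returns non-zero on any failure.
preflight() {
    raddb=$1; site="$raddb/sites-enabled/packetfence-tunnel"; rc=0
    if ldap_module_enabled "$raddb"; then
        if inst=$(ldap_instance_name "$raddb/mods-enabled/ldap"); then
            if site_calls_instance "$site" "$inst"; then
                echo "ok: authorize calls ldap instance '$inst'"
            else
                echo "FAIL: $site never calls ldap instance '$inst'"; rc=1
            fi
        else
            echo "FAIL: no 'ldap ... {' block in $raddb/mods-enabled/ldap"; rc=1
        fi
    else
        echo "FAIL: $raddb/mods-enabled/ldap is missing (symlink it from mods-available/ldap)"; rc=1
    fi
    if ntlm_auth_disabled "$site"; then
        echo "ok: MS-CHAP-Use-NTLM-Auth := No is set"
    else
        echo "FAIL: MS-CHAP-Use-NTLM-Auth := No not set; mschap will still call ntlm_auth"; rc=1
    fi
    return $rc
}

# Constructed fixture: a minimal raddb tree, either in the state the original
# mail describes (module not enabled) or with the changes the reply asks for.
make_fixture() {
    dir=$1; state=$2
    mkdir -p "$dir/mods-available" "$dir/mods-enabled" "$dir/sites-enabled"
    cat > "$dir/mods-available/ldap" <<'EOF'
ldap openldap {
    server = "ldap.example.test"
}
EOF
    if [ "$state" = fixed ]; then
        ln -sf ../mods-available/ldap "$dir/mods-enabled/ldap"
        cat > "$dir/sites-enabled/packetfence-tunnel" <<'EOF'
authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    openldap
    update control {
        MS-CHAP-Use-NTLM-Auth := No
    }
}
EOF
    else
        cat > "$dir/sites-enabled/packetfence-tunnel" <<'EOF'
authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    ldap
    if (ok) {
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
    }
}
EOF
    fi
}

# Demo on the constructed fixtures; on a real box run: preflight /usr/local/pf/raddb
demo=$(mktemp -d)
make_fixture "$demo/broken" broken
make_fixture "$demo/fixed" fixed
echo "--- broken ---"; preflight "$demo/broken" || true
echo "--- fixed ---";  preflight "$demo/fixed" || true
rm -rf "$demo"
```

The broken fixture reproduces the start-up failure from the original mail (module referenced but not enabled); the fixed one passes every check. Run it before restarting radiusd so the raddebug session is spent on the actual LDAP exchange rather than on a parse error.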
On 2018-10-02 at 07:37, Jay Hauss via PacketFence-users wrote:
Hello,
I've been trying to test PacketFence on our corporate network, but I
keep running into roadblocks. I've tried to follow the PacketFence
installation guide but am not able to do so because *we do not use
Microsoft Active Directory*. The installation documentation guide is
good but unfortunately written sequentially -- it presupposes you
have access to an AD environment, and in order to do the steps in later
chapters (say, Chapter 11), you had to have set up everything
successfully in Chapter 4/5....
Our corporate environment contains little to no Microsoft products
(only supporting the odd legacy workstation or laptop). Everything
else is macOS, Linux or BSD.
All we're looking to do is simply have the Radius server set the VLAN
on the port based on authentication. If you authenticate, you get
network access. Otherwise, nothing. The most basic and simple use case
of this software (which is why I'm sure the install guide starts there).
I am using the following setup:
-PacketFence 8.1 installed on CentOS 7.5 (IP: 10.111.111.1)
-Cisco 2960X 48 port switch (IP: 10.111.111.2)
-Test LDAP server (OpenDJ 2.5.2) which has been configured the same as
our corporate LDAP server.
I managed to get everything installed nicely but run into issues at
section 5.2 (Titled: Connecting PacketFence to a Microsoft Active
Directory). Having no AD, I couldn't complete step 5.2 in its entirety
(I have no Domain to define or REALM to join) but instead went to
Authentication Sources and added my internal LDAP server. I receive
the "Sucess !" message when trying the test button. I then configured
the switch as in sections 5.3, 5.4 and 5.5. I even got out a Windows
10 Laptop to do step 5.6. However, it has never worked. I can never
move beyond step 5.7.
Symptoms:
When I connect the ethernet cable to the laptop, I am immediately
prompted for a Username/Password which I provide. However it says
"Authentication Failed".
I've captured the output from the Radius debug using the following
command run as root (Section 12.3): raddebug -t 300 -f
/usr/local/pf/var/run/radiusd.sock
##### raddebug #####
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Creating challenge hash
with username: testuser
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Client is using MS-CHAPv2
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Executing:
/usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}:
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: --> --username=testuser
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: Creating challenge hash
with username: testuser
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: EXPAND
--challenge=%{mschap:Challenge:-00}
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: -->
--challenge=8881e30a07b259b3
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: EXPAND
--nt-response=%{mschap:NT-Response:-00}
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: -->
--nt-response=10a441d370fdb1c7723ca301f3885e45ca2bcd6ca6f61dd9
(13) Mon Oct 1 12:06:01 2018: ERROR: mschap: Program returned code
(1) and output 'Reading winbind reply failed! (0xc0000001)'
(13) Mon Oct 1 12:06:01 2018: Debug: mschap: External script failed
(13) Mon Oct 1 12:06:01 2018: ERROR: mschap: External script says:
Reading winbind reply failed! (0xc0000001)
(13) Mon Oct 1 12:06:01 2018: ERROR: mschap: MS-CHAP2-Response is
incorrect
(13) Mon Oct 1 12:06:01 2018: Debug: [mschap] = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # else = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # else = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # policy
packetfence-mschap-authenticate = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # else = reject
(13) Mon Oct 1 12:06:01 2018: Debug: } # Auth-Type MS-CHAP = reject
(13) Mon Oct 1 12:06:01 2018: Debug: eap: Sending EAP Failure (code
4) ID 8 length 4
##################
Or example of the issue from radius.log
#### radius.log ####
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Closing
connection (0): Hit idle_timeout, was idle for 96 seconds
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Closing
connection (1): Hit idle_timeout, was idle for 96 seconds
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Opening
additional connection (2), 1 of 64 pending slots used
Oct 1 13:55:43 packetfence8-1 auth[35178]: Need 2 more connections to
reach min connections (3)
Oct 1 13:55:43 packetfence8-1 auth[35178]: rlm_sql (sql): Opening
additional connection (3), 1 of 63 pending slots used
Oct 1 13:55:43 packetfence8-1 auth[35178]: (13) mschap: ERROR:
Program returned code (1) and output 'Reading winbind reply failed!
(0xc0000001)'
Oct 1 13:55:43 packetfence8-1 auth[35178]: (13) Login incorrect
(mschap: Program returned code (1) and output 'Reading winbind reply
failed! (0xc0000001)'): [testuser] (from client 10.111.111.2 port
50121 cli a0:ce:c8:09:9a:b4 via TLS tunnel)
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: This
means you need to read the PREVIOUS messages in the debug output
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: to find
out the reason why the user was rejected
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: Look for
"reject" or "fail". Those earlier messages will tell you
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) eap_peap: what went
wrong, and how to fix the problem
Oct 1 13:55:43 packetfence8-1 auth[35178]: (14) Login incorrect
(eap_peap: The users session was previously rejected: returning reject
(again.)): [testuser] (from client 10.111.111.2 port 50121 cli
a0:ce:c8:09:9a:b4)
Oct 1 13:55:43 packetfence8-1 auth[35178]: [mac:a0:ce:c8:09:9a:b4]
Rejected user: testuser
###############
I've seen the "windbind reply fail previously" posted on the message
board here but for a different use case:
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg15094.html
I tried adding the required portions to packetfence-tunnel template file:
##########
# The ldap module reads passwords from the LDAP database.
ldap
if (ok) {
update control {
&MS-CHAP-Use-NTLM-Auth := No
}
}
##########
But now my Radius server won't start up. It's saying there's no LDAP
module installed. Here is the output from 'journalctl -xe':
##########
Oct 01 14:56:41 packetfence8-1.testdomain.local radiusd[43004]:
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel[122]: Failed to
find "ldap" as a module or policy.
Oct 01 14:56:41 packetfence8-1.testdomain.local radiusd[43004]:
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel[122]: Please
verify that the configuration exists in
/usr/local/pf/raddb/mods-enabled/ldap.
Oct 01 14:56:41 packetfence8-1.testdomain.local radiusd[43004]:
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel[25]: Errors
parsing authorize section.
##########
I don't want to start hacking around with the Freeradius instance in
PacketFence blindly. I don't know Freeradius (and was hoping
PacketFence would buffer me from having to hack together config files)
but it appears this is where my issues are.
So! Could anybody recommend a way to move forward ?
I don't want to believe that PacketFence has AD as a requirement for
usage, but it seems like every guide or tutorial about Packetfence
involves it. Every error code or issue I look up has something to do
with AD. It even appears to be an integral part of the PacketFence GUI.
I hope in the future the developers will take into consideration
that not everybody uses Microsoft products.
-J
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users