Re: Issues authenticating vs 2003 AD
I understand you have said that repeatedly; what I am asking is where is that CHAP coming from? I am not sure if it is coming from pppd or l2tpd or my Windows client, as I have RADIUS properly configured, correct? The client is Windows XP SP2 with a VPN tunnel going to the box; IPsec works fine, l2tpd receives the auth request and hands it to pppd, which then passes it to RADIUS. On the Windows side I have set it to only use MSCHAP-v2 (also tried it with only MS-CHAP), so it would seem the Windows client is configured properly. So does my RADIUS config look correct and another piece of the chain is broken and for some reason passing auth as CHAP? I'm sorry I'm not that knowledgeable when it comes to RADIUS; this is my first time using it, please be patient, I am just trying to figure out how it works (and yes I have read the conf file but still am not 100% sure of it).

Thanks,
Tim

On 8/19/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > I have reconfigured radiusd.conf again to see if I can authenticate
> > and am still having trouble
> >
> > Can you look at these configs and tell me where you see issues?
>
> The client is doing CHAP. You have configured the MSCHAP module to
> use ntlm_auth.
>
> CHAP is not MSCHAP. CHAP will not work with AD. I've said this repeatedly.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Issues authenticating vs 2003 AD
I have read the docs; maybe I am just missing where the example was. I see the entries commented but not for what I need, I guess (or I missed it). I have reconfigured radiusd.conf again to see if I can authenticate and am still having trouble.

Can you look at these configs and tell me where you see issues?

radiusd.conf

mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        #with_ntdomain_hack = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
}

authorize {
        preprocess
#       auth_log
#       attr_filter
#       chap
        mschap
#       digest
#       IPASS
        suffix
#       ntdomain
#       eap
#       files
#       sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}

preacct {
        preprocess
        suffix
}

proxy.conf

realm gtdsolutions.org {
        type      = radius
        authhost  = LOCAL
        accthost  = LOCAL
}

realm LOCAL {
        type      = radius
        authhost  = LOCAL
        accthost  = LOCAL
}

users

DEFAULT Auth-Type = mschap
        Fall-Through = 1

Attempted login from a Windows host via L2TP; output of radiusd -X -A:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=169, length=90
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "[EMAIL PROTECTED]"
        CHAP-Password = 0x44ac3d380292ea549c27ecce30ec2afe9c
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "gtdsolutions.org" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "gtdsolutions.org"
rlm_realm: Adding Stripped-User-Name = "tporritt"
rlm_realm: Proxying request from user tporritt to realm gtdsolutions.org
rlm_realm: Adding Realm = "gtdsolutions.org"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Re: Issues authenticating vs 2003 AD
Sorry to keep asking, but can you post an example (using MSCHAP) to authenticate from FreeRADIUS to AD using the ntlm_auth method?

On 8/18/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > Ok using these settings it seems to authenticate with radtest
> ...
> > [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
>
> i.e. clear-text password.
>
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
>
> i.e. NO PASSWORD WAS RETURNED BY AD.
>
> > rlm_ldap: bind as CN=Tim
> > Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> > gtds-domcon.gtdsolutions.org:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: user tporritt authenticated succesfully
>
> i.e. You're binding to AD as the user.
>
> You are using AD as an "authentication oracle". You hand it bits of
> information, and it returns yes/no. You are NOT using AD as a database.
>
> > These two look to me like they authenticated the user successfully.
>
> Yes. Now try MSCHAP.
>
> > In /etc/ppp/options.l2tpd I have
> ..
> > Is it possible that this will work?
>
> Yes. But you're not getting the password from AD.
>
> As I said: AD will not supply the password. Nothing in what you've
> posted contradicts that.
>
> > Just looking for a way (and preferably an example) of the
> > authentication vs AD since I don't seem to understand how to do it. I
> > have looked in radius.conf and enabled the ntlm authentication but it
> > seems to insist upon using chap and not mschap-v2, is there a
> > difference?
>
> The client asks for CHAP, so that's what the RADIUS server sees.
> The RADIUS server DOES NOT, and CAN NOT change the authentication
> method the client uses.
>
> > It still complains about the "no cleartext password"
>
> Because, as I've said repeatedly, AD doesn't supply the password to
> you.
>
> Alan DeKok.
Re: Issues authenticating vs 2003 AD
Ok, using these settings it seems to authenticate with radtest:

> Radius.conf
> ldap {
>         server = "domcon.company.org"
>         basedn = "dc=company,dc=org"
>         filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>         password_attribute = "userPassword"
>         identity = "cn=administrator,cn=Users,dc=company,dc=org"
>         password = password

[EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
Sending Access-Request of id 201 to 127.0.0.1:1812
        User-Name = "user"
        User-Password = "userpass"
        NAS-IP-Address = redguard.company.net
        NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20

And the output of radius -X -A shows:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for tporritt
radius_xlat: '(sAMAccountName=tporritt)'
radius_xlat: 'dc=gtdsolutions,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=gtdsolutions,dc=org, with filter (sAMAccountName=tporritt)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tporritt authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tporritt" with password "pantera"
rlm_ldap: user DN: CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 1
rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tporritt authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 201 to 127.0.0.1:32770
Finished request 1

These two look to me like they authenticated the user successfully. I have l2tp handling authentication, which puts it to pppd. In /etc/ppp/options.l2tpd I have:

# added for radius auth with radius
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
plugin radius.so

Is it possible that this will work? I tried using ntlm_auth with no luck from pppd, as it gave me:

Aug 18 10:13:56 redguard pppd[2260]: WINBIND plugin initialized.
Aug 18 10:13:56 redguard pppd[2260]: In file /etc/ppp/options.l2tpd: unrecognized option '--helper-protocol=ntlm-server-1'

The line I had was:

# winbind auth
plugin winbind.so
ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1

Just looking for a way (and preferably an example) of the authentication vs AD, since I don't seem to understand how to do it. I have looked in radius.conf and enabled the ntlm authentication but it seems to insist upon using chap and not mschap-v2; is there a difference? It still complains about the "no cleartext password". An example would be greatly appreciated!

Thanks,
Tim
Re: Issues authenticating vs 2003 AD
Thought it was configured; I believe I have tested it positive in the past. I want to use ntlm_auth. I had this in there and had tested it as far as I know:

Radius.conf

ldap {
        server = "domcon.company.org"
        basedn = "dc=company,dc=org"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = "userPassword"
        identity = "cn=administrator,cn=Users,dc=company,dc=org"
        password = password
}

Will this not work? If not, how to config the ntlm?

On 8/17/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > I am handing off a request from pppd to radius and am failing with a
> > valid user in the domain.
>
> No.
>
> The server is failing because it doesn't have a clear-text password.
>
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
>
> The LDAP module doesn't get a clear-text password from AD, so the
> server can't authenticate the user.
>
> > Any ideas? Both mschap and chap are enabled in the radiusd.conf
>
> AD won't give the server clear-text passwords. So doing CHAP to AD
> is *impossible*.
>
> You CAN use MS-CHAP, but for that you've got to configure ntlm_auth.
>
> Remember, AD is *not* an LDAP server. It just pretends to be one
> sometimes.
>
> Alan DeKok.
Issues authenticating vs 2003 AD
I am handing off a request from pppd to RADIUS and am failing with a valid user in the domain. Here is the output of radiusd -X -A:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=39, length=72
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "ppptest"
        CHAP-Password = 0xa3de2596eae8f89f46e35d612d8858ac55
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ppptest", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ppptest
radius_xlat: '(sAMAccountName=ppptest)'
radius_xlat: 'dc=company,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to domcon.company.org:389, authentication 0
rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password to domcon.company.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=company,dc=org, with filter (sAMAccountName=ppptest)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ppptest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_chap: login attempt by "ppptest" with CHAP password
rlm_chap: Could not find clear text password for user ppptest
modcall[authenticate]: module "chap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 39 to 127.0.0.1:32769
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 39 with timestamp 4303762d
Nothing to do. Sleeping until we see a request.

Any ideas? Both mschap and chap are enabled in the radiusd.conf.
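As an added diagnostic for the traces in this thread (not code from the list or from FreeRADIUS), the helper below reads a radiusd -X trace and reports which credential the client actually sent, what Auth-Type the server settled on, and whether AD could verify that method at all without a clear-text password. The sample traces are excerpts of the output posted in the thread plus one constructed MS-CHAPv2 request; the user name in the second excerpt and all MS-CHAP values are placeholders.

```python
"""Classify a FreeRADIUS `radiusd -X` trace by the credential the NAS sent.
Constructed diagnostic helper, not FreeRADIUS code: which method did the client use?"""
import re

# Request attributes that reveal the method the NAS/client chose.
METHOD_ATTRS = {
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MS-CHAP",
    "MS-CHAP2-Response": "MS-CHAPv2",
    "User-Password": "PAP",
}
# Verifiable without a clear-text password: MS-CHAP via ntlm_auth (NT hash), PAP via user bind.
AD_VERIFIABLE = {"MS-CHAP", "MS-CHAPv2", "PAP"}
# Server-side complaints seen in the posted traces and what they mean.
SYMPTOMS = {
    "Could not find clear text password":
        "CHAP needs the clear-text password and AD never returns it",
    "No authenticate method (Auth-Type) configuration found":
        "no authorize module set Auth-Type, so authenticate never ran",
}
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=")
AUTH_TYPE_RE = re.compile(r"(?:Found Auth-Type|Auth-Type :=) ([A-Za-z0-9-]+)")

def classify(trace):
    """Return the client's method, the server's Auth-Type and fatal symptoms."""
    method, auth_type, symptoms = None, None, []
    for line in trace.splitlines():
        m = ATTR_RE.match(line)
        if m and m.group(1) in METHOD_ATTRS and method is None:
            method = METHOD_ATTRS[m.group(1)]  # first credential attribute wins
        a = AUTH_TYPE_RE.search(line)
        if a:
            auth_type = a.group(1)
        for needle, meaning in SYMPTOMS.items():
            if needle in line:
                symptoms.append(meaning)
    return {"method": method, "auth_type": auth_type,
            "symptoms": symptoms, "ad_verifiable": method in AD_VERIFIABLE}

# Excerpt of the trace posted above: pppd sent CHAP and rlm_chap rejected it.
CHAP_TRACE = """\
        User-Name = "ppptest"
        CHAP-Password = 0xa3de2596eae8f89f46e35d612d8858ac55
rlm_chap: Setting 'Auth-Type := CHAP'
rad_check_password: Found Auth-Type CHAP
rlm_chap: Could not find clear text password for user ppptest
"""
# Excerpt of the later trace (chap commented out); user name is a placeholder.
NOAUTH_TRACE = """\
        User-Name = "user@example.org"
        CHAP-Password = 0x44ac3d380292ea549c27ecce30ec2afe9c
modcall[authorize]: module "mschap" returns noop for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""
# Constructed trace of a client that really negotiated MS-CHAPv2 (made-up values).
MSCHAP_TRACE = """\
        User-Name = "user"
        MS-CHAP2-Response = 0x0100aabbccddeeff
"""
```

Running classify() over the first two traces shows the same root cause each time: the client chose CHAP, so no module configured for MS-CHAP can help, whatever ntlm_auth is set to.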
Re: Freeradius and Windows 2003 Active Directory Authentication (2)
It sounded to me like you were saying I will never get RADIUS to authenticate vs my LDAP directory. Anyway, I fixed the problem and now authenticate. I needed to change the users file to use LDAP as the DEFAULT Auth-Type, and it now authenticates. I now have to figure out an L2TPNS problem I am having (kills my network on startup) and get that to handle auth requests, which it passes to LDAP via RADIUS.

On 7/27/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > I am trying to get a l2tpns server to authenticate to freeradius that
> > takes its userbase from windows 2003 active directory. Are you
> > saying then that there is no way for me to use ldap as my user store?
>
> What part of my response was unclear?
>
> Alan DeKok.
Re: Freeradius and Windows 2003 Active Directory Authentication (2)
I am trying to get a l2tpns server to authenticate to FreeRADIUS that takes its userbase from Windows 2003 Active Directory. Are you saying then that there is no way for me to use LDAP as my user store?

On 7/26/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > I am having trouble getting my radius setup to authenticate to windows
> > 2003 active directory.
>
> That will work only for PAP, if that's all you need.
>
> > radiusd.conf - I didn't find a system or System auth type, did I
> > miss something?
>
> See the "users" file:
>
> > users: Matched entry DEFAULT at line 152
>
> Alan DeKok.
Freeradius and Windows 2003 Active Directory Authentication (2)
Previous post sent before I was done; here is the full post:

I am having trouble getting my RADIUS setup to authenticate to Windows 2003 Active Directory when using the following string:

radtest administrator "password" localhost 2 radiussecret

rad_recv: Access-Request packet from host 127.0.0.1:32775, id=240, length=65
        User-Name = "administrator"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "administrator", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for administrator
radius_xlat: '(sAMAccountName=administrator)'
radius_xlat: 'dc=company,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 0
rlm_ldap: bind as cn=administrator,cn=Users,dc=company,dc=org/password to domcon.company.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=company,dc=org, with filter (sAMAccountName=administrator)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

radiusd.conf - I didn't find a system or System auth type, did I miss something?

ldap {
        server = "domcon.company.org"
        basedn = "dc=company,dc=org"
        filter = "(sAMAccountName=%u)"
        password_attribute = "userPassword"
        identity = "cn=administrator,cn=Users,dc=company,dc=org"
        password = password
}

ldap    # this is enabled

Auth-Type LDAP {
        ldap
}
Freeradius and Windows 2003 Active Directory Authentication
I am having trouble getting my RADIUS setup to authenticate to Windows 2003 Active Directory when using the following string "

radiusd.conf

ldap {
        server = "gtds-domcon.gtdsolutions.org"
        basedn = "dc=gtdsolutions,dc=org"
        filter = "(sAMAccountName=%u)"
        password_attribute = "userPassword"
        identity = "cn=administrator,cn=Users,dc=gtdsolutions,dc=org"
        password = pantera
}

ldap