[SOLVED] Re: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-11 Thread Abdessamad BARAKAT


Thanks guys, it's working fine now with version 3.2.15 of Samba.

For anyone having problems with ntlm_auth OK but no Access-Accept received
after that, use this version of Samba.

Freeradius 2.1.8
samba 3.2.5
Cisco Aironet 1240G


Johan Meiring wrote:

Abdessamad BARAKAT wrote:

I have tried version 3.3.10 and 3.4.5.

Which stable version can you recommend ?



Search the list.
You'll get lots of messages about it.
As far as I remember it needs to be 3.2 and below.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-11 Thread Alan Buxey

On 09/02/10 20:42, Trevor Jennings wrote:

Just out of curiosity, is there a reason why Samba is used in the AD
authentication?  Is that the only option for FreeRadius?

I ask because I heard that ntlm_auth was not that stable.
   


no problem with stability here - version 3.2.x - where did you read/hear
that it was not that stable?  ntlm_auth does its work thousands of times
per minute during our busy times.

you need to use ntlm_auth because you are doing challenge response
vs the AD - LDAP won't do the work.

alan


Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Abdessamad BARAKAT

Hi guys,

I need your help for a strange problem.

I want to authenticate users connected to a Cisco Aironet 1240 AG with
their AD account, and sometimes it works and sometimes not, and now it
doesn't want to work without changing something in the configuration...

The AD authentication with ntlm_auth is working fine, but just after
that, FreeRADIUS sends an Access-Challenge to the Aironet and nothing
after that, no Access-Accept or Access-Reject.

The Windows part works correctly (kinit, net join and ntlm_auth).

I use the virtual server inner-tunnel to handle the EAP/PEAP stuff, listening
on different ports (auth 1814 / acct 1815).

The Aironet and FreeRADIUS are synchronized with the same NTP server.

Freeradius 2.1.8
samba 3.3.10
Debian 3.1

You can see below the details of a full session between the Aironet and
FreeRADIUS.

Many thanks for any tips.






rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=172,
length=146
User-Name = AD_DOMAIN\\user_test_wifi
Framed-MTU = 1400
Called-Station-Id = 001c.f661.2861
Calling-Station-Id = 0018.de10.fcef
Service-Type = Login-User
Message-Authenticator = 0xed65b0ebeb73a88b8467cc86843891e8
EAP-Message = 0x0201001501424f5552424f4e5c61626172616b6174
NAS-Port-Type = Wireless-802.11
NAS-Port = 879
NAS-Port-Id = 879
NAS-IP-Address = 10.0.0.77
Tue Feb  9 19:31:31 2010 : Info: server inner-tunnel {
Tue Feb  9 19:31:31 2010 : Info: +- entering group authorize {...}
Tue Feb  9 19:31:31 2010 : Info: ++[mschap] returns noop
Tue Feb  9 19:31:31 2010 : Info: [eap] EAP packet type response id 1
length 21
Tue Feb  9 19:31:31 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Tue Feb  9 19:31:31 2010 : Info: ++[eap] returns updated
Tue Feb  9 19:31:31 2010 : Info: Found Auth-Type = EAP
Tue Feb  9 19:31:31 2010 : Info: +- entering group authenticate {...}
Tue Feb  9 19:31:31 2010 : Info: [eap] EAP Identity
Tue Feb  9 19:31:31 2010 : Info: [eap] processing type tls
Tue Feb  9 19:31:31 2010 : Info: [tls] Requiring client certificate
Tue Feb  9 19:31:31 2010 : Info: [tls] Initiate
Tue Feb  9 19:31:31 2010 : Info: [tls] Start returned 1
Tue Feb  9 19:31:31 2010 : Info: ++[eap] returns handled
Tue Feb  9 19:31:31 2010 : Info: } # server inner-tunnel
Sending Access-Challenge of id 172 to 10.0.0.77 port 1645
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0x630766f363056b37ef480b6cd7986d15
Tue Feb  9 19:31:31 2010 : Info: Finished request 0.
Tue Feb  9 19:31:31 2010 : Debug: Going to the next request
Tue Feb  9 19:31:31 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=173,
length=149
User-Name = AD_DOMAIN\\user_test_wifi
Framed-MTU = 1400
Called-Station-Id = 001c.f661.2861
Calling-Station-Id = 0018.de10.fcef
Service-Type = Login-User
Message-Authenticator = 0x412cd5decbd056652c741d532d91f91e
EAP-Message = 0x020200060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 879
NAS-Port-Id = 879
State = 0x630766f363056b37ef480b6cd7986d15
NAS-IP-Address = 10.0.0.77
Tue Feb  9 19:31:31 2010 : Info: server inner-tunnel {
Tue Feb  9 19:31:31 2010 : Info: +- entering group authorize {...}
Tue Feb  9 19:31:31 2010 : Info: ++[mschap] returns noop
Tue Feb  9 19:31:31 2010 : Info: [eap] EAP packet type response id 2
length 6
Tue Feb  9 19:31:31 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Tue Feb  9 19:31:31 2010 : Info: ++[eap] returns updated
Tue Feb  9 19:31:31 2010 : Info: Found Auth-Type = EAP
Tue Feb  9 19:31:31 2010 : Info: +- entering group authenticate {...}
Tue Feb  9 19:31:31 2010 : Info: [eap] Request found, released from the list
Tue Feb  9 19:31:31 2010 : Info: [eap] EAP NAK
Tue Feb  9 19:31:31 2010 : Info: [eap] EAP-NAK asked for EAP-Type/peap
Tue Feb  9 19:31:31 2010 : Info: [eap] processing type tls
Tue Feb  9 19:31:31 2010 : Info: [tls] Initiate
Tue Feb  9 19:31:31 2010 : Info: [tls] Start returned 1
Tue Feb  9 19:31:31 2010 : Info: ++[eap] returns handled
Tue Feb  9 19:31:31 2010 : Info: } # server inner-tunnel
Sending Access-Challenge of id 173 to 10.0.0.77 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x630766f362047f37ef480b6cd7986d15
Tue Feb  9 19:31:31 2010 : Info: Finished request 1.
Tue Feb  9 19:31:31 2010 : Debug: Going to the next request
Tue Feb  9 19:31:31 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=174,
length=223
User-Name = AD_DOMAIN\\user_test_wifi
Framed-MTU = 1400
Called-Station-Id = 001c.f661.2861
Calling-Station-Id = 0018.de10.fcef
Service-Type = Login-User
Message-Authenticator = 
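The three short EAP-Message values in the log above tell the story of the first round trip: the server first offered EAP-TLS (which is why "[tls] Requiring client certificate" appears), the supplicant answered with a Nak asking for PEAP, and the server then sent a PEAP Start. The decoder below is an added example, not part of the original post or of FreeRADIUS; it walks the RFC 3748 header and the first method byte so the hex strings from radiusd's debug output can be read directly.

```python
"""Decode EAP-Message hex values as printed by radiusd -X (added example)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Type numbers from the IANA EAP registry; only the ones relevant here.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap_message(hexstr: str) -> dict:
    """Parse Code, Identifier, Length and Type; decode the first payload
    byte for Nak (desired types) and for TLS-based methods (flag bits)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        etype = raw[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        payload = raw[5:]
        if etype == 3 and payload:
            # Nak: each payload byte is a method the peer is willing to use
            info["wants"] = [EAP_TYPES.get(b, b) for b in payload]
        elif etype in (13, 25) and payload:
            # EAP-TLS / PEAP flags byte: L = length included, M = more
            # fragments, S = start of a new TLS conversation
            flags = payload[0]
            info["flags"] = [name for bit, name in ((0x80, "L"), (0x40, "M"), (0x20, "S"))
                             if flags & bit]
    return info


if __name__ == "__main__":
    # The three 6-byte exchanges from the log, in order.
    for value in ("0x010200060d20", "0x020200060319", "0x010300061920"):
        print(value, decode_eap_message(value))
```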

Re: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Alan DeKok
Abdessamad BARAKAT wrote:
 The AD authentication with ntlm_auth is working fine, but just after
 that, FreeRADIUS sends an Access-Challenge to the Aironet and nothing
 after that, no Access-Accept or Access-Reject.

  Change Samba.  It's a bug in Samba.

  i.e. install a different version of Samba (downgrade, etc.) until it
starts working again.

  Alan DeKok.


Re: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Trevor Jennings
Just out of curiosity, is there a reason why Samba is used in the AD
authentication?  Is that the only option for FreeRadius?

I ask because I heard that ntlm_auth was not that stable.

Cheers,

 - Trevor


On Tue, Feb 9, 2010 at 3:36 PM, Alan DeKok al...@deployingradius.com wrote:
 Abdessamad BARAKAT wrote:
 The AD authentication with ntlm_auth is working fine, but just after
 that, FreeRADIUS sends an Access-Challenge to the Aironet and nothing
 after that, no Access-Accept or Access-Reject.

  Change Samba.  It's a bug in Samba.

  i.e. install a different version of Samba (downgrade, etc.) until it
 starts working again.

  Alan DeKok.




Re: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Alan DeKok
Trevor Jennings wrote:
 Just out of curiosity, is there a reason why Samba is used in the AD
 authentication?  Is that the only option for FreeRadius?

  Samba is the only option for *anyone* to do MS-CHAP authentication
against AD.

  Remember: AD isn't an LDAP server.  LDAP servers let you query for the
password.  AD doesn't let you do that.

  Alan DeKok.
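Alan DeKok's point above is what the ntlm_auth line in this thread's mschap configuration reflects: in MS-CHAPv2 the peer proves possession of the NT hash by DES-encrypting an 8-byte challenge hash with it (RFC 2759), and since AD never hands that hash out, the RADIUS server can only compute the challenge hash and pass it with the 24-byte NT-Response to the domain controller via ntlm_auth. The code below is an added example (not FreeRADIUS or Samba code) showing that server-side step with constructed challenge values; the argv it builds mirrors the ntlm_auth line quoted later in the thread.

```python
"""Server-side MS-CHAPv2 pre-processing before handing off to ntlm_auth
(added example). Only hashlib is needed; no NT hash is ever available here."""
import hashlib


def split_nt_name(user_name: str) -> tuple:
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); this is what the mschap module's
    %{mschap:NT-Domain} and %{mschap:User-Name} expansions provide."""
    domain, sep, user = user_name.partition("\\")
    return (domain, user) if sep else ("", user_name)


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA-1 over PeerChallenge || AuthenticatorChallenge
    || UserName (domain stripped), truncated to 8 bytes. This is the value
    %{mschap:Challenge} expands to for MS-CHAPv2."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user.encode("utf-8")).digest()
    return digest[:8]


def ntlm_auth_argv(user_name: str, auth_challenge: bytes, peer_challenge: bytes,
                   nt_response: bytes) -> list:
    """Build the ntlm_auth command line as the mschap config line expands it.
    --request-nt-key asks Samba to return the NT key so FreeRADIUS can derive
    the MPPE keys for the wireless session; the verification itself happens
    on the domain controller, which is the only party holding the NT hash."""
    if len(nt_response) != 24:
        raise ValueError("MS-CHAPv2 NT-Response is 24 bytes")
    domain, user = split_nt_name(user_name)
    challenge = mschapv2_challenge_hash(peer_challenge, auth_challenge, user)
    argv = ["/usr/bin/ntlm_auth", "--request-nt-key", f"--username={user}"]
    if domain:
        argv.append(f"--domain={domain}")
    argv += [f"--challenge={challenge.hex()}", f"--nt-response={nt_response.hex()}"]
    return argv


if __name__ == "__main__":
    # Constructed sample values; a real request carries them in the
    # MS-CHAP-Challenge and MS-CHAP2-Response attributes.
    print(ntlm_auth_argv("AD_DOMAIN\\user_test_wifi", bytes(range(16)),
                         bytes(range(16, 32)), bytes(24)))
```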


Re: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Abdessamad BARAKAT

I have tried version 3.3.10 and 3.4.5.

Which stable version can you recommend ?

Thanks Alan

Alan DeKok wrote:

Abdessamad BARAKAT wrote:

The AD authentication with ntlm_auth is working fine, but just after
that, FreeRADIUS sends an Access-Challenge to the Aironet and nothing
after that, no Access-Accept or Access-Reject.


  Change Samba.  It's a bug in Samba.

  i.e. install a different version of Samba (downgrade, etc.) until it
starts working again.

  Alan DeKok.





Re: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Johan Meiring

Abdessamad BARAKAT wrote:

I have tried version 3.3.10 and 3.4.5.

Which stable version can you recommend ?



Search the list.
You'll get lots of messages about it.
As far as I remember it needs to be 3.2 and below.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



RE: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Leighton Man
I have tried version 3.3.10 and 3.4.5.

Which stable version can you recommend ?


Version 3.0.35 is working for me. I went through the downgrade process quite a 
few months ago and settled on that version. It's been fine ever since.

Regards,

Leighton





PEAP with Active Directory

2005-03-02 Thread Javier Jiménez Díaz
Hi all,
I've got a freeradius 1.0.1 server running fine with OpenLDAP and now I
would like to authenticate against an Active Directory server. I can do it
with TLS, but when I try to do it with PEAP, it doesn't work. I read about it
and found out that something with ntlm_auth should be put in radiusd.conf.
On my mschap section I have:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

And my log is attached(sorry if too long).

Does anybody know what I should do? Is it possible to do what I want?
I apologize in advance if it is very simple.
Thanks for any help!






PEAP with Active Directory

2005-03-02 Thread Javier Jiménez Díaz
Sorry, the log file was not attached, here it goes.






PEAP and Active directory working

2005-01-16 Thread AJ Grinnell
Thank you all for the help on my issue. There was a problem with Samba
not connecting correctly to my PDC. I can now authenticate over 802.1x
to my AD using my username and password. The final question I have
here deals with the ntdomain hack. Radiusd.conf says not to use it,
and I can strip the realm off of realm\\username, but when doing
this, I get the error: Identity does not match username setting from
eap identity. I have also seen a patch to correct this, but it was
from a couple of years ago. Is this fixed in 1.0.1? How can I make this
work?
