[SOLVED] Re: Cisco Aironet 1240AG, PEAP and Active directory
Thanks guys, it's working fine now with version 3.2.15 of Samba. For anyone having problems where ntlm_auth is OK but no Access-Accept is received after that, use this version of Samba.

Freeradius 2.1.8
samba 3.2.5
Cisco Aironet 1240G

Johan Meiring wrote:
> Abdessamad BARAKAT wrote:
> > I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?
> Search the list. You'll get lots of messages about it. As far as I remember it needs to be 3.2 and below.
Re: Cisco Aironet 1240AG, PEAP and Active directory
On 09/02/10 20:42, Trevor Jennings wrote:
> Just out of curiosity, is there a reason why Samba is used in the AD authentication? Is that the only option for FreeRadius? I ask because I heard that ntlm_auth was not that stable.

No problem with stability here (version 3.2.x). Where did you read/hear that it was not that stable? ntlm_auth does its work thousands of times per minute during our busy times.

You need to use ntlm_auth because you are doing challenge-response against the AD; LDAP won't do the work.

alan
Cisco Aironet 1240AG, PEAP and Active directory
Hi guys,

I need your help for a strange problem. I want to authenticate users connected to a Cisco Aironet 1240 AG with their AD account, and sometimes it's working and sometimes not, and now it doesn't want to work without changing anything in the configuration...

The AD authentication with ntlm_auth is working fine, but just after that freeradius sends an Access-Challenge to the Aironet and nothing after that, no Access-Accept or Access-Reject.

The Windows part works correctly (kinit, net join and ntlm_auth). I use the virtual server inner-tunnel to handle the EAP/PEAP stuff, listening on different ports (auth 1814 / acct 1815). The Aironet and the freeradius are synchronized with the same NTP server.

Freeradius 2.1.8
samba 3.3.10
Debian 3.1

You can see below the detail of a full session between the Aironet and the freeradius. Many thanks for any tips.

rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=172, length=146
	User-Name = AD_DOMAIN\\user_test_wifi
	Framed-MTU = 1400
	Called-Station-Id = 001c.f661.2861
	Calling-Station-Id = 0018.de10.fcef
	Service-Type = Login-User
	Message-Authenticator = 0xed65b0ebeb73a88b8467cc86843891e8
	EAP-Message = 0x0201001501424f5552424f4e5c61626172616b6174
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 879
	NAS-Port-Id = 879
	NAS-IP-Address = 10.0.0.77
Tue Feb 9 19:31:31 2010 : Info: server inner-tunnel {
Tue Feb 9 19:31:31 2010 : Info: +- entering group authorize {...}
Tue Feb 9 19:31:31 2010 : Info: ++[mschap] returns noop
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP packet type response id 1 length 21
Tue Feb 9 19:31:31 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns updated
Tue Feb 9 19:31:31 2010 : Info: Found Auth-Type = EAP
Tue Feb 9 19:31:31 2010 : Info: +- entering group authenticate {...}
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP Identity
Tue Feb 9 19:31:31 2010 : Info: [eap] processing type tls
Tue Feb 9 19:31:31 2010 : Info: [tls] Requiring client certificate
Tue Feb 9 19:31:31 2010 : Info: [tls] Initiate
Tue Feb 9 19:31:31 2010 : Info: [tls] Start returned 1
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns handled
Tue Feb 9 19:31:31 2010 : Info: } # server inner-tunnel
Sending Access-Challenge of id 172 to 10.0.0.77 port 1645
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x
	State = 0x630766f363056b37ef480b6cd7986d15
Tue Feb 9 19:31:31 2010 : Info: Finished request 0.
Tue Feb 9 19:31:31 2010 : Debug: Going to the next request
Tue Feb 9 19:31:31 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=173, length=149
	User-Name = AD_DOMAIN\\user_test_wifi
	Framed-MTU = 1400
	Called-Station-Id = 001c.f661.2861
	Calling-Station-Id = 0018.de10.fcef
	Service-Type = Login-User
	Message-Authenticator = 0x412cd5decbd056652c741d532d91f91e
	EAP-Message = 0x020200060319
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 879
	NAS-Port-Id = 879
	State = 0x630766f363056b37ef480b6cd7986d15
	NAS-IP-Address = 10.0.0.77
Tue Feb 9 19:31:31 2010 : Info: server inner-tunnel {
Tue Feb 9 19:31:31 2010 : Info: +- entering group authorize {...}
Tue Feb 9 19:31:31 2010 : Info: ++[mschap] returns noop
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP packet type response id 2 length 6
Tue Feb 9 19:31:31 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns updated
Tue Feb 9 19:31:31 2010 : Info: Found Auth-Type = EAP
Tue Feb 9 19:31:31 2010 : Info: +- entering group authenticate {...}
Tue Feb 9 19:31:31 2010 : Info: [eap] Request found, released from the list
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP NAK
Tue Feb 9 19:31:31 2010 : Info: [eap] EAP-NAK asked for EAP-Type/peap
Tue Feb 9 19:31:31 2010 : Info: [eap] processing type tls
Tue Feb 9 19:31:31 2010 : Info: [tls] Initiate
Tue Feb 9 19:31:31 2010 : Info: [tls] Start returned 1
Tue Feb 9 19:31:31 2010 : Info: ++[eap] returns handled
Tue Feb 9 19:31:31 2010 : Info: } # server inner-tunnel
Sending Access-Challenge of id 173 to 10.0.0.77 port 1645
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x
	State = 0x630766f362047f37ef480b6cd7986d15
Tue Feb 9 19:31:31 2010 : Info: Finished request 1.
Tue Feb 9 19:31:31 2010 : Debug: Going to the next request
Tue Feb 9 19:31:31 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.77 port 1645, id=174, length=223
	User-Name = AD_DOMAIN\\user_test_wifi
	Framed-MTU = 1400
	Called-Station-Id = 001c.f661.2861
	Calling-Station-Id = 0018.de10.fcef
	Service-Type = Login-User
	Message-Authenticator =
Re: Cisco Aironet 1240AG, PEAP and Active directory
Abdessamad BARAKAT wrote:
> The AD authentication with ntlm_auth is working fine, but just after that freeradius sends an Access-Challenge to the Aironet and nothing after that, no Access-Accept or Access-Reject.

Change Samba. It's a bug in Samba. i.e. install a different version of Samba (downgrade, etc.) until it starts working again.

Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
Just out of curiosity, is there a reason why Samba is used in the AD authentication? Is that the only option for FreeRadius? I ask because I heard that ntlm_auth was not that stable.

Cheers,
- Trevor

On Tue, Feb 9, 2010 at 3:36 PM, Alan DeKok al...@deployingradius.com wrote:
> Abdessamad BARAKAT wrote:
> > The AD authentication with ntlm_auth is working fine, but just after that freeradius sends an Access-Challenge to the Aironet and nothing after that, no Access-Accept or Access-Reject.
> Change Samba. It's a bug in Samba. i.e. install a different version of Samba (downgrade, etc.) until it starts working again.
> Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
Trevor Jennings wrote:
> Just out of curiosity, is there a reason why Samba is used in the AD authentication? Is that the only option for FreeRadius?

Samba is the only option for *anyone* to do MS-CHAP authentication against AD.

Remember: AD isn't an LDAP server. LDAP servers let you query for the password. AD doesn't let you do that.

Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?

Thanks Alan

Alan DeKok wrote:
> Abdessamad BARAKAT wrote:
> > The AD authentication with ntlm_auth is working fine, but just after that freeradius sends an Access-Challenge to the Aironet and nothing after that, no Access-Accept or Access-Reject.
> Change Samba. It's a bug in Samba. i.e. install a different version of Samba (downgrade, etc.) until it starts working again.
> Alan DeKok.
Re: Cisco Aironet 1240AG, PEAP and Active directory
Abdessamad BARAKAT wrote:
> I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?

Search the list. You'll get lots of messages about it. As far as I remember it needs to be 3.2 and below.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
RE: Cisco Aironet 1240AG, PEAP and Active directory
> I have tried version 3.3.10 and 3.4.5. Which stable version can you recommend?

Version 3.0.35 is working for me. I went through the downgrade process quite a few months ago and settled on that version. It's been fine ever since.

Regards,
Leighton
PEAP with Active Directory
Hi all,

I've got a freeradius 1.0.1 server running fine with OpenLDAP and now I would like to authenticate against an Active Directory server. I can do it with TLS, but when I try to do it with PEAP, it doesn't work. I read about it and found out that something with ntlm_auth should be put in radiusd.conf. In my mschap section I have:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

And my log is attached (sorry if too long). Does anybody know what I should do? Is it possible to do what I want? I apologize in advance if it is very simple.

Thanks for any help!
PEAP with Active Directory
Sorry, the log file was not attached, here it goes.

> Hi all,
>
> I've got a freeradius 1.0.1 server running fine with OpenLDAP and now I would like to authenticate against an Active Directory server. I can do it with TLS, but when I try to do it with PEAP, it doesn't work. I read about it and found out that something with ntlm_auth should be put in radiusd.conf. In my mschap section I have:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> And my log is attached (sorry if too long). Does anybody know what I should do? Is it possible to do what I want? I apologize in advance if it is very simple.
>
> Thanks for any help!

(Attachment: rad.log)
PEAP and Active directory working
Thank you all for the help on my issue. There was a problem with Samba not connecting correctly to my PDC. I can now authenticate over 802.1X to my AD using my username and password.

The final question I have here deals with the ntdomain hack. radiusd.conf says not to use it, and I can strip the realm off of realm\\username, but when doing this I get the error: "Identity does not match username setting from eap identity." I have also seen a patch to correct this, but it was from a couple of years ago. Is this fixed in 1.0.1? How can I make this work?
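Two points in this thread deserve a worked illustration: Alan DeKok's remark that MS-CHAP against AD has to go through Samba because the server never gets to see the password, and the `ntlm_auth = ...` line in the "PEAP with Active Directory" post, whose `%{mschap:...}` expansions (and the domain-stripping question just above) are easy to get wrong. The script below is an added example written for this page; it is not code from FreeRADIUS or Samba. It reproduces what rlm_mschap computes before it forks ntlm_auth: splits `DOMAIN\user`, parses the 50-byte MS-CHAP2-Response attribute (RFC 2548 section 2.3.2), derives the 8-byte challenge that RFC 2759 section 8.2 calls ChallengeHash, and builds the ntlm_auth argument list. It cannot verify the NT-Response itself: that needs the NT hash of the password, which only the domain (via winbind/ntlm_auth) holds, which is exactly why Samba is in the path. Test vectors are the ones published in RFC 2759 section 9.2; the `AD_DOMAIN\user_test_wifi` identity is taken from the thread; the ntlm_auth output parser assumes the `NT_KEY: <hex>` success line that `--request-nt-key` prints, and omitting `--domain` when no domain is present is a simplification of this example, not rlm_mschap's behaviour.

```python
"""Added example (not from the mailing-list posts): what rlm_mschap hands to
ntlm_auth for a PEAP/MS-CHAPv2 inner authentication, and why it has to.

The RADIUS server never receives the password. It receives
MS-CHAP-Challenge (16 bytes) and MS-CHAP2-Response (50 bytes) and must ask
something that holds the user's NT hash to check them. Against Active
Directory that is Samba's ntlm_auth talking to winbind.
"""
import hashlib
from typing import NamedTuple, Optional, Tuple


class MSChap2Response(NamedTuple):
    ident: int
    flags: int
    peer_challenge: bytes   # 16 bytes, chosen by the client
    nt_response: bytes      # 24 bytes, DES(NTHash) over the 8-byte challenge


def split_nt_domain(identity: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, bare user); a name with no
    backslash yields (None, name). The bare name is what goes into
    ChallengeHash and into --username=; that is the 'ntdomain hack'."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return domain, user
    return None, identity


def parse_mschap2_response(attr: bytes) -> MSChap2Response:
    """Parse the MS-CHAP2-Response VSA (RFC 2548 section 2.3.2):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8, zero) Response(24)."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(attr))
    if attr[18:26] != b"\x00" * 8:
        raise ValueError("MS-CHAP2-Response reserved field must be zero")
    return MSChap2Response(attr[0], attr[1], attr[2:18], attr[26:50])


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName), where
    UserName is the bare user name without any domain prefix."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    data = peer_challenge + authenticator_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_argv(identity: str, authenticator_challenge: bytes,
                   mschap2_response_attr: bytes,
                   ntlm_auth: str = "/usr/bin/ntlm_auth") -> list:
    """Build the argv that corresponds to the thread's ntlm_auth config line.
    Simplification (this example only): --domain is omitted when the
    identity carries no domain prefix."""
    domain, user = split_nt_domain(identity)
    resp = parse_mschap2_response(mschap2_response_attr)
    challenge = challenge_hash(resp.peer_challenge, authenticator_challenge, user)
    argv = [ntlm_auth, "--request-nt-key", "--username=" + user]
    if domain is not None:
        argv.append("--domain=" + domain)
    argv.append("--challenge=" + challenge.hex())
    argv.append("--nt-response=" + resp.nt_response.hex())
    return argv


def parse_ntlm_auth_output(output: str) -> Optional[bytes]:
    """With --request-nt-key, success is a line 'NT_KEY: <32 hex chars>'
    (the key rlm_mschap needs for MPPE). Anything else, e.g. an
    NT_STATUS_... line, means the domain rejected the response."""
    for line in output.splitlines():
        if line.startswith("NT_KEY: "):
            return bytes.fromhex(line[len("NT_KEY: "):].strip())
    return None


if __name__ == "__main__":
    # Constructed inputs: challenges and NT-Response from RFC 2759 section 9.2,
    # identity from the thread. The response belongs to user "User" with
    # password "clientPass"; the domain name here is arbitrary.
    AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
    attr = bytes([1, 0]) + PEER_CHALLENGE + b"\x00" * 8 + NT_RESPONSE
    print(" ".join(ntlm_auth_argv("AD_DOMAIN\\User", AUTH_CHALLENGE, attr)))
    print(parse_ntlm_auth_output("NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)\n"))
```

The useful check when debugging a setup like the one in the thread is to take `--challenge` and `--nt-response` from a `radiusd -X` trace, re-run the same ntlm_auth command by hand as the radiusd user, and confirm you get an `NT_KEY:` line; if the hand-run command succeeds but the server still stalls after the Access-Challenge, the problem is not the credential check, which matches the Samba-version diagnosis above.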