Re: [PacketFence-users] packetfence freeipa (ldap) mschapv2 not working
The answer is in the packetfence.log file. Paste it when you connect.

On Mon, 31 Oct 2022 at 18:23, Alexander wrote:

> Thank you very much! I achieved what was described by changing the base config. I get [mschap] = ok. But I am now getting a different error! Could you see the file attachment?
>
> (0) mschap: Found NT-Password
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: adding MS-CHAPv1 MPPE keys
> (0) [mschap] = ok
> ...
> (0) rest: Expanding URI components
> (0) rest: EXPAND http://containers-gateway.internal:7070
> (0) rest: --> http://containers-gateway.internal:7070
> (0) rest: EXPAND //radius/rest/authorize
> (0) rest: --> //radius/rest/authorize
> (0) rest: Sending HTTP POST to "http://containers-gateway.internal:7070//radius/rest/authorize"
> (0) rest: Encoding attribute "User-Name"
> (0) rest: Encoding attribute "NAS-IP-Address"
> (0) rest: Encoding attribute "NAS-Port"
> (0) rest: Encoding attribute "Event-Timestamp"
> (0) rest: Encoding attribute "Message-Authenticator"
> (0) rest: Encoding attribute "MS-CHAP-Response"
> (0) rest: Encoding attribute "MS-CHAP-Challenge"
> (0) rest: Encoding attribute "Stripped-User-Name"
> (0) rest: Encoding attribute "Realm"
> (0) rest: Encoding attribute "Module-Failure-Message"
> (0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
> (0) rest: Encoding attribute "PacketFence-UserNameAttribute"
> (0) rest: Encoding attribute "PacketFence-KeyBalanced"
> (0) rest: Encoding attribute "PacketFence-Radius-Ip"
> (0) rest: Encoding attribute "PacketFence-NTLMv2-Only"
> (0) rest: Processing response header
> (0) rest: Status : 401 (Unauthorized)
> (0) rest: Type : json (application/json)
> (0) rest: Adding reply:REST-HTTP-Status-Code = "401"
> (0) rest: ERROR: Server returned:
> (0) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow"}
> rlm_rest (rest): Released connection (0)
> ...
Re: [PacketFence-users] packetfence freeipa (ldap) mschapv2 not working
Thank you very much! I achieved what was described by changing the base config. I get [mschap] = ok. But I am now getting a different error! Could you see the file attachment?

(0) mschap: Found NT-Password
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: adding MS-CHAPv1 MPPE keys
(0) [mschap] = ok
...
(0) rest: Expanding URI components
(0) rest: EXPAND http://containers-gateway.internal:7070
(0) rest: --> http://containers-gateway.internal:7070
(0) rest: EXPAND //radius/rest/authorize
(0) rest: --> //radius/rest/authorize
(0) rest: Sending HTTP POST to "http://containers-gateway.internal:7070//radius/rest/authorize"
(0) rest: Encoding attribute "User-Name"
(0) rest: Encoding attribute "NAS-IP-Address"
(0) rest: Encoding attribute "NAS-Port"
(0) rest: Encoding attribute "Event-Timestamp"
(0) rest: Encoding attribute "Message-Authenticator"
(0) rest: Encoding attribute "MS-CHAP-Response"
(0) rest: Encoding attribute "MS-CHAP-Challenge"
(0) rest: Encoding attribute "Stripped-User-Name"
(0) rest: Encoding attribute "Realm"
(0) rest: Encoding attribute "Module-Failure-Message"
(0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
(0) rest: Encoding attribute "PacketFence-UserNameAttribute"
(0) rest: Encoding attribute "PacketFence-KeyBalanced"
(0) rest: Encoding attribute "PacketFence-Radius-Ip"
(0) rest: Encoding attribute "PacketFence-NTLMv2-Only"
(0) rest: Processing response header
(0) rest: Status : 401 (Unauthorized)
(0) rest: Type : json (application/json)
(0) rest: Adding reply:REST-HTTP-Status-Code = "401"
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow"}
rlm_rest (rest): Released connection (0)
...

On Mon, 31 Oct 2022 at 22:37, Fabrice Durand wrote:

> Hello Alexander,
>
> The difference is in the default radius config: it calls the ldap module in the authorize section.
>
> You can follow this logic in https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute (it's based on freeradius 2 but the logic is there)
>
> ```
> authorize {
>     suffix
>     ntdomain
>
>     ldap
>     if (ok) {
>         update control {
>             MS-CHAP-Use-NTLM-Auth := No
>         }
>     }
> }
> ```
>
> Regards
>
> Fabrice

Attachment: logs.rtf (RTF file)
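Both failures in this thread are visible in the FreeRADIUS debug trace once the right lines are picked out: the first attempt ends in an Access-Reject whose MS-CHAP-Error carries E=691, the second gets `[mschap] = ok` and then an HTTP 401 from rlm_rest. The following is an added example, not code from the thread or from PacketFence: a small Python triage script that walks FreeRADIUS 3 debug output (the `-fxx -l stdout` run described above, or `radiusd -X`) and collects, per request number, each module's return code, the HTTP status and JSON body rlm_rest logged, and any MS-CHAP-Error in the reply, decoding the error number with the names from RFC 2759 section 6. The sample lines are constructed from the ones quoted in the thread plus one constructed `[ldap] = notfound` line; the function names and the `RequestDiag` structure are this example's own.

```python
"""Triage helper for FreeRADIUS 3 debug output (added example, not PacketFence code)."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "(N) module: message" prefix that FreeRADIUS 3 puts on per-request debug lines
LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
# "(N)   [module] = rcode": the return code of a module called from a section
MODULE_RC_RE = re.compile(r"^\[(\w+)\]\s*=\s*(\w+)$")
# "(N) rest: Status : 401 (Unauthorized)"
REST_STATUS_RE = re.compile(r"^rest:\s*Status\s*:\s*(\d{3})")
# "(N) rest: ERROR: {...}": rlm_rest echoing the body of a non-2xx response
REST_BODY_RE = re.compile(r"^rest:\s*ERROR:\s*(\{.*\})\s*$")
# MS-CHAP-Error = "\000E=691 R=0 C=... V=2"; the leading octet is the Ident byte
MSCHAP_ERR_RE = re.compile(r'MS-CHAP-Error\s*=\s*"(?:\\\d{3})?E=(\d+)\s+R=([01])')

# Error numbers defined in RFC 2759, section 6 (Failure packet)
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
# Module return codes that do not by themselves explain a reject
BENIGN_RCODES = {"ok", "updated", "noop", "handled"}


@dataclass
class RequestDiag:
    """Findings for one request number (or for radtest's own reply dump)."""
    modules: Dict[str, str] = field(default_factory=dict)  # module -> last rcode seen
    rest_status: Optional[int] = None
    rest_body: Optional[dict] = None
    mschap_error: Optional[Tuple[int, str, bool]] = None  # (code, name, retry_allowed)


def parse_mschap_error(text: str) -> Optional[Tuple[int, str, bool]]:
    """Decode E=<code> and R=<retry> from an MS-CHAP-Error attribute, if present."""
    m = MSCHAP_ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1))
    return code, MSCHAP_ERRORS.get(code, "UNKNOWN"), m.group(2) == "1"


def diagnose(lines: List[str]) -> Tuple[Dict[int, RequestDiag], RequestDiag]:
    """Walk debug lines; return per-request findings plus a bucket for client-side lines."""
    per_request: Dict[int, RequestDiag] = {}
    client_reply = RequestDiag()
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            # radtest prints the decoded Access-Reject without a "(N)" prefix
            err = parse_mschap_error(line)
            if err:
                client_reply.mschap_error = err
            continue
        req, rest = int(m.group(1)), m.group(2).strip()
        d = per_request.setdefault(req, RequestDiag())
        if mm := MODULE_RC_RE.match(rest):
            d.modules[mm.group(1)] = mm.group(2)
        elif mm := REST_STATUS_RE.match(rest):
            d.rest_status = int(mm.group(1))
        elif mm := REST_BODY_RE.match(rest):
            try:
                d.rest_body = json.loads(mm.group(1))
            except json.JSONDecodeError:
                d.rest_body = None
        elif err := parse_mschap_error(rest):
            d.mschap_error = err
    return per_request, client_reply


def _fmt_mschap(err: Tuple[int, str, bool]) -> str:
    code, name, retry = err
    return f"MS-CHAP-Error E={code} ({name}), retry {'allowed' if retry else 'not allowed'}"


def findings(per_request: Dict[int, RequestDiag], client_reply: RequestDiag) -> List[str]:
    """One line per thing worth looking at, in request order."""
    out: List[str] = []
    for req, d in sorted(per_request.items()):
        for mod, rc in d.modules.items():
            if rc not in BENIGN_RCODES:
                out.append(f"({req}) module {mod} returned {rc}")
        if d.rest_status is not None and not 200 <= d.rest_status < 300:
            out.append(f"({req}) rlm_rest got HTTP {d.rest_status}, body {d.rest_body!r}")
        if d.mschap_error:
            out.append(f"({req}) {_fmt_mschap(d.mschap_error)}")
    if client_reply.mschap_error:
        out.append("reply carried " + _fmt_mschap(client_reply.mschap_error))
    return out


# Constructed sample: lines as quoted in the thread, one per string, plus one
# constructed "[ldap] = notfound" line to show how a failing module is reported.
SAMPLE_LINES = [
    "(0) mschap: Found NT-Password",
    "(0) mschap: Client is using MS-CHAPv1 with NT-Password",
    "(0)     [mschap] = ok",
    "(0) rest: Processing response header",
    "(0) rest: Status : 401 (Unauthorized)",
    "(0) rest: Type : json (application/json)",
    '(0) rest: Adding reply:REST-HTTP-Status-Code = "401"',
    "(0) rest: ERROR: Server returned:",
    '(0) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow"}',
    "(1)     [ldap] = notfound",  # constructed, not from the thread
    "Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:56955 length 61",
    r'    MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"',
    "(0) -: Expected Access-Accept got Access-Reject",
]

if __name__ == "__main__":
    for line in findings(*diagnose(SAMPLE_LINES)):
        print(line)
```

Run it against a saved trace with `findings(*diagnose(open("trace.log").read().splitlines()))`. The 2xx check in `findings` encodes the point the second trace above illustrates: rlm_rest derives its return code from the HTTP status, so a 401 is reported as the problem even when the JSON body it carries says "allow", and the body is shown only so that the reader can see what the REST side actually answered.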
Re: [PacketFence-users] packetfence freeipa (ldap) mschapv2 not working
Hello Alexander,

The difference is in the default radius config: it calls the ldap module in the authorize section.

You can follow this logic in https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute (it's based on freeradius 2 but the logic is there)

```
authorize {
    suffix
    ntdomain

    ldap
    if (ok) {
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
}
```

Regards

Fabrice

On Mon, 31 Oct 2022 at 13:25, Alexander via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello friends! I need help
>
> I am testing a locally installed freeradius configuration to work with freeipa (ldap) on nthash via mschap-v2
>
> What I did for this:
>
> 1) yum install freeradius-ldap
> 2) ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
> 3) change /etc/raddb/mods-available/ldap
>
> server = 'server.dmosk.local'
> identity = 'uid=services,cn=users,cn=accounts,dc=test,dc=com'
> password = my_password
> base_dn = 'cn=users,cn=accounts,dc=test,dc=com'
> update {
> ...
> control:NT-Password := 'ipaNTHash'
> ...
>
> 4) change /etc/raddb/mods-available/eap
> ...
> default_eap_type = mschapv2
> ...
> 5) reload freeradius
> 6) TESTING:
> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
>
> and get Received Access-ACCEPT
>
> Question:
> Can anyone tell me how to set up this configuration on packetfence?
> I tried to do this, but it didn't work for me:
> 1. Create authentication source - LDAP - define server, identity, password, base_dn, Username Attribute. And checked through the test button
> 2. add update control:NT-Password := 'ipaNTHash' to file /usr/local/pf/raddb/mods-enabled/ldap_packetfence
> 3. change default_eap_type = mschapv2 in /usr/local/pf/raddb/mods-enabled/eap
> 4. add to Standard Connection Profile sources ldap
> 5. tried adding default and null in tab stripping to Realms - ldap source
> 6. TESTING:
> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
> and get:
>
> Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:56955 length 61
> MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"
> (0) -: Expected Access-Accept got Access-Reject
>
> I do not understand what the problem is. I also attached the logs of freeradius running in debug mode (/usr/sbin/freeradius -d /usr/local/pf/raddb -n auth -fxx -l stdout). See attachment. Please help me

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users