Re: [strongSwan] IPSEC vpn(strongswan) + users in AD

2021-02-26 Thread Noel Kuntze

Hello Gregory,

Your log already gives the clues.

(15) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(15) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(15) mschap: Creating challenge hash with username: testuser
(15) mschap: Client is using MS-CHAPv2
(15) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication


(EAP-)MSCHAPv2 is a Challenge-Response protocol that requires either plaintext passwords or (AFAIR) MD4 hashed passwords like in the AD. The RADIUS server needs to be able to retrieve either the password, or the hashes, or delegate authentication to a party that has access to that information.

Kind regards

Noel

On 26.02.21 at 19:39, Gregory Edigarov wrote:
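As an added example (not code from this thread or from FreeRADIUS), this makes Noel's point concrete: the NT-Password that rlm_mschap reports it cannot create is MD4 over the UTF-16LE password, and the "challenge hash" in the log is SHA-1 over peer challenge, authenticator challenge and user name (RFC 2759); without the cleartext or that MD4 hash the server has nothing to key the DES response check with, so it fails exactly as logged. The MD4 is written out because hashlib's md4 needs OpenSSL's legacy provider; the password, the challenges and the known_good dictionary are constructed, and the final DES step over the challenge hash is left out.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    # RFC 1320 MD4; hand-written because hashlib's md4 needs OpenSSL's legacy provider.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a, b, c, d = d, _rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rol((a + (b ^ c ^ d) + x[k3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_password(cleartext: str) -> bytes:
    # What rlm_mschap derives from Cleartext-Password when it has one: MD4 over UTF-16LE.
    return md4(cleartext.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 ChallengeHash(): first 8 bytes of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

def nt_hash_for_verification(known_good: dict):
    # Mirrors the decision visible in the log: the server can check the MS-CHAPv2 response
    # only if it holds the cleartext (to derive NT-Password) or the NT hash itself.
    if "Cleartext-Password" in known_good:
        return nt_password(known_good["Cleartext-Password"])
    if "NT-Password" in known_good:
        return bytes.fromhex(known_good["NT-Password"])
    return None  # -> "No NT/LM-Password.  Cannot perform authentication"

# Constructed sample data; only the user name "testuser" comes from the thread.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
print("challenge hash:", challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "testuser").hex())
print("with cleartext:", nt_hash_for_verification({"Cleartext-Password": "password"}).hex())
print("LDAP lookup only:", nt_hash_for_verification({"sAMAccountName": "testuser"}))
```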

Re: [strongSwan] IPSEC vpn(strongswan) + users in AD

2021-02-26 Thread Michael Schwartzkopff
On 26.02.21 19:39, Gregory Edigarov wrote:

[strongSwan] IPSEC vpn(strongswan) + users in AD

2021-02-26 Thread Gregory Edigarov
Good day,

some clues wanted.

strongswan -> freeradius -> AD

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@mailtest.go-lamp.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

freeradius - I could show config, but I need to do a cleanup first.

AD is out of my control

Radius request is shown below:
(15) Received Access-Request Id 95 from 127.0.0.1:42093 to 127.0.0.1:1812 length 227
(15)   User-Name = "testuser"
(15)   NAS-Port-Type = Virtual
(15)   Service-Type = Framed-User
(15)   NAS-Port = 10
(15)   NAS-Port-Id = "ikev2-vpn"
(15)   NAS-IP-Address = 185.78.235.225
(15)   Called-Station-Id = "185.78.235.225[4500]"
(15)   Calling-Station-Id = "82.117.245.149[53824]"
(15)   EAP-Message = 0x020200431a0202003e31e2af5f308985e5021868674940c015e4e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d006564696761726f76
(15)   NAS-Identifier = "strongSwan"
(15)   State = 0xb601b33cb703a9c425336eef8323aee1
(15)   Message-Authenticator = 0x39a3a2b21bdd858e031ee2064b307a51
(15) session-state: No cached attributes
(15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15)   authorize {
(15) policy filter_username {
(15)   if (&User-Name) {
(15)   if (&User-Name)  -> TRUE
(15)   if (&User-Name)  {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /)  -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ )  -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(15) if (&User-Name =~ /\.$/)  {
(15) if (&User-Name =~ /\.$/)   -> FALSE
(15) if (&User-Name =~ /@\./)  {
(15) if (&User-Name =~ /@\./)   -> FALSE
(15)   } # if (&User-Name)  = notfound
(15) } # policy filter_username = notfound
(15) policy filter_password {
(15)   if (&User-Password &&   (&User-Password != "%{string:User-Password}")) {
(15)   if (&User-Password &&   (&User-Password != "%{string:User-Password}"))  -> FALSE
(15) } # policy filter_password = notfound
(15) [preprocess] = ok
(15) [mschap] = noop
(15) eap: Peer sent EAP Response (code 2) ID 2 length 67
(15) eap: No EAP Start, assuming it's an on-going EAP conversation
(15) [eap] = updated
(15) files: users: Matched entry DEFAULT at line 152
(15) [files] = ok
rlm_ldap (ldap): Reserved connection (16)
(15) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(15) ldap:    --> (samaccountname=testuser)
(15) ldap: Performing search in "dc=office,dc=local" with filter "(samaccountname=testuser)", scope "sub"
(15) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.office.local/DC=ForestDnsZones,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.office.local/DC=DomainDnsZones,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://office.local/CN=Configuration,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(15) ldap: User object found at DN "CN=Some Name,OU=Network & Technical support,DC=office,DC=local"
(15) ldap: Processing user attributes
(15) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(15) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (16) - Was referred to a different LDAP server
(15) [ldap] = ok
(15) [expiration] = noop
(15) [logintime] = noop
(15)   } # authorize = updated
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15)   authenticate {
(15) eap: Expiring EAP session with state 0xb601b33cb703a9c4
(15) eap: Finished EAP session with state 0xb601b33cb703a9c4
(15) eap: Previous EAP request found for state 0xb601b33cb703a9c4, released from the list
(15) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(15) eap: Calling submodule eap_mschapv2 to process data
(15) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) eap_mschapv2:   authenticate {
(15) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(15) mschap: WARNING: No Cleartext-Password configured.