Re: [strongSwan] IPSEC vpn(strongswan) + users in AD
Hello Gregory,

Your log already gives the clues.

(15)     mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(15)     mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(15)     mschap: Creating challenge hash with username: testuser
(15)     mschap: Client is using MS-CHAPv2
(15)     mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication

(EAP-)MSCHAPv2 is a Challenge-Response protocol that requires either plaintext passwords or (AFAIR) MD4 hashed passwords like in the AD. The RADIUS server needs to be able to retrieve either the password, or the hashes, or delegate authentication to a party that has access to that information.

Kind regards
Noel

On 26.02.21 at 19:39, Gregory Edigarov wrote:
> Good day,
>
> some clues wanted.
>
> strongswan -> freeradius -> AD
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@mailtest.go-lamp.com
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-radius
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>
> freeradius - I could show config, but I need to do a cleanup first.
>
> AD is out of my control
>
> Radius request is shown below:
> (15) Received Access-Request Id 95 from 127.0.0.1:42093 to 127.0.0.1:1812 length 227
> (15)   User-Name = "testuser"
> (15)   NAS-Port-Type = Virtual
> (15)   Service-Type = Framed-User
> (15)   NAS-Port = 10
> (15)   NAS-Port-Id = "ikev2-vpn"
> (15)   NAS-IP-Address = 185.78.235.225
> (15)   Called-Station-Id = "185.78.235.225[4500]"
> (15)   Calling-Station-Id = "82.117.245.149[53824]"
> (15)   EAP-Message = 0x020200431a0202003e31e2af5f308985e5021868674940c015e4e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d006564696761726f76
> (15)   NAS-Identifier = "strongSwan"
> (15)   State = 0xb601b33cb703a9c425336eef8323aee1
> (15)   Message-Authenticator = 0x39a3a2b21bdd858e031ee2064b307a51
> (15) session-state: No cached attributes
> (15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (15)   authorize {
> (15)     policy filter_username {
> (15)       if (&User-Name) {
> (15)       if (&User-Name)  -> TRUE
> (15)       if (&User-Name)  {
> (15)         if (&User-Name =~ / /) {
> (15)         if (&User-Name =~ / /)  -> FALSE
> (15)         if (&User-Name =~ /@[^@]*@/ ) {
> (15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (15)         if (&User-Name =~ /\.\./ ) {
> (15)         if (&User-Name =~ /\.\./ )  -> FALSE
> (15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
> (15)         if (&User-Name =~ /\.$/)  {
> (15)         if (&User-Name =~ /\.$/)  -> FALSE
> (15)         if (&User-Name =~ /@\./)  {
> (15)         if (&User-Name =~ /@\./)  -> FALSE
> (15)       } # if (&User-Name)  = notfound
> (15)     } # policy filter_username = notfound
> (15)     policy filter_password {
> (15)       if (&User-Password && (&User-Password != "%{string:User-Password}")) {
> (15)       if (&User-Password && (&User-Password != "%{string:User-Password}"))  -> FALSE
> (15)     } # policy filter_password = notfound
> (15)     [preprocess] = ok
> (15)     [mschap] = noop
> (15)     eap: Peer sent EAP Response (code 2) ID 2 length 67
> (15)     eap: No EAP Start, assuming it's an on-going EAP conversation
> (15)     [eap] = updated
> (15)     files: users: Matched entry DEFAULT at line 152
> (15)     [files] = ok
> rlm_ldap (ldap): Reserved connection (16)
> (15)     ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (15)     ldap:    --> (samaccountname=testuser)
> (15)     ldap: Performing search in "dc=office,dc=local" with filter "(samaccountname=testuser)", scope "sub"
> (15)     ldap: Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.office.local/DC=ForestDnsZones,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.office.local/DC=DomainDnsZones,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL ldap://office.local/CN=Configuration,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (15)     ldap: User object found at DN "CN=Some Name,OU=Network & Technical support,DC=office,DC=local"
> (15)     ldap: Processing user attributes
> (15)     ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (15)     ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Deleting connection (16) - Was referred to a different LDAP server
> (15)     [ldap] = ok
> (15)     [expi
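The third option Noel names, delegating the check to a party that holds the hashes, is the one that actually works against an AD you do not control: AD never returns the NT hash (the unicodePwd attribute) over LDAP, so no amount of bind permission will make rlm_ldap produce an NT-Password, and the "Ensure the admin user has permission to read the password attribute" warning is a red herring for AD. What the mschap module can do instead is hand the MS-CHAPv2 challenge and NT-Response to Samba's ntlm_auth on a domain-joined host; winbindd forwards them to a domain controller over the netlogon channel, the DC verifies them against the hash it holds and returns the NT key FreeRADIUS needs for MPPE. The fragment below is an added example of that configuration, not the poster's config and not from the thread; the domain name OFFICE, the ntlm_auth path and the group/user names are assumptions for office.local, and the rest of the mschap module (the commented-out ntlm_auth line is in the stock FreeRADIUS 3.0 mods-available/mschap) is left at its defaults.

```conf
# /etc/freeradius/3.0/mods-available/mschap   (added example, not the thread's config)
#
# What the posted log shows (path a): rlm_ldap finds the user object in
# dc=office,dc=local, but AD does not expose unicodePwd over LDAP, so no
# NT-Password is added and rlm_mschap has nothing to verify the NT-Response
# against:
#   mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
#
# Fix (path b): delegate the MS-CHAPv2 verification to a domain controller
# through winbindd. Prerequisites (assumed): this host is joined to the
# office.local domain ("net ads join"), winbindd is running, and the account
# FreeRADIUS runs as (freerad on Debian/Ubuntu) is a member of the
# winbindd_priv group so it may open the privileged winbind pipe.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes

	# "OFFICE" is an assumed NetBIOS domain name for office.local. The log
	# shows the client sending a bare "testuser", so %{mschap:NT-Domain} is
	# empty and the ":-OFFICE" default supplies it. --challenge and
	# --nt-response default to 00 only so the xlat never expands to an
	# empty argument; a real request always carries both.
	# Recent Samba releases refuse MS-CHAPv2 through ntlm_auth unless
	# --allow-mschapv2 is present; older releases do not know the flag and
	# need it removed.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{%{mschap:NT-Domain}:-OFFICE} --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
	ntlm_auth_timeout = 10

	# If the FreeRADIUS build links libwbclient, the same delegation can be
	# done in-process instead of forking ntlm_auth per authentication:
	#winbind_username = "%{mschap:User-Name}"
	#winbind_domain = "%{%{mschap:NT-Domain}:-OFFICE}"
}
```

Before touching FreeRADIUS, confirm the delegation path on its own: `wbinfo -t` must report that the machine trust secret is good, `wbinfo -u` should list domain users, and `ntlm_auth --request-nt-key --domain=OFFICE --username=testuser` (it prompts for the password) must answer NT_STATUS_OK. Only then run `freeradius -X` again; with the ntlm_auth line active the "No NT/LM-Password" error should no longer appear for the inner EAP-MSCHAPv2 round. The ldap module can stay in authorize for group membership and other authorization data, but it will keep printing the two WARNING lines, which are harmless in this setup.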
[strongSwan] IPSEC vpn(strongswan) + users in AD

Good day,

some clues wanted.

strongswan -> freeradius -> AD

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@mailtest.go-lamp.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

freeradius - I could show config, but I need to do a cleanup first.

AD is out of my control

Radius request is shown below:
(15) Received Access-Request Id 95 from 127.0.0.1:42093 to 127.0.0.1:1812 length 227
(15)   User-Name = "testuser"
(15)   NAS-Port-Type = Virtual
(15)   Service-Type = Framed-User
(15)   NAS-Port = 10
(15)   NAS-Port-Id = "ikev2-vpn"
(15)   NAS-IP-Address = 185.78.235.225
(15)   Called-Station-Id = "185.78.235.225[4500]"
(15)   Calling-Station-Id = "82.117.245.149[53824]"
(15)   EAP-Message = 0x020200431a0202003e31e2af5f308985e5021868674940c015e4e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d006564696761726f76
(15)   NAS-Identifier = "strongSwan"
(15)   State = 0xb601b33cb703a9c425336eef8323aee1
(15)   Message-Authenticator = 0x39a3a2b21bdd858e031ee2064b307a51
(15) session-state: No cached attributes
(15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15)   authorize {
(15)     policy filter_username {
(15)       if (&User-Name) {
(15)       if (&User-Name)  -> TRUE
(15)       if (&User-Name)  {
(15)         if (&User-Name =~ / /) {
(15)         if (&User-Name =~ / /)  -> FALSE
(15)         if (&User-Name =~ /@[^@]*@/ ) {
(15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(15)         if (&User-Name =~ /\.\./ ) {
(15)         if (&User-Name =~ /\.\./ )  -> FALSE
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(15)         if (&User-Name =~ /\.$/)  {
(15)         if (&User-Name =~ /\.$/)  -> FALSE
(15)         if (&User-Name =~ /@\./)  {
(15)         if (&User-Name =~ /@\./)  -> FALSE
(15)       } # if (&User-Name)  = notfound
(15)     } # policy filter_username = notfound
(15)     policy filter_password {
(15)       if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(15)       if (&User-Password && (&User-Password != "%{string:User-Password}"))  -> FALSE
(15)     } # policy filter_password = notfound
(15)     [preprocess] = ok
(15)     [mschap] = noop
(15)     eap: Peer sent EAP Response (code 2) ID 2 length 67
(15)     eap: No EAP Start, assuming it's an on-going EAP conversation
(15)     [eap] = updated
(15)     files: users: Matched entry DEFAULT at line 152
(15)     [files] = ok
rlm_ldap (ldap): Reserved connection (16)
(15)     ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(15)     ldap:    --> (samaccountname=testuser)
(15)     ldap: Performing search in "dc=office,dc=local" with filter "(samaccountname=testuser)", scope "sub"
(15)     ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.office.local/DC=ForestDnsZones,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.office.local/DC=DomainDnsZones,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://office.local/CN=Configuration,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(15)     ldap: User object found at DN "CN=Some Name,OU=Network & Technical support,DC=office,DC=local"
(15)     ldap: Processing user attributes
(15)     ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(15)     ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (16) - Was referred to a different LDAP server
(15)     [ldap] = ok
(15)     [expiration] = noop
(15)     [logintime] = noop
(15)   } # authorize = updated
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15)   authenticate {
(15) eap: Expiring EAP session with state 0xb601b33cb703a9c4
(15) eap: Finished EAP session with state 0xb601b33cb703a9c4
(15) eap: Previous EAP request found for state 0xb601b33cb703a9c4, released from the list
(15) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(15) eap: Calling submodule eap_mschapv2 to process data
(15) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) eap_mschapv2:   authenticate {
(15)     mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(15)     mschap: WARNING: No Cleartext-Password configured.