[RADIATOR] Auth By LDAP against AD

Hugh Irvine hugh at open.com.au
Tue Apr 20 17:06:59 CDT 2010


Hello Jay -

I think you should stick with AuthBy NTLM.

Note that the LDAP lookup blocks too, and in any case you cannot get the password from AD anyway (this is a restriction imposed by AD).

regards

Hugh


On 21 Apr 2010, at 06:16, McNealy, Justin S wrote:

> Hugh,   
>                 We’re having an issue getting our authby LDAP2 against AD working properly. We’re running version 4.5.1 on a RHEL 5 server. We see it doing the lookup but then we get ether a bad password (with TTLS) or "EAP result: 1, Not authenticated by this AuthBy" (with PEAP).  Seems like there’s a failure passing the password but authby NTLM works fine. Our config is below along with what we were seeing in the trace 4’s.
>  
> We're doing this to stem worries that the hold caused by AuthBy NTLM could cause issues. How much havoc does that block cause? Are we chasing our tails to prevent an issue that we most likely will not notice? We have roughly 2000-3000 users a day and are using WPA2 Enterprise.
>  
> Any thoughts?
>  
>  
> Thanks
> Jay
>  
>  
>  
> <Client 10.24.97.0/24>
>         IdenticalClients 10.24.238.41,10.24.238.42
>         Secret                  fsdfsdfsd
>         Identifier              wlan
>         DupInterval             2
>         NasType                 Cisco
>         SNMPCommunity          private
>         IgnoreAcctSignature     1
>  
> <AuthBy LDAP2>
>         Identifier      LDAPAuthentication
>         Host            aD.Host.clean
>         AuthDN          CN=Radiator,OU=System Admin,OU=adsf,DC=adsf ,DC=local
>         AuthPassword    asdfasdfasdf
>         BaseDN          OU=AD Users,DC=clinlan,DC=local
>         UsernameAttr    sAMAccountName
>         ServerChecksPassword
>         #Debug          255
>         Timeout         2
>         FailureBackoffTime 1
> </AuthBy>
>  
> <AuthBy NTLM>
>         Identifier      NTLMAuthentication
>         Domain clinlan
>         #Group Domain Users
>         #DomainController zulu
>         EAPType MSCHAP-V2
> </AuthBy>
>  
>  
>  
> <Handler TunnelledByPEAP=1>
>         AuthByPolicy ContinueUntilAccept
>         RewriteUsername s/(.*)\\(.*)/$2/
>  
>  
>         AuthBy LDAPAuthentication
>  
>         AuthBy NTLMAuthentication
>  
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>         #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>         PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
> </Handler>
>  
> <Handler Client-Identifier=wlan>
>         #AuthByPolicy ContinueUntilAccept
>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>         StripFromRequest Class
>  
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,TTLS
>                 EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
>                 EAPTLS_CertificateFile %D/certificates/production/%h.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
>                 EAPTLS_PrivateKeyPassword pass
>                 EAPTLS_VerifyDepth 3
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 1
>                 EAPTLS_PEAPBrokenV1Label
>                 EAPAnonymous %0
>         </AuthBy>
>  
>         #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
> </Handler>
>  
>  
>  
>  
>  
> Tue Apr 20 14:51:29 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Tue Apr 20 14:51:29 2010: DEBUG: Rewrote user name to Name
> Tue Apr 20 14:51:29 2010: DEBUG:  Deleting session for Name, 10.24.238.42, 29
> Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthentication
> Tue Apr 20 14:51:29 2010: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Tue Apr 20 14:51:29 2010: DEBUG: Response type 26
> Tue Apr 20 14:51:29 2010: DEBUG: EAP result: 1, Not authenticated by this AuthBy
> Tue Apr 20 14:51:29 2010: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
> Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthNTLM: NTLMAuthentication
> Tue Apr 20 14:51:29 2010: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Tue Apr 20 14:51:29 2010: DEBUG: Response type 26
> Tue Apr 20 14:51:29 2010: DEBUG: EAP result: 0,
> Tue Apr 20 14:51:29 2010: DEBUG: AuthBy NTLM result: ACCEPT,
> Tue Apr 20 14:51:29 2010: DEBUG: Access accepted for Name
> Tue Apr 20 14:51:29 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  1<234><183><138><210><208><170><248><161>=<164><249><150><209><26><238>
> Attributes:
>         EAP-Message = <3><2><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "Name"
>  
>  
> Disabling NTLM
>  
>  
> Tue Apr 20 15:15:47 2010: DEBUG: Radius::AuthLDAP2 looks for match with Name [Name]
> Tue Apr 20 15:15:47 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : Name [Name]
> Tue Apr 20 15:15:47 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Tue Apr 20 15:15:47 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
> Tue Apr 20 15:15:47 2010: INFO: Access rejected for Name: EAP MSCHAP-V2 Authentication failure
> Tue Apr 20 15:15:47 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  <195>{l<182><252><138>m<151><134>E<225><157>i')M
> Attributes:
>         EAP-Message = <4><1><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>  
> Tue Apr 20 15:15:47 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Apr 20 15:15:47 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Apr 20 15:15:47 2010: DEBUG: Access challenged for Name: EAP PEAP inner authentication redispatched to a Handler
> Tue Apr 20 15:15:47 2010: DEBUG: Packet dump:
> *** Sending to 10.24.238.42 port 32769 ....
> Code:       Access-Challenge
> Identifier: 229
> Authentic:  <178>]<220><177>d<250>W<220>'<145><174>$<199><2>h<19>
> Attributes:
>         EAP-Message = <1><11><0>+<25><1><23><3><1><0> <216>{<239><130>o3<138>+<129><223>t<130>7<19><171>A(<200><146><191><193>V<255>Z<208>mF<134><162>C<232><5>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  
>  
>  
> TTLS Authentication
>  
>  
>  
> G: Radius::AuthLDAP2 looks for match with Nameoss [Nameoss]
> Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: Nameoss [Nameoss]
> Tue Apr 20 15:19:08 2010: INFO: Connecting to dc1.emr.co.edu:389
> Tue Apr 20 15:19:08 2010: INFO: Attempting to bind to LDAP server dc1.emr.co.edu:389
> Tue Apr 20 15:19:08 2010: DEBUG: No entries for DEFAULT found in LDAP database
> Tue Apr 20 15:19:08 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
> Tue Apr 20 15:19:08 2010: DEBUG: Handling with Radius::AuthNTLM: NTLMAuthentication
> Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthNTLM looks for match with Nameoss [Nameoss]
> Tue Apr 20 15:19:08 2010: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute LANMAN-Challenge: 62fd1d38a76dc97e
> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute NT-Response: 5fc23e2aa9e5c1401a805d10051f9c20bfeb2009b4065853
> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute NT-Domain:: ;sdfjk
> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Username:: Yjklssdfjk
> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: Authenticated: Yes
> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: LANMAN-Session-Key: E8A85EB0FD85800C
> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: User-Session-Keykjkljkl;j;jk;jkl;j
> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: .
> Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthNTLM ACCEPT: : Nameoss [Nameoss]
> Tue Apr 20 15:19:08 2010: DEBUG: AuthBy NTLM result: ACCEPT,
> Tue Apr 20 15:19:08 2010: DEBUG: Access accepted for Nameoss
> Tue Apr 20 15:19:08 2010: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
> Code:       Access-Accept
>  
>  
>  
> PEAP auth.
>  
>  
>  
> Tue Apr 20 15:27:05 2010: DEBUG: Radius::AuthLDAP2 looks for match with Nameoss [Nameoss]
> Tue Apr 20 15:27:05 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : Nameoss [Nameoss]
> Tue Apr 20 15:27:05 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Tue Apr 20 15:27:05 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
> Tue Apr 20 15:27:05 2010: INFO: Access rejected for Nameoss: EAP MSCHAP-V2 Authentication failure
> Tue Apr 20 15:27:05 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  <136>z<135><133>X<162><215>:#C<186><148><31><224>{<165>
> Attributes:
>         EAP-Message = <4><1><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>  
> Tue Apr 20 15:27:05 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Apr 20 15:27:05 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Apr 20 15:27:05 2010: DEBUG: Access challenged for anonymous: EAP PEAP inner authentication redispatched to a Handler
> Tue Apr 20 15:27:05 2010: DEBUG: Packet dump:
> *** Sending to 10.24.238.42 port 32769 ....
> Code:       Access-Challenge
> Identifier: 0
> Authentic:  <161>![j<183><224><248><130><161><2><175><207><186><179><195><131>
> Attributes:
>         EAP-Message = <1><10><0>+<25><1><23><3><1><0> <242>yF<225><136>E<211><198><134><178>Ka<213><220><247><229><171><150><30><227>e<0><151>N<213><15><254>tt<252><17><140>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  
> Tue Apr 20 15:27:05 2010: DEBUG: Calling-Station-Id = 0026.bb02.4b2b
> Tue Apr 20 15:27:05 2010: DEBUG: Called-Station-Id = 0027.0d07.cc00:n
> Tue Apr 20 15:27:05 2010: DEBUG: Packet dump:
> *** Received from 10.24.238.42 port 32769 ....



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
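The ntlm_auth helper exchange in the trace above (the "Passing attribute" / "Received attribute" lines), as an added example that is not part of this thread and is not Radiator's or Samba's code. It frames the request the way the trace shows it (hex for the challenge and response, base64 after a double colon for the domain and user name), parses the reply up to its "." terminator, and drives the accept/reject decision against a constructed in-memory responder standing in for /usr/bin/ntlm_auth. The domain and account names, the session-key value, the NT_STATUS strings the stand-in emits and the 2-second timeout are assumptions; the challenge and NT-Response hex values are the ones printed in the trace. It also illustrates Hugh's point: only the MS-CHAPv2 challenge and the client's response ever leave the RADIUS server, so nothing in this path needs the password, which AD will not return over LDAP.

```python
import base64
import subprocess
from typing import Callable, Dict, Optional, Tuple

# Added example, not Radiator or Samba code: a model of the ntlm_auth
# "ntlm-server-1" helper framing that AuthBy NTLM drives in the trace above
# ("Name: value" lines, base64 values as "Name:: value", a lone "." ending each
# message).  The in-memory responder is a constructed stand-in for the real
# helper and does no NTLM cryptography; on a real system the DC does that.

HELPER_ARGS = ["/usr/bin/ntlm_auth", "--helper-protocol=ntlm-server-1"]


def build_request(username: str, domain: str, challenge: bytes, nt_response: bytes) -> str:
    """Frame one MS-CHAPv2 check.  Only the 8-byte challenge and the client's
    24-byte NT-Response travel; the password never does."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes, NT-Response 24 bytes")
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode()
    return "\n".join([
        "Request-User-Session-Key: Yes",
        "Request-LanMan-Session-Key: Yes",
        "LANMAN-Challenge: " + challenge.hex(),
        "NT-Response: " + nt_response.hex(),
        "NT-Domain:: " + b64(domain),
        "Username:: " + b64(username),
        ".",
    ]) + "\n"


def parse_helper_lines(text: str) -> Dict[str, str]:
    """Parse one helper message (request or reply) up to its "." line."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":
            break
        if not line:
            continue
        if ":: " in line:  # double colon marks a base64-encoded value
            name, value = line.split(":: ", 1)
            attrs[name] = base64.b64decode(value).decode("utf-8")
        elif ": " in line:
            name, value = line.split(": ", 1)
            attrs[name] = value
        else:
            raise ValueError("malformed helper line: %r" % raw)
    return attrs


def fake_ntlm_auth(request_text: str,
                   accounts: Dict[Tuple[str, str], Tuple[bytes, bytes, str]]) -> str:
    """Constructed stand-in for ntlm_auth: `accounts` maps (domain, user) to
    (challenge, expected NT-Response, session-key hex).  A real DC recomputes
    the expected response from the stored NT hash instead of looking it up."""
    req = parse_helper_lines(request_text)
    acct = accounts.get((req.get("NT-Domain", "").lower(), req.get("Username", "").lower()))
    got = (bytes.fromhex(req.get("LANMAN-Challenge", "")), bytes.fromhex(req.get("NT-Response", "")))
    if acct is None:
        out = ["Authenticated: No", "Authentication-Error: NT_STATUS_NO_SUCH_USER"]
    elif got != acct[:2]:
        out = ["Authenticated: No", "Authentication-Error: NT_STATUS_WRONG_PASSWORD"]
    else:
        out = ["Authenticated: Yes"]
        if req.get("Request-User-Session-Key") == "Yes":
            out.append("User-Session-Key: " + acct[2])
    return "\n".join(out + ["."]) + "\n"


def run_ntlm_auth(request_text: str, timeout_s: float = 2.0) -> str:
    """Production transport: one synchronous round trip through the real helper.
    Radiator is single-threaded, so every other request waits while this runs;
    the timeout turns a hung helper into a quick reject.  Not exercised offline."""
    try:
        done = subprocess.run(HELPER_ARGS, input=request_text, text=True,
                              capture_output=True, timeout=timeout_s, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return "Authenticated: No\nAuthentication-Error: %s\n.\n" % type(exc).__name__
    return done.stdout


def authenticate(username: str, domain: str, challenge: bytes, nt_response: bytes,
                 transport: Callable[[str], str]) -> Tuple[bool, Optional[bytes]]:
    """One AuthBy NTLM-style decision: (accepted, user session key).  An Accept
    without the session key we asked for is treated as a failure here, since
    that key is what the MPPE keys handed to the NAS are derived from."""
    reply = parse_helper_lines(transport(build_request(username, domain, challenge, nt_response)))
    if reply.get("Authenticated") != "Yes" or "User-Session-Key" not in reply:
        return False, None
    return True, bytes.fromhex(reply["User-Session-Key"])


# Constructed sample: the challenge and NT-Response are the hex values visible
# in the trace; domain, user and session key are made up.
TRACE_CHALLENGE = bytes.fromhex("62fd1d38a76dc97e")
TRACE_NT_RESPONSE = bytes.fromhex("5fc23e2aa9e5c1401a805d10051f9c20bfeb2009b4065853")
FAKE_ACCOUNTS = {("clinlan", "nameoss"): (TRACE_CHALLENGE, TRACE_NT_RESPONSE, "0123456789abcdef" * 2)}


def demo() -> Tuple[bool, bool, bool]:
    """Genuine response accepted with a 16-byte key; forged response rejected."""
    transport = lambda req: fake_ntlm_auth(req, FAKE_ACCOUNTS)
    ok, key = authenticate("Nameoss", "clinlan", TRACE_CHALLENGE, TRACE_NT_RESPONSE, transport)
    bad, _ = authenticate("Nameoss", "clinlan", TRACE_CHALLENGE, b"\x00" * 24, transport)
    return ok, key is not None and len(key) == 16, bad
```

Swap `run_ntlm_auth` in for the in-memory transport to talk to a real helper; it spawns one ntlm_auth process per check, whereas Radiator keeps a single helper running and writes each request to it, so the per-call cost there is the DC round trip rather than a fork. The timeout is the practical answer to the "how much havoc does that block cause" question: whatever the helper waits on, the server waits on too, so bound it.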




