[RADIATOR] Auth By LDAP against AD

Louis Twomey louis.twomey at heanet.ie
Wed May 5 07:08:14 CDT 2010


Hi Jay,
I learned today that I was incorrect when I stated that a cleartext password is
needed when authenticating via LDAP. While that is perhaps the simplest means
of authenticating users, by the Radius server simply binding to the LDAP server
using the user's cleartext credentials, it is also possible to authenticate the
user if they supply a hash of their password via MSCHAPv2. In the latter
scenario, the supplied hash can be matched against the NT-Password attribute
stored in the user's LDAP entry. The Radius server process is different, and
your LDAP server needs an NT-Password hash/attribute for each user, but the end
result is the same.

Sorry for my misleading previous post.

Regards,
Louis.

"Louis Twomey" wrote the following on 21/04/10 10:42:
> Hi Jay,
> You may already be aware of this, but if authenticating via LDAP your users'
> wireless clients will need to be configured to use PAP instead of MSCHAPv2 so
> that the user password is passed to the Radius server as cleartext (within the
> SSL tunnel). The Radius server will verify the user credentials by binding to
> the LDAP server as that user, so it needs access to the real/cleartext password
> to do so. So migrating to an LDAP back-end has implications for your users too.
> 
> Regards,
> Louis Twomey.
> 
> "Hugh Irvine" wrote the following on 20/04/10 23:06:
>> Hello Jay -
>>
>> I think you should stick with AuthBy NTLM.
>>
>> Note that the LDAP lookup blocks too, and in any case you cannot get the password from AD anyway (this is a restriction imposed by AD).
>>
>> regards
>>
>> Hugh
>>
>>
>> On 21 Apr 2010, at 06:16, McNealy, Justin S wrote:
>>
>>> Hugh,   
>>>                 We’re having an issue getting our authby LDAP2 against AD working properly. We’re running version 4.5.1 on a RHEL 5 server. We see it doing the lookup but then we get either a bad password (with TTLS) or "EAP result: 1, Not authenticated by this AuthBy" (with PEAP). Seems like there’s a failure passing the password but authby NTLM works fine. Our config is below along with what we were seeing in the trace 4’s.
>>>  
>>> We’re doing this to stem worries that the hold caused by AuthBy NTLM could cause issues. How much havoc does that block cause? Are we chasing our tails to prevent an issue that we most likely will not notice? We have roughly 2000-3000 users a day and are using WPA2 Enterprise.
>>>  
>>> Any thoughts?
>>>  
>>>  
>>> Thanks
>>> Jay
>>> 
>>> <Client 10.24.97.0/24>
>>>         IdenticalClients 10.24.238.41,10.24.238.42
>>>         Secret                  fsdfsdfsd
>>>         Identifier              wlan
>>>         DupInterval             2
>>>         NasType                 Cisco
>>>         SNMPCommunity          private
>>>         IgnoreAcctSignature     1
>>>  
>>> <AuthBy LDAP2>
>>>         Identifier      LDAPAuthentication
>>>         Host            aD.Host.clean
>>>         AuthDN          CN=Radiator,OU=System Admin,OU=adsf,DC=adsf ,DC=local
>>>         AuthPassword    asdfasdfasdf
>>>         BaseDN          OU=AD Users,DC=clinlan,DC=local
>>>         UsernameAttr    sAMAccountName
>>>         ServerChecksPassword
>>>         #Debug          255
>>>         Timeout         2
>>>         FailureBackoffTime 1
>>> </AuthBy>
>>>  
>>> <AuthBy NTLM>
>>>         Identifier      NTLMAuthentication
>>>         Domain clinlan
>>>         #Group Domain Users
>>>         #DomainController zulu
>>>         EAPType MSCHAP-V2
>>> </AuthBy>
>>>  
>>>  
>>>  
>>> <Handler TunnelledByPEAP=1>
>>>         AuthByPolicy ContinueUntilAccept
>>>         RewriteUsername s/(.*)\\(.*)/$2/
>>>  
>>>  
>>>         AuthBy LDAPAuthentication
>>>  
>>>         AuthBy NTLMAuthentication
>>>  
>>>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>>>         #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
>>>         PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
>>> </Handler>
>>>  
>>> <Handler Client-Identifier=wlan>
>>>         #AuthByPolicy ContinueUntilAccept
>>>         AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
>>>         StripFromRequest Class
>>>  
>>>         <AuthBy FILE>
>>>                 Filename %D/users
>>>                 EAPType PEAP,TTLS
>>>                 EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
>>>                 EAPTLS_CertificateFile %D/certificates/production/%h.pem
>>>                 EAPTLS_CertificateType PEM
>>>                 EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
>>>                 EAPTLS_PrivateKeyPassword pass
>>>                 EAPTLS_VerifyDepth 3
>>>                 EAPTLS_MaxFragmentSize 1000
>>>                 AutoMPPEKeys
>>>                 SSLeayTrace 4
>>>                 EAPTLS_PEAPVersion 1
>>>                 EAPTLS_PEAPBrokenV1Label
>>>                 EAPAnonymous %0
>>>         </AuthBy>
>>>  
>>>         #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
>>>         AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
>>> </Handler>
>>> 
>>> Tue Apr 20 14:51:29 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
>>> Tue Apr 20 14:51:29 2010: DEBUG: Rewrote user name to Name
>>> Tue Apr 20 14:51:29 2010: DEBUG:  Deleting session for Name, 10.24.238.42, 29
>>> Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthentication
>>> Tue Apr 20 14:51:29 2010: DEBUG: Handling with EAP: code 2, 2, 6, 26
>>> Tue Apr 20 14:51:29 2010: DEBUG: Response type 26
>>> Tue Apr 20 14:51:29 2010: DEBUG: EAP result: 1, Not authenticated by this AuthBy
>>> Tue Apr 20 14:51:29 2010: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
>>> Tue Apr 20 14:51:29 2010: DEBUG: Handling with Radius::AuthNTLM: NTLMAuthentication
>>> Tue Apr 20 14:51:29 2010: DEBUG: Handling with EAP: code 2, 2, 6, 26
>>> Tue Apr 20 14:51:29 2010: DEBUG: Response type 26
>>> Tue Apr 20 14:51:29 2010: DEBUG: EAP result: 0,
>>> Tue Apr 20 14:51:29 2010: DEBUG: AuthBy NTLM result: ACCEPT,
>>> Tue Apr 20 14:51:29 2010: DEBUG: Access accepted for Name
>>> Tue Apr 20 14:51:29 2010: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code:       Access-Accept
>>> Identifier: UNDEF
>>> Authentic:  1<234><183><138><210><208><170><248><161>=<164><249><150><209><26><238>
>>> Attributes:
>>>         EAP-Message = <3><2><0><4>
>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>         User-Name = "Name"
>>> 
>>> Disabling NTLM
>>> 
>>> Tue Apr 20 15:15:47 2010: DEBUG: Radius::AuthLDAP2 looks for match with Name [Name]
>>> Tue Apr 20 15:15:47 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : Name [Name]
>>> Tue Apr 20 15:15:47 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
>>> Tue Apr 20 15:15:47 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
>>> Tue Apr 20 15:15:47 2010: INFO: Access rejected for Name: EAP MSCHAP-V2 Authentication failure
>>> Tue Apr 20 15:15:47 2010: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code:       Access-Reject
>>> Identifier: UNDEF
>>> Authentic:  <195>{l<182><252><138>m<151><134>E<225><157>i')M
>>> Attributes:
>>>         EAP-Message = <4><1><0><4>
>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>         Reply-Message = "Request Denied"
>>>  
>>> Tue Apr 20 15:15:47 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
>>> Tue Apr 20 15:15:47 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
>>> Tue Apr 20 15:15:47 2010: DEBUG: Access challenged for Name: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Apr 20 15:15:47 2010: DEBUG: Packet dump:
>>> *** Sending to 10.24.238.42 port 32769 ....
>>> Code:       Access-Challenge
>>> Identifier: 229
>>> Authentic:  <178>]<220><177>d<250>W<220>'<145><174>$<199><2>h<19>
>>> Attributes:
>>>         EAP-Message = <1><11><0>+<25><1><23><3><1><0> <216>{<239><130>o3<138>+<129><223>t<130>7<19><171>A(<200><146><191><193>V<255>Z<208>mF<134><162>C<232><5>
>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> 
>>> TTLS Authentication
>>> 
>>> G: Radius::AuthLDAP2 looks for match with Nameoss [Nameoss]
>>> Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: Nameoss [Nameoss]
>>> Tue Apr 20 15:19:08 2010: INFO: Connecting to dc1.emr.co.edu:389
>>> Tue Apr 20 15:19:08 2010: INFO: Attempting to bind to LDAP server dc1.emr.co.edu:389
>>> Tue Apr 20 15:19:08 2010: DEBUG: No entries for DEFAULT found in LDAP database
>>> Tue Apr 20 15:19:08 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
>>> Tue Apr 20 15:19:08 2010: DEBUG: Handling with Radius::AuthNTLM: NTLMAuthentication
>>> Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthNTLM looks for match with Nameoss [Nameoss]
>>> Tue Apr 20 15:19:08 2010: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
>>> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
>>> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute LANMAN-Challenge: 62fd1d38a76dc97e
>>> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute NT-Response: 5fc23e2aa9e5c1401a805d10051f9c20bfeb2009b4065853
>>> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute NT-Domain:: ;sdfjk
>>> Tue Apr 20 15:19:08 2010: DEBUG: Passing attribute Username:: Yjklssdfjk
>>> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: Authenticated: Yes
>>> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: LANMAN-Session-Key: E8A85EB0FD85800C
>>> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: User-Session-Keykjkljkl;j;jk;jkl;j
>>> Tue Apr 20 15:19:08 2010: DEBUG: Received attribute: .
>>> Tue Apr 20 15:19:08 2010: DEBUG: Radius::AuthNTLM ACCEPT: : Nameoss [Nameoss]
>>> Tue Apr 20 15:19:08 2010: DEBUG: AuthBy NTLM result: ACCEPT,
>>> Tue Apr 20 15:19:08 2010: DEBUG: Access accepted for Nameoss
>>> Tue Apr 20 15:19:08 2010: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
>>> Code:       Access-Accept
>>> 
>>> PEAP auth.
>>> 
>>> Tue Apr 20 15:27:05 2010: DEBUG: Radius::AuthLDAP2 looks for match with Nameoss [Nameoss]
>>> Tue Apr 20 15:27:05 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : Nameoss [Nameoss]
>>> Tue Apr 20 15:27:05 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
>>> Tue Apr 20 15:27:05 2010: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
>>> Tue Apr 20 15:27:05 2010: INFO: Access rejected for Nameoss: EAP MSCHAP-V2 Authentication failure
>>> Tue Apr 20 15:27:05 2010: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code:       Access-Reject
>>> Identifier: UNDEF
>>> Authentic:  <136>z<135><133>X<162><215>:#C<186><148><31><224>{<165>
>>> Attributes:
>>>         EAP-Message = <4><1><0><4>
>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>         Reply-Message = "Request Denied"
>>>  
>>> Tue Apr 20 15:27:05 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
>>> Tue Apr 20 15:27:05 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
>>> Tue Apr 20 15:27:05 2010: DEBUG: Access challenged for anonymous: EAP PEAP inner authentication redispatched to a Handler
>>> Tue Apr 20 15:27:05 2010: DEBUG: Packet dump:
>>> *** Sending to 10.24.238.42 port 32769 ....
>>> Code:       Access-Challenge
>>> Identifier: 0
>>> Authentic:  <161>![j<183><224><248><130><161><2><175><207><186><179><195><131>
>>> Attributes:
>>>         EAP-Message = <1><10><0>+<25><1><23><3><1><0> <242>yF<225><136>E<211><198><134><178>Ka<213><220><247><229><171><150><30><227>e<0><151>N<213><15><254>tt<252><17><140>
>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>  
>>> Tue Apr 20 15:27:05 2010: DEBUG: Calling-Station-Id = 0026.bb02.4b2b
>>> Tue Apr 20 15:27:05 2010: DEBUG: Called-Station-Id = 0027.0d07.cc00:n
>>> Tue Apr 20 15:27:05 2010: DEBUG: Packet dump:
>>> *** Received from 10.24.238.42 port 32769 ....
>>
>>
>> NB: 
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets), 
>> together with a trace 4 debug showing what is happening?
>>
> 

-- 
HEAnet Limited                               louis.twomey at heanet.ie
5 George's Dock, IFSC, Dublin 1              Tel: +353-1-6609040
Web: http://www.heanet.ie                    Fax: +353-1-6603666
Registered in Ireland, no 275301             PGP key: C77D9256
