[RADIATOR] PEAP / MSCHAPv2 NTLM Auth + additional LDAP attribute check

Heikki Vatiainen hvn at open.com.au
Wed May 11 15:51:21 CDT 2011


On 05/11/2011 07:48 PM, Onno Witvliet wrote:

Hello Onno,

> I'm trying to configure Radiator to authenticate our users with PEAP / MSCHAPv2.
> 
> We're running Radiator on Linux and we want to authenticate against MS
> Active Directory.
> 
> The authentication with NTLM works fine, but we want to check if the
> user is allowed to use
> the wireless network by checking the msNPAllowDialin property in
> Active Directory.
> 
> As far as I can tell, for this additional check to work, I need to
> query AD via LDAP
> for the property msNPAllowDialin and check the value of the property.

This sounds correct.

> I've tried several things, but I can't figure out how I can query the
> AD via LDAP, without Radiator
> trying to authenticate the LDAP query with MSCHAPv2 (with
> Access-Reject as a result)

Please see below for changes in your config. You are close and there are
only a couple of things that need changes.

> I'm trying to use PostSearchHook to check if msNPAllowDialin exists
> and if the value equals YES
> to return an Access-Accept, else return Access-Reject

I think the hook is not needed. Please see below for more.

> I've 3 questions:
> 
> 1) Is this the right approach to solve this problem

Yes.

> 2) How can I query via LDAP without (EAP) authentication

NoEAP and NoCheckPassword. Instead, a SearchFilter is defined for
checking that the user exists and has the attribute correctly set.

> 3) How can I return Access-Accept / Access-Reject from the PostSearchHook

You could arrange for check items to fail, but I think the hook is not
needed at all.

> Any hints would be appreciated.

Try the changes I have added below and let us know how it works. You may
want to check the reference manual for more details about the options I
added or changed.

> Onno Witvliet
> Hogeschool Inholland
> The Netherlands
> 
> 
> Overview config:
> 
> <AuthBy FILE>
>   Identifier outer-tunnel-auth
> 
>   Filename %D/dot1x_anon
> 
>   EAPType PEAP
> 
>   # Certificates
>   EAPTLS_CAFile /etc/radiator/certificates/ca.pem
>   EAPTLS_CertificateFile /etc/radiator/certificates/server.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile /etc/radiator/certificates/server.key
>   EAPTLS_MaxFragmentSize 1000
> 
>   EAPTLS_PEAPVersion 0
> 
>   AutoMPPEKeys
> </AuthBy>
> 
> <AuthBy NTLM>
>   Identifier    AuthNTLM
> 
>   EAPType      MSCHAP-V2
>   Domain        DOMAIN
>   NtlmAuthProg  /usr/bin/ntlm_auth -s /etc/samba/our-winbindd.conf --helper-protocol=ntlm-server-1
>   UsernameMatchesWithoutRealm
> </AuthBy>
> 
> <AuthBy LDAP2>
>   Identifier    AuthLDAP
>   Host          x.x.x.x
> 
>   AuthDN        cn=admin,dc=domain,dc=nl
>   AuthPassword  secret
> 
>   BaseDN        ou=users,dc=domain,dc=nl
>   UsernameAttr  sAMAccountName
>   PasswordAttr

Remove PasswordAttr

Add these:
NoCheckPassword
NoEAP
SearchFilter (&(%0=%x)(msNPAllowDialin=YES))

>   AuthAttrDef   msNPAllowDialin,GENERIC,request

You can keep this, otherwise the LDAP server will return all possible
attributes.

You can also add these for better performance:
NoDefault
NoDefaultIfFound

> #  PostSearchHook sub { my $attr = $_[4]->get('msNPAllowDialin'); \
> #    $_[3]->get_reply->add_attr('Dialin-Allowed', 1); }

Remove the hook or keep it commented out.

>   Debug 255
> </AuthBy>
> 
> <Handler User-Name=/.+@domain.nl/>
>   Identifier outer-handler
> 
>   AuthBy outer-tunnel-auth
> </Handler>
> 
> <Handler TunnelledByPEAP=1>
>   Identifier inner-handler
> 
>   <AuthBy GROUP>
>     AuthByPolicy ContinueUntilReject

Use a different policy:
AuthByPolicy ContinueWhileAccept

>     # Authenticate against AD with ntlm_auth
>     AuthBy AuthNTLM
> 
>     # check msNPAllowDialin property against AD with LDAP
>     AuthBy AuthLDAP
>   </AuthBy>
> </Handler>


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
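The inner-tunnel part of Onno's configuration with Heikki's changes folded in, as an added example that is not part of the original thread. The host, DNs, password and ntlm_auth path are the placeholders from Onno's post; the comments are my reading of what each change does and are not quoted from the Radiator manual.

```apacheconf
# Added example: corrected inner-tunnel configuration assembled from the
# thread above. Host, DNs, password and paths are Onno's placeholders.

<AuthBy NTLM>
  Identifier    AuthNTLM
  EAPType       MSCHAP-V2
  Domain        DOMAIN
  NtlmAuthProg  /usr/bin/ntlm_auth -s /etc/samba/our-winbindd.conf --helper-protocol=ntlm-server-1
  UsernameMatchesWithoutRealm
</AuthBy>

# LDAP is now an authorisation check only. Radiator binds as AuthDN and
# searches for the user; the user's own password is never checked here
# (NoCheckPassword) and the EAP conversation is left to AuthNTLM (NoEAP),
# so there is no second MSCHAPv2 attempt to produce an Access-Reject.
<AuthBy LDAP2>
  Identifier    AuthLDAP
  Host          x.x.x.x
  AuthDN        cn=admin,dc=domain,dc=nl
  AuthPassword  secret
  BaseDN        ou=users,dc=domain,dc=nl
  UsernameAttr  sAMAccountName

  NoCheckPassword
  NoEAP
  # A user whose msNPAllowDialin is not YES simply does not match the
  # search, so "user not found" is the reject for disallowed accounts.
  SearchFilter  (&(%0=%x)(msNPAllowDialin=YES))

  # Limit the attributes AD returns, and skip DEFAULT lookups.
  AuthAttrDef   msNPAllowDialin,GENERIC,request
  NoDefault
  NoDefaultIfFound
</AuthBy>

<Handler TunnelledByPEAP=1>
  Identifier inner-handler

  <AuthBy GROUP>
    # Continue only while each AuthBy returns Accept; any other result
    # (a challenge during the EAP exchange, or a reject) stops the group
    # and is returned as-is. Both the NTLM password check and the LDAP
    # dial-in check must therefore pass for an Access-Accept.
    AuthByPolicy ContinueWhileAccept

    AuthBy AuthNTLM
    AuthBy AuthLDAP
  </AuthBy>
</Handler>
```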

