Good day ppl.
I want MK's local users to authenticate against the Active Directory database.
I have configured MK to use AAA, which is FreeRADIUS on my Debian machine.
freeradius: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
I've activated the ldap module to redirect auth requests to Active Directory.
But when I try to log in I receive this on the RADIUS side:
rad_recv: Access-Request packet from host 192.168.71.2 port 46069, id=37, length=106
Service-Type = Login-User
User-Name = "davsharyan"
CHAP-Challenge = 0x9908cb3eaf74bb81ea3ff4ded3bea82c
CHAP-Password = 0x00274c77a53c1495fbc0edc43a26a4ef26
Calling-Station-Id = "192.168.33.115"
NAS-Identifier = "NAS"
NAS-IP-Address = 192.168.71.2
Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d → /var/log/freeradius/radacct/192.168.71.2/auth-detail-20110703
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.71.2/auth-detail-20110703
[auth_log] expand: %t → Sun Jul 3 06:57:13 2011
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "davsharyan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for davsharyan
[ldap] expand: %{Stripped-User-Name} →
[ldap] … expanding second conditional
[ldap] expand: %{User-Name} → davsharyan
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) → (uid=davsharyan)
[ldap] expand: dc=domain,dc=am → dc=domain,dc=am
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.1.3:389, authentication 0
[ldap] bind as cn=davsharyan,cn=Users,dc=domain,dc=am/password to 192.168.1.3:389
[ldap] waiting for bind result …
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type Reject
Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} → davsharyan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.2 port 46069, id=37, length=106
Waiting to send Access-Reject to client NASTest port 46069 - ID: 37
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.71.2 port 46069, id=37, length=106
Waiting to send Access-Reject to client NASTest port 46069 - ID: 37
Waking up in 0.3 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 37 to 192.168.71.2 port 46069
Waking up in 4.9 seconds.
It seems everything is configured properly, but the problem is that AD doesn't store passwords in clear text (this is normal).
Lines from modules/ldap:
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
Is it possible to do some tricks/hacks to get this working?
Here are the configs:
/etc/freeradius# grep -vE '(^$|#)' radiusd.conf
# radiusd.conf as posted.  Comments and blank lines were stripped by the
# `grep -vE '(^$|#)'` above, so only the effective settings are shown.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# The daemon runs as an unprivileged account; the config files (including
# modules/ldap with its bind password) must stay readable by this user only.
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# One listener for authentication, one for accounting.  `ipaddr = *` binds
# every interface; `port = 0` lets the daemon use the default port for that
# type (confirm the resolved ports in the daemon's start-up output).
listen {
	type = auth
	ipaddr = *
	port = 0
}
listen {
	ipaddr = *
	port = 0
	type = acct
}
hostname_lookups = no
# Keep disabled: a core file would contain shared secrets and any
# passwords that were in flight.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	# Per-request auth logging is off here.  The trace in the question is
	# presumably from the daemon running in debug mode, not from this file.
	auth = no
	auth_badpass = no
	auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	# Source of the "Delaying reject of request 0 for 2 seconds" lines in
	# the trace; the delay slows down online password guessing via the NAS.
	reject_delay = 2
	status_server = yes
}
proxy_requests = no
# Shared secret for the NAS (192.168.71.2, client name "NASTest" in the
# trace) lives in clients.conf, which is not shown in the question.
$INCLUDE clients.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	# Every file under modules/ is loaded, including the modules/ldap
	# instance quoted further down.
	$INCLUDE ${confdir}/modules/
	$INCLUDE eap.conf
}
instantiate {
	exec
	expr
	expiration
	logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
/etc/freeradius# grep -vE '(^$|#)' sites-enabled/default
# sites-enabled/default as posted (comments stripped).
authorize {
	preprocess
	auth_log
	# The request in the trace carries CHAP-Challenge/CHAP-Password, so
	# `chap` sets "Auth-Type := CHAP" here.  The ldap module's own comment
	# (quoted in the question) says it can only authenticate when a
	# clear-text User-Password is present, so a CHAP request can never be
	# verified by binding to AD, whatever the ldap settings are.  The usual
	# options are to have the NAS send PAP (clear-text inside RADIUS, so the
	# RADIUS shared secret and the LDAP transport need to be protected), or
	# MS-CHAP checked by the mschap module via ntlm_auth on a domain-joined
	# Samba/winbind — NOTE(review): confirm which the NAS supports.
	chap
	mschap
	suffix
	# In the trace this instance returned "fail" (the administrative bind
	# was rejected), which rejects the request immediately: `files`, `pap`
	# and everything below never ran, so the local "dav" entry in the
	# users file was never consulted.  `notfound = return` only covers the
	# case where the bind works but the user is not found.
	ldap {
		notfound = return
	}
	files
	expiration
	logintime
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	# Selected for the request in the trace.  CHAP verification needs the
	# clear-text password on the server side, which AD does not expose.
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	# Bare module name; presumably shorthand for "Auth-Type PAM { pam }".
	pam
	# Only reached when something in authorize sets Auth-Type := LDAP,
	# which did not happen in the trace (chap had already set CHAP).
	Auth-Type LDAP {
		ldap
	}
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	unix
	radutmp
	exec
	attr_filter.accounting_response
}
session {
	radutmp
}
post-auth {
	exec
	# Matched "entry DEFAULT at line 11" of the reject attribute filter in
	# the trace; this strips attributes that must not leak in a reject.
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
	eap
}
/etc/freeradius# grep -vE '(^$|#)' users
# users file as posted.  Leading indentation was lost when pasting, so it
# is not visible which items sit on the entry's first (check) line and
# which on the indented reply lines.  NOTE(review): `Huntgroup-Name == "mk"`
# uses a comparison operator and belongs among the check items, and the
# entry as shown ends in a dangling comma — confirm the on-disk layout.
# With Fall-Through = Yes the DEFAULT entry applies to every user and
# matching continues to the entries below it.
DEFAULT Reply-Message = "Barev %{User-Name} axper !"
Fall-Through = Yes
# Local account with a clear-text password stored in this file; it was
# never reached in the trace because ldap failed earlier in authorize.
dav Cleartext-Password := "dav"
Mikrotik-Group = "remotefull",
Huntgroup-Name == "mk",
/etc/freeradius# grep -vE '(^$|#)' modules/ldap
# modules/ldap as posted (comments stripped).  The trace shows this
# instance failing at the administrative bind, before any user lookup:
#   [ldap] bind as cn=davsharyan,cn=Users,dc=domain,dc=am/password to 192.168.1.3:389
#   [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
# so the identity/password pair below is the first thing to fix; the
# clear-text-password limitation quoted in the question only becomes
# relevant once the bind and the search succeed.
ldap {
	# Plain LDAP on port 389 with start_tls = no (tls block below): the
	# bind credentials and every search go unencrypted between the RADIUS
	# server and the DC.  Turn on start_tls (or ldaps) once the bind works.
	server = "192.168.1.3"
	# DN used for the administrative bind; rejected by the DC in the trace.
	# In AD the RDN under cn=Users is the object's CN (usually the display
	# name), which need not equal the login name — confirm the exact DN
	# with ldapsearch.  AD also accepts the UPN form (user@domain.am) as a
	# simple-bind identity.  A dedicated read-only service account is
	# preferable to a personal account here.
	identity = "cn=davsharyan,cn=Users,dc=domain,dc=am"
	# Unquoted value.  This file holds a live directory credential; keep
	# it readable by the freerad user only.
	password = password
	basedn = "dc=domain,dc=am"
	# The filter searches on `uid`.  Active Directory normally stores the
	# login name in sAMAccountName (or userPrincipalName) and typically has
	# no `uid` value set, so even after the bind succeeds this filter is
	# likely to find nothing.  NOTE(review): verify with ldapsearch.
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
}
Thanks
P.S. All the sensitive information has been changed.