
List:       freeradius-users
Subject:    Re: freeradius auth in win AD
From:       Matthew Newton <mcn4 () leicester ! ac ! uk>
Date:       2016-06-16 14:04:32
Message-ID: 20160616140432.GC109585 () rootmail ! cc ! le ! ac ! uk

On Thu, Jun 16, 2016 at 02:19:47PM +0200, Zenon Matuszyk wrote:
...
> ++[mschap] returns noop
> ++[digest] returns noop
> [eap] EAP packet type response id 3 length 29
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
>   [ldap] Entering ldap_groupcmp()
> [files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
> [files]         expand: %{Stripped-User-Name} ->
> [files]         ... expanding second conditional
> [files]         expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl
> [files]         expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl)
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection

You should probably move the LDAP searches to later on in the
inner tunnel or post-auth to save hammering the LDAP server so
much.


> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> Found Auth-Type = EAP
> Warning:  Found 2 auth-types on request for user 'aa.aa@stud.wcc.domain.pl'

This isn't good. Find out what is setting Auth-Type to ntlm_auth
and get rid of it. You're doing PEAP/EAP-MSCHAPv2 so Auth-Type
should be set to EAP (as the eap module does for you).

> [mschapv2] # Executing group from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: aa.aa@stud.wcc.domain.pl
> [mschap] Told to do MS-CHAPv2 for aa.aa@stud.wcc.domain.pl with NT-Password
> [mschap]        expand: %{Stripped-User-Name} ->

You've not got Stripped-User-Name...

> [mschap]        ... expanding second conditional
> [mschap]        expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl
> [mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa@stud.wcc.domain.pl

...so ntlm_auth is being called with User-Name, which is
aa.aa@stud.wcc.domain.pl.

It's likely it needs to be called with "aa.aa" instead - test with
calling ntlm_auth yourself on the command line to see what works.

Then set up Stripped-User-Name. In FreeRADIUS 3 you should be able
to call the "split_username_nai" policy to do this for you, or
otherwise either write your own unlang or use the realm (suffix)
module to split it off.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
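Added illustration of the two points in the reply above (the %{%{Stripped-User-Name}:-%{User-Name}} fallback that the mschap module uses when building the ntlm_auth command, and checking ntlm_auth by hand). This is a small POSIX shell script written for this page; it is not from the thread, not FreeRADIUS or Samba code, and the NAI splitting only re-implements what the split_username_nai policy is there to do. The sample user name is the one from the debug output; YOUR_AD_DOMAIN and the password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeRADIUS/Samba.
# Shows why ntlm_auth receives the full NAI when Stripped-User-Name is
# empty, what a split_username_nai-style policy produces instead, and the
# hand-run ntlm_auth check suggested in the reply.

# Split an NAI ("user@realm") into its two parts, as split_username_nai
# does in FreeRADIUS 3 (re-implementation for illustration, not the policy).
nai_user()  { printf '%s\n' "${1%%@*}"; }
nai_realm() { case $1 in *@*) printf '%s\n' "${1#*@}" ;; *) printf '\n' ;; esac; }

# Mimic the mschap module's default expansion
#   %{%{Stripped-User-Name}:-%{User-Name}}
# Stripped-User-Name wins when it is set; otherwise the whole User-Name is
# used, which is exactly what the debug output in the thread shows.
ntlm_username() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# Build the manual ntlm_auth test command. --domain is the AD/NetBIOS
# domain the Samba host is joined to, which need not equal the realm part
# of the NAI; the caller supplies it (YOUR_AD_DOMAIN below is a placeholder).
# The password is not embedded here: ntlm_auth --password shows up in the
# process list, so run this by hand with a test account only.
ntlm_auth_cmd() {
    user=$1 domain=$2
    printf 'ntlm_auth --request-nt-key --domain=%s --username=%s --password=...\n' \
        "$domain" "$user"
}

# --- Walk-through with the constructed sample from the debug output ---
USER_NAME='aa.aa@stud.wcc.domain.pl'   # User-Name as seen in the debug log
AD_DOMAIN='YOUR_AD_DOMAIN'             # placeholder, not from the thread

# 1. Broken: Stripped-User-Name is empty, so ntlm_auth gets the full NAI.
echo "without stripping: --username=$(ntlm_username '' "$USER_NAME")"

# 2. Fixed: split first, then ntlm_auth sees the bare user name.
STRIPPED=$(nai_user "$USER_NAME")
echo "with stripping:    --username=$(ntlm_username "$STRIPPED" "$USER_NAME")"
echo "realm (Stripped-User-Domain): $(nai_realm "$USER_NAME")"

# 3. The command to run by hand on the RADIUS host to see which form works;
#    a good result prints NT_STATUS_OK: Success (0x0) and an NT_KEY line.
ntlm_auth_cmd "$STRIPPED" "$AD_DOMAIN"
```

Whichever way the split is done in the real configuration (split_username_nai, the suffix realm module, or hand-written unlang), it has to run before the mschap module builds its ntlm_auth command, otherwise the fallback to the full User-Name shown in step 1 is what ntlm_auth receives.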