tingel
Goto Top

Problem mit FreeRADIUS mit Anbindung an AD

Hallo,

ich habe ein Problem mit meiner FreeRADIUS-Konfiguration.
Versuche mit NTRadPing und mit "radtest" funktionieren, ebenso ntlm_auth über Konsole.
Was nicht geht ist die Benutzeranmeldung, wenn man sich über einen AccessPoint verbindet.

Hier sind die Logs von "freeradius -X":
NTRadPing

Going to the next request
Waking up in 0.3 seconds.
Cleaning up request 4 ID 5 with timestamp +106
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host <IP> port 62659, id=8, length=43
User-Name = "User"
User-Password = "Password"
  1. Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> TRUE
+++? if (!control:Auth-Type && User-Password) -> TRUE
+++- entering if (!control:Auth-Type && User-Password) {...}
[control] returns noop
+++- if (!control:Auth-Type && User-Password) returns noop
++- policy ntlm_auth.authorize returns noop
Found Auth-Type = ntlm_auth
  1. Executing group from file /etc/freeradius/sites-enabled/default
+- entering group ntlm_auth {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=User
[ntlm_auth] expand: --password=%{User-Password} -> --password=Password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
  1. Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 8 to 10.0.1.165 port 62659
Finished request 7.
Going to the next request
Waking up in 1.8 seconds.
Cleaning up request 5 ID 6 with timestamp +110
Waking up in 1.3 seconds.
Cleaning up request 6 ID 7 with timestamp +111
Waking up in 1.7 seconds.
Cleaning up request 7 ID 8 with timestamp +113
Ready to process requests.


radtest

Going to the next request
Waking up in 1.8 seconds.
Cleaning up request 5 ID 6 with timestamp +110
Waking up in 1.3 seconds.
Cleaning up request 6 ID 7 with timestamp +111
Waking up in 1.7 seconds.
Cleaning up request 7 ID 8 with timestamp +113
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 53165, id=31, length=73
User-Name = "User"
User-Password = "Password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0xb1a874926be72970d32e52a65ff5e1b8
  1. Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> TRUE
+++? if (!control:Auth-Type && User-Password) -> TRUE
+++- entering if (!control:Auth-Type && User-Password) {...}
[control] returns noop
+++- if (!control:Auth-Type && User-Password) returns noop
++- policy ntlm_auth.authorize returns noop
Found Auth-Type = ntlm_auth
  1. Executing group from file /etc/freeradius/sites-enabled/default
+- entering group ntlm_auth {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=User
[ntlm_auth] expand: --password=%{User-Password} -> --password=Password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
  1. Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 31 to 127.0.0.1 port 53165
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.


radtest

Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 8 ID 31 with timestamp +166
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 33125, id=28, length=129
User-Name = "<User>"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0xd9bd228def8ce72c3c9a1db8bbc0c71c
MS-CHAP-Challenge = 0x9211cf203effcf6e
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000212f163d158bed24d7a55fe5bce31da32ff9dde32c64f1f0
  1. Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> FALSE
? Skipping (User-Password)
+++? if (!control:Auth-Type && User-Password) -> FALSE
++- policy ntlm_auth.authorize returns noop
Found Auth-Type = MSCHAP
  1. Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=User
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}face-big-smileOMAIN} -> --domain=DOMAIN
[mschap] mschap1: 92
[mschap] expand: --challenge=%{mschap:Challengeface-surprise0} -> --challenge=9211cf203effcf6e
[mschap] expand: --nt-response=%{mschap:NT-Responseface-surprise0} -> --nt-response=212f163d158bed24d7a55fe5bce31da32ff9dde32c64f1f0
Exec-Program output: NT_KEY: 9E41CC913E3A0FF58DE47D891F829D3D
Exec-Program-Wait: plaintext: NT_KEY: 9E41CC913E3A0FF58DE47D891F829D3D
Exec-Program: returned: 0
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
  1. Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 28 to 127.0.0.1 port 33125
MS-CHAP-MPPE-Keys = 0x00000000000000009e41cc913e3a0ff58de47d891f829d3d0000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.


Verbindung über den AccessPoint

Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 28 with timestamp +188
Ready to process requests.
rad_recv: Access-Request packet from host IP_AP port 2048, id=6, length=147
User-Name = "User"
NAS-IP-Address = IP_AP
NAS-Port = 0
Called-Station-Id = "B0-48-7A-CE-4F-89:WLAN-Test"
Calling-Station-Id = "00-13-CE-C8-89-8A"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100080165736a
Message-Authenticator = 0xb5fcb781b8baf1e6a08277d2053f77f8
  1. Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> FALSE
+++? if (!control:Auth-Type && User-Password) -> FALSE
++- policy ntlm_auth.authorize returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
  1. Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
++- group REJECT returns noop
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 6 to 172.16.50.11 port 2048
Waking up in 4.9 seconds.


Woran kann das liegen?

Content-ID: 268788

Url: https://administrator.de/contentid/268788

Ausgedruckt am: 26.11.2024 um 08:11 Uhr

119944
119944 10.04.2015 um 13:46:47 Uhr
Goto Top
Hi,

Kennst du diese Anleitung schon?
Ubuntu 14.04 - 16.04 - 18.04 - 20.04 LTS Server - Freeradius mit AD-Anbindung

Würde an deiner Stelle erstmal die Konfigs vergleichen.

VG
Val
tingel
tingel 10.04.2015 um 14:03:39 Uhr
Goto Top
Danke für den Link.
Jedoch soll es ohne Zertifikate konfiguriert werden, hab ich vergessen zu erwähnen.
aqui
Lösung aqui 10.04.2015, aktualisiert am 15.05.2023 um 16:26:14 Uhr
Goto Top
Hier findest du eine abtippfertige FreeRadius Konfig die eine wasserdichte Funktion mit dem AD garantiert:
Netzwerk Management Server mit Raspberry Pi
Oder auch hier:
Freeradius Management mit WebGUI

Grundlagen wie immer hier:
Netzwerk Zugangskontrolle mit 802.1x und FreeRadius am LAN Switch