Problem with FreeRADIUS connected to AD
Hello,
I have a problem with my FreeRADIUS configuration.
Attempts with NTRadPing and with "radtest" work, as does ntlm_auth from the console.
What does not work is user login when connecting via an access point.
Here are the logs from "freeradius -X":
NTRadPing
Going to the next request
Waking up in 0.3 seconds.
Cleaning up request 4 ID 5 with timestamp +106
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host <IP> port 62659, id=8, length=43
User-Name = "User"
User-Password = "Password"
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> TRUE
+++? if (!control:Auth-Type && User-Password) -> TRUE
+++- entering if (!control:Auth-Type && User-Password) {...}
[control] returns noop
+++- if (!control:Auth-Type && User-Password) returns noop
++- policy ntlm_auth.authorize returns noop
Found Auth-Type = ntlm_auth
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=User
[ntlm_auth] expand: --password=%{User-Password} -> --password=Password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
++[exec] returns noop
Sending Access-Accept of id 8 to 10.0.1.165 port 62659
Finished request 7.
Going to the next request
Waking up in 1.8 seconds.
Cleaning up request 5 ID 6 with timestamp +110
Waking up in 1.3 seconds.
Cleaning up request 6 ID 7 with timestamp +111
Waking up in 1.7 seconds.
Cleaning up request 7 ID 8 with timestamp +113
Ready to process requests.
radtest
Going to the next request
Waking up in 1.8 seconds.
Cleaning up request 5 ID 6 with timestamp +110
Waking up in 1.3 seconds.
Cleaning up request 6 ID 7 with timestamp +111
Waking up in 1.7 seconds.
Cleaning up request 7 ID 8 with timestamp +113
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 53165, id=31, length=73
User-Name = "User"
User-Password = "Password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0xb1a874926be72970d32e52a65ff5e1b8
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> TRUE
+++? if (!control:Auth-Type && User-Password) -> TRUE
+++- entering if (!control:Auth-Type && User-Password) {...}
[control] returns noop
+++- if (!control:Auth-Type && User-Password) returns noop
++- policy ntlm_auth.authorize returns noop
Found Auth-Type = ntlm_auth
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=User
[ntlm_auth] expand: --password=%{User-Password} -> --password=Password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
++[exec] returns noop
Sending Access-Accept of id 31 to 127.0.0.1 port 53165
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
radtest
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 8 ID 31 with timestamp +166
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 33125, id=28, length=129
User-Name = "<User>"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0xd9bd228def8ce72c3c9a1db8bbc0c71c
MS-CHAP-Challenge = 0x9211cf203effcf6e
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000212f163d158bed24d7a55fe5bce31da32ff9dde32c64f1f0
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> FALSE
? Skipping (User-Password)
+++? if (!control:Auth-Type && User-Password) -> FALSE
++- policy ntlm_auth.authorize returns noop
Found Auth-Type = MSCHAP
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=User
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}OMAIN} -> --domain=DOMAIN
[mschap] mschap1: 92
[mschap] expand: --challenge=%{mschap:Challenge0} -> --challenge=9211cf203effcf6e
[mschap] expand: --nt-response=%{mschap:NT-Response0} -> --nt-response=212f163d158bed24d7a55fe5bce31da32ff9dde32c64f1f0
Exec-Program output: NT_KEY: 9E41CC913E3A0FF58DE47D891F829D3D
Exec-Program-Wait: plaintext: NT_KEY: 9E41CC913E3A0FF58DE47D891F829D3D
Exec-Program: returned: 0
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
++[exec] returns noop
Sending Access-Accept of id 28 to 127.0.0.1 port 33125
MS-CHAP-MPPE-Keys = 0x00000000000000009e41cc913e3a0ff58de47d891f829d3d0000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Connection via the access point
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 28 with timestamp +188
Ready to process requests.
rad_recv: Access-Request packet from host IP_AP port 2048, id=6, length=147
User-Name = "User"
NAS-IP-Address = IP_AP
NAS-Port = 0
Called-Station-Id = "B0-48-7A-CE-4F-89:WLAN-Test"
Calling-Station-Id = "00-13-CE-C8-89-8A"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100080165736a
Message-Authenticator = 0xb5fcb781b8baf1e6a08277d2053f77f8
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy ntlm_auth.authorize {...}
+++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> FALSE
+++? if (!control:Auth-Type && User-Password) -> FALSE
++- policy ntlm_auth.authorize returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
++- group REJECT returns noop
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 6 to 172.16.50.11 port 2048
Waking up in 4.9 seconds.
What could be the cause?
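Added example, not from the post or from any of the replies: a small Python checker that reads "freeradius -X" output shaped like the logs above and reports, per Access-Request, which attributes arrived, which modules ran, and whether the authorize section set an Auth-Type. The sample log is constructed (values shortened) and only covers the PAP and access-point cases; the message texts and the `eap` module check are my own additions.

```python
import re
# Constructed excerpt in the shape of the post's "freeradius -X" output (values shortened).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.1.165 port 62659, id=8, length=43
    User-Name = "User"
    User-Password = "Password"
++[pap] returns noop
Found Auth-Type = ntlm_auth
Sending Access-Accept of id 8 to 10.0.1.165 port 62659
rad_recv: Access-Request packet from host 172.16.50.11 port 2048, id=6, length=147
    User-Name = "User"
    EAP-Message = 0x020100080165736a
++[mschap] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 6 to 172.16.50.11 port 2048
"""
RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
MODULE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")  # e.g. "++[pap] returns noop"

def parse_requests(log):
    """One record per Access-Request: attributes, modules run, Auth-Type, reply."""
    reqs = []
    for line in log.splitlines():
        m = RECV.match(line)
        if m:
            reqs.append({"host": m.group(1), "id": int(m.group(2)), "attrs": set(),
                         "modules": {}, "auth_type": None, "result": None})
        elif not reqs:
            continue                                       # preamble before the first request
        elif line.startswith("Found Auth-Type = "):
            reqs[-1]["auth_type"] = line.split("= ", 1)[1].strip()
        elif line.startswith("Sending Access-"):
            reqs[-1]["result"] = line.split()[1]           # Access-Accept / Access-Reject
        elif (m := MODULE.match(line)):
            reqs[-1]["modules"][m.group(1)] = m.group(2)
        elif " = " in line:                                # request attribute line
            reqs[-1]["attrs"].add(line.split(" = ", 1)[0].strip())
    return reqs

def diagnose(req):
    """Say whether authorize could pick an Auth-Type for this request and, if not, why."""
    attrs = req["attrs"]
    if req["auth_type"]:
        return f"ok: Auth-Type {req['auth_type']} set"
    if "EAP-Message" in attrs and "User-Password" not in attrs:
        msg = "EAP request without User-Password: the ntlm_auth.authorize policy cannot set Auth-Type"
        if "eap" not in req["modules"]:
            msg += "; no eap module ran in authorize"      # the stock default site runs eap there
        return msg
    return "no module set an Auth-Type"

def summarize(log):
    return [f"id={r['id']} from {r['host']}: {r['result']} -> {diagnose(r)}"
            for r in parse_requests(log)]
```

Run `summarize()` over a real "-X" capture to see at a glance which requests never got an Auth-Type and why the `if (!control:Auth-Type && User-Password)` policy could not fire for them.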
Content-ID: 268788
Url: https://administrator.de/contentid/268788
3 comments
Hi,
Do you already know this guide?
Ubuntu 14.04 - 16.04 - 18.04 - 20.04 LTS Server - Freeradius mit AD-Anbindung
If I were you, I would start by comparing the configs.
Regards
Val
Here you will find a ready-to-type FreeRadius config that guarantees watertight operation with AD:
Netzwerk Management Server mit Raspberry Pi
Or also here:
Freeradius Management mit WebGUI
Basics, as always, here:
Netzwerk Zugangskontrolle mit 802.1x und FreeRadius am LAN Switch