Wifi + Active Directory without ntlm

Wifi + Active Directory without ntlm

Users mailing list
Hi,

Source data:
Active directory
freeradius 3.0.21

In /etc/freeradius/mods-enabled/mschap

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN.COM --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"


FreeRADIUS LDAP module installed and configured


Question: is it possible to configure FreeRADIUS with Active Directory without NTLM? If possible, how? )
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Wifi + Active Directory without ntlm

Matthew Newton


On 14/05/2020 13:19, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
> Freeradius ldap module installed and configured
>
> Question: Is it possible to configure freeradius with Active Directory without ntlm ? If possible, how ? )

To do what? Just get policy information/groups etc, or to authenticate?

FreeRADIUS can use LDAP to query AD to get group information etc just
fine. However, AD won't give you a password over LDAP. So in the vast
majority of cases if you want to authenticate you need to use mschap.

--
Matthew

Re: Wifi + Active Directory without ntlm

Users mailing list
Ideally, I want to authenticate the domain user and, if he is in the domain, check his group. If he is not in the group, do not connect him to Wi-Fi. Is this possible without NTLM?

On 14 May 2020, at 16:07, Matthew Newton <[hidden email]> wrote:


Re: Wifi + Active Directory without ntlm

Matthew Newton
On 14/05/2020 14:32, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
> Ideally, I want to authenticate the domain user and if he is in the domain, check his group. If not in the group, do not connect to wifi. Is this possible without ntlm ?
What EAP type(s)?

EAP-TTLS/PAP, it might be possible.

Pretty much anything else (i.e. the most common case), no.

--
Matthew

Re: Wifi + Active Directory without ntlm

Alan DeKok
On May 14, 2020, at 9:32 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> Ideally, I want to authenticate the domain user and if he is in the domain, check his group. If not in the group, do not connect to wifi. Is this possible without ntlm ?

  Read this:  http://deployingradius.com/documents/protocols/compatibility.html

  AD is in the column for "NT-Hash / ntlm_auth".  Those are your options.

  And as a general rule, we give the *simplest* possible way to get things done.  We have to use FreeRADIUS, too.  It's just not helpful to make things complicated.

  So if we recommend ntlm, it's because ntlm is the simplest way to get things done.

  Alan DeKok.



Re: Wifi + Active Directory without ntlm

Josef Vybíhal
Is it possible that you mean you just don't want to use the ntlm_auth
command? If yes, then read the winbind comment section in the mschap module
config.
# winbind_username = "%{mschap:User-Name}"
# winbind_domain = "%{mschap:NT-Domain}"

or this
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind


Re: Wifi + Active Directory without ntlm

Users mailing list
The idea was to link FreeRADIUS and AD via the LDAP module, that is, without installing Samba and winbind, and to authenticate using the LDAP module. So it will not work like this, right? Is the LDAP module then meant for other LDAP implementations, such as OpenLDAP?


Re: Wifi + Active Directory without ntlm

Alan DeKok
On May 14, 2020, at 10:56 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> The idea was to link freeradius and ad via an ldap module. That is, do not install samba and windbind. To authentifizierte using the ldap module. That is, it will not work like this. Right ?

  That question has been asked and answered about 4 times now.  The answer won't change if you keep asking the same question.  The only thing you'll do is annoy the people who are trying to help you.

> So the ldap module is it for other LDAP implementations, such as openldap ?

  The LDAP module is for any server which implements LDAP.  Like AD.

  But as you were already told, the issue isn't LDAP.  It's AD.

  Alan DeKok.



Re: Wifi + Active Directory without ntlm

Fabrice Durand
I did this kind of configuration a long time ago and most of the work
needs to be done on the AD side.

The idea is to mimic what an eDirectory server does (Universal Password)
and create an LDAP attribute in which you store the NT hash of the
user/computer.

https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute


The other way is to extract the NT hash for each user, store it
somewhere (SQL, for example) and configure FreeRADIUS to fetch the NT hash
based on the username.

https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py


Regards

Fabrice

--
Fabrice Durand
[hidden email] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)


Re: Wifi + Active Directory without ntlm

Users mailing list
To sum up: I can't use AD without NTLM, because the passwords coming from AD are encrypted. Do I need NTLM to work with encrypted passwords?


Re: Wifi + Active Directory without ntlm

Alan DeKok


> On May 19, 2020, at 7:35 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> Sum up. I can't use AD without ntlm. Because there are encrypted passwords coming from AD. Do I need Ntlm to work with encrypted passwords ?

  That's a little confused.

  Doing MS-CHAP to AD requires ntlm_auth.

  If you have PAP, you can do normal LDAP bind to AD.

  If you're not using AD, then FreeRADIUS supports all standard encryption types.  But these only work for PAP.  NT hashed passwords also work for MS-CHAP.

  Alan DeKok.



Re: Wifi + Active Directory without ntlm

Users mailing list
Thanks. Working version with TTLS/PAP and the LDAP module:


In /etc/freeradius/mods-enabled/eap:

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        tls-config tls-common {
                private_key_file = /etc/freeradius/certs/ssl-cert-snakeoil.key
                certificate_file = /etc/freeradius/certs/ssl-cert-snakeoil.pem
                ca_file = /etc/freeradius/certs/ca-certificates.crt
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                cipher_list = "HIGH"
                cipher_server_preference = no
                ecdh_curve = "prime256v1"
                check_crl = no
        }
        ttls {
                tls = tls-common
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
}

But group access doesn't work.

In /etc/freeradius/users:
LDAP-Group == "VPN_GROUP"
DEFAULT Group != "VPN_GROUP", Auth-Type := Reject

/etc/freeradius/mods-config/files/authorize[1]: Parse error (check) for entry LDAP-Group: Invalid attribute name
Failed reading /etc/freeradius/mods-config/files/authorize
/etc/freeradius/mods-enabled/files[9]: Instantiation failed for module "files"

Is it possible to configure group access in this configuration?


Re: Wifi + Active Directory without ntlm

Users mailing list
If /etc/freeradius/users contains

DEFAULT Auth-Type := LDAP, LDAP-Group == "test_group"
DEFAULT Ldap-Group != "test_group", Auth-Type := Reject

then all users get access regardless of their membership in this group. Why does this happen?


Re: Wifi + Active Directory without ntlm

Alan DeKok


> On May 28, 2020, at 7:41 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> If /etc/freeradius/users
>
> DEFAULT Auth-Type := LDAP, LDAP-Group == "test_group"
> DEFAULT Ldap-Group != "test_group", Auth-Type := Reject
>
> Then all users get access regardless of their membership in this group. Why can this happen ?

  Well, the debug output should tell you.

  But this kind of thing is generally easier to do in an "unlang" policy, instead of the "users" file:

        if (LDAP-Group == "test") {
                update control {
                        Auth-Type := ldap
                }
        }
        else {
                reject
        }

  Alan DeKok.



Re: Wifi + Active Directory without ntlm

Users mailing list
How do I start debugging to see what happens when I connect? Can freeradius -X do this?


Re: Wifi + Active Directory without ntlm

Alan DeKok


> On May 28, 2020, at 8:48 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> How do I start debag to see what happens when I connect ? freeradius -X can do this ?

  Yes.

  http://wiki.freeradius.org/list-help

  Alan DeKok.

