How to configure Windows 10 -> ipsec -> freeradius/ldap -> samba4



  • I've spent a few days messing with this and I've gotten most of the pieces working individually, but not all together.  I'm not sure if that's because it simply isn't possible, or because I'm lacking the necessary understanding.

    Following the excellent guide (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2), I was able to set up an IPsec VPN between a Windows 10 client and pfSense 2.3.2.  If I'm OK with authenticating against plain-text passwords stored on the firewall, that's good enough.

    I then installed the FreeRADIUS package and got it configured to authenticate against my Samba4 server via LDAP. I am able to validate this using the radtest tool and by adding a new Authentication Server under System/User Manager/Authentication server and testing with the Diagnostics / Authentication tool.

    My next step was to change the VPN / IPsec / Mobile Clients / Extended Authentication (Xauth) section to authenticate against my FreeRADIUS authentication source, and change VPN / IPsec / Mobile Clients / Edit Phase 1 / Authentication Method from "EAP-MSChapv2" to "EAP-RADIUS".

    After restarting the IPsec service, I started FreeRADIUS (radiusd -X) from the shell so that I could monitor the auth attempt.  I configured my Windows 10 client to use Microsoft: Protected EAP (PEAP).  For testing purposes, I've disabled any certificate / server checking on the Windows client.

    Having made these changes, my Windows client will no longer authenticate.  I can see that strongSwan is talking to the FreeRADIUS server and that none of the auth attempts being made are succeeding.

    At this point, I can't figure out if what I'm trying to do is just not possible, or if I need to change IPsec settings, or RADIUS settings, or Samba4 settings, or Windows client settings, or some combination of the above.  Can somebody provide insight into what I need to adjust, or how I can further diagnose things?

    Thanks.

    FreeRADIUS logs are below.

    
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=231, length=140
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x0200000a017065746572
            NAS-Identifier = "strongSwan"
            Message-Authenticator = 0x67b4cf3e2648f4d4310dcc5b7f35a440
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 0 length 10
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    ++[files] = noop
    ++policy redundant {
    [ldap] performing user authorization for TestUser
    [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    [ldap]  ... expanding second conditional
    [ldap]  expand: %{User-Name} -> TestUser
    [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
    [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
      [ldap] ldap_get_conn: Checking Id: 0
      [ldap] ldap_get_conn: Got Id: 0
      [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
      [ldap] ldap_release_conn: Release Id: 0
    +++[ldap] = ok
    ++} # policy redundant = ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] = noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: IP_Removed[5205]
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] = notfound
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] EAP Identity
    [eap] processing type md5
    rlm_eap_md5: Issuing Challenge
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 231 to 127.0.0.1 port 9312
            EAP-Message = 0x0101001604105ae5d4baf16a7c509dab031e5459c66f
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47ceb79b0460627db70884014f4
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=232, length=154
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x020100060319
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47ceb79b0460627db70884014f4
            Message-Authenticator = 0x722d1fb10f2c9da44fcb479cb0c60bd6
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 1 length 6
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    ++[files] = noop
    ++policy redundant {
    [ldap] performing user authorization for TestUser
    [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    [ldap]  ... expanding second conditional
    [ldap]  expand: %{User-Name} -> TestUser
    [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
    [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
      [ldap] ldap_get_conn: Checking Id: 0
      [ldap] ldap_get_conn: Got Id: 0
      [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
      [ldap] ldap_release_conn: Release Id: 0
    +++[ldap] = ok
    ++} # policy redundant = ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] = noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: IP_Removed[5205]
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] = notfound
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP NAK
    [eap] EAP-NAK asked for EAP-Type/peap
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 232 to 127.0.0.1 port 9312
            EAP-Message = 0x010200061920
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47cea7aad460627db70884014f4
    Finished request 2.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=233, length=330
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x020200b61980000000ac16030300a7010000a3030357b4dc78407bc5ba6bbc4d071dd2496862c0382a2a98bfd51de17792084c11fe00003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003e000500050100000000000a0006000400170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47cea7aad460627db70884014f4
            Message-Authenticator = 0x34580bb6d0e426bad60229ec572b92f4
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 2 length 182
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
      TLS Length 172
    [peap] Length Included
    [peap] eaptls_verify returned 11
    [peap]     (other): before/accept initialization
    [peap]     TLS_accept: before/accept initialization
    [peap] <<< Unknown TLS version [length 00a7]
    [peap]     TLS_accept: SSLv3 read client hello A
    [peap] >>> Unknown TLS version [length 0039]
    [peap]     TLS_accept: SSLv3 write server hello A
    [peap] >>> Unknown TLS version [length 08d0]
    [peap]     TLS_accept: SSLv3 write certificate A
    [peap] >>> Unknown TLS version [length 014d]
    [peap]     TLS_accept: SSLv3 write key exchange A
    [peap] >>> Unknown TLS version [length 0004]
    [peap]     TLS_accept: SSLv3 write server done A
    [peap]     TLS_accept: SSLv3 flush data
    [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
    [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    [peap] eaptls_process returned 13
    [peap] EAPTLS_HANDLED
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 233 to 127.0.0.1 port 9312
            EAP-Message = ...
            EAP-Message = 0x696361746520417574686f72697479301e170d3136303831323232353131325a170d3137303831323232353131325a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c971618489ecbdc46a213ab89d709a9dfdc5be11f1965816430cde9d70ac2117d1aa5118cfd5ea36d2d613a0670dde
            EAP-Message = ...
            EAP-Message = ...
            EAP-Message = 0xe0a3e05f8b413f52ce9ffba2
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47ce97bad460627db70884014f4
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=234, length=154
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x020300061900
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47ce97bad460627db70884014f4
            Message-Authenticator = 0x7be72d92ae0aebeab57a4e51a66d7705
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 3 length 6
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] Received TLS ACK
    [peap] ACK handshake fragment handler
    [peap] eaptls_verify returned 1
    [peap] eaptls_process returned 13
    [peap] EAPTLS_HANDLED
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 234 to 127.0.0.1 port 9312
            EAP-Message = 0x010403fc1940a03cb8b4b47f05602d8181f4b64ef50f87fb7e9965f7f5d3d5e637c7ec2f5ef6ade033f4e72cfa3cd4fb440979bd32dda6140653850004e5308204e1308203c9a003020102020900baffaa390de57455300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e
            EAP-Message = 0x170d3136303831323232353131325a170d3137303831323232353131325a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100be3bb728409915dbd51039e0f3db0b8f733a97ab215977671b95e113475b77a909e579946abcb214
            EAP-Message = ...
            EAP-Message = ...
            EAP-Message = 0x2e6578616d706c65
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47ce87cad460627db70884014f4
    Finished request 4.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=235, length=154
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x020400061900
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47ce87cad460627db70884014f4
            Message-Authenticator = 0x8898dca0e4c57984409c6552f4df211c
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 4 length 6
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] Received TLS ACK
    [peap] ACK handshake fragment handler
    [peap] eaptls_verify returned 1
    [peap] eaptls_process returned 13
    [peap] EAPTLS_HANDLED
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 235 to 127.0.0.1 port 9312
            EAP-Message = ...
            EAP-Message = ...
            EAP-Message = 0x56b2b2fdca71dc3f4c6bd4bd089e64fb355e9020de05a8b426be2428c4be148813ae9139bc2d54077c1d3e6b778a866a945a9bb77db30dd8ce201459dc5c61a0b1b26a40cea4f169609e8949fc53e43ffebbdbf0206581cc80165ccff36be9756dc1f7aa20caaa1906221eb3f79155afc1635b29c10093d22af50fa8db71b15f6ddd4ac7b416030300040e000000
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47cef7dad460627db70884014f4
    Finished request 5.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=236, length=284
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x0205008819800000007e16030300461000004241047757fb960bf7f99812200263aa2780883aca69ac5fcb73d9f376ef076b2c9e0a8466e42a44ef655b6a73a05d4e375972bd3f6804eb7e2df30a697fb91d6d6ad814030300010116030300280000000000000000964c30df5cecb1bb27ca583b050b22fbd67ffb96e65441fac7b6f60b256c6cde
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47cef7dad460627db70884014f4
            Message-Authenticator = 0x58484ef7b4767608c12b685c356dbeb5
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 5 length 136
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
      TLS Length 126
    [peap] Length Included
    [peap] eaptls_verify returned 11
    [peap] <<< Unknown TLS version [length 0046]
    [peap]     TLS_accept: SSLv3 read client key exchange A
    [peap]     TLS_accept: SSLv3 read certificate verify A
    [peap] <<< Unknown TLS version [length 0001]
    [peap] <<< Unknown TLS version [length 0010]
    [peap]     TLS_accept: SSLv3 read finished A
    [peap] >>> Unknown TLS version [length 0001]
    [peap]     TLS_accept: SSLv3 write change cipher spec A
    [peap] >>> Unknown TLS version [length 0010]
    [peap]     TLS_accept: SSLv3 write finished A
    [peap]     TLS_accept: SSLv3 flush data
    [peap]     (other): SSL negotiation finished successfully
    SSL Connection Established
    [peap] eaptls_process returned 13
    [peap] EAPTLS_HANDLED
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 236 to 127.0.0.1 port 9312
            EAP-Message = 0x0106003919001403030001011603030028f12ba754bee30bf915504ae770ed305d665f01e6bda106b85b2dcd097f9d8040dbc28d65d81c2497
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47cee7ead460627db70884014f4
    Finished request 6.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=237, length=154
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x020600061900
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47cee7ead460627db70884014f4
            Message-Authenticator = 0xc8534ef2496dc0beb58be833fadf1174
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 6 length 6
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] Received TLS ACK
    [peap] ACK handshake is finished
    [peap] eaptls_verify returned 3
    [peap] eaptls_process returned 3
    [peap] EAPTLS_SUCCESS
    [peap] Session established.  Decoding tunneled attributes.
    [peap] Peap state TUNNEL ESTABLISHED
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 237 to 127.0.0.1 port 9312
            EAP-Message = 0x010700281900170303001df12ba754bee30bfabf55d82bb2ae79562f72483a8dc8a6b3482f8a0a9c
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47ced7fad460627db70884014f4
    Finished request 7.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=238, length=189
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x020700291900170303001e0000000000000001721f0bd90cbbacf904adb63a4d88f60f44774966589e
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47ced7fad460627db70884014f4
            Message-Authenticator = 0xf0c383b0797787a613991fd552aae4b2
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 7 length 41
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established.  Decoding tunneled attributes.
    [peap] Peap state WAITING FOR INNER IDENTITY
    [peap] Identity - TestUser
    [peap] Got inner identity 'TestUser'
    [peap] Setting default EAP type for tunneled EAP session.
    [peap] Got tunneled request
            EAP-Message = 0x0207000a017065746572
    server  {
    [peap] Setting User-Name to TestUser
    Sending tunneled request
            EAP-Message = 0x0207000a017065746572
            FreeRADIUS-Proxied-To = 127.0.0.1
            User-Name = "TestUser"
    server  {
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 7 length 10
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    ++[files] = noop
    ++policy redundant {
    [ldap] performing user authorization for TestUser
    [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    [ldap]  ... expanding second conditional
    [ldap]  expand: %{User-Name} -> TestUser
    [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
    [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
      [ldap] ldap_get_conn: Checking Id: 0
      [ldap] ldap_get_conn: Got Id: 0
      [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
      [ldap] ldap_release_conn: Release Id: 0
    +++[ldap] = ok
    ++} # policy redundant = ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] = noop
    rlm_checkval: Could not find item named Calling-Station-Id in request
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] = notfound
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] EAP Identity
    [eap] processing type mschapv2
    rlm_eap_mschapv2: Issuing Challenge
    ++[eap] = handled
    +} # group authenticate = handled
    } # server
    [peap] Got tunneled reply code 11
            EAP-Message = 0x0108001f1a0108001a10bfc631df6dee265fb599c42474e4f6157065746572
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x2d20f6832d28ec24c59800e3c9a23387
    [peap] Got tunneled reply RADIUS code Access-Challenge
            EAP-Message = 0x0108001f1a0108001a10bfc631df6dee265fb599c42474e4f6157065746572
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x2d20f6832d28ec24c59800e3c9a23387
    [peap] Got tunneled Access-Challenge
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 238 to 127.0.0.1 port 9312
            EAP-Message = 0x0108003e19001703030033f12ba754bee30bfbc6ad2bd0df630792fe01306fce5a37dc89e18ba89e1ee7eb53590300f868541d09311e9792638b464abcb5
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47cec70ad460627db70884014f4
    Finished request 8.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=239, length=243
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x0208005f190017030300540000000000000002da9adb4d99a9ac37134c734a1837dc50969996f4694839b6633032bb83f6403843de4854af075ccfe2869e8d6f9f419067b3783d624601c4062f79f2aea1dc20d0251ad40164c33374575e3e
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47cec70ad460627db70884014f4
            Message-Authenticator = 0xc69ab484d3649ccef3a1d705adec6d6e
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 8 length 95
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established.  Decoding tunneled attributes.
    [peap] Peap state phase2
    [peap] EAP type mschapv2
    [peap] Got tunneled request
            EAP-Message = 0x020800401a0208003b31fd1afe750dbd255cd4207670f4789029000000000000000058ab4a3f8aa93e65a81d9d826e223aef2e29cf987ca0c640007065746572
    server  {
    [peap] Setting User-Name to TestUser
    Sending tunneled request
            EAP-Message = 0x020800401a0208003b31fd1afe750dbd255cd4207670f4789029000000000000000058ab4a3f8aa93e65a81d9d826e223aef2e29cf987ca0c640007065746572
            FreeRADIUS-Proxied-To = 127.0.0.1
            User-Name = "TestUser"
            State = 0x2d20f6832d28ec24c59800e3c9a23387
    server  {
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 8 length 64
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    ++[files] = noop
    ++policy redundant {
    [ldap] performing user authorization for TestUser
    [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    [ldap]  ... expanding second conditional
    [ldap]  expand: %{User-Name} -> TestUser
    [ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser)
    [ldap]  expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net
      [ldap] ldap_get_conn: Checking Id: 0
      [ldap] ldap_get_conn: Got Id: 0
      [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser)
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
      [ldap] ldap_release_conn: Release Id: 0
    +++[ldap] = ok
    ++} # policy redundant = ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] = noop
    rlm_checkval: Could not find item named Calling-Station-Id in request
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] = notfound
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    [mschapv2] +group MS-CHAP {
    [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
    [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
    [mschap] Creating challenge hash with username: TestUser
    [mschap] Client is using MS-CHAPv2 for TestUser, we need NT-Password
    [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
    [mschap] FAILED: MS-CHAP2-Response is incorrect
    ++[mschap] = reject
    +} # group MS-CHAP = reject
    [eap] Freeing handler
    ++[eap] = reject
    +} # group authenticate = reject
    Failed to authenticate the user.
            expand:  ->
    Login incorrect: [TestUser] (from client localhost port 0 via TLS tunnel)
    Using Post-Auth-Type Reject
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group REJECT {
    [attr_filter.access_reject]     expand: %{User-Name} -> TestUser
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] = updated
    +} # group REJECT = updated
    } # server
    [peap] Got tunneled reply code 3
            MS-CHAP-Error = "\010E=691 R=1"
            EAP-Message = 0x04080004
            Message-Authenticator = 0x00000000000000000000000000000000
    [peap] Got tunneled reply RADIUS code Access-Reject
            MS-CHAP-Error = "\010E=691 R=1"
            EAP-Message = 0x04080004
            Message-Authenticator = 0x00000000000000000000000000000000
    [peap] Tunneled authentication was rejected.
    [peap] FAILURE
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 239 to 127.0.0.1 port 9312
            EAP-Message = 0x0109002e19001703030023f12ba754bee30bfce9558a911d7a5fbf47648263b888d4c15cee4b10f4edc8a51a663d
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xeb78b47ce371ad460627db70884014f4
    Finished request 9.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=240, length=194
            User-Name = "TestUser"
            NAS-Port-Type = Virtual
            Service-Type = Framed-User
            NAS-Port = 1
            NAS-Port-Id = "con1"
            NAS-IP-Address = IP_Removed
            Called-Station-Id = "IP_Removed[4500]"
            Calling-Station-Id = "IP_Removed[5205]"
            EAP-Message = 0x0209002e1900170303002300000000000000039ee432499c84b8d278d9f29d933901b9dcd619c954063066e712d7
            NAS-Identifier = "strongSwan"
            State = 0xeb78b47ce371ad460627db70884014f4
            Message-Authenticator = 0x0cbb459bcd38df959afc8e237c088a5c
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 9 length 46
    [eap] Continuing tunnel setup.
    ++[eap] = ok
    +} # group authorize = ok
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established.  Decoding tunneled attributes.
    [peap] Peap state send tlv failure
    [peap] Received EAP-TLV response.
    [peap]  The users session was previously rejected: returning reject (again.)
    [peap]  *** This means you need to read the PREVIOUS messages in the debug output
    [peap]  *** to find out the reason why the user was rejected.
    [peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
    [peap]  *** what went wrong, and how to fix the problem.
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] = invalid
    +} # group authenticate = invalid
    Failed to authenticate the user.
            expand:  ->
    Login incorrect: [TestUser] (from client localhost port 1 cli IP_Removed[5205])
    Using Post-Auth-Type Reject
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +group REJECT {
    [attr_filter.access_reject]     expand: %{User-Name} -> TestUser
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] = updated
    +} # group REJECT = updated
    Delaying reject of request 10 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 10
    Sending Access-Reject of id 240 to 127.0.0.1 port 9312
            EAP-Message = 0x04090004
            Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 3.9 seconds.
    Cleaning up request 1 ID 231 with timestamp +508
    Cleaning up request 2 ID 232 with timestamp +508
    Cleaning up request 3 ID 233 with timestamp +508
    Cleaning up request 4 ID 234 with timestamp +508
    Cleaning up request 5 ID 235 with timestamp +508
    Cleaning up request 6 ID 236 with timestamp +508
    Cleaning up request 7 ID 237 with timestamp +508
    Cleaning up request 8 ID 238 with timestamp +508
    Cleaning up request 9 ID 239 with timestamp +508
    Waking up in 1.0 seconds.
    Cleaning up request 10 ID 240 with timestamp +508
    Ready to process requests.
    
    

  • Rebel Alliance Developer Netgate

    You're unlikely to find an answer here for that. It's a failure of EAP between FreeRADIUS+LDAP<->Samba and nothing to do with pfSense.

    You'd have better luck asking on a FreeRADIUS or Samba board. It may not be possible.



  • Thanks for pointing me in the right direction Jim.  I've gotten it working.  This makes it possible to have a Windows PC authenticate over the VPN through pfSense to a Samba4 / AD controller before login using the native Windows VPN client.

    The process is as follows.

    You should already have Samba4 and FreeRadius installed on the same machine.  Samba4 should already be joined to a domain and / or configured as an AD controller.

    Validate Samba4 and give radius access

    After joining the domain, test the connection using wbinfo.

    wbinfo -a <username>%<password>

    A successful response should show something like the following:

    plaintext password authentication failed
    Could not authenticate user <username>%<password> with plaintext password
    challenge/response password authentication succeeded

    The critical part is the "challenge/response password authentication succeeded".
    The plaintext password authentication error is expected as no plain-text passwords are stored in Active Directory.

    Now attempt an NTLM authentication:

    ntlm_auth --request-nt-key --domain=<netbios domain name> --username=<username>

    You are prompted for a password, and on successful authentication, you should see this output:

    NT_STATUS_OK: Success (0x0)

    The radiusd user needs access to the winbindd_privileged directory.
    This directory is typically found at /var/lib/samba/winbindd_privileged/.
    Check to see if any group besides root has access to the directory.

    ls -lh /var/lib/samba/

    If root is the group as well as the owner, create a new group. If a group already exists, make note of the group name and skip the next two steps.

    groupadd wbpriv

    Grant access for the group to the winbindd_privileged directory.

    chown :wbpriv /var/lib/samba/winbindd_privileged

    Add the radiusd user to the group that has read access on the winbindd_privileged directory.

    usermod -a -G wbpriv radiusd

    Configuring FreeRadius

    Edit the freeradius modules/mschap file. It can typically be found at /etc/freeradius/modules/mschap or /etc/raddb/modules/mschap depending on your distribution.

    Make sure the following lines are uncommented.
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/path/to/ntlm_auth …"
    with_ntdomain_hack = yes

    Modify the ntlm_auth line to point to the location of the ntlm_auth program you used earlier to test NTLM authentication.
    ntlm_auth is often found at /usr/bin/ntlm_auth.

    Add "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" to the ntlm_auth line (replace MYDOMAIN with the correct domain) so that it finally looks something like:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

    Save the file.

    In the freeradius sites-available/default and sites-available/inner-tunnel, ensure mschap is enabled in the authentication section.
    Disable the files module in each of these files if you do not use any of the information in the users file, and if necessary, comment out any uncommented test users in the users.conf file.

    In the freeradius eap.conf, change default_eap_type to peap .
    Change the "ttls" section as follows to use EAP-TTLS with EAP-MSCHAPv2 as the inner method.

    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = no

    Create a new entry in freeradius clients.conf to allow access from pfSense.

    client pfSense_IP_HERE {
    secret = REPLACE_THIS_WITH_A_SHARED_SECRET_KEY_THAT_WILL_BE_KNOWN_BY_PFSENSE
    shortname = pfsense_firewall
    nastype = other
    }

    Change the default secret for the localhost client in clients.conf file.

    Save the file and restart the FreeRadius service.

    Validate authenticating via FreeRadius

    radtest -t mschap TestUser@domain.com Users_Password localhost 0 SecretKeyForLocalHost

    Should return
    rad_recv: Access-Accept

    Setup a new Authentication Server in pfSense.
    System > User Manager > Authentication Servers
    Click "Add"
    Give the server a name - "test-domain-radius-mschapv2"
    Type = "RADIUS"
    Hostname = ipaddress of the radius server.
    Shared Secret = THE_SHARED_SECRET_KEY_CREATED_IN_THE_FREERADIUS_CLIENTS.CONF_FILE
    Services offered = Authentication

    Click Save

    Follow the instructions found at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 with the following exceptions.

    Under Mobile Clients, Set User Authentication to the newly created radius authentication method.
    Under Phase 1, set the Authentication Method to EAP-MSChapv2
    Don't create any Client Pre-Shared keys

    You should now be able to connect to the pfSense VPN using windows native VPN client and Samba4 / AD credentials.

    Credit for various pieces of this to the following sites:
    http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
    https://www.eduroam.us/node/89
    https://blog.practichem.com/configuring-freeradius-for-wpa2-enterprise-with-active-directory-integration-on-ubuntu-1404/
    http://deployingradius.com/documents/configuration/active_directory.html
    http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source
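Added example, not code from the thread or from the FreeRADIUS project: a small Python triage script for `radiusd -X` output of the kind posted above. It splits the debug log into one record per received packet, tracks the tunneled `server { ... }` block so that an inner (PEAP) rejection is told apart from the outer Access-Challenge that merely carries it, and returns the first concrete `FAILED:` reason, which is what the `[peap] *** read the PREVIOUS messages` hint in the log asks you to find by hand. The embedded sample log is constructed to resemble the thread's output (it is not a verbatim copy), and the MS-CHAP-Error code table is the one from RFC 2759 section 6.

```python
"""Triage `radiusd -X` (FreeRADIUS 2.x) debug output.

The final Access-Reject in a PEAP exchange only echoes a cached failure; the
reason lives in the earlier request whose tunneled (inner) auth was rejected.
"""
import re
from typing import Dict, List, Optional

# MS-CHAPv2 failure codes from RFC 2759 section 6 (E=<code> inside MS-CHAP-Error).
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure (bad credentials, or no NT hash available to the server)",
    709: "error changing password",
}

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SENDING = re.compile(r"^Sending (Access-\S+) of id (\d+)")
MODULE_RESULT = re.compile(r"^\++\[([\w.]+)\] = (\w+)")   # e.g. "++[mschap] = reject"
MSCHAP_ERROR = re.compile(r'MS-CHAP-Error = ".*E=(\d+)')
USER_NAME = re.compile(r'^User-Name = "([^"]*)"')
BAD_RESULTS = {"reject", "fail", "invalid"}

# Constructed sample modelled on the thread's log (PEAP outer, MS-CHAPv2 inner).
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=239, length=243
        User-Name = "TestUser"
        NAS-Identifier = "strongSwan"
+group authenticate {
[eap] EAP/peap
[peap] Got tunneled request
server  {
+group authenticate {
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group authenticate = reject
Login incorrect: [TestUser] (from client localhost port 0 via TLS tunnel)
} # server
[peap] Got tunneled reply RADIUS code Access-Reject
        MS-CHAP-Error = "\010E=691 R=1"
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 239 to 127.0.0.1 port 9312
Finished request 9.
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=240, length=194
        User-Name = "TestUser"
+group authenticate {
[peap]  The users session was previously rejected: returning reject (again.)
++[eap] = invalid
+} # group authenticate = invalid
Login incorrect: [TestUser] (from client localhost port 1 cli IP_Removed[5205])
Sending Access-Reject of id 240 to 127.0.0.1 port 9312
"""


def parse_debug_log(text: str) -> List[Dict]:
    """Split debug output into one record per rad_recv packet."""
    requests: List[Dict] = []
    cur: Optional[Dict] = None
    depth = 0  # >0 while inside a tunneled "server {" block (PEAP/TTLS inner request)
    for raw in text.splitlines():
        s = raw.strip()
        m = RAD_RECV.match(s)
        if m:
            cur = {"id": int(m.group(4)), "packet": m.group(1), "user": None,
                   "sent": None, "bad_modules": [], "reasons": [],
                   "mschap_error": None, "inner_rejected": False}
            requests.append(cur)
            depth = 0
            continue
        if cur is None:
            continue
        if s.startswith("server") and s.endswith("{"):
            depth += 1
        elif s.startswith("} # server"):
            depth -= 1
        m = USER_NAME.match(s)
        if m and cur["user"] is None:
            cur["user"] = m.group(1)
        m = MODULE_RESULT.match(s)
        if m and m.group(2) in BAD_RESULTS:
            cur["bad_modules"].append((m.group(1), m.group(2), depth > 0))
            cur["inner_rejected"] = cur["inner_rejected"] or depth > 0
        if "FAILED:" in s or "previously rejected" in s:
            cur["reasons"].append(s)
        m = MSCHAP_ERROR.search(s)
        if m:
            cur["mschap_error"] = int(m.group(1))
        m = SENDING.match(s)
        if m:
            cur["sent"] = m.group(1)
    return requests


def root_cause(requests: List[Dict]) -> Optional[Dict]:
    """Return the first request carrying a concrete FAILED: line, skipping the
    later 'previously rejected' echoes that the [peap] hint warns about."""
    for r in requests:
        real = [x for x in r["reasons"] if "FAILED:" in x]
        if real and r["bad_modules"]:
            mod, result, inner = r["bad_modules"][0]
            return {"request_id": r["id"], "user": r["user"], "module": mod,
                    "result": result, "inner_tunnel": inner, "reason": real[0],
                    "mschap_error": r["mschap_error"],
                    "mschap_meaning": MSCHAP_ERRORS.get(r["mschap_error"] or 0)}
    return None


if __name__ == "__main__":
    reqs = parse_debug_log(SAMPLE_LOG)
    for r in reqs:
        print(f"id={r['id']} user={r['user']} sent={r['sent']} inner_rejected={r['inner_rejected']}")
    print(root_cause(reqs))
```

On the constructed sample the root cause comes back as the inner `mschap` module in request 239 with `FAILED: No NT/LM-Password`, i.e. the server has no NT hash for the user and no ntlm_auth helper to ask winbind instead; that is precisely what the winbindd_privileged group and `ntlm_auth` configuration in the post above supplies. For a real capture, read the file and pass its contents to `parse_debug_log`; the E=691 meaning is the generic MS-CHAPv2 "authentication failure", so the `reason` field, not the error code, is what distinguishes a missing hash from a wrong password.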

