How to configure Windows 10 -> ipsec -> freeradius/ldap -> samba4
I've spent a few days messing with this and I've gotten most of the pieces working individually, but not all together. I'm not sure if that's because it simply isn't possible, or because I'm lacking the necessary understanding.
Following the excellent guide (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2), I was able to set up an IPsec VPN between a Windows 10 client and pfSense 2.3.2. If I'm OK with authenticating against plain-text passwords stored on the firewall, that's good enough.
I then installed the freeRadius package and got it configured to authenticate against my Samba4 server via LDAP. I am able to validate this using the radtest tool and by adding a new Authentication Server under System/User Manager/Authentication server and testing with the Diagnostics / Authentication tool.
My next step was to change the VPN / IPsec / Mobile Clients / Extended Authentication (Xauth) section to authenticate against my freeRadius authentication source, and change VPN / IPsec / Mobile Clients / Edit Phase 1 / Authentication Method from "EAP-MSChapv2" to "EAP-RADIUS".
After restarting the IPsec service, I started FreeRADIUS (radiusd -X) from the shell so that I could monitor the auth attempt. I configured my Windows 10 client to use Microsoft: Protected EAP (PEAP). For testing purposes, I've disabled any certificate / server checking on the Windows client.
Having made these changes, my windows client will no longer authenticate. I can see that StrongSwan is talking to the FreeRADIUS server and that none of the auth attempts being made are succeeding.
At this point, I can't figure out if what I'm trying to do is just not possible, or if I need to change IPSec settings, or Radius settings, or Samba4 settings, or Windows client settings, or some combination of the above. Can somebody provide insight into what I need to adjust, or how I can further diagnose things?
Thanks.
FreeRADIUS logs are below.
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=231, length=140 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x0200000a017065746572 NAS-Identifier = "strongSwan" Message-Authenticator = 0x67b4cf3e2648f4d4310dcc5b7f35a440 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++policy redundant { [ldap] performing user authorization for TestUser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> TestUser [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser) [ldap] expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 
[ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Item Name: Calling-Station-Id, Value: IP_Removed[5205] rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 231 to 127.0.0.1 port 9312 EAP-Message = 0x0101001604105ae5d4baf16a7c509dab031e5459c66f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47ceb79b0460627db70884014f4 Finished request 1. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=232, length=154 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x020100060319 NAS-Identifier = "strongSwan" State = 0xeb78b47ceb79b0460627db70884014f4 Message-Authenticator = 0x722d1fb10f2c9da44fcb479cb0c60bd6 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++policy redundant { [ldap] performing user authorization for TestUser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> TestUser [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser) [ldap] expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 
[ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Item Name: Calling-Station-Id, Value: IP_Removed[5205] rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 232 to 127.0.0.1 port 9312 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47cea7aad460627db70884014f4 Finished request 2. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=233, length=330 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x020200b61980000000ac16030300a7010000a3030357b4dc78407bc5ba6bbc4d071dd2496862c0382a2a98bfd51de17792084c11fe00003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003e000500050100000000000a0006000400170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100 NAS-Identifier = "strongSwan" State = 0xeb78b47cea7aad460627db70884014f4 Message-Authenticator = 0x34580bb6d0e426bad60229ec572b92f4 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 2 length 182 [eap] Continuing tunnel setup. 
++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 172 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< Unknown TLS version [length 00a7] [peap] TLS_accept: SSLv3 read client hello A [peap] >>> Unknown TLS version [length 0039] [peap] TLS_accept: SSLv3 write server hello A [peap] >>> Unknown TLS version [length 08d0] [peap] TLS_accept: SSLv3 write certificate A [peap] >>> Unknown TLS version [length 014d] [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> Unknown TLS version [length 0004] [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 233 to 127.0.0.1 port 9312 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0xe0a3e05f8b413f52ce9ffba2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47ce97bad460627db70884014f4 Finished request 3. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=234, length=154 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x020300061900 NAS-Identifier = "strongSwan" State = 0xeb78b47ce97bad460627db70884014f4 Message-Authenticator = 0x7be72d92ae0aebeab57a4e51a66d7705 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 234 to 127.0.0.1 port 9312 EAP-Message = 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 EAP-Message = 
0x170d3136303831323232353131325a170d3137303831323232353131325a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100be3bb728409915dbd51039e0f3db0b8f733a97ab215977671b95e113475b77a909e579946abcb214 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x2e6578616d706c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47ce87cad460627db70884014f4 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=235, length=154 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x020400061900 NAS-Identifier = "strongSwan" State = 0xeb78b47ce87cad460627db70884014f4 Message-Authenticator = 0x8898dca0e4c57984409c6552f4df211c # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. 
++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 235 to 127.0.0.1 port 9312 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x56b2b2fdca71dc3f4c6bd4bd089e64fb355e9020de05a8b426be2428c4be148813ae9139bc2d54077c1d3e6b778a866a945a9bb77db30dd8ce201459dc5c61a0b1b26a40cea4f169609e8949fc53e43ffebbdbf0206581cc80165ccff36be9756dc1f7aa20caaa1906221eb3f79155afc1635b29c10093d22af50fa8db71b15f6ddd4ac7b416030300040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47cef7dad460627db70884014f4 Finished request 5. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=236, length=284 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x0205008819800000007e16030300461000004241047757fb960bf7f99812200263aa2780883aca69ac5fcb73d9f376ef076b2c9e0a8466e42a44ef655b6a73a05d4e375972bd3f6804eb7e2df30a697fb91d6d6ad814030300010116030300280000000000000000964c30df5cecb1bb27ca583b050b22fbd67ffb96e65441fac7b6f60b256c6cde NAS-Identifier = "strongSwan" State = 0xeb78b47cef7dad460627db70884014f4 Message-Authenticator = 0x58484ef7b4767608c12b685c356dbeb5 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 5 length 136 [eap] Continuing tunnel setup. 
++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< Unknown TLS version [length 0046] [peap] TLS_accept: SSLv3 read client key exchange A [peap] TLS_accept: SSLv3 read certificate verify A [peap] <<< Unknown TLS version [length 0001] [peap] <<< Unknown TLS version [length 0010] [peap] TLS_accept: SSLv3 read finished A [peap] >>> Unknown TLS version [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> Unknown TLS version [length 0010] [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 236 to 127.0.0.1 port 9312 EAP-Message = 0x0106003919001403030001011603030028f12ba754bee30bf915504ae770ed305d665f01e6bda106b85b2dcd097f9d8040dbc28d65d81c2497 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47cee7ead460627db70884014f4 Finished request 6. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=237, length=154 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x020600061900 NAS-Identifier = "strongSwan" State = 0xeb78b47cee7ead460627db70884014f4 Message-Authenticator = 0xc8534ef2496dc0beb58be833fadf1174 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 237 to 127.0.0.1 port 9312 EAP-Message = 0x010700281900170303001df12ba754bee30bfabf55d82bb2ae79562f72483a8dc8a6b3482f8a0a9c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47ced7fad460627db70884014f4 Finished request 7. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=238, length=189 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x020700291900170303001e0000000000000001721f0bd90cbbacf904adb63a4d88f60f44774966589e NAS-Identifier = "strongSwan" State = 0xeb78b47ced7fad460627db70884014f4 Message-Authenticator = 0xf0c383b0797787a613991fd552aae4b2 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 7 length 41 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - TestUser [peap] Got inner identity 'TestUser' [peap] Setting default EAP type for tunneled EAP session. 
[peap] Got tunneled request EAP-Message = 0x0207000a017065746572 server { [peap] Setting User-Name to TestUser Sending tunneled request EAP-Message = 0x0207000a017065746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TestUser" server { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 7 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++policy redundant { [ldap] performing user authorization for TestUser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> TestUser [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser) [ldap] expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 
[ldap] ldap_release_conn: Release Id: 0 +++[ldap] = ok ++} # policy redundant = ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[forever] = noop rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x0108001f1a0108001a10bfc631df6dee265fb599c42474e4f6157065746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2d20f6832d28ec24c59800e3c9a23387 [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x0108001f1a0108001a10bfc631df6dee265fb599c42474e4f6157065746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2d20f6832d28ec24c59800e3c9a23387 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 238 to 127.0.0.1 port 9312 EAP-Message = 0x0108003e19001703030033f12ba754bee30bfbc6ad2bd0df630792fe01306fce5a37dc89e18ba89e1ee7eb53590300f868541d09311e9792638b464abcb5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb78b47cec70ad460627db70884014f4 
Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=239, length=243 User-Name = "TestUser" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "con1" NAS-IP-Address = IP_Removed Called-Station-Id = "IP_Removed[4500]" Calling-Station-Id = "IP_Removed[5205]" EAP-Message = 0x0208005f190017030300540000000000000002da9adb4d99a9ac37134c734a1837dc50969996f4694839b6633032bb83f6403843de4854af075ccfe2869e8d6f9f419067b3783d624601c4062f79f2aea1dc20d0251ad40164c33374575e3e NAS-Identifier = "strongSwan" State = 0xeb78b47cec70ad460627db70884014f4 Message-Authenticator = 0xc69ab484d3649ccef3a1d705adec6d6e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 8 length 95 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. 
[peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800401a0208003b31fd1afe750dbd255cd4207670f4789029000000000000000058ab4a3f8aa93e65a81d9d826e223aef2e29cf987ca0c640007065746572 server { [peap] Setting User-Name to TestUser Sending tunneled request EAP-Message = 0x020800401a0208003b31fd1afe750dbd255cd4207670f4789029000000000000000058ab4a3f8aa93e65a81d9d826e223aef2e29cf987ca0c640007065746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TestUser" State = 0x2d20f6832d28ec24c59800e3c9a23387 server { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "TestUser", skipping NULL due to config. ++[suffix] = noop [ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config. ++[ntdomain] = noop [eap] EAP packet type response id 8 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++policy redundant { [ldap] performing user authorization for TestUser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> TestUser [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=TestUser) [ldap] expand: cn=users,dc=TestDomain,dc=net -> cn=users,dc=TestDomain,dc=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=users,dc=TestDomain,dc=net, with filter (sAMAccountName=TestUser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 
[ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/default
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: TestUser
[mschap] Client is using MS-CHAPv2 for TestUser, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
expand: -> Login incorrect: [TestUser] (from client localhost port 0 via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> TestUser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 239 to 127.0.0.1 port 9312
        EAP-Message = 0x0109002e19001703030023f12ba754bee30bfce9558a911d7a5fbf47648263b888d4c15cee4b10f4edc8a51a663d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xeb78b47ce371ad460627db70884014f4
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=240, length=194
        User-Name = "TestUser"
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-Port = 1
        NAS-Port-Id = "con1"
        NAS-IP-Address = IP_Removed
        Called-Station-Id = "IP_Removed[4500]"
        Calling-Station-Id = "IP_Removed[5205]"
        EAP-Message = 0x0209002e1900170303002300000000000000039ee432499c84b8d278d9f29d933901b9dcd619c954063066e712d7
        NAS-Identifier = "strongSwan"
        State = 0xeb78b47ce371ad460627db70884014f4
        Message-Authenticator = 0x0cbb459bcd38df959afc8e237c088a5c
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "TestUser", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "TestUser", skipping NULL due to config.
++[ntdomain] = noop
[eap] EAP packet type response id 9 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
expand: -> Login incorrect: [TestUser] (from client localhost port 1 cli IP_Removed[5205])
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> TestUser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 240 to 127.0.0.1 port 9312
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 1 ID 231 with timestamp +508
Cleaning up request 2 ID 232 with timestamp +508
Cleaning up request 3 ID 233 with timestamp +508
Cleaning up request 4 ID 234 with timestamp +508
Cleaning up request 5 ID 235 with timestamp +508
Cleaning up request 6 ID 236 with timestamp +508
Cleaning up request 7 ID 237 with timestamp +508
Cleaning up request 8 ID 238 with timestamp +508
Cleaning up request 9 ID 239 with timestamp +508
Waking up in 1.0 seconds.
Cleaning up request 10 ID 240 with timestamp +508
Ready to process requests.
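Added diagnostic aid (not part of the original post, and not a FreeRADIUS tool): a short Python script that walks radiusd -X output request by request and collects the lines that actually explain a rejection, which in the log above are the "[mschap] FAILED: No NT/LM-Password" lines buried inside request 239 while the outer PEAP request 240 only reports "previously rejected". The sample log is a constructed, abridged excerpt modelled on the log above; the rad_recv line for id 239 is not in the quoted excerpt and is reconstructed here.

```python
"""Summarise why radiusd -X rejected an EAP/MS-CHAPv2 login (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# MS-CHAPv2 failure codes from RFC 2759 section 6 (the "E=<code>" in MS-CHAP-Error).
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure (bad password, or the server had no NT hash to check)",
    709: "error changing password",
}

RE_RECV = re.compile(r"^rad_recv: (Access-\w+) packet from host \S+ port \d+, id=(\d+)")
RE_USER = re.compile(r'^\s*User-Name = "([^"]*)"')
RE_FAILED = re.compile(r"^\s*\[([\w.]+)\] FAILED: (.*)$")
RE_MODULE_RESULT = re.compile(r"^\s*\++\[([\w.]+)\] = (\w+)")   # e.g. ++[mschap] = reject
RE_MSCHAP_ERR = re.compile(r'MS-CHAP-Error = ".*?E=(\d+)')
RE_SEND = re.compile(r"^Sending (Access-\w+) of id (\d+)")


@dataclass
class RequestSummary:
    request_id: int
    user: Optional[str] = None
    outcome: Optional[str] = None           # Access-Accept / Access-Reject / Access-Challenge
    reject_modules: List[str] = field(default_factory=list)
    failures: List[str] = field(default_factory=list)
    mschap_error: Optional[int] = None

    def explain(self) -> str:
        lines = [f"request id {self.request_id}: user={self.user!r} reply={self.outcome}"]
        if self.reject_modules:
            lines.append("  rejected by modules: " + ", ".join(self.reject_modules))
        lines.extend("  " + f for f in self.failures)
        if self.mschap_error is not None:
            meaning = MSCHAP_ERRORS.get(self.mschap_error, "unknown code")
            lines.append(f"  MS-CHAP-Error E={self.mschap_error}: {meaning}")
        return "\n".join(lines)


def analyse(log_text: str) -> Dict[int, RequestSummary]:
    """Parse radiusd -X output into one summary per RADIUS request id."""
    summaries: Dict[int, RequestSummary] = {}
    current: Optional[RequestSummary] = None
    for line in log_text.splitlines():
        if m := RE_RECV.match(line):
            rid = int(m.group(2))
            current = summaries.setdefault(rid, RequestSummary(rid))
            continue
        if current is None:
            continue                        # lines before the first rad_recv
        if (m := RE_USER.match(line)) and current.user is None:
            current.user = m.group(1)
        elif m := RE_FAILED.match(line):
            current.failures.append(f"[{m.group(1)}] {m.group(2).strip()}")
        elif (m := RE_MODULE_RESULT.match(line)) and m.group(2) == "reject":
            current.reject_modules.append(m.group(1))
        elif m := RE_MSCHAP_ERR.search(line):
            current.mschap_error = int(m.group(1))
        elif m := RE_SEND.match(line):
            # The reply names its own id (delayed rejects may belong to an
            # earlier request), so look it up instead of assuming `current`.
            rid = int(m.group(2))
            summaries.setdefault(rid, RequestSummary(rid)).outcome = m.group(1)
    return summaries


def root_cause(summaries: Dict[int, RequestSummary]) -> Optional[str]:
    """The first module FAILED message in the exchange: read this first."""
    for rid in sorted(summaries):
        if summaries[rid].failures:
            return summaries[rid].failures[0]
    return None


# Constructed sample: abridged from the debug output in the post above.
SAMPLE_LOG = r'''
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=239, length=194
        User-Name = "TestUser"
        NAS-Identifier = "strongSwan"
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
[eap] EAP/mschapv2
[mschap] Client is using MS-CHAPv2 for TestUser, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
++[eap] = reject
Failed to authenticate the user.
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
[peap] Tunneled authentication was rejected.
++[eap] = handled
Sending Access-Challenge of id 239 to 127.0.0.1 port 9312
rad_recv: Access-Request packet from host 127.0.0.1 port 9312, id=240, length=194
        User-Name = "TestUser"
[peap] The users session was previously rejected: returning reject (again.)
++[eap] = invalid
Sending Access-Reject of id 240 to 127.0.0.1 port 9312
'''

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for rid in sorted(result):
        print(result[rid].explain())
    print("root cause:", root_cause(result))
```

Run it against a saved `radiusd -X` capture (`analyse(open("radiusd.log").read())`); the E=691 code by itself only says "authentication failure", and the script makes the point that the module line above it distinguishes a wrong password from the server having no NT hash to compare against, which is the situation in the log above.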
-
You're unlikely to find an answer here for that. It's a failure of EAP between FreeRADIUS+LDAP<->Samba and nothing to do with pfSense.
You'd have better luck asking on a FreeRADIUS or Samba board. It may not be possible.
-
Thanks for pointing me in the right direction Jim. I've gotten it working. This makes it possible to have a windows PC authenticate over the VPN through pfSense to a Samba4 / AD controller before login using the native windows VPN client.
The process is as follows.
You should already have Samba4 and FreeRadius installed on the same machine. Samba4 should already be joined to a domain and / or configured as an AD controller.
Validate Samba4 and give radius access
After joining the domain, test the connection using wbinfo.
wbinfo -a <username>%<password>
A successful response should show something like the following:
plaintext password authentication failed
Could not authenticate user <username>%<password> with plaintext password
challenge/response password authentication succeeded
The critical part is the "challenge/response password authentication succeeded".
The plaintext password authentication error is expected as no plain-text passwords are stored in Active Directory.
Now attempt an NTLM authentication:
ntlm_auth --request-nt-key --domain=<netbios domain name> --username=<username>
You are prompted for a password, and on successful authentication, you should see this output:
NT_STATUS_OK: Success (0x0)
The radiusd user needs access to the winbindd_privileged directory.
This directory is typically found at /var/lib/samba/winbindd_privileged/.
Check to see if any group besides root has access to the directory.
ls -lh /var/lib/samba/
If root is the group as well as the owner, create a new group. If a group already exists, make note of the group name and skip the next two steps.
groupadd wbpriv
Grant access for the group to the winbindd_privileged directory.
chown :wbpriv /var/lib/samba/winbindd_privileged
Add the radiusd user to the group that has read access on the winbindd_privileged directory.
usermod -a -G wbpriv radiusd
Configuring FreeRadius
Edit the freeradius modules/mschap file. It can typically be found at /etc/freeradius/modules/mschap or /etc/raddb/modules/mschap depending on your distribution.
Make sure the following lines are uncommented.
require_encryption = yes
require_strong = yes
ntlm_auth = "/path/to/ntlm_auth …"
with_ntdomain_hack = yes
Modify the ntlm_auth line to point to the location of the ntlm_auth program you used earlier to test NTLM authentication.
ntlm_auth is often found at /usr/bin/ntlm_auth.
Add "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" to the ntlm_auth line (replace MYDOMAIN with the correct domain) so that it finally looks something like:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Save the file.
In the freeradius sites-available/default and sites-available/inner-tunnel, ensure mschap is enabled in the authentication section.
Disable the files module in each of these files if you do not use any of the information in the users file, and if necessary, comment out any uncommented test users in the users.conf file.
In the freeradius eap.conf, change default_eap_type to peap.
Change the "ttls" section as follows to use EAP-TTLS with EAP-MSCHAPv2 as the inner method.
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no
Create a new entry in freeradius clients.conf to allow access from pfSense.
client pfSense_IP_HERE {
secret = REPLACE_THIS_WITH_A_SHARED_SECRET_KEY_THAT_WILL_BE_KNOWN_BY_PFSENSE
shortname = pfsense_firewall
nastype = other
}
Change the default secret for the localhost client in clients.conf file.
Save the file and restart the FreeRadius service.
Validate authenticating via FreeRadius
radtest -t mschap TestUser@domain.com Users_Password localhost 0 SecretKeyForLocalHost
Should return
rad_recv: Access-Accept
Setup a new Authentication Server in pfSense.
System > User Manager > Authentication Servers
Click "Add"
Give the server a name - "test-domain-radius-mschapv2"
Type = "RADIUS"
Hostname = ipaddress of the radius server.
Shared Secret = THE_SHARED_SECRET_KEY_CREATED_IN_THE_FREERADIUS_CLIENTS.CONF_FILE
Services offered = Authentication
Click Save
Follow the instructions found at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 with the following exceptions.
Under Mobile Clients, Set User Authentication to the newly created radius authentication method.
Under Phase 1, set the Authentication Method to EAP-MSChapv2
Don't create any Client Pre-Shared keys
You should now be able to connect to the pfSense VPN using windows native VPN client and Samba4 / AD credentials.
Credit for various pieces of this to the following sites:
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
https://www.eduroam.us/node/89
https://blog.practichem.com/configuring-freeradius-for-wpa2-enterprise-with-active-directory-integration-on-ubuntu-1404/
http://deployingradius.com/documents/configuration/active_directory.html
http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source
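Added example, not part of the post above and not a FreeRADIUS tool: a small Python checker for the mschap module settings the procedure depends on (require_encryption, require_strong, with_ntdomain_hack, and an ntlm_auth command that carries --request-nt-key and a --domain= derived from %{mschap:NT-Domain}). It also flags the en-dash that web pages substitute for "--", which leaves radiusd with an ntlm_auth command that never works. Both sample module files are constructed for this example; the "after" one carries the settings the post ends up with.

```python
"""Lint the FreeRADIUS mschap module for the settings the post relies on (added example)."""
import re
import shlex
from typing import Dict, List

RE_SETTING = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

# Flags that must be present (uncommented) with these values.
REQUIRED_FLAGS = {
    "require_encryption": "yes",
    "require_strong": "yes",
    "with_ntdomain_hack": "yes",
}
# Options the ntlm_auth command line must carry for MS-CHAPv2 against winbind.
NTLM_AUTH_OPTIONS = ("--request-nt-key", "--username", "--domain", "--challenge", "--nt-response")


def parse_module_settings(text: str) -> Dict[str, str]:
    """key = value pairs from a FreeRADIUS module file. Comment lines and the
    enclosing `mschap { ... }` braces are ignored; quoted values are unquoted."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                        # commented-out setting: not in effect
        m = RE_SETTING.match(raw)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        else:
            value = value.split("#", 1)[0].strip()   # drop a trailing comment
        settings[key] = value
    return settings


def check_mschap(settings: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the module matches the post."""
    problems: List[str] = []
    for key, want in REQUIRED_FLAGS.items():
        got = settings.get(key)
        if got is None:
            problems.append(f"{key} is missing or commented out")
        elif got.lower() != want:
            problems.append(f"{key} = {got}, expected {want}")

    cmd = settings.get("ntlm_auth")
    if cmd is None:
        problems.append("ntlm_auth is missing or commented out; mschap has no way to obtain the NT hash")
        return problems
    if "\u2013" in cmd or "\u2014" in cmd:
        problems.append("ntlm_auth command contains an en/em dash instead of '--' (copy/paste artefact)")

    argv = shlex.split(cmd)
    present = {a.split("=", 1)[0] for a in argv[1:] if a.startswith("--")}
    for opt in NTLM_AUTH_OPTIONS:
        if opt not in present:
            problems.append(f"ntlm_auth command lacks {opt}")
    domain = next((a for a in argv if a.startswith("--domain=")), None)
    if domain is not None and "%{mschap:NT-Domain}" not in domain:
        problems.append("--domain= should be taken from %{mschap:NT-Domain} with a fallback, "
                        "e.g. --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}")
    return problems


# Constructed sample 1: stock-style file with require_strong and the ntdomain
# hack still commented out, an en-dash pasted in place of "--", and no --domain=.
MSCHAP_BEFORE = '''
mschap {
    require_encryption = yes
    # require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth \u2013request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    # with_ntdomain_hack = yes
}
'''

# Constructed sample 2: the settings the post ends up with.
MSCHAP_AFTER = '''
mschap {
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    with_ntdomain_hack = yes   # needed when clients send a domain-prefixed user name
}
'''

if __name__ == "__main__":
    for label, text in (("before", MSCHAP_BEFORE), ("after", MSCHAP_AFTER)):
        problems = check_mschap(parse_module_settings(text))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Point it at the real file with `check_mschap(parse_module_settings(open("/etc/raddb/modules/mschap").read()))` (path varies by distribution, as the post notes). The parser is deliberately minimal: it reads flat `key = value` lines and does not follow `$INCLUDE` or nested sections, which is enough for the mschap module but not a general FreeRADIUS config parser.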