
Thread: Freeradius + LDAP + CISCO + AD

  1. #1
    Joined
    May 2009
    Posts
    4
    Rep Power
    0

    Freeradius + LDAP + CISCO + AD

    Hello,

    I've been trying for months to get a biiiig project working, which is the following:

    A lab with an AD (domain TIMLIG.COM);
    freeradius with all modules, running 100% for local tests;
    some Cisco switches and routers for testing;
    implement digital certificates on top of the LDAP authentication;

    The idea is: a user enters their credentials on the Cisco device, radius queries the company's Active Directory database and grants access.

    The radius query to the AD is made; it manages to ''log in'' to the server, but when it comes to authenticating the user it fails, and I can't get TLS working or generate the certificate.

    I've gone through almost every kind of HOWTO, tutorial, wiki and the like, but none of them helps in this situation..

    The configuration on the Cisco devices is OK, since I have already managed to authenticate against a MySQL database; I have it documented, anyone who wants it just ask..

    Help me!!

    radius output:

    rad_recv: Access-Request packet from host 127.0.0.1:44178, id=44, length=58
    User-Name = "rgomes"
    User-Password = "Intelig23"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 0
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 4
    modcall[authorize]: module "preprocess" returns ok for request 4
    modcall[authorize]: module "chap" returns noop for request 4
    modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "rgomes", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 4
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module "eap" returns noop for request 4
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 217
    modcall[authorize]: module "files" returns ok for request 4
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for rgomes
    radius_xlat: '(uid=rgomes)'
    radius_xlat: 'dc=timlig,dc=com'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=timlig,dc=com, with filter (uid=rgomes)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns notfound for request 4
    rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
    modcall[authorize]: module "pap" returns noop for request 4
    modcall: leaving group authorize (returns ok) for request 4
    rad_check_password: Found Auth-Type LDAP
    auth: type "LDAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group LDAP for request 4
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by "rgomes" with password "Intelig23"
    radius_xlat: '(uid=rgomes)'
    radius_xlat: 'dc=timlig,dc=com'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=timlig,dc=com, with filter (uid=rgomes)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authenticate]: module "ldap" returns notfound for request 4
    modcall: leaving group LDAP (returns notfound) for request 4
    auth: Failed to validate the user.
    Delaying request 4 for 1 seconds
    Finished request 4
    Going to the next request



    in radiusd.conf

    there in modules......

    ldap {
    server = "lab-timlig.timlig.com"
    identity = "cn=Administrator,cn=Users,dc=timlig,dc=com"
    password = Intelig23
    # port = 636
    basedn = "dc=timlig,dc=com"
    # basedn = "o=timlig.com"
    #filter = "(mail=%u)"
    base_filter = "(objectclass=person)"
    #filter = "(&(samaccountname=%{user-name}))"
    # filter = "(cn=%U)"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    }

    authorize {
    preprocess
    # auth_log

    # attr_filter
    chap
    mschap
    # digest
    # IPASS
    suffix
    # ntdomain
    eap
    files
    # sql
    # etc_smbpasswd
    ldap
    # daily
    # checkval
    pap
    }

    authenticate {
    Auth-Type PAP {
    pap
    }
    Auth-Type CHAP {
    chap
    }

    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
    mschap
    }

    # digest
    # pam

    unix

    Auth-Type LDAP {
    ldap
    }

    eap
    }


    in users


    DEFAULT Auth-Type := LDAP


    on the cisco devices:


    aaa authentication banner # Roteador XXXXX #
    aaa authentication login default group radius local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa session-id common
    ip subnet-zero

    radius-server host 10.3.6.167 auth-port 1812 acct-port 1813
    Router(config)# radius-server key cisco

    Radius-server host is the IP of the radius server, in this case 10.3.6.167, the NAS authenticating on ports 1812 and 1813, and key cisco is the shared secret configured in clients.conf
    Last edited by enemy100 : 13/05/2009 at 14:07

  2. #2
    Joined
    May 2009
    Posts
    4
    Rep Power
    0

    Re: Freeradius + LDAP + CISCO + AD

    I made some adjustments, and now the error is a different one, about some variable called ''dialupAccess''

    rad_recv: Access-Request packet from host 127.0.0.1:37391, id=193, length=58
    User-Name = "rgomes"
    User-Password = "Intelig23"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 0
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    modcall[authorize]: module "chap" returns noop for request 0
    modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "rgomes", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 217
    modcall[authorize]: module "files" returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for rgomes
    radius_xlat: '(&(samaccountname=rgomes))'
    radius_xlat: 'dc=timlig,dc=com'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to lab-timlig.timlig.com:389, authentication 0
    rlm_ldap: bind as cn=Administrator,cn=Users,dc=timlig,dc=com/Intelig23 to lab-timlig.timlig.com:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=timlig,dc=com, with filter (&(samaccountname=rgomes))
    rlm_ldap: no dialupAccess attribute - access denied by default
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns userlock for request 0
    modcall: leaving group authorize (returns userlock) for request 0
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request


    in radiusd.conf

    ldap {
    server = "lab-timlig.timlig.com"
    identity = "cn=Administrator,cn=Users,dc=timlig,dc=com"
    password = Intelig23
    # port = 636
    basedn = "dc=timlig,dc=com"
    # basedn = "o=timlig.com"
    #filter = "(mail=%u)"
    base_filter = "(objectclass=person)"
    filter = "(&(samaccountname=%{user-name}))"
    # filter = "(cn=%U)"
    #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    }

    with ldapsearch:

    radius# ldapsearch -x -h 10.3.7.32 -D cn=Administrator,cn=users,dc=timlig,dc=com -W -b "cn=users,dc=timlig,dc=com" '(sAMAccountName=*)'


    # robson.gomes, Users, timlig.com
    dn: CN=robson.gomes,CN=Users,DC=timlig,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: robson.gomes
    sn: gomes
    givenName: robson
    distinguishedName: CN=robson.gomes,CN=Users,DC=timlig,DC=com
    instanceType: 4
    whenCreated: 20090325132612.0Z
    whenChanged: 20090513144231.0Z
    displayName: robson gomes
    uSNCreated: 16441
    uSNChanged: 32836
    name: robson.gomes
    objectGUID:: ieVqRdmi/0O0vgz5nE2kkw==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 128836671848186624
    pwdLastSet: 128866137220897632
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAhxFZNFZwRBBVAHTAUwQAAA==
    accountExpires: 9223372036854775807
    logonCount: 2
    sAMAccountName: rgomes
    sAMAccountType: 805306368
    userPrincipalName: rgomes@timlig.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=timlig,DC=com
    dSCorePropagationData: 20090513144231.0Z
    dSCorePropagationData: 20090513144231.0Z
    dSCorePropagationData: 20090513144231.0Z
    dSCorePropagationData: 16010108151056.0Z

  3. #3
    Joined
    May 2004
    Location
    Rio de Janeiro
    Age
    26
    Posts
    29
    Rep Power
    10

    Re: Freeradius + LDAP + CISCO + AD

    Quote: Originally Posted by enemy100
    I made some adjustments, and now the error is a different one, about some variable called ''dialupAccess''
    enemy100,

    It has been a long time since I last touched FreeRadius, but as far as I remember it can be configured whether or not FreeRadius checks this parameter. After a bit of googling I found that the access_attr attribute in radiusd.conf is what makes FreeRadius check this parameter. To disable it, just comment it out:

    Code:
    modules { ...
        ldap {
            # access_attr = "dialupAccess"
    Now a question:

    As far as I know, RADIUS does not do authorization and accounting of the commands issued on a router. Why don't you use TACACS?? I just saw that tac_plus integrates with LDAP through pam_ldap.

    []'s
    BH
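The three situations in this thread (post #1's `(uid=...)` filter returning notfound against AD, post #2's `no dialupAccess attribute - access denied by default`, and the `access_attr` fix suggested in post #3), replayed as an added Python model. This is not FreeRADIUS, Active Directory or any poster's code: it re-implements, in simplified form, the steps that rlm_ldap's debug lines show (expand the filter with xlat, search under basedn, apply access_attr, then bind as the user's DN with the supplied password). The directory entry is constructed from the ldapsearch output in post #2; the password `s3cret-example`, the request dictionary and every function name are assumptions of the example.

```python
"""Toy model of the FreeRADIUS rlm_ldap authorize/authenticate path, as seen in
the thread's debug output. Constructed example, not FreeRADIUS or AD code."""
import re

# Constructed entry, trimmed from the ldapsearch output in post #2. AD has no
# "uid" attribute; the login name lives in sAMAccountName. "_password" stands in
# for the secret that only an LDAP bind can verify (never returned by a search).
DIRECTORY = [{
    "dn": "CN=robson.gomes,CN=Users,DC=timlig,DC=com",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["robson.gomes"],
    "sAMAccountName": ["rgomes"],
    "_password": "s3cret-example",   # constructed value for this example
}]

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive: samaccountname == sAMAccountName."""
    return next((v for k, v in entry.items()
                 if not k.startswith("_") and k.lower() == name.lower()), [])

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (a=v), (&...), (|...), (!...); '*' is a wildcard."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    pattern = re.escape(value).replace(r"\*", ".*")
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in get_attr(entry, attr))

def xlat(template, request):
    """Expand %{Attr} and %{Attr:-fallback}, innermost first, so the nested
    "(uid=%{Stripped-User-Name:-%{User-Name}})" from post #1 works. Request
    keys are lowercase, mirroring RADIUS attribute names being case-insensitive."""
    pat = re.compile(r"%\{([^{}]*)\}")
    while (m := pat.search(template)):
        name, _, fallback = m.group(1).partition(":-")
        value = request.get(name.lower(), fallback)
        template = template[:m.start()] + value + template[m.end():]
    return template

def search(basedn, filter_str):
    node, _ = parse_filter(filter_str)
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(basedn.lower()) and matches(node, e)]

def ldap_authorize(cfg, request):
    """Search for the user with the configured filter, then apply access_attr."""
    filt = xlat(cfg["filter"], request)
    hits = search(cfg["basedn"], filt)
    if len(hits) != 1:        # post #1: (uid=rgomes) matches nothing in AD
        return "notfound", f"object not found or got ambiguous search result: {filt}"
    access_attr = cfg.get("access_attr")
    if access_attr and not get_attr(hits[0], access_attr):   # post #2
        return "userlock", f"no {access_attr} attribute - access denied by default"
    return "ok", hits[0]["dn"]   # post #3: access_attr commented out

def ldap_authenticate(cfg, request):
    """Find the user's DN, then bind as that DN with the password from the request."""
    password = request.get("user-password", "")
    if not password:
        # Reject before binding: a bind with an empty password is an anonymous
        # bind on most LDAP servers and would "succeed" for any user name.
        return "reject"
    hits = search(cfg["basedn"], xlat(cfg["filter"], request))
    if len(hits) != 1:
        return "notfound"
    return "ok" if hits[0]["_password"] == password else "reject"

def run_scenarios():
    """Replay the three configurations from the thread against the constructed entry."""
    request = {"user-name": "rgomes", "user-password": "s3cret-example"}
    base = {"basedn": "dc=timlig,dc=com", "access_attr": "dialupAccess"}
    post1 = {**base, "filter": "(uid=%{Stripped-User-Name:-%{User-Name}})"}
    post2 = {**base, "filter": "(&(samaccountname=%{user-name}))"}
    post3 = {**post2, "access_attr": None}   # "# access_attr = ..." per post #3
    return {
        "post1": ldap_authorize(post1, request)[0],
        "post2": ldap_authorize(post2, request)[0],
        "post3": ldap_authorize(post3, request)[0],
        "post3_bind": ldap_authenticate(post3, request),
        "wrong_password": ldap_authenticate(post3, {**request, "user-password": "x"}),
        "empty_password": ldap_authenticate(post3, {**request, "user-password": ""}),
    }
```

Running `run_scenarios()` gives `notfound` for the post #1 filter, `userlock` for post #2, and `ok` for the post #3 configuration, after which the bind step is what actually verifies the password. Two points the model makes visible: the filter must name an attribute AD actually has (`sAMAccountName`, matched case-insensitively, which is why `samaccountname` works), and an empty User-Password must be refused before any bind is attempted.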
