[strongSwan] IPSEC vpn(strongswan) + users in AD
Gregory Edigarov
edigarov at qarea.com
Fri Feb 26 19:39:39 CET 2021
Good day,
some clues wanted.
strongswan -> freeradius -> AD
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@mailtest.go-lamp.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
freeradius - I could show config, but I need to do a cleanup first.
AD is out of my control.
The RADIUS request is shown below:
(15) Received Access-Request Id 95 from 127.0.0.1:42093 to
127.0.0.1:1812 length 227
(15) User-Name = "testuser"
(15) NAS-Port-Type = Virtual
(15) Service-Type = Framed-User
(15) NAS-Port = 10
(15) NAS-Port-Id = "ikev2-vpn"
(15) NAS-IP-Address = 185.78.235.225
(15) Called-Station-Id = "185.78.235.225[4500]"
(15) Calling-Station-Id = "82.117.245.149[53824]"
(15) EAP-Message =
0x020200431a0202003e31e2af5f308985e5021868674940c015e40000000000000000e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d006564696761726f76
(15) NAS-Identifier = "strongSwan"
(15) State = 0xb601b33cb703a9c425336eef8323aee1
(15) Message-Authenticator = 0x39a3a2b21bdd858e031ee2064b307a51
(15) session-state: No cached attributes
(15) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) policy filter_password {
(15) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(15) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(15) } # policy filter_password = notfound
(15) [preprocess] = ok
(15) [mschap] = noop
(15) eap: Peer sent EAP Response (code 2) ID 2 length 67
(15) eap: No EAP Start, assuming it's an on-going EAP conversation
(15) [eap] = updated
(15) files: users: Matched entry DEFAULT at line 152
(15) [files] = ok
rlm_ldap (ldap): Reserved connection (16)
(15) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(15) ldap: --> (samaccountname=testuser)
(15) ldap: Performing search in "dc=office,dc=local" with filter
"(samaccountname=testuser)", scope "sub"
(15) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.office.local/DC=ForestDnsZones,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.office.local/DC=DomainDnsZones,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://office.local/CN=Configuration,DC=office,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(15) ldap: User object found at DN "CN=Some Name,OU=Network & Technical
support,DC=office,DC=local"
(15) ldap: Processing user attributes
(15) ldap: WARNING: No "known good" password added. Ensure the admin
user has permission to read the password attribute
(15) ldap: WARNING: PAP authentication will *NOT* work with Active
Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (16) - Was referred to a different
LDAP server
(15) [ldap] = ok
(15) [expiration] = noop
(15) [logintime] = noop
(15) } # authorize = updated
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) authenticate {
(15) eap: Expiring EAP session with state 0xb601b33cb703a9c4
(15) eap: Finished EAP session with state 0xb601b33cb703a9c4
(15) eap: Previous EAP request found for state 0xb601b33cb703a9c4,
released from the list
(15) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(15) eap: Calling submodule eap_mschapv2 to process data
(15) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(15) eap_mschapv2: authenticate {
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(15) mschap: Creating challenge hash with username: testuser
(15) mschap: Client is using MS-CHAPv2
(15) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
authentication
(15) mschap: ERROR: MS-CHAP2-Response is incorrect
(15) [mschap] = reject
(15) } # authenticate = reject
(15) eap: Sending EAP Failure (code 4) ID 2 length 4
(15) eap: Freeing handler
(15) [eap] = reject
(15) } # authenticate = reject
(15) Failed to authenticate the user
(15) Using Post-Auth-Type Reject
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) Post-Auth-Type REJECT {
(15) attr_filter.access_reject: EXPAND %{User-Name}
(15) attr_filter.access_reject: --> testuser
(15) attr_filter.access_reject: Matched entry DEFAULT at line 11
(15) [attr_filter.access_reject] = updated
(15) [eap] = noop
(15) policy remove_reply_message_if_eap {
(15) if (&reply:EAP-Message && &reply:Reply-Message) {
(15) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(15) else {
(15) [noop] = noop
(15) } # else = noop
(15) } # policy remove_reply_message_if_eap = noop
(15) } # Post-Auth-Type REJECT = updated
(15) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(15) Sending delayed response
(15) Sent Access-Reject Id 95 from 127.0.0.1:1812 to 127.0.0.1:42093
length 127
(15) MS-CHAP-Error = "\002E=691 R=1 C=f1dca12a8e7a6dfcd01c9a175d9d76b6
V=3 M=Authentication rejected"
(15) EAP-Message = 0x04020004
(15) Message-Authenticator = 0x00000000000000000000000000000000
and a decode of the RADIUS packets:
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x5f (95)
Length: 227
Authenticator: 225d0fc553112567046e4297cffe8b3c
Attribute Value Pairs
AVP: t=User-Name(1) l=10 val=testuser
Type: 1
Length: 10
User-Name: testuser
AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
Type: 61
Length: 6
NAS-Port-Type: Virtual (5)
AVP: t=Service-Type(6) l=6 val=Framed(2)
Type: 6
Length: 6
Service-Type: Framed (2)
AVP: t=NAS-Port(5) l=6 val=10
Type: 5
Length: 6
NAS-Port: 10
AVP: t=NAS-Port-Id(87) l=11 val=ikev2-vpn
Type: 87
Length: 11
NAS-Port-Id: ikev2-vpn
AVP: t=NAS-IP-Address(4) l=6 val=185.78.235.225
Type: 4
Length: 6
NAS-IP-Address: 185.78.235.225
AVP: t=Called-Station-Id(30) l=22 val=185.78.235.225[4500]
Type: 30
Length: 22
Called-Station-Id: 185.78.235.225[4500]
AVP: t=Calling-Station-Id(31) l=23 val=82.117.245.149[53824]
Type: 31
Length: 23
Calling-Station-Id: 82.117.245.149[53824]
AVP: t=EAP-Message(79) l=69 Last Segment[1]
Type: 79
Length: 69
EAP fragment:
020200431a0202003e31e2af5f308985e5021868674940c015e40000000000000000e22b…
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 67
Type: MS-Authentication EAP (EAP-MS-AUTH) (26)
EAP-MS-CHAP-v2 OpCode: Response (2)
EAP-MS-CHAP-v2 Id: 2
EAP-MS-CHAP-v2 Length: 62
EAP-MS-CHAP-v2 Value-Size: 49
EAP-MS-CHAP-v2 Peer-Challenge:
e2af5f308985e5021868674940c015e4
EAP-MS-CHAP-v2 Reserved: 0000000000000000
EAP-MS-CHAP-v2 NT-Response:
e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d
EAP-MS-CHAP-v2 Flags: 0x00
EAP-MS-CHAP-v2 Name: testuser
AVP: t=NAS-Identifier(32) l=12 val=strongSwan
Type: 32
Length: 12
NAS-Identifier: strongSwan
AVP: t=State(24) l=18 val=b601b33cb703a9c425336eef8323aee1
Type: 24
Length: 18
State: b601b33cb703a9c425336eef8323aee1
AVP: t=Message-Authenticator(80) l=18
val=39a3a2b21bdd858e031ee2064b307a51
Type: 80
Length: 18
Message-Authenticator: 39a3a2b21bdd858e031ee2064b307a51
RADIUS Protocol
Code: Access-Reject (3)
Packet identifier: 0x5f (95)
Length: 127
Authenticator: fba7f59205741e06c97c52780e362156
[This is a response to a request in frame 5]
[Time from request: 1.009118000 seconds]
Attribute Value Pairs
AVP: t=Vendor-Specific(26) l=83 vnd=Microsoft(311)
Type: 26
Length: 83
Vendor ID: Microsoft (311)
VSA: t=MS-CHAP-Error(2) l=77 val=\002E=691 R=1
C=f1dca12a8e7a6dfcd01c9a175d9d76b6 V=3 M=Authentication rejected
Type: 2
Length: 77
MS-CHAP-Error: \002E=691 R=1
C=f1dca12a8e7a6dfcd01c9a175d9d76b6 V=3 M=Authentication rejected
AVP: t=EAP-Message(79) l=6 Last Segment[1]
Type: 79
Length: 6
EAP fragment: 04020004
Extensible Authentication Protocol
Code: Failure (4)
Id: 2
Length: 4
AVP: t=Message-Authenticator(80) l=18
val=8782cf4dc7ff13a44d3795a5d6399339
Type: 80
Length: 18
Message-Authenticator: 8782cf4dc7ff13a44d3795a5d6399339
--
With best regards,
Gregory Edigarov
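As an added example (not code from the post, strongSwan or FreeRADIUS), the following parses the EAP-Message hex and the MS-CHAP-Error string quoted above into the fields the Wireshark decode shows. It makes the failure in the log concrete: the NT-Response is derived from the user's NT hash, so to verify it FreeRADIUS must either hold that hash (which AD does not return over LDAP, as the rlm_ldap warnings say) or hand the check to a domain controller, for example via Samba's ntlm_auth; the mschap "No NT/LM-Password" reject is that missing piece.

```python
"""Parse the EAP-Message payload strongSwan forwarded to FreeRADIUS and the
MS-CHAP-Error the server returned. Layouts: RFC 3748 (EAP), RFC 2759 (MS-CHAPv2).
Sample values are the ones quoted in the post (added example, not list code)."""
import re
import struct

EAP_MESSAGE_HEX = (
    "020200431a0202003e31e2af5f308985e5021868674940c015e40000000000000000"
    "e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d006564696761726f76"
)
EAP_FAILURE_HEX = "04020004"
MSCHAP_ERROR = ("\002E=691 R=1 C=f1dca12a8e7a6dfcd01c9a175d9d76b6 "
                "V=3 M=Authentication rejected")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(raw: bytes) -> dict:
    """Split an EAP packet; decode the MS-CHAPv2 (type 26) Response body."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                     # Success/Failure carry no Type/Data
        return pkt
    pkt["type"] = raw[4]
    if pkt["type"] == 26 and raw[5] == 2:  # OpCode 2 = Response
        _op, ms_id, ms_len, vsize = struct.unpack("!BBHB", raw[5:10])
        # MS-Length covers everything after the EAP Type; Value-Size is fixed at 49
        if ms_len != length - 5 or vsize != 49:
            raise ValueError("inconsistent MS-CHAPv2 lengths")
        val = raw[10:10 + vsize]
        pkt["mschapv2"] = {
            "id": ms_id,
            "peer_challenge": val[:16].hex(),  # chosen by the client
            "reserved": val[16:24].hex(),      # must be zero
            "nt_response": val[24:48].hex(),   # DES over the NT hash; server must recompute it
            "flags": val[48],
            "name": raw[10 + vsize:].decode("ascii"),
        }
    return pkt


def parse_mschap_error(msg: str) -> dict:
    """Decode an MS-CHAP-Error string: one Ident byte, then 'E=err R=retry C=hex V=ver M=text'."""
    fields = dict(re.findall(r"\b([ERCV])=(\S+)", msg[1:]))
    text = re.search(r"M=(.*)$", msg[1:])
    return {"ident": ord(msg[0]), "error": int(fields["E"]),  # 691 = ERROR_AUTHENTICATION_FAILURE
            "retry_allowed": fields["R"] == "1", "challenge": fields["C"],
            "version": int(fields["V"]), "message": text.group(1) if text else ""}
```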