[strongSwan] IPSEC vpn(strongswan) + users in AD

Michael Schwartzkopff ms at sys4.de
Fri Feb 26 20:02:17 CET 2021


On 26.02.21 19:39, Gregory Edigarov wrote:
> Good day,
>
> some clues wanted.
>
> strongswan -> freeradius -> AD
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@mailtest.go-lamp.com
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-radius
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>
> freeradius - I could show config, but I need to do a cleanup first.
>
> AD is out of my control
>
> Radius request is shown below:
> (15) Received Access-Request Id 95 from 127.0.0.1:42093 to
> 127.0.0.1:1812 length 227
> (15)   User-Name = "testuser"
> (15)   NAS-Port-Type = Virtual
> (15)   Service-Type = Framed-User
> (15)   NAS-Port = 10
> (15)   NAS-Port-Id = "ikev2-vpn"
> (15)   NAS-IP-Address = 185.78.235.225
> (15)   Called-Station-Id = "185.78.235.225[4500]"
> (15)   Calling-Station-Id = "82.117.245.149[53824]"
> (15)   EAP-Message =
> 0x020200431a0202003e31e2af5f308985e5021868674940c015e40000000000000000e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d006564696761726f76
> (15)   NAS-Identifier = "strongSwan"
> (15)   State = 0xb601b33cb703a9c425336eef8323aee1
> (15)   Message-Authenticator = 0x39a3a2b21bdd858e031ee2064b307a51
> (15) session-state: No cached attributes
> (15) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (15)   authorize {
> (15)     policy filter_username {
> (15)       if (&User-Name) {
> (15)       if (&User-Name)  -> TRUE
> (15)       if (&User-Name)  {
> (15)         if (&User-Name =~ / /) {
> (15)         if (&User-Name =~ / /)  -> FALSE
> (15)         if (&User-Name =~ /@[^@]*@/ ) {
> (15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (15)         if (&User-Name =~ /\.\./ ) {
> (15)         if (&User-Name =~ /\.\./ )  -> FALSE
> (15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (15)         if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))   -> FALSE
> (15)         if (&User-Name =~ /\.$/)  {
> (15)         if (&User-Name =~ /\.$/)   -> FALSE
> (15)         if (&User-Name =~ /@\./)  {
> (15)         if (&User-Name =~ /@\./)   -> FALSE
> (15)       } # if (&User-Name)  = notfound
> (15)     } # policy filter_username = notfound
> (15)     policy filter_password {
> (15)       if (&User-Password &&           (&User-Password !=
> "%{string:User-Password}")) {
> (15)       if (&User-Password &&           (&User-Password !=
> "%{string:User-Password}"))  -> FALSE
> (15)     } # policy filter_password = notfound
> (15)     [preprocess] = ok
> (15)     [mschap] = noop
> (15) eap: Peer sent EAP Response (code 2) ID 2 length 67
> (15) eap: No EAP Start, assuming it's an on-going EAP conversation
> (15)     [eap] = updated
> (15) files: users: Matched entry DEFAULT at line 152
> (15)     [files] = ok
> rlm_ldap (ldap): Reserved connection (16)
> (15) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (15) ldap:    --> (samaccountname=testuser)
> (15) ldap: Performing search in "dc=office,dc=local" with filter
> "(samaccountname=testuser)", scope "sub"
> (15) ldap: Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL
> ldap://ForestDnsZones.office.local/DC=ForestDnsZones,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL
> ldap://DomainDnsZones.office.local/DC=DomainDnsZones,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL
> ldap://office.local/CN=Configuration,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (15) ldap: User object found at DN "CN=Some Name,OU=Network & Technical
> support,DC=office,DC=local"
> (15) ldap: Processing user attributes
> (15) ldap: WARNING: No "known good" password added. Ensure the admin
> user has permission to read the password attribute
> (15) ldap: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Deleting connection (16) - Was referred to a different
> LDAP server
> (15)     [ldap] = ok
> (15)     [expiration] = noop
> (15)     [logintime] = noop
> (15)   } # authorize = updated
> (15) Found Auth-Type = eap
> (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (15)   authenticate {
> (15) eap: Expiring EAP session with state 0xb601b33cb703a9c4
> (15) eap: Finished EAP session with state 0xb601b33cb703a9c4
> (15) eap: Previous EAP request found for state 0xb601b33cb703a9c4,
> released from the list
> (15) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (15) eap: Calling submodule eap_mschapv2 to process data
> (15) eap_mschapv2: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> (15) eap_mschapv2:   authenticate {
> (15) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (15) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> LM-Password
> (15) mschap: Creating challenge hash with username: testuser
> (15) mschap: Client is using MS-CHAPv2
> (15) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
> authentication
> (15) mschap: ERROR: MS-CHAP2-Response is incorrect
> (15)     [mschap] = reject
> (15)   } # authenticate = reject
> (15) eap: Sending EAP Failure (code 4) ID 2 length 4
> (15) eap: Freeing handler
> (15)     [eap] = reject
> (15)   } # authenticate = reject
> (15) Failed to authenticate the user
> (15) Using Post-Auth-Type Reject
> (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (15)   Post-Auth-Type REJECT {
> (15) attr_filter.access_reject: EXPAND %{User-Name}
> (15) attr_filter.access_reject:    --> testuser
> (15) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (15)     [attr_filter.access_reject] = updated
> (15)     [eap] = noop
> (15)     policy remove_reply_message_if_eap {
> (15)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (15)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (15)       else {
> (15)         [noop] = noop
> (15)       } # else = noop
> (15)     } # policy remove_reply_message_if_eap = noop
> (15)   } # Post-Auth-Type REJECT = updated
> (15) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (15) Sending delayed response
> (15) Sent Access-Reject Id 95 from 127.0.0.1:1812 to 127.0.0.1:42093
> length 127
> (15)   MS-CHAP-Error = "\002E=691 R=1 C=f1dca12a8e7a6dfcd01c9a175d9d76b6
> V=3 M=Authentication rejected"
> (15)   EAP-Message = 0x04020004
> (15)   Message-Authenticator = 0x00000000000000000000000000000000
>
> and decode of radius packets:
>
>  RADIUS Protocol
>     Code: Access-Request (1)
>     Packet identifier: 0x5f (95)
>     Length: 227
>     Authenticator: 225d0fc553112567046e4297cffe8b3c
>     Attribute Value Pairs
>         AVP: t=User-Name(1) l=10 val=testuser
>             Type: 1
>             Length: 10
>             User-Name: testuser
>         AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
>             Type: 61
>             Length: 6
>             NAS-Port-Type: Virtual (5)
>         AVP: t=Service-Type(6) l=6 val=Framed(2)
>             Type: 6
>             Length: 6
>             Service-Type: Framed (2)
>         AVP: t=NAS-Port(5) l=6 val=10
>             Type: 5
>             Length: 6
>             NAS-Port: 10
>         AVP: t=NAS-Port-Id(87) l=11 val=ikev2-vpn
>             Type: 87
>             Length: 11
>             NAS-Port-Id: ikev2-vpn
>         AVP: t=NAS-IP-Address(4) l=6 val=185.78.235.225
>             Type: 4
>             Length: 6
>             NAS-IP-Address: 185.78.235.225
>         AVP: t=Called-Station-Id(30) l=22 val=185.78.235.225[4500]
>             Type: 30
>             Length: 22
>             Called-Station-Id: 185.78.235.225[4500]
>         AVP: t=Calling-Station-Id(31) l=23 val=82.117.245.149[53824]
>             Type: 31
>             Length: 23
>             Calling-Station-Id: 82.117.245.149[53824]
>         AVP: t=EAP-Message(79) l=69 Last Segment[1]
>             Type: 79
>             Length: 69
>             EAP fragment:
> 020200431a0202003e31e2af5f308985e5021868674940c015e40000000000000000e22b?
>             Extensible Authentication Protocol
>                 Code: Response (2)
>                 Id: 2
>                 Length: 67
>                 Type: MS-Authentication EAP (EAP-MS-AUTH) (26)
>                 EAP-MS-CHAP-v2 OpCode: Response (2)
>                 EAP-MS-CHAP-v2 Id: 2
>                 EAP-MS-CHAP-v2 Length: 62
>                 EAP-MS-CHAP-v2 Value-Size: 49
>                 EAP-MS-CHAP-v2 Peer-Challenge:
> e2af5f308985e5021868674940c015e4
>                 EAP-MS-CHAP-v2 Reserved: 0000000000000000
>                 EAP-MS-CHAP-v2 NT-Response:
> e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d
>                 EAP-MS-CHAP-v2 Flags: 0x00
>                 EAP-MS-CHAP-v2 Name: testuser
>         AVP: t=NAS-Identifier(32) l=12 val=strongSwan
>             Type: 32
>             Length: 12
>             NAS-Identifier: strongSwan
>         AVP: t=State(24) l=18 val=b601b33cb703a9c425336eef8323aee1
>             Type: 24
>             Length: 18
>             State: b601b33cb703a9c425336eef8323aee1
>         AVP: t=Message-Authenticator(80) l=18
> val=39a3a2b21bdd858e031ee2064b307a51
>             Type: 80
>             Length: 18
>             Message-Authenticator: 39a3a2b21bdd858e031ee2064b307a51
>
> RADIUS Protocol
>     Code: Access-Reject (3)
>     Packet identifier: 0x5f (95)
>     Length: 127
>     Authenticator: fba7f59205741e06c97c52780e362156
>     [This is a response to a request in frame 5]
>     [Time from request: 1.009118000 seconds]
>     Attribute Value Pairs
>         AVP: t=Vendor-Specific(26) l=83 vnd=Microsoft(311)
>             Type: 26
>             Length: 83
>             Vendor ID: Microsoft (311)
>             VSA: t=MS-CHAP-Error(2) l=77 val=\002E=691 R=1
> C=f1dca12a8e7a6dfcd01c9a175d9d76b6 V=3 M=Authentication rejected
>                 Type: 2
>                 Length: 77
>                 MS-CHAP-Error: \002E=691 R=1
> C=f1dca12a8e7a6dfcd01c9a175d9d76b6 V=3 M=Authentication rejected
>         AVP: t=EAP-Message(79) l=6 Last Segment[1]
>             Type: 79
>             Length: 6
>             EAP fragment: 04020004
>             Extensible Authentication Protocol
>                 Code: Failure (4)
>                 Id: 2
>                 Length: 4
>         AVP: t=Message-Authenticator(80) l=18
> val=8782cf4dc7ff13a44d3795a5d6399339
>             Type: 80
>             Length: 18
>             Message-Authenticator: 8782cf4dc7ff13a44d3795a5d6399339
>
> --
> With best regards,
>       Gregory Edigarov
>

Hi,


You cannot use the LDAP server of AD to authenticate. This is just not
possible.


You can use the LDAP server of AD to authorize. To authenticate
freeradius against an AD backend you have to use the NTLM auth from
Samba. See:
https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO


This works.


With kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
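As an added example, not code from either mail, a decoder for the EAP-Message attribute shown in the debug output, which splits an EAP-MSCHAPv2 Response into the fields Wireshark labels (Peer-Challenge, NT-Response, Flags, Name) and rejects packets whose length fields disagree; it makes visible that the RADIUS server only ever receives a challenge/response pair, which the mschap module can verify solely with the user's NT hash or via ntlm_auth, never from an LDAP lookup. The parsed packet is a constructed sample with the same layout as the one in the capture (EAP Length 67, MS-Length 62, Value-Size 49, name testuser) and made-up challenge and response bytes; the function names are mine.

```python
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODE_RESPONSE = 2
MSCHAPV2_VALUE_SIZE = 49  # 16 Peer-Challenge + 8 Reserved + 24 NT-Response + 1 Flags

def parse_eap_mschapv2_response(msg: bytes) -> dict:
    """Split a RADIUS EAP-Message payload holding an EAP-MSCHAPv2 Response into its
    fields, checking every length field against the buffer before trusting it."""
    if len(msg) < 10:
        raise ValueError("packet shorter than the EAP and MS-CHAPv2 headers")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", msg[:5])
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"EAP Code {code} is not Response (2)")
    if eap_len != len(msg):
        raise ValueError(f"EAP Length {eap_len} does not match {len(msg)} bytes")
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP Type {eap_type} is not MS-CHAPv2 (26)")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", msg[5:10])
    if opcode != MSCHAPV2_OPCODE_RESPONSE:
        raise ValueError(f"MS-CHAPv2 OpCode {opcode} is not Response (2)")
    if ms_len != eap_len - 5:  # MS-Length is defined as EAP Length minus 5
        raise ValueError(f"MS-Length {ms_len} inconsistent with EAP Length {eap_len}")
    if value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError(f"Value-Size {value_size} is not 49")
    value = msg[10:10 + MSCHAPV2_VALUE_SIZE]
    name = msg[10 + MSCHAPV2_VALUE_SIZE:]  # everything after the fixed-size value
    return {
        "eap_id": eap_id,
        "ms_id": ms_id,
        "peer_challenge": value[:16].hex(),
        "reserved": value[16:24].hex(),
        "nt_response": value[24:48].hex(),  # only verifiable with the user's NT hash
        "flags": value[48],
        "name": name.decode("ascii", errors="replace"),
    }

def build_sample_response() -> bytes:
    """Constructed sample (not the capture's bytes) with the layout seen in the
    debug log: EAP Length 67, MS-Length 62, Value-Size 49, Name 'testuser'."""
    peer_challenge = bytes(range(0x10, 0x20))  # 16 made-up bytes
    nt_response = bytes(range(0x20, 0x38))     # 24 made-up bytes
    value = peer_challenge + bytes(8) + nt_response + b"\x00"  # reserved zeros, flags 0
    name = b"testuser"
    ms_len = 5 + len(value) + len(name)  # OpCode, MS-Id, MS-Length, Value-Size + payload
    eap_len = ms_len + 5                 # Code, Id, Length, Type
    return (struct.pack("!BBHB", EAP_CODE_RESPONSE, 2, eap_len, EAP_TYPE_MSCHAPV2)
            + struct.pack("!BBHB", MSCHAPV2_OPCODE_RESPONSE, 2, ms_len, MSCHAPV2_VALUE_SIZE)
            + value + name)
```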


