針對 ActiveDirectory 和使用者文件的半徑授權

我的 freeradius 伺服器配置有問題。我希望能夠針對 Windows ActiveDirectory (2008 R2) 和使用者文件對使用者進行身份驗證，因為我的一些同事未在 AD 中列出。

我們使用 freeradius 伺服器對 WLAN 使用者進行身份驗證。(PEAP/MSCHAPv2)

AD 身份驗證效果很好，但 /etc/freeradius/users 文件仍然存在問題

當我執行 freeradius -X -x 時，我得到以下資訊：

Mon Jul  2 09:15:58 2012 : Info: ++++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 1 length 13
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: +++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: ++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP Identity
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type tls
Mon Jul  2 09:15:58 2012 : Info: [tls] Initiate
Mon Jul  2 09:15:58 2012 : Info: [tls] Start returned 1
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 199 to 192.168.61.11 port 3072
   EAP-Message = 0x010200061920
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x85469e2a854487589fb1196910cb8ae3
Mon Jul  2 09:15:58 2012 : Info: Finished request 125.
Mon Jul  2 09:15:58 2012 : Debug: Going to the next request
Mon Jul  2 09:15:58 2012 : Debug: Waking up in 2.4 seconds.

之後，它重複登錄嘗試，並在某些時候嘗試使用 ntlm 對 ActiveDirectory 進行身份驗證，這不起作用，因為使用者只存在於使用者文件中。

有人可以幫我嗎？

謝謝。

PS：希望這會有所幫助，freeradius 試圖針對 AD 進行身份驗證：

Mon Jul  2 09:15:58 2012 : Info: ++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[control] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 7 length 67
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[smbpasswd] returns notfound
Mon Jul  2 09:15:58 2012 : Info: ++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] Request found, released from the list
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP/mschapv2
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type mschapv2
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] Told to do MS-CHAPv2 for testtest with NT-Password
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --username=%{mschap:User-Name:-None} -> --username=testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: %{mschap:NT-Domain} -> 
Mon Jul  2 09:15:58 2012 : Info: [mschap]   ... expanding second conditional
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --domain=%{%{mschap:NT-Domain}:-DC.COMP.COM} -> --domain=DC.COMP.COM
Mon Jul  2 09:15:58 2012 : Info: [mschap]  mschap2: 82
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dd441972f987d68b
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7e6c537cd5c26093789cf7831715d378e16ea3e6c5b1f579
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program output: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program: returned: 1
Mon Jul  2 09:15:58 2012 : Info: [mschap] External script failed.
Mon Jul  2 09:15:58 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns reject
Mon Jul  2 09:15:58 2012 : Info: [eap] Freeing handler
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns reject
Mon Jul  2 09:15:58 2012 : Info: Failed to authenticate the user.
Mon Jul  2 09:15:58 2012 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [testtest] (from client techap01 port 0 via TLS tunnel)

PPS：也許問題出在此處：在 /etc/freeradius/modules/ntlm_auth 我已將 ntlm 設置為：

program = "/usr/bin/ntlm_auth --request-nt-key --domain=DC.COMP.COM --username=%{mschap:User-Name} --password=%{User-Password}"

我需要這個，這樣使用者就可以在不將@DC.COMP.COM 添加到他們的使用者名的情況下登錄。但是我怎樣才能告訴 freeradius 嘗試兩個登錄名 testtest@DC.COMP.COM （應該失敗） testtest （針對使用者文件 - 應該工作）

沒關係，我找到了解決問題的方法。

在 /etc/freeradius/users 我改變了使用者

test01 Cleartext-Password := "1231231"

到

test01 Cleartext-Password := "1231231", MS-CHAP-Use-NTLM-Auth := No

現在一切正常！

引用自：https://serverfault.com/questions/404000