Closed groupe-accelis closed 1 year ago
and in `/var/log/freeradius/radius.log` I see:

```
Tue Mar 28 14:08:08 2023 : Auth: (19) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [test@xxx.fr/
```
Nothing in your debug shows you are using the oauth2 module, it looks like you are possibly using the 'files' module for your authentication.
As described in the support section of this project, you need to supply the output (not truncated!) so I can see what is going on, otherwise it is all guesswork for me.
Your later message (e.g. `peap` and `NT-Password`) tells me you are using PEAP/MSCHAPv2, which the documentation clearly states "will not work"; you need to use TTLS/PAP.
Please go through the documentation again top to bottom. Confirm in the debug you see messages such as 'oauth2 worker' (described in the README in the 'troubleshooting' section).
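As an added illustration of the checks the maintainer asks for (this is not code from the project or from anyone in this thread), the snippet below groups FreeRADIUS debug/log lines by request id and reports, per request, whether the oauth2 module ran and whether the `No NT-Password` MSCHAP failure appears. The sample input is constructed from fragments quoted in this issue; the exact wording of an `oauth2 worker` line is an assumption, only the substring is taken from the README reference above.

```python
import re

# Constructed sample: the radius.log line and debug lines the issue author
# pasted, plus one invented request (1) where the oauth2 module did run.
SAMPLE = """\
Tue Mar 28 14:08:08 2023 : Auth: (19) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [test@xxx.fr/
(0) [mschap] = noop
(0) Found Auth-Type = eap
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(1) oauth2 worker: looking up user (constructed line, format assumed)
(1) Found Auth-Type = PAP
"""

# FreeRADIUS prefixes each line with the request number in parentheses.
REQ_ID = re.compile(r"\((\d+)\)")


def diagnose(debug_text):
    """Return {request_id: [finding, ...]} for the symptoms named in this thread."""
    by_req = {}
    for line in debug_text.splitlines():
        m = REQ_ID.search(line)
        if m:
            by_req.setdefault(m.group(1), []).append(line)

    report = {}
    for rid, lines in by_req.items():
        blob = "\n".join(lines)
        findings = []
        if "oauth2 worker" not in blob:
            findings.append("oauth2 module never ran (no 'oauth2 worker' line)")
        if "No NT-Password" in blob:
            findings.append("mschap needs NT-Password: PEAP/MSCHAPv2 cannot work "
                            "against an OAuth2 backend, use TTLS/PAP")
        if "Auth-Type = eap" in blob:
            findings.append("Auth-Type = eap: outer EAP handled here, check that "
                            "the inner tunnel reaches the oauth2 module")
        report[rid] = findings
    return report


if __name__ == "__main__":
    for rid, findings in diagnose(SAMPLE).items():
        print(rid, findings or ["no symptom from this thread found"])
```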
Hello,
Configured FreeRADIUS and the oauth2 authentication; everything is working fine.
When I do:

```
root@VM-AUTH:/etc/freeradius/sites-available# radtest test@xxx.fr Og@2023! 20.19.x.y 0 ***
Sent Access-Request Id 143 from 0.0.0.0:42117 to 20.19.x.y:1812 length 85
	User-Name = "test@xxx.fr"
	User-Password = "xxxx!"
	NAS-IP-Address = 10.0.0.4
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "xxxx"
Received Access-Accept Id 143 from 20.19.x.y:1812 to 10.0.0.4:42117 length 20
root@VM-AUTH:/etc/freeradius/sites-available#
```
It works.
Knowing that 20.19.x.y is my freeradius server IP address.
....
Now, when I do the test from my Access Point, it gives me this message:

```
Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]@/ ) {
(0) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(0) if (&User-Name =~ /../ ) {
(0) if (&User-Name =~ /../ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(0) if (&User-Name =~ /.$/) {
(0) if (&User-Name =~ /.$/) -> FALSE
(0) if (&User-Name =~ /@./) {
(0) if (&User-Name =~ /@./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "accelis.fr" for User-Name = "test@xxx.fr"
(0) suffix: Found realm "xxx.fr"
(0) suffix: Adding Stripped-User-Name = "test"
(0) suffix: Adding Realm = "xxx.fr"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap: Peer sent EAP Response (code 2) ID 1 length 20
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x45814ee245834a5c
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 46 from 10.0.0.4:1812 to 62.129.14.123:53671 length 80
(0) EAP-Message = 0x010200160410a42e880bb89199f1678efbb23b0052f1
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x45814ee245834a5c20cd516ecc6512c1
(0) Finished request
```
In my default file I noticed I have this:
I think FreeRADIUS is skipping the oauth authentication with my Azure AD once it sees that it's an EAP.
Any idea how I can fix this?