I tried to get RADIUS working with Zentyal without success. I tried to connect with an Android phone and a Windows 10 PC, but nothing works. Joining the domain over the local network works fine, and using radtest without mschap works fine too; the problem here seems to be mschap. I searched the web for hours but nothing worked for me.
When I tried to connect using my phone or my PC, I used a Ubiquiti access point that seems to be configured correctly; the requests are handled by FreeRADIUS. The access point is not the problem, since radtest doesn't work either, but anyway here is how I connect using my phone.
EAP Method: PEAP
Phase 2 Authentication: None
CA Certificate: Don't convalidate
Identity: Elia
Password: stackoverflow
Radtest works fine when not using mschap:
root@zenelia:~# radtest -x Elia stackoverflow localhost 0 secret
Sending Access-Request of id 211 to 127.0.0.1 port 1812
User-Name = "Elia"
User-Password = "stackoverflow"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=211, length=20
freeradius -X output for the previous command:
rad_recv: Access-Request packet from host 127.0.0.1 port 52877, id=91, length=74
User-Name = "Elia"
User-Password = "stackoverflow"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x0cca55945b14f3caf1f8f1ab3374df4c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
[ldap] performing user authorization for Elia
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> Elia
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=Elia)
[ldap] expand: DC=zentyal-domain,DC=lan -> DC=zentyal-domain,DC=lan
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap://127.0.0.1, authentication 0
[ldap] bind as CN=zentyal-radius-zenelia,CN=Users,DC=zentyal-domain,DC=lan/ELEwgGNcoFmjQ@Yj5oJS to ldap://127.0.0.1
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in DC=zentyal-domain,DC=lan, with filter (sAMAccountName=Elia)
[ldap] rebind to URL ldap://zentyal-domain.lan/CN=Configuration,DC=zentyal-domain,DC=lan
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group LDAP {
[ldap] login attempt by "Elia" with password "stackoverflow"
[ldap] user DN: CN=Elia Perantoni,CN=Users,DC=zentyal-domain,DC=lan
[ldap] (re)connect to ldap://127.0.0.1, authentication 1
[ldap] bind as CN=Elia Perantoni,CN=Users,DC=zentyal-domain,DC=lan/stackoverflow to ldap://127.0.0.1
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user Elia authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [Elia] (from client 127.0.0.1/32 port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 91 to 127.0.0.1 port 52877
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 91 with timestamp +8
Ready to process requests.
This doesn't work; note that I'm using mschap here.
root@zenelia:~# radtest -x -t mschap Elia stackoverflow localhost 0 secret
Sending Access-Request of id 183 to 127.0.0.1 port 1812
User-Name = "Elia"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0xf7a1a65b013d5d6b
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f024d5b89a20308d6a54dffacb2c4bb6ca20a6deedaebf71
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=183, length=38
MS-CHAP-Error = "\000E=691 R=1"
freeradius -X output while running the previous command:
rad_recv: Access-Request packet from host 127.0.0.1 port 59549, id=63, length=130
User-Name = "Elia"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0xb28350b23c97bdfc9d9bac99504dcd4a
MS-CHAP-Challenge = 0xadac5f0fddda582f
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
[ldap] performing user authorization for Elia
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> Elia
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=Elia)
[ldap] expand: DC=zentyal-domain,DC=lan -> DC=zentyal-domain,DC=lan
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap://127.0.0.1, authentication 0
[ldap] bind as CN=zentyal-radius-zenelia,CN=Users,DC=zentyal-domain,DC=lan/ELEwgGNcoFmjQ@Yj5oJS to ldap://127.0.0.1
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in DC=zentyal-domain,DC=lan, with filter (sAMAccountName=Elia)
[ldap] rebind to URL ldap://zentyal-domain.lan/CN=Configuration,DC=zentyal-domain,DC=lan
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group MS-CHAP {
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> Elia
[mschap] expand: %{%{User-Name}:-None} -> Elia
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=Elia
[mschap] mschap1: ad
[mschap] expand: %{mschap:Challenge} -> adac5f0fddda582f
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=adac5f0fddda582f
[mschap] expand: %{mschap:NT-Response} -> b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap] Exec: program returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] = reject
+} # group MS-CHAP = reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> Elia
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 63 to 127.0.0.1 port 59549
MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 63 with timestamp +9
Ready to process requests.
/var/log/freeradius/radius.log:
Fri Jun 9 16:11:52 2017 : Auth: Login OK: [Elia] (from client 127.0.0.1/32 port 1812)
Fri Jun 9 16:11:58 2017 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 1812)
NTLM seems to work:
root@zenelia:~# ntlm_auth --username=Elia --password=stackoverflow
NT_STATUS_OK: Success (0x0)
Searching online, I found that a common problem causing the same MS-CHAP-Error = "\000E=691 R=1" error is the freerad user not having read access to /var/lib/samba/winbindd_privileged, but that doesn't seem to be my case.
root@zenelia:/var/lib/samba# ls -l
total 1404
-rw------- 1 root root 421888 mag 31 17:03 account_policy.tdb
-rw------- 1 root root 696 mag 31 17:03 group_mapping.tdb
drwxr-x--- 2 root ntp 4096 giu 9 15:21 ntp_signd
drwxr-xr-x 10 root root 4096 mag 31 17:02 printers
drwxr-xr-x 8 root root 4096 giu 9 16:26 private
-rw------- 1 root root 528384 mag 31 17:03 registry.tdb
-rw------- 1 root root 421888 mag 31 17:03 share_info.tdb
drwxrwx---+ 3 root adm 4096 mag 31 17:07 sysvol
drwxrwx--T 2 root sambashare 4096 mag 31 17:03 usershares
-rw------- 1 root root 32768 giu 9 16:24 winbindd_cache.tdb
drwxr-x--- 2 root winbindd_priv 4096 giu 9 15:21 winbindd_privileged
root@zenelia:/var/lib/samba# grep '^winbindd_priv:' /etc/group
winbindd_priv:x:118:freerad
winbindd_privileged belongs to the winbindd_priv group, and freerad is a member of it.
Some people online suggest adding the users manually in /etc/freeradius/users:
Elia Cleartext-Password := "stackoverflow", MS-CHAP-Use-NTLM-Auth := No
which works, but the following doesn't:
Elia Cleartext-Password := "stackoverflow"
Now, I can't afford to add every user manually; I need FreeRADIUS to pull the users from the domain, but I thought I'd point out that disabling NTLM works, even though I don't know how to disable it for every user.
Is there a way to get FreeRADIUS working with Zentyal without having to add users manually?
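The two `freeradius -X` runs above differ only in which authenticate stage ran: the PAP request was accepted by an LDAP bind, while the MS-CHAP request was rejected by the external ntlm_auth helper after LDAP returned no password hash. The following triage script is an added example, not part of the original post or of FreeRADIUS: it splits debug output into requests, extracts the selected Auth-Type, the result, what ntlm_auth printed and the MS-CHAP-Error, and says which stage produced a reject. The sample log is constructed from abridged lines of the two runs quoted above, and the line patterns assume the FreeRADIUS 2.x debug format shown there.

```python
import re
# Constructed sample, abridged from the two `freeradius -X` runs quoted in the question.
SAMPLE_DEBUG = r"""
rad_recv: Access-Request packet from host 127.0.0.1 port 52877, id=91, length=74
    User-Name = "Elia"
Found Auth-Type = LDAP
Sending Access-Accept of id 91 to 127.0.0.1 port 52877
rad_recv: Access-Request packet from host 127.0.0.1 port 59549, id=63, length=130
    User-Name = "Elia"
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Found Auth-Type = MSCHAP
Exec output: Logon failure (0xc000006d)
Sending Access-Reject of id 63 to 127.0.0.1 port 59549
    MS-CHAP-Error = "\000E=691 R=1"
"""

# One regex per field, matching the FreeRADIUS 2.x debug lines above; first match per request wins.
FIELDS = {
    "user": re.compile(r'User-Name = "([^"]*)"'),
    "auth_type": re.compile(r"Found Auth-Type = (\S+)"),
    "result": re.compile(r"Sending (Access-Accept|Access-Reject) of id"),
    "exec_output": re.compile(r"Exec output: (.+)"),       # what the ntlm_auth helper printed
    "mschap_error": re.compile(r'MS-CHAP-Error = "\\000(E=\d+ R=\d+)"'),
}
RE_REQ = re.compile(r"rad_recv: Access-Request packet .*\bid=(\d+)")

def summarize_debug(text):
    """Split debug output into requests; return one dict of extracted fields per request."""
    summaries, cur = [], None
    for line in text.splitlines():
        m = RE_REQ.search(line)
        if m:
            cur = {"req_id": m.group(1), "no_known_good": False}
            summaries.append(cur)
        elif cur is not None:
            if 'No "known good" password' in line:   # LDAP returned no password hash
                cur["no_known_good"] = True
            for name, pat in FIELDS.items():
                m = pat.search(line)
                if m:
                    cur.setdefault(name, m.group(1))
    return summaries

def diagnose(s):
    # Name the stage that rejected the request: the directory bind or the ntlm_auth helper.
    if s.get("result") != "Access-Reject":
        return "accepted"
    if s.get("auth_type") == "MSCHAP" and "exec_output" in s:
        why = "no NT hash came back from LDAP, so mschap delegated to ntlm_auth; " if s["no_known_good"] else ""
        return f"rejected by ntlm_auth helper ({s['exec_output']}): {why}check winbind access for the radius user"
    return f"rejected by {s.get('auth_type', 'unknown')} module"
```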