{"id":1926,"date":"2020-12-28T18:43:08","date_gmt":"2020-12-28T17:43:08","guid":{"rendered":"http:\/\/blogperso.union31.fr\/?p=1926"},"modified":"2021-01-03T09:42:25","modified_gmt":"2021-01-03T08:42:25","slug":"freeradius-et-active-directory","status":"publish","type":"post","link":"https:\/\/blogperso.union31.fr\/?p=1926","title":{"rendered":"GNS3: FreeRadius and Active Directory"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span 
class=\"ez-toc-section\" id=\"I_Objectif\"><\/span>I Objective<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The objective is to verify the Windows computer account and user account through FreeRadius, which in turn queries a Microsoft Active Directory directory.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II_Serveur_de_temps\"><\/span>II Time server<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To communicate with a domain controller, and for KERBEROS authentication in particular, the clocks must be perfectly synchronized.<\/p>\n\n\n\n<p>To that end, the NTP service is set up on the Windows server and the Linux server synchronizes against it.<\/p>\n\n\n\n<p>On Windows, as the NTP server:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#enable NTP Server\nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\w32time\\TimeProviders\\NtpServer\" -Name \"Enabled\" -Value 1\n#flag 5\nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\W32Time\\Config\" -Name \"AnnounceFlags\" -Value 5\n#Restart NTP Server\nRestart-Service w32Time<\/code><\/pre>\n\n\n\n<p>On Linux, as an NTP client fetching the time:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install ntp<\/code><\/pre>\n\n\n\n<p>Edit the configuration file \/etc\/ntp.conf and add the server 192.168.30.101, the IP address of the AD server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"727\" height=\"261\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/ntp1.png\" alt=\"\" class=\"wp-image-1932\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/ntp1.png 727w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/ntp1-300x108.png 300w\" sizes=\"auto, (max-width: 727px) 100vw, 727px\" \/><\/figure>\n\n\n\n<p>Restart the service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart ntp<\/code><\/pre>\n\n\n\n<p>To check:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>date<\/code><\/pre>\n\n\n\n<p><span style=\"text-decoration: underline;\"><strong>In short: <\/strong><\/span>synchronizing on the W32time of an AD server does not work&#8230; Rather than lose time installing a time server for the 2 servers, I went through the VirtualBox tools to do this synchronization&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III_Integrer_le_serveur_Linux_dans_un_domaine_AD\"><\/span>III Joining the Linux server to an AD domain<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This is required so that Linux can verify Windows credentials.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III1_Definir_la_resolution_DNS_sur_le_serveur_Linux\"><\/span>III.1 Set up DNS resolution on the Linux server<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>On the Linux server, edit the file \/etc\/resolv.conf and enter the following values:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>domain domaine.local\nsearch domaine.local\nnameserver 192.168.30.101<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III2_Outil_samba_et_kerberos\"><\/span>III.2 Samba and Kerberos tools<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Install the following tools:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install samba winbind samba-common-bin krb5-user -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III3_Kerberos\"><\/span>III.3 Kerberos<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Edit the file \/etc\/krb5.conf<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"422\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/krb5.conf_.png\" alt=\"\" class=\"wp-image-1944\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/krb5.conf_.png 601w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/krb5.conf_-300x211.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<p>Obtain a Kerberos ticket from the domain controller:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kinit Administrateur@DOMAINE.LOCAL<\/code><\/pre>\n\n\n\n<p>Enter the password. If nothing is returned, it worked.<\/p>\n\n\n\n<p>Check that a ticket was obtained:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>klist<\/code><\/pre>\n\n\n\n<p>Example result below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"642\" height=\"161\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/kinit.png\" alt=\"\" class=\"wp-image-1946\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/kinit.png 642w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/kinit-300x75.png 300w\" sizes=\"auto, (max-width: 642px) 100vw, 642px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III4_SAMBA\"><\/span>III.4 SAMBA<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Edit the file \/etc\/samba\/smb.conf as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"459\" height=\"315\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/samba.conf_-1.png\" alt=\"\" class=\"wp-image-1951\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/samba.conf_-1.png 459w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/samba.conf_-1-300x206.png 300w\" sizes=\"auto, (max-width: 459px) 100vw, 459px\" \/><\/figure>\n\n\n\n<p>Restart the samba service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart smbd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III5_Integrer_le_serveur_Linux_dans_le_domaine\"><\/span>III.5 Join the Linux server to the domain<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Run the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>net ads join -U Administrateur<\/code><\/pre>\n\n\n\n<p>If the following line appears in the output, the machine is correctly registered in the domain:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nJoined 'DEBIANGNS3' to realm 'domaine.local'\n...<\/code><\/pre>\n\n\n\n<p>On the Windows server side:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"586\" height=\"210\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/AD_compte_ordi_linux.png\" alt=\"\" class=\"wp-image-1958\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/AD_compte_ordi_linux.png 586w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/AD_compte_ordi_linux-300x108.png 300w\" sizes=\"auto, (max-width: 586px) 100vw, 586px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III6_Interrogation_de_lAD\"><\/span>III.6 Querying the AD<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To check that we get information from the AD controller:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wbinfo -t<\/code><\/pre>\n\n\n\n<p>which gives the following result:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"587\" height=\"61\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo.png\" alt=\"\" class=\"wp-image-1961\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo.png 587w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo-300x31.png 300w\" sizes=\"auto, (max-width: 587px) 100vw, 587px\" \/><\/figure>\n\n\n\n<p>Example to list the user accounts:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wbinfo -u<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"416\" height=\"85\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo_u.png\" alt=\"\" class=\"wp-image-1962\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo_u.png 416w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo_u-300x61.png 300w\" sizes=\"auto, (max-width: 416px) 100vw, 416px\" \/><\/figure>\n\n\n\n<p>To test a Windows credential:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wbinfo -a Xavior%motdepasse<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"638\" height=\"103\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo_a.png\" alt=\"\" class=\"wp-image-1963\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo_a.png 638w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2020\/12\/wbinfo_a-300x48.png 300w\" sizes=\"auto, (max-width: 638px) 100vw, 638px\" \/><\/figure>\n\n\n\n<p>The second line indicates that authentication succeeded.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV_Configuration_du_serveur_FreeRadius\"><\/span>IV FreeRadius server configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV1_Preambule\"><\/span>IV.1 Preamble<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>A Windows 10 client will send 2 kinds of Radius requests:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>a \"Host\" request to authenticate the PC: the user name will have the form \"host\/PC_name.domain\". In our case it will be \"host\/PC1.domaine.local\"<\/li><li>a \"User\" request to authenticate the user once the Windows session is open: the user name will have the form \"NT_DOMAIN_name\/user\". 
In our case it will be \"DOMAINE\/Xavior\"<\/li><\/ul>\n\n\n\n<p>Once the PC authentication succeeds, the PC is placed in VLAN 20. In that VLAN the Active Directory is reachable, which lets the PC verify the session account. Once the account is verified (mainly at the first logon), a radius frame is sent. Not before.<\/p>\n\n\n\n<p>And once the user is authenticated, the computer is placed in VLAN 10.<\/p>\n\n\n\n<p>This section does not cover certificate management. It does, however, look at the 2 types of authentication.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV2_Droits_pour_utiliser_winbind_pour_FreeRadius\"><\/span>IV.2 Permissions for FreeRadius to use winbind<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo usermod -a -G winbindd_priv freerad\nsudo chgrp winbindd_priv \/var\/lib\/samba\/winbindd_privileged\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV3_Modification_des_fichiers_de_configuration_des_modules_eap_et_mschap\"><\/span>IV.3 Changes to the eap and mschap module configuration files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>File \/etc\/freeradius\/3.0\/mods-enabled\/<strong>eap<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>eap {\n        default_eap_type = <strong>mschapv2<\/strong>\n        timer_expire     = 60\n        ignore_unknown_eap_types = no\n        cisco_accounting_username_bug = no\n        max_sessions = ${max_requests}\n\n        md5 {\n        }\n        leap {\n        }\n        gtc {\n                auth_type = PAP\n        }\n\n\n        tls-config tls-common {\n                private_key_password = whatever\n                private_key_file = \/etc\/ssl\/private\/ssl-cert-snakeoil.key\n                certificate_file = \/etc\/ssl\/certs\/ssl-cert-snakeoil.pem\n                ca_file = \/etc\/ssl\/certs\/ca-certificates.crt\n                dh_file = ${certdir}\/dh\n                random_file = \/dev\/urandom\n                ca_path = ${cadir}\n                cipher_list = \"DEFAULT\"\n                cipher_server_preference = no\n                ecdh_curve = \"prime256v1\"\n                cache {\n                       lifetime = 24 # hours\n                }\n\n                verify {\n                }\n                ocsp {\n                        enable = no\n                        override_cert_url = yes\n                        url = \"http:\/\/127.0.0.1\/ocsp\/\"\n                }\n        }\n        tls {\n                tls = tls-common\n        }\n\n        ttls {\n                 tls = tls-common\n                 default_eap_type = <strong>mschapv2<\/strong>\n                 <strong>copy_request_to_tunnel = yes<\/strong>\n                 <strong>use_tunneled_reply = yes<\/strong>\n                 <strong>virtual_server = \"inner-tunnel\"<\/strong>\n        }\n\n        peap {\n\n                tls = tls-common\n                default_eap_type = <strong>mschapv2<\/strong>\n                <strong>copy_request_to_tunnel = yes\n                use_tunneled_reply = yes<\/strong>\n                <strong>virtual_server = \"inner-tunnel\"<\/strong>\n        }\n\n        mschapv2 {\n        }\n\n}<\/code><\/pre>\n\n\n\n<p>File \/etc\/freeradius\/3.0\/mods-enabled\/<strong>mschap<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mschap {\n\n        use_mppe = <strong>yes<\/strong>\n        require_encryption = <strong>yes<\/strong>\n        require_strong = <strong>yes<\/strong>\n        <strong>with_ntdomain_hack = yes<\/strong>\n\n        <span class=\"has-inline-color has-vivid-cyan-blue-color\"># in red: enables authentication of computer accounts<\/span>\n        <strong>ntlm_auth = \"\/usr\/bin\/ntlm_auth --request-nt-key --domain=DOMAINE --username=%{%{Stripped-User-Name}:-%{%{<span class=\"has-inline-color has-vivid-red-color\">mschap:User-Name<\/span>}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}\"\n<\/strong>\n        pool {\n                start = ${thread&#91;pool].start_servers}\n                min = ${thread&#91;pool].min_spare_servers}\n                max = ${thread&#91;pool].max_servers}\n                spare = ${thread&#91;pool].max_spare_servers}\n                uses = 0\n                retry_delay = 30\n                lifetime = 86400\n                cleanup_interval = 300\n                idle_timeout = 600\n        }\n\n        passchange {\n        }\n\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IIV4_Module_NTLM_AUTH\"><\/span>IV.4 NTLM_AUTH module<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Edit the following file: \/etc\/freeradius\/3.0\/<strong>ntlm_auth<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exec ntlm_auth {\n        wait = yes\n        program = \"\/usr\/bin\/ntlm_auth --request-nt-key <strong>--domain=DOMAINE<\/strong> --username=%{mschap:User-Name} --password=%{User-Password}\"\n}\n<\/code><\/pre>\n\n\n\n<p>For the domain, give the AD's short domain name: here \"DOMAINE\".<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV5_Configuration_de_%C2%AB_default_%C2%BB_et_%C2%AB_inner_%C2%BB\"><\/span>IV.5 Configuration of \"default\" and \"inner\"<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Edit the file \/etc\/freeradius\/3.0\/sites-enabled\/<strong>default<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server default {\n\nlisten {\n        type = auth\n        ipaddr = *\n        port = 0\n        limit 
{\n              max_connections = 16\n              lifetime = 0\n              idle_timeout = 30\n        }\n}\n\nlisten {\n        ipaddr = *\n        port = 0\n        type = acct\n        limit {\n        }\n}\nlisten {\n        type = auth\n        ipv6addr = ::   # any.  ::1 == localhost\n        port = 0\n        limit {\n              max_connections = 16\n              lifetime = 0\n              idle_timeout = 30\n        }\n}\nlisten {\n        ipv6addr = ::\n        port = 0\n        type = acct\n        limit {\n        }\n}\n\nauthorize {\n\n        <strong><span class=\"has-inline-color has-vivid-cyan-blue-color\"># ABOVE ALL, DO NOT PUT NTLM_AUTH HERE !!!<\/span><\/strong>\n        #ntlm_auth\n        filter_username\n        mschap\n        digest\n\n        <span class=\"has-inline-color has-vivid-cyan-blue-color\"># Using several realm types: edit the realm file and set the directive \"ignore_null = yes\"<\/span>\n        <strong>ntdomain<\/strong>   <span class=\"has-inline-color has-vivid-cyan-blue-color\"># accounts of the form DOMAINE\/Xavior<\/span>\n        <strong>suffix<\/strong>     <span class=\"has-inline-color has-vivid-cyan-blue-color\"># accounts of the form xavior@domaine.local<\/span>\n\n        eap {\n        #       ok = return\n#               updated = return\n        }\n\n        files\n        -sql\n        -ldap\n\n        expiration\n        logintime\n        pap\n}\n\nauthenticate {\n\n        <strong>ntlm_auth<\/strong>\n\n        Auth-Type PAP {\n                pap\n        }\n\n        Auth-Type CHAP {\n                chap\n        }\n\n        Auth-Type MS-CHAP {\n                mschap\n        }\n        mschap\n        eap\n}\n\npreacct {\n        preprocess\n\n        suffix\n#       ntdomain\n        files\n}\n\naccounting {\n\n        detail\n        unix\n        -sql\n        exec\n        attr_filter.accounting_response\n}\n\nsession {\n}\npost-auth {\n        update {\n                &amp;reply: += &amp;session-state:\n        }\n        -sql\n        exec\n        remove_reply_message_if_eap\n        Post-Auth-Type REJECT {\n\n                -sql\n                attr_filter.access_reject\n                eap\n                remove_reply_message_if_eap\n        }\n        Post-Auth-Type Challenge {\n        }\n}\n\npre-proxy {\n}\n\npost-proxy {\n        eap\n}\n\n}\n<\/code><\/pre>\n\n\n\n<p>Edit the file \/etc\/freeradius\/3.0\/sites-enabled\/<strong>inner-tunnel<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server inner-tunnel {\n\nlisten {\n       ipaddr = 127.0.0.1\n       port = 18120\n       type = auth\n}\n\nauthorize {\n\n        filter_username\n        chap\n        mschap\n\n        <span class=\"has-inline-color has-vivid-cyan-blue-color\"># Using several realm types: edit the realm file and set the directive \"ignore_null = yes\"<\/span>\n<strong>        ntdomain\n        suffix<\/strong>\n        update control {\n                &amp;Proxy-To-Realm := LOCAL\n        }\n        eap {\n                ok = return\n        }\n        files\n        -sql\n        -ldap\n        expiration\n        logintime\n        pap\n}\n\nauthenticate {\n\n        <strong>ntlm_auth<\/strong>\n\n        Auth-Type PAP {\n                pap\n        }\n        Auth-Type CHAP {\n                chap\n        }\n        Auth-Type MS-CHAP {\n                mschap\n        }\n        mschap\n        eap\n}\n\nsession {\n        radutmp\n}\n\npost-auth {\n\n        -sql\n\n        if (0) {\n\n                update reply {\n                        User-Name !* ANY\n                        Message-Authenticator !* ANY\n                        EAP-Message !* ANY\n                        Proxy-State !* ANY\n                        MS-MPPE-Encryption-Types !* ANY\n                        MS-MPPE-Encryption-Policy !* ANY\n                        MS-MPPE-Send-Key !* ANY\n                        MS-MPPE-Recv-Key !* ANY\n                }\n                update {\n                        &amp;outer.session-state: += &amp;reply:\n                }\n        }\n        Post-Auth-Type REJECT {\n\n                -sql\n                attr_filter.access_reject\n                update outer.session-state {\n                        &amp;Module-Failure-Message := &amp;request:Module-Failure-Message\n                }\n        }\n}\n\npre-proxy {\n}\n\npost-proxy {\n        eap\n}\n\n\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV6_Modification_du_module_REALM\"><\/span>IV.6 Changes to the REALM module:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Edit the file \/etc\/freeradius\/3.0\/mods-enabled\/<strong>realm<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>realm IPASS {\n        format = prefix\n        delimiter = \"\/\"\n        ignore_null=yes\n}\n\nrealm suffix {\n        format = suffix\n        delimiter = \"@\"\n}\n\nrealm realmpercent {\n        format = suffix\n        delimiter = \"%\"\n}\n\nrealm ntdomain {\n        format = prefix\n        delimiter = \"\\\\\"\n        <strong>ignore_null = yes<\/strong>\n}\n\n<\/code><\/pre>\n\n\n\n<p>Note: ignore_null=yes can also be set in the suffix realm.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV7_Authorisation_des_clients_a_effectuer_des_requetes_NAS\"><\/span>IV.7 Authorizing clients (NAS) to send requests: <span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Edit the file \/etc\/freeradius\/3.0\/<strong>clients.conf<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-vivid-cyan-blue-color\"># Requests coming from the CISCO router<\/span>\n<strong>client 192.168.30.254 {\n        secret = test\n        nastype = cisco\n        shortname = routeur3\n}<\/strong>\n\n<span class=\"has-inline-color 
has-vivid-cyan-blue-color\"># Requ\u00eates effectu\u00e9es ennnn local <\/span>\n\nclient localhost {\n        ipaddr = 127.0.0.1\n        proto = *\n        secret = <strong>testing123<\/strong>\n        require_message_authenticator = no\n        nas_type         = other        # localhost isn't usually a NAS...\n\n        limit {\n                max_connections = 16\n                lifetime = 0\n                idle_timeout = 30\n        }\n}\n\nclient localhost_ipv6 {\n        ipv6addr        = ::1\n        secret          = testing123\n}\n\n\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV8_Configuration_de_proxyconf\"><\/span>IV.8 Configuration de proxy.conf<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Modifier le fichier \/etc\/freeradius\/3.0\/<strong>proxy.conf<\/strong> :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxy server {\n        default_fallback = no\n}\n\n\nhome_server localhost {\n        type = auth\n        ipaddr = 127.0.0.1\n        port = 1812\n        secret = testing123\n        response_window = 20\n        zombie_period = 40\n        revive_interval = 120\n        status_check = status-server\n        check_interval = 30\n        check_timeout = 4\n        num_answers_to_alive = 3\n        max_outstanding = 65536\n        coa {\n                irt = 2\n                mrt = 16\n                mrc = 5\n                mrd = 30\n        }\n        limit {\n              max_connections = 16\n              max_requests = 0\n              lifetime = 0\n              idle_timeout = 0\n        }\n}\n\nhome_server_pool my_auth_failover {\n        type = fail-over\n        home_server = localhost\n}\n\n<span class=\"has-inline-color has-vivid-cyan-blue-color\"># D\u00e9finition du royaume \"DOMAINE\" : si rencontr\u00e9 l'authentification se fait en local\n<\/span><strong>realm DOMAINE {\n        authhost = LOCAL\n        accthost = LOCAL\n        
#nostrip\n}<\/strong>\n\n<span class=\"has-inline-color has-vivid-cyan-blue-color\"># Definition of the \"domaine.local\" realm: when it is matched, authentication is done locally<\/span>\n<strong>realm domaine.local {\n        authhost = LOCAL\n        accthost = LOCAL\n}<\/strong>\n\n<span class=\"has-inline-color has-vivid-cyan-blue-color\"># By default: authentication is done locally<\/span>\n<strong>realm DEFAULT {\n\n        type = radius\n        authhost = LOCAL\n        accthost = LOCAL\n        secret = testing123\n        nostrip\n}<\/strong>\n\nrealm LOCAL {\n        #  If we do not specify a server pool, the realm is LOCAL, and\n        #  requests are not proxied to it.\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV9_Definition_des_users\"><\/span>IV.9 Defining users<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Edit the file \/etc\/freeradius\/3.0\/<strong>users<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><span class=\"has-inline-color has-vivid-cyan-blue-color\"># Test account<\/span>\n<strong>test    Cleartext-password :=\"test\"\n        Service-Type = NAS-Prompt-User,\n        cisco-avpair = \"shell:priv-lvl=15\"<\/strong>\n\n<span class=\"has-inline-color has-vivid-cyan-blue-color\"># For user accounts. 
The DOMAINE realm is used as the filter<\/span>\n<strong>DEFAULT Realm == DOMAINE\n        Auth-Type = ntlm_auth,\n        Tunnel-Type  = 13,\n        Tunnel-Medium-type=6,\n        Tunnel-private-Group-Id = <span class=\"has-inline-color has-vivid-purple-color\">10<\/span><\/strong>\n\n<span class=\"has-inline-color has-vivid-cyan-blue-color\"># For the other accounts (catches the remaining accounts, mainly the computer accounts)<\/span>\n<strong>DEFAULT Auth-Type = ntlm_auth\n        Tunnel-Type = 13,\n        Tunnel-Medium-type=6,\n        Tunnel-private-Group-Id = <span class=\"has-inline-color has-vivid-purple-color\">20<\/span><\/strong>\n\nDEFAULT Framed-Protocol == PPP\n        Framed-Protocol = PPP,\n        Framed-Compression = Van-Jacobson-TCP-IP\n\nDEFAULT Hint == \"CSLIP\"\n        Framed-Protocol = SLIP,\n        Framed-Compression = Van-Jacobson-TCP-IP\n\nDEFAULT Hint == \"SLIP\"\n        Framed-Protocol = SLIP\n<\/code><\/pre>\n\n\n\n<p>This is where we define the VLAN assignment policy, based on:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>user accounts: VLAN 10<\/li><li>computer accounts: VLAN 20<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV10_Tests\"><\/span>IV.10 Tests<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To test general operation, use the radtest tool.<\/p>\n\n\n\n<p>Example for an account queried with MSCHAP:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@debianGNS3:\/etc\/freeradius\/3.0# <strong>radtest -t mschap DOMAINE\\\\xavior bonmotdepasse 127.0.0.1 0 testing123<\/strong>\nSent Access-Request Id 93 from 0.0.0.0:52425 to 127.0.0.1:1812 length 140\n\tUser-Name = \"DOMAINE\\\\xavior\"\n\tMS-CHAP-Password = \"Quentin94#!\"\n\tNAS-IP-Address = 127.0.1.1\n\tNAS-Port = 0\n\tMessage-Authenticator = 0x00\n\tCleartext-Password = \"Quentin94#!\"\n\tMS-CHAP-Challenge 
= 0x4175b072178baf54\n\tMS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000009b55cc859f0cf687300661bf0015db33c94dbca3182fb078\nReceived <strong>Access-Accept<\/strong> Id 93 from 127.0.0.1:1812 to 127.0.0.1:52425 length 100\n\t<span class=\"has-inline-color has-vivid-purple-color\">Tunnel-Type:0 = VLAN\n\tTunnel-Medium-Type:0 = IEEE-802\n\tTunnel-Private-Group-Id:0 = \"10\"<\/span>\n\tMS-CHAP-MPPE-Keys = 0x00000000000000000e6c59acb5726f152ecc9e23a180b550\n\tMS-MPPE-Encryption-Policy = Encryption-Required\n\tMS-MPPE-Encryption-Types = 4\nroot@debianGNS3:\/etc\/freeradius\/3.0# <\/code><\/pre>\n\n\n\n<p>Another example, when the credentials are incorrect:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@debianGNS3:\/etc\/freeradius\/3.0# <strong>radtest -t mschap DOMAINE\\\\xavior mauvaismdp 127.0.0.1 0 testing123<\/strong>\nSent Access-Request Id 141 from 0.0.0.0:38652 to 127.0.0.1:1812 length 140\n\tUser-Name = \"DOMAINE\\\\xavior\"\n\tMS-CHAP-Password = \"Quentin94#\"\n\tNAS-IP-Address = 127.0.1.1\n\tNAS-Port = 0\n\tMessage-Authenticator = 0x00\n\tCleartext-Password = \"Quentin94#\"\n\tMS-CHAP-Challenge = 0xf1560c7caad5892d\n\tMS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000334175190830b74ee71fb9f6e135534d6fe15d52b447b790\nReceived <strong>Access-Reject<\/strong> Id 141 from 127.0.0.1:1812 to 127.0.0.1:38652 length 61\n\tMS-CHAP-Error = \"\\000E=691 R=1 C=b75d0ff87c645e4d V=2\"\n(0) -: Expected Access-Accept got Access-Reject\n<\/code><\/pre>\n\n\n\n<p>To see the details of the errors, run the radius server in debug mode:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop freeradius\nfreeradius -X<\/code><\/pre>\n\n\n\n<p>Excerpt:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(0) Received Access-Request Id 221 from 127.0.0.1:49684 to 127.0.0.1:1812 length 140\n(0)   User-Name = \"DOMAINE\\\\Xavior\"\n(0)   NAS-IP-Address = 127.0.1.1\n(0)   NAS-Port = 0\n(0)   Message-Authenticator = 
0xe0a9a7c295d3c830d3d064eee1461e78\n(0)   MS-CHAP-Challenge = 0xf6748267f1c3811d\n(0)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000688b47f11888782c4af798e104f740b90ea770e0fc6d1b28\n(0) # Executing section authorize from file \/etc\/freeradius\/3.0\/sites-enabled\/default\n(0)   authorize {\n(0)     policy filter_username {\n(0)       if (&amp;User-Name) {\n(0)       if (&amp;User-Name)  -> TRUE\n(0)       if (&amp;User-Name)  {\n(0)         if (&amp;User-Name =~ \/ \/) {\n(0)         if (&amp;User-Name =~ \/ \/)  -> FALSE\n(0)         if (&amp;User-Name =~ \/@&#91;^@]*@\/ ) {\n(0)         if (&amp;User-Name =~ \/@&#91;^@]*@\/ )  -> FALSE\n(0)         if (&amp;User-Name =~ \/\\.\\.\/ ) {\n(0)         if (&amp;User-Name =~ \/\\.\\.\/ )  -> FALSE\n(0)         if ((&amp;User-Name =~ \/@\/) &amp;&amp; (&amp;User-Name !~ \/@(.+)\\.(.+)$\/))  {\n(0)         if ((&amp;User-Name =~ \/@\/) &amp;&amp; (&amp;User-Name !~ \/@(.+)\\.(.+)$\/))   -> FALSE\n(0)         if (&amp;User-Name =~ \/\\.$\/)  {\n(0)         if (&amp;User-Name =~ \/\\.$\/)   -> FALSE\n(0)         if (&amp;User-Name =~ \/@\\.\/)  {\n(0)         if (&amp;User-Name =~ \/@\\.\/)   -> FALSE\n(0)       } # if (&amp;User-Name)  = notfound\n(0)     } # policy filter_username = notfound\n(0)     &#91;preprocess] = ok\n(0)     &#91;chap] = noop\n(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'\n(0)     &#91;mschap] = ok\n(0)     &#91;digest] = noop\n(0) ntdomain: Checking for prefix before \"\\\"\n(0) ntdomain: Looking up realm \"DOMAINE\" for User-Name = \"DOMAINE\\Xavior\"\n(0) ntdomain: Found realm \"DOMAINE\"\n(0) ntdomain: Adding Stripped-User-Name = \"Xavior\"\n(0) ntdomain: Adding Realm = \"DOMAINE\"\n(0) ntdomain: Authentication realm is LOCAL\n(0)     &#91;ntdomain] = ok\n(0) suffix: Request already has destination realm set.  
Ignoring\n(0)     &#91;suffix] = noop\n(0) eap: No EAP-Message, not doing EAP\n(0)     &#91;eap] = noop\n(0) files: users: Matched entry DEFAULT at line 90\n(0)     &#91;files] = ok\n(0)     &#91;expiration] = noop\n(0)     &#91;logintime] = noop\n(0) pap: WARNING: No \"known good\" password found for the user.  Not setting Auth-Type\n(0) pap: WARNING: Authentication will fail unless a \"known good\" password is available\n(0)     &#91;pap] = noop\n(0)   } # authorize = ok\n(0) Found Auth-Type = mschap\n(0) # Executing group from file \/etc\/freeradius\/3.0\/sites-enabled\/default\n(0)   authenticate {\n(0) mschap: Client is using MS-CHAPv1 with NT-Password\n(0) mschap: Executing: \/usr\/bin\/ntlm_auth --request-nt-key --DOMAIN=DOMAINE --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:\n(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}}\n(0) mschap:    --> --username=Xavior\n(0) mschap: mschap1: f6\n(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}\n(0) mschap:    --> --challenge=f6748267f1c3811d\n(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}\n(0) mschap:    --> --nt-response=688b47f11888782c4af798e104f740b90ea770e0fc6d1b28\n<span class=\"has-inline-color has-vivid-purple-color\">(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'<\/span>\n<span class=\"has-inline-color has-vivid-purple-color\">(0) mschap: External script failed\n(0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication <\/span>information. 
(0xc000006d)\n<span class=\"has-inline-color has-vivid-purple-color\">(0) mschap: ERROR: MS-CHAP2-Response is incorrect<\/span>\n<span class=\"has-inline-color has-vivid-purple-color\">(0)     &#91;mschap] = reject\n(0)   } # authenticate = reject\n(0) Failed to authenticate the user<\/span>\n(0) Using Post-Auth-Type Reject\n(0) # Executing group from file \/etc\/freeradius\/3.0\/sites-enabled\/default\n(0)   Post-Auth-Type REJECT {\n(0) attr_filter.access_reject: EXPAND %{User-Name}\n(0) attr_filter.access_reject:    --> DOMAINE\\\\Xavior\n(0) attr_filter.access_reject: Matched entry DEFAULT at line 11\n(0)     &#91;attr_filter.access_reject] = updated\n(0)     &#91;eap] = noop\n(0)     policy remove_reply_message_if_eap {\n(0)       if (&amp;reply:EAP-Message &amp;&amp; &amp;reply:Reply-Message) {\n(0)       if (&amp;reply:EAP-Message &amp;&amp; &amp;reply:Reply-Message)  -> FALSE\n(0)       else {\n(0)         &#91;noop] = noop\n(0)       } # else = noop\n(0)     } # policy remove_reply_message_if_eap = noop\n(0)   } # Post-Auth-Type REJECT = updated\n<span class=\"has-inline-color has-vivid-purple-color\">(0) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): &#91;DOMAINE\\Xavior\/&lt;via Auth-Type = mschap>] (from client localhost port 0)<\/span>\n(0) Delaying response for 1.000000 seconds\nWaking up in 0.1 seconds.\nWaking up in 0.8 seconds.\n(0) Sending delayed response\n<span class=\"has-inline-color has-vivid-purple-color\">(0) Sent Access-Reject Id 221 from 127.0.0.1:1812 to 127.0.0.1:49684 length 61\n(0)   MS-CHAP-Error = \"\\000E=691 R=1 C=a60b650e4b95b559 V=2\"<\/span>\nWaking up in 3.9 seconds.\n(0) Cleaning up request packet ID 221 with timestamp +61\nReady to process requests\n<\/code><\/pre>\n\n\n\n<p>Testing with the MSCHAPv2 protocol is not possible with the radtest tool. 
However, if it works with mschap it should work with mschapv2. Do not forget to set the directive <strong>with_ntdomain_hack=yes<\/strong> in the file \/etc\/freeradius\/3.0\/mods-enabled\/<strong>mschap<\/strong>.<\/p>\n\n\n\n<p>Finally, below are the log entries observed in the file \/var\/log\/freeradius\/<strong>radius.log<\/strong> for 4 connections:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>Sat Jan  2 17:50:12 2021 : Auth: (14)   Login OK: &#91;host\/PC1.domaine.local\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40 via TLS tunnel)\nSat Jan  2 17:50:12 2021 : Auth: (15) Login OK: &#91;host\/PC1.domaine.local\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40)<\/strong>\nSat Jan  2 17:50:44 2021 : Auth: (24)   Login OK: &#91;DOMAINE\\xavior\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40 via TLS tunnel)\nSat Jan  2 17:50:44 2021 : Auth: (25) Login OK: &#91;DOMAINE\\xavior\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40)\n<strong>Sat Jan  2 17:51:06 2021 : Auth: (34)   Login OK: &#91;host\/PC1.domaine.local\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40 via TLS tunnel)\nSat Jan  2 17:51:06 2021 : Auth: (35) Login OK: &#91;host\/PC1.domaine.local\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40)<\/strong>\nSat Jan  2 17:51:38 2021 : ERROR: (43) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'\nSat Jan  2 17:51:38 2021 : Auth: (43)   Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. 
(0xc000006d)'): &#91;Xavior\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40 via TLS tunnel)\nSat Jan  2 17:51:38 2021 : Info: (44) eap_peap:   This means you need to read the PREVIOUS messages in the debug output\nSat Jan  2 17:51:38 2021 : Info: (44) eap_peap:   to find out the reason why the user was rejected\nSat Jan  2 17:51:38 2021 : Info: (44) eap_peap:   Look for \"reject\" or \"fail\".  Those earlier messages will tell you\nSat Jan  2 17:51:38 2021 : Info: (44) eap_peap:   what went wrong, and how to fix the problem\nSat Jan  2 17:51:38 2021 : Auth: (44) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): &#91;Xavior\/&lt;via Auth-Type = eap&gt;] (from client routeur3 port 3 cli 08-00-27-91-55-40)\n<\/code><\/pre>\n\n\n\n<p>For these 4 connections we can see that:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>the first corresponds to the authentication of the computer account;<\/li><li>the second to the authentication of a domain account following a user logon;<\/li><li>the third is the authentication of the computer account following the user logoff;<\/li><li>the fourth is the (failed) authentication of a user account local to the PC.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV11_Quelques_liens_qui_ont_permis_de_comprendres_les_roles_et_fonctions_de_chaque_fichier_de_configuration\"><\/span>IV.11 Some links that helped in understanding the roles and functions of each configuration file<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a rel=\"noreferrer noopener\" 
href=\"https:\/\/blog.stevedong.com\/post\/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10\/\" target=\"_blank\">https:\/\/blog.stevedong.com\/post\/how-to-install-and-configure-freeradius-with-active-directory-allow-allow-specific-group-of-users-to-authenticate-in-debian-10\/<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/www.dangtrinh.com\/2017\/03\/wpa2-enterprise-with-freeradius-and-ad.html\" target=\"_blank\">https:\/\/www.dangtrinh.com\/2017\/03\/wpa2-enterprise-with-freeradius-and-ad.html<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/keep.tylenn.fr\/2018\/03\/14\/guide-freeradius-vlan-active-directory\/\" target=\"_blank\">https:\/\/keep.tylenn.fr\/2018\/03\/14\/guide-freeradius-vlan-active-directory\/<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/blog.fenrir.fr\/2013\/09\/07\/freeradius-activedirectory\/\" target=\"_blank\">https:\/\/blog.fenrir.fr\/2013\/09\/07\/freeradius-activedirectory\/<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"http:\/\/deployingradius.com\/documents\/configuration\/active_directory.html\" target=\"_blank\">http:\/\/deployingradius.com\/documents\/configuration\/active_directory.html<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/cric.grenoble.cnrs.fr\/Administrateurs\/Documentations\/SiteWebAuthentification\/InstallationFreeRadius.php\" target=\"_blank\">https:\/\/cric.grenoble.cnrs.fr\/Administrateurs\/Documentations\/SiteWebAuthentification\/InstallationFreeRadius.php<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V_Configuration_du_routeur_CISCO\"><\/span>V Configuring the CISCO router<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V1_Schema_du_labo_de_test_sous_GNS3\"><\/span>V.1 Diagram of the test lab in GNS3<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"397\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/Labo-1024x397.png\" alt=\"\" class=\"wp-image-2026\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/Labo-1024x397.png 1024w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/Labo-300x116.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/Labo-768x298.png 768w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/Labo.png 1251w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V2_Configuration_du_Routeur_R1\"><\/span>V.2 Configuring router R1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The ports and the VLAN switching are only opened for authenticated computers or users. 
No communication is possible for the others.<\/p>\n\n\n\n<p>Below:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>in blue, the important RADIUS-related configuration<\/li><li>in purple, the important DHCP-related configuration<\/li><\/ul>\n\n\n\n<p>Excerpt of the running config:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>R1#show running-config \nBuilding configuration...\n\nCurrent configuration : 2150 bytes\n!\nversion 12.4\nservice timestamps debug datetime msec\nservice timestamps log datetime msec\nno service password-encryption\n!\nhostname R1\n!\nboot-start-marker\nboot-end-marker\n!\n!\naaa new-model\n!\n!\n<strong><span class=\"has-inline-color has-vivid-cyan-blue-color\">aaa authentication dot1x default group radius\naaa authorization network default group radius <\/span><\/strong>\n!\n!\naaa session-id common\nmemory-size iomem 5\nno ip icmp rate-limit unreachable\n!\n!\nip cef\nno ip domain lookup\n!\n!\nmultilink bundle-name authenticated\n!\n!\n...\n!\n!\n<strong><span class=\"has-inline-color has-vivid-cyan-blue-color\">dot1x system-auth-control<\/span><\/strong>\narchive   \n log config\n  hidekeys\n! \n!\n!\n!\nip tcp synwait-time 5\n!\n!\n!\n!\ninterface FastEthernet0\/0\n no ip address\n shutdown\n duplex auto\n speed auto\n!\ninterface FastEthernet0\/1\n no ip address\n shutdown\n duplex auto\n speed auto\n!         
\ninterface FastEthernet1\/0\n!\ninterface FastEthernet1\/1\n switchport access vlan 10\n!\ninterface FastEthernet1\/2\n switchport access vlan 20\n!\n<strong><span class=\"has-inline-color has-vivid-cyan-blue-color\">interface FastEthernet1\/3\n dot1x pae authenticator\n dot1x port-control auto<\/span><\/strong>\n!\ninterface FastEthernet1\/4\n!\ninterface FastEthernet1\/5\n!\ninterface FastEthernet1\/6\n!\ninterface FastEthernet1\/7\n!\ninterface FastEthernet1\/8\n!\ninterface FastEthernet1\/9\n!\ninterface FastEthernet1\/10\n!\ninterface FastEthernet1\/11\n!\ninterface FastEthernet1\/12\n!\ninterface FastEthernet1\/13\n!\ninterface FastEthernet1\/14\n switchport access vlan 30\n!\ninterface FastEthernet1\/15\n switchport access vlan 30\n!\ninterface Vlan1\n no ip address\n!\ninterface Vlan10\n<span class=\"has-inline-color has-vivid-purple-color\"> ip address 192.168.10.254 255.255.255.0\n ip helper-address 192.168.30.101<\/span>\n!\ninterface Vlan20\n <span class=\"has-inline-color has-vivid-purple-color\">ip address 192.168.20.254 255.255.255.0\n ip helper-address 192.168.30.101<\/span>\n!\ninterface Vlan30\n ip address 192.168.30.254 255.255.255.0\n!\n!\nno ip http server\nno ip http secure-server\nip forward-protocol nd\n!\n!\n!\nno cdp log mismatch duplex\n!\n!\n!\n<strong><span class=\"has-inline-color has-vivid-cyan-blue-color\">radius-server host 192.168.30.100 auth-port 1812 acct-port 1813\nradius-server key test<\/span><\/strong>\n!\ncontrol-plane\n!\n...\n!\n!\nline con 0\n exec-timeout 0 0\n privilege level 15\n logging synchronous\nline aux 0\n exec-timeout 0 0\n privilege level 15\n logging synchronous\nline vty 0 4\n!\n!\nend\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"VI_Configuration_du_serveur_DHCP\"><\/span>VI Configuring the DHCP server<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The DHCP server is hosted on the Windows domain controller. 
Depending on the VLAN (10 or 20), the IP addresses will be in 192.168.10.0\/24 or 192.168.20.0\/24.<\/p>\n\n\n\n<p>Without going into the details of the configuration, below is an excerpt of the configured DHCP server:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"899\" height=\"347\" src=\"http:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/dhcp.png\" alt=\"\" class=\"wp-image-2029\" srcset=\"https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/dhcp.png 899w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/dhcp-300x116.png 300w, https:\/\/blogperso.union31.fr\/wp-content\/uploads\/2021\/01\/dhcp-768x296.png 768w\" sizes=\"auto, (max-width: 899px) 100vw, 899px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"VII_Pour_aller_plus_loin\"><\/span>VII Going further<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The objective of only opening the ports and switching the VLANs according to User or Computer accounts works.<\/p>\n\n\n\n<p>To go further and obtain more security, one should:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>define ACLs on the VLAN that only allow access to the domain controller (and not to the rest of the network resources);<\/li><li>add a read-only domain controller (RODC) and forward the RADIUS requests to it (at least when authenticating computer accounts);<\/li><li>implement certificates for the PEAP communications;<\/li><li>force the Windows workstations to renew their IP address after logon (and work out how to do it at logoff).<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I Objective The objective is to verify the Windows computer and user accounts via 
FreeRadius, which itself will query a Microsoft Active Directory. II Time server To communicate with a domain controller and in<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1926","post","type-post","status-publish","format-standard","hentry","category-_systeme"],"_links":{"self":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1926"}],"version-history":[{"count":76,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1926\/revisions"}],"predecessor-version":[{"id":2042,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1926\/revisions\/2042"}],"wp:attachment":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}