RADIUS login fails with AD account

Hello,
we have integrated a UCS server with RADIUS into our AD domain.

A newly created LDAP UCS account can log in to the Wi-Fi via RADIUS.
An existing AD account unfortunately cannot.

Log from freeradius -X

(155) eap: Peer sent packet with method EAP PEAP (25)
(155) eap: Calling submodule eap_peap to process data
(155) eap_peap: Continuing EAP-TLS
(155) eap_peap: [eaptls verify] = ok
(155) eap_peap: Done initial handshake
(155) eap_peap: [eaptls process] = ok
(155) eap_peap: Session established. Decoding tunneled attributes
(155) eap_peap: PEAP state send tlv failure
(155) eap_peap: Received EAP-TLV response
(155) eap_peap: The users session was previously rejected: returning reject (again.)
(155) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(155) eap_peap: to find out the reason why the user was rejected
(155) eap_peap: Look for “reject” or “fail”. Those earlier messages will tell you
(155) eap_peap: what went wrong, and how to fix the problem
(155) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(155) eap: Sending EAP Failure (code 4) ID 10 length 4
(155) eap: Failed in EAP select
(155) [eap] = invalid
(155) } # authenticate = invalid
(155) Failed to authenticate the user

root@testrad01:/usr/bin# univention-radius-check-access --username=testuser
DEBUG: [user=testuser; mac=None] Given username: “testuser”
DEBUG: [user=testuser; mac=None] Given stationId: “None”
DEBUG: [user=testuser; mac=None] UCS@school RADIUS support is not installed
DEBUG: [user=testuser; mac=None] Checking LDAP settings for user
DEBUG: [user=testuser; mac=None] ALLOW ‘uid=testuser,ou=Nutzer,dc=my,dc=domain,dc=de’
INFO: [user=testuser; mac=None] Login attempt permitted by LDAP settings
DEBUG: [user=testuser; mac=None] MAC filtering is disabled by radius/mac/whitelisting.
INFO: [user=testuser; mac=None] User is allowed to use RADIUS
DEBUG: [user=testuser; mac=None] No valid NT-password-hash found. Check the “sambaNTPassword” attribute of the user.
DEBUG: [user=testuser; mac=None] — Thus access is DENIED.

Can anyone help me?

Regards, Steffen

Does this perhaps help? https://www.univention.de/blog-de/2020/06/passwort-hashes-zwischen-ms-active-directory-und-ucs-domaene-abgleichen/

In Nextcloud, the existing AD accounts can log in successfully.

The AD Connector apparently is not running.
