In any case, since you're doing cleartext authentication in this case, you could use LDAP authentication against the AD domain and avoid having to spawn an external program.
--Mike

On Jul 3, 2006, at 3:38 AM, [EMAIL PROTECTED] wrote:
Dear all,

For AAA authentication on a Cisco Catalyst 3750 switch, I try to use ntlm_auth to authenticate users against our Active Directory (domain name: SOUTH). Users telnet to the switch, therefore a clear-text password will be sent. According to an earlier posting (http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045377.html) I did this:

    What you need to do is to configure a *different* ntlm_auth, only for clear-text passwords. The simplest way to do this is to use the "exec" module:

        modules {
            ...
            exec win_domain {
                wait = yes
                input_pairs = request
                output_pairs = reply
                program = "ntlm_auth --username=\"%{User-Name}\" --password=\"%{User-Password}\" --domain=usmisgne"
            }
            ...
        }

    Now list "win_domain" in the "authenticate" section, and add the following entry to the "users" file:

        DEFAULT Auth-Type = win_domain

But the authentication still fails. My ntlm_auth shell command works:

    ~# /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH
    NT_STATUS_OK: Success (0x0)

...but authentication via freeradius fails.
Here are my config files and the complete freeradius -X output:

my radiusd.conf file:
-----------------------------

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
        use_mppe = no
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
    }
    ldap {
        server = "10.187.64.3"
        identity = "CN=Hans Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de"
        password = Gerti1000
        basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de"
        filter = "sAMAccountname=%{User-Name}"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check = no
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    exec win_domain {
        wait = yes
        input_pairs = request
        output_pairs = reply
        program = "/usr/bin/ntlm_auth --username=\"%{User-Name}\" --password=\'%{User-Password}\' --domain=SOUTH"
    }
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}

instantiate {
    exec
    expr
}

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    eap
    Auth-Type win_domain {
        win_domain
    }
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    unix
    radutmp
}

session {
    radutmp
}

post-auth {
}

pre-proxy {
}

post-proxy {
    eap
}

here is my users file
----------------------------

hugo    User-Password == "hugo01"
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=1"

DEFAULT Auth-Type = win_domain

freeradius -X
---------------------

freeradius -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = no
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "10.187.64.3"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "CN=Hans Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "Gerti1000"
 ldap: basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de"
 ldap: filter = "sAMAccountname=%{User-Name}"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = no
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP uid mapped to RADIUS $GENERIC$
conns: 0x81215a8
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/freeradius/certs/dh"
 tls: random_file = "/etc/freeradius/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = yes
 peap: use_tunneled_reply = yes
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
 exec: wait = yes
 exec: program = "/usr/bin/ntlm_auth --username="%{User-Name}" --password='%{User-Password}' --domain=SOUTH"
 exec: input_pairs = "request"
 exec: output_pairs = "reply"
 exec: packet_type = "(null)"
Module: Instantiated exec (win_domain)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:35261, id=176, length=64
        User-Name = "john.smith"
        User-Password = "smith1000"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "john.smith", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 99
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for john.smith
radius_xlat: 'sAMAccountname=john.smith'
radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0
rlm_ldap: bind as CN=Hans Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter sAMAccountname=john.smith
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user john.smith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type win_domain
auth: type "win_domain"
  Processing the authenticate section of radiusd.conf
modcall: entering group win_domain for request 0
radius_xlat: '/usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH'
Exec-Program: /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program: returned: 1
rlm_exec (win_domain): External script failed
  modcall[authenticate]: module "win_domain" returns fail for request 0
modcall: leaving group win_domain (returns fail) for request 0
auth: Failed to validate the user.
Login incorrect: [john.smith/smith1000] (from client localhost port 1645)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 176 to 127.0.0.1 port 35261
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 176 with timestamp 44a4e1a4
Nothing to do. Sleeping until we see a request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
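The posted win_domain module hands the user's clear-text password to ntlm_auth as a command-line argument, which both depends on how rlm_exec splits and quotes the program string and leaves the password readable in /proc/<pid>/cmdline for every local user while ntlm_auth runs. The wrapper below is an added example written for this thread, not code from the list, from FreeRADIUS or from Samba. It relies on two documented behaviours: rlm_exec with input_pairs = request exports the request attributes to the child as environment variables (User-Name becomes USER_NAME, User-Password becomes USER_PASSWORD), and ntlm_auth's squid-2.5-basic helper protocol reads "user password" lines on stdin, RFC 1738 escaped, and answers OK or ERR. The script path, the NTLM_AUTH and NTLM_SEPARATOR variables and the DOMAIN\user form (built with winbind's default separator) are assumptions; the domain SOUTH and the test account come from the thread. Nothing here changes the data flow on the wire: the password still arrives from the switch as a RADIUS User-Password, and winbind performs the NTLM challenge/response with the domain controller itself, so the clear-text value does not leave the RADIUS host.

```shell
#!/bin/sh
# ntlm_auth_plain.sh: clear-text password check for FreeRADIUS rlm_exec
# (added example; assumed install path /usr/local/bin/ntlm_auth_plain.sh).
#
# Credentials come from the environment that rlm_exec sets up with
# input_pairs = request, never from argv, and reach ntlm_auth on stdin.

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"   # assumed path, overridable
NTLM_DOMAIN="${NTLM_DOMAIN:-SOUTH}"            # domain from the thread
default_sep='\'                                # winbind's default separator
NTLM_SEPARATOR=${NTLM_SEPARATOR:-$default_sep}

# Escape the two characters that would break the helper's "user password"
# line format; ntlm_auth unescapes %XX sequences itself.
rfc1738_escape() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g'
}

# ntlm_check_plain USER PASSWORD [DOMAIN]
# Exit status 0 when ntlm_auth answers "OK", 1 otherwise. Empty input is
# rejected up front instead of being sent to the helper as an empty line.
ntlm_check_plain() {
    user=$1
    pass=$2
    domain=${3:-$NTLM_DOMAIN}
    reply=""
    if [ -z "$user" ] || [ -z "$pass" ]; then
        return 1
    fi
    # Qualify the account with the domain unless the NAS already sent one.
    case $user in
        *"$NTLM_SEPARATOR"*) qualified=$user ;;
        *) qualified="${domain}${NTLM_SEPARATOR}${user}" ;;
    esac
    reply=$(printf '%s %s\n' "$(rfc1738_escape "$qualified")" "$(rfc1738_escape "$pass")" \
        | "$NTLM_AUTH" --helper-protocol=squid-2.5-basic 2>/dev/null \
        | head -n 1)
    case $reply in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# When started by rlm_exec, USER_NAME and USER_PASSWORD are present; report
# the verdict through the exit status, which is what rlm_exec evaluates
# (0 = accept, non-zero = failure). Run by hand without them, do nothing.
if [ -n "${USER_NAME:-}" ] && [ -n "${USER_PASSWORD:-}" ]; then
    if ntlm_check_plain "$USER_NAME" "$USER_PASSWORD"; then
        exit 0
    fi
    exit 1
fi
```

To use it, keep the posted module but point it at the script with no arguments, e.g. program = "/usr/local/bin/ntlm_auth_plain.sh" together with wait = yes and input_pairs = request; make the script executable only by the user radiusd runs as, since it handles the password. The environment of a process is readable only by the same uid, unlike its command line, and because nothing is interpolated into a shell string there is no quoting to get wrong for user names containing spaces, quotes or a backslash.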