Hi, I want to configure my freeradius to authorize my users with an SQL database or, if the user isn't present there, check in AD.
Here is my conf for now.

authorize {
    preprocess
    sql
    if (notfound) {
        ntlm_auth
    }
    eap
    expiration
    logintime
}

authenticate {
    ntlm_auth
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}

And here is my radiusd.conf:

modules {
    exec ntlm_auth {
        wait = no
        program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
    $INCLUDE eap.conf
    mschap {
        with_ntdomain_hack = yes
    }
}

And here is the log from radiusd -X if I try a user who's in AD.

rlm_sql (sql): sql_set_user escaped user --> 'gchartra'
rlm_sql (sql): Reserving sql socket id: 1
        expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): User gchartra not found
++[sql] returns notfound
++? if (notfound)
? Evaluating "notfound" -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound)
        expand: --username=%{mschap:User-Name:-None} -> --username=gchartra
rlm_mschap: No NT-Domain was found in the User-Name.
        expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
rlm_mschap: No MS-CHAP-Challenge in the request.
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=00
rlm_mschap: No MS-CHAP-Response or MS-CHAP2-Response was found in the request.
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=00
+++[ntlm_auth] returns ok
++- if (notfound) returns ok
rlm_eap: EAP packet type response id 7 length 90
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Setting User-Name to gchartra
+- entering group authorize
++[preprocess] returns ok
        expand: %{User-Name} -> gchartra
rlm_sql (sql): sql_set_user escaped user --> 'gchartra'
rlm_sql (sql): Reserving sql socket id: 0
        expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'gchartra' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User gchartra not found
++[sql] returns notfound
++? if (notfound)
? Evaluating "notfound" -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound)
        expand: --username=%{mschap:User-Name:-None} -> --username=gchartra
rlm_mschap: No NT-Domain was found in the User-Name.
        expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
rlm_mschap: No MS-CHAP-Challenge in the request.
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=00
rlm_mschap: No MS-CHAP-Response or MS-CHAP2-Response was found in the request.
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=00
+++[ntlm_auth] returns ok
++- if (notfound) returns ok
rlm_eap: EAP packet type response id 7 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for gchartra with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

So the last part, if I understand, is that when the authentication section is called, it tries to authenticate with my module ntlm_auth but it fails and I don't know why. If in the radiusd.conf mschap module section I insert the same ntlm_auth line as in the exec, the SQL doesn't work but AD works. If I put nothing in the mschap section, the SQL works but not AD. So what did I do wrong?

Thanks
----------------------------
Guillaume Chartrand
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
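An added configuration example (not from the original post) of the SQL-then-AD fallback the post is after: the exec ntlm_auth module is dropped, because in the outer request it runs with no MS-CHAP attributes and always returns ok, and ntlm_auth is instead configured inside the mschap module, which is the code that actually has the inner MS-CHAPv2 challenge and response. The control attribute MS-CHAP-Use-NTLM-Auth then switches ntlm_auth on only when sql returned notfound, so SQL users keep authenticating against the password sql loaded. Assumptions: a FreeRADIUS 2.1.x or 3.x build whose dictionary defines MS-CHAP-Use-NTLM-Auth, the domain name intranet and the ntlm_auth path from the post, and radcheck rows that carry Cleartext-Password or NT-Password.

```unlang
# modules section (radiusd.conf, or mods-available/mschap on 3.x):
# the "exec ntlm_auth { ... }" block from the post is removed entirely.
mschap {
    with_ntdomain_hack = yes
    # Same command line as the post's exec module, but invoked by mschap
    # itself, so %{mschap:Challenge} and %{mschap:NT-Response} expand to
    # the real inner-tunnel values instead of the "00" defaults in the log.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# authorize section of the server that handles the PEAP inner tunnel
# (inner-tunnel when eap.conf sets virtual_server, else the default server).
authorize {
    preprocess
    sql
    if (notfound) {
        # Not in radcheck: let mschap hand this MS-CHAPv2 exchange to AD.
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
    else {
        # Found in radcheck: mschap must verify against the password sql
        # placed in the control list, not call ntlm_auth, otherwise SQL
        # users are always rejected.
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
    # mschap in authorize derives NT-Password from Cleartext-Password for
    # the SQL case and sets Auth-Type := MS-CHAP when MS-CHAP attributes exist.
    mschap
    eap
    expiration
    logintime
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

With radiusd -X, a successful AD user now shows mschap expanding --challenge and --nt-response to real values and "[mschap] returns ok", while an SQL user shows mschap being told to do MS-CHAPv2 with the NT-Password derived from radcheck.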