Please forgive me as I'm a newbie to RADIUS. I've been reading FAQs and the archived mailing list for three days and haven't seen a problem similar to mine. ntlm_auth works as expected on the command line, however it does not work in radius. In radius it ALWAYS returns a status ok and authenticates the user, even if the password is incorrect. Below are log snippets from issuing radiusd -X. I'm using the latest version, FreeRadius 2.1.1, compiled from source. Very specifically, I followed the (out of date) guide by Alan DeKok called "Deploying Radius":

http://deployingradius.com/documents/configuration/active_directory.html

Everything works ok in the guide up to the point of the first radtest command. I can put ANY password for the user in the radtest command and it works. Again, issuing ntlm_auth from the command line gives predictable results. Here's the real world example demonstrating that I have ntlm_auth properly working. These are the expected results. Is there a better way to debug the exec module to see what is really happening when exec calls ntlm_auth from within freeradius?

    [EMAIL PROTECTED] ~]# ntlm_auth --domain=GTDEV --request-nt-key --username=ntlmtest --password=radpw
    NT_STATUS_OK: Success (0x0)
    [EMAIL PROTECTED] ~]# ntlm_auth --domain=GTDEV --request-nt-key --username=ntlmtest --password=radpwnogood
    NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Radtest is issued from the command line:

    [EMAIL PROTECTED] ~]# radtest ntlmtest radpw localhost 0 testing123
    Sending Access-Request of id 103 to 127.0.0.1 port 1812
            User-Name = "ntlmtest"
            User-Password = "radpw"
            NAS-IP-Address = 10.10.3.5
            NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=103, length=20

and this is the debug output from radiusd -X:

    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 60006, id=103, length=60
            User-Name = "ntlmtest"
            User-Password = "radpw"
            NAS-IP-Address = 10.10.3.5
            NAS-Port = 0
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry ntlmtest at line 96
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = ntlm_auth
    +- entering group authenticate {...}
    [ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=ntlmtest
    [ntlm_auth] 	expand: --password=%{User-Password} -> --password=radpw
    ++[ntlm_auth] returns ok
    Login OK: [ntlmtest/radpw] (from client localhost port 0)
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 103 to 127.0.0.1 port 60006
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 103 with timestamp +3
    Ready to process requests.

OK, now here's the same radtest with a bad password. It works but it shouldn't!

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 58940, id=87, length=60
            User-Name = "ntlmtest"
            User-Password = "radpwnogood"
            NAS-IP-Address = 10.10.3.5
            NAS-Port = 0
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry ntlmtest at line 96
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = ntlm_auth
    +- entering group authenticate {...}
    [ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=ntlmtest
    [ntlm_auth] 	expand: --password=%{User-Password} -> --password=radpwnogood
    ++[ntlm_auth] returns ok
    Login OK: [ntlmtest/radpwnogood] (from client localhost port 0)
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 87 to 127.0.0.1 port 58940
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 87 with timestamp +7
    Ready to process requests.

And for those of you who must see the ntlm_auth config portion, here it is (it's the same as the deployment guide):

    $INCLUDE ${confdir}/modules/

    #
    # put exec ntlm_auth AFTER the exec module is defined
    #
    exec ntlm_auth {
        wait = no
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=GTDEV --username=%{mschap:User-Name} --password=%{User-Password}"
    }

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
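To see what the exec module actually runs and what comes back, one option is a logging wrapper between rlm_exec and the real binary, added here as an example that is not from the post or from FreeRADIUS: point the module's `program` at this script and set `wait = yes`, since rlm_exec only reads the child's exit status when it waits for it. `NTLM_AUTH_BIN`, `NTLM_DEBUG_LOG` and the `fake_ntlm_auth` stand-in are assumptions of the example.

```shell
#!/bin/sh
# Logging wrapper for an exec-module program (example, not FreeRADIUS code).
# It records the argv rlm_exec expanded, the program's output and its exit
# status, then returns both unchanged so the module sees exactly what the
# real program produced. NTLM_AUTH_BIN / NTLM_DEBUG_LOG are assumed names.

real_bin() { printf '%s\n' "${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth}"; }
log_file() { printf '%s\n' "${NTLM_DEBUG_LOG:-/tmp/ntlm_auth_debug.log}"; }

# Replace the value of any --password= argument before it reaches the log.
redact_args() {
    for a in "$@"; do
        case "$a" in
            --password=*) printf '%s ' '--password=<redacted>' ;;
            *)            printf '%s ' "$a" ;;
        esac
    done
}

# Run the real program with the arguments received, log argv, output and
# exit status, echo the output for rlm_exec, and return that same status.
run_wrapped() {
    out=$("$(real_bin)" "$@" 2>&1)
    rc=$?
    printf '%s pid=%s args=[%s] rc=%s out=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$$" "$(redact_args "$@")" \
        "$rc" "$out" >> "$(log_file)"
    printf '%s\n' "$out"
    return "$rc"
}

# Constructed stand-in for ntlm_auth, for offline testing only: it mimics
# the two outcomes shown in the post (exit 0 only on the expected password).
fake_ntlm_auth() {
    for a in "$@"; do
        if [ "$a" = "--password=radpw" ]; then
            echo "NT_STATUS_OK: Success (0x0)"
            return 0
        fi
    done
    echo "NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)"
    return 1
}

# When FreeRADIUS invokes this script with arguments, act as the wrapper;
# the script's exit status is the wrapped program's exit status.
[ $# -eq 0 ] || run_wrapped "$@"
```

Run with `NTLM_AUTH_BIN=fake_ntlm_auth` to exercise the wrapper without a domain join; in production the log file must be readable only by the radiusd user.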