--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:

> I'm running freeradius-2.0.5 on Linux.
>
> My setup is as follows:
>
> Windows Vista native client - Linksys AP - FreeRadius Linux
> server (PEAP/mschapv2) - Active Directory Windows server
>
> Everything works smoothly with the following ntlm_auth
> parameters in the mschap module:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> However, user authentication is rejected when I add the
> --domain parameter:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> (from the Windows Vista client I obviously set the DOMAIN
> field; besides, if I run the freeradius daemon with debug
> enabled I see that it "correctly" receives
> 'DOMAIN\username')
>
> For starters, I don't understand why authentication
> fails if I add --domain. How can I find out why?
>
> Then, adding --require-membership-of with or without
> --domain also fails.
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --require-membership-of='DOMAIN\\WIFI'
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> Finally, running ntlm_auth from the command line yields:
>
> # ntlm_auth --request-nt-key --domain=DOMAIN
> --username=myuser
> --require-membership-of='DOMAIN\\WIFI'
> password:
> NT_STATUS_OK: Success (0x0)
I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the '' in the ntlm_auth string like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

and now it works.

So this leads me to ask how I can specify group names with spaces, such as 'WIFI 1'.

Also, I had to specify the domain explicitly, either via --domain=DOMAIN or --domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication succeeds only if the client does NOT specify a domain in the domain or user field.

So I'm attaching some debug outputs with the hope that someone can shed some light on this aspect, which I obviously don't grasp.

Thanks,
Vieri
Attachment: radiusd.log.tar.gz (GNU Zip compressed data)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
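Added example (not part of the thread and not FreeRADIUS code): a small Python model of the expansions used in the ntlm_auth string, to see what --domain and --username values ntlm_auth would receive for each way a client can send the name. The semantics are assumptions about FreeRADIUS 2.x xlat, deliberately simplified: %{Attr:-default} yields the attribute if present, otherwise the (expanded) default; %{mschap:NT-Domain} and %{mschap:User-Name} split User-Name at the first backslash; the command is split on whitespace only, so the model says nothing about quoting or group names with spaces. The sample requests are constructed, not taken from the attached logs, and the %{mschap:User-Name:-None} variant is an assumption for comparison, not a string from the thread.

```python
import re

# Constructed sample requests (not taken from the attached logs): the same
# account sent three ways.  MS-CHAP attributes are omitted; only the name
# handling matters here, so Challenge/NT-Response fall back to their defaults.
REQUESTS = {
    "plain":          {"User-Name": "myuser"},
    "ntdomain":       {"User-Name": "DOMAIN\\myuser"},
    "ntdomain+realm": {"User-Name": "DOMAIN\\myuser",
                       "Stripped-User-Name": "myuser", "Realm": "DOMAIN"},
}

# The string from the thread that rejects users once a domain is sent ...
NTLM_AUTH_AS_POSTED = (
    "/usr/bin/ntlm_auth --request-nt-key"
    " --domain=%{mschap:NT-Domain:-DOMAIN}"
    " --username=%{Stripped-User-Name:-%{User-Name:-None}}"
    " --challenge=%{mschap:Challenge:-00}"
    " --nt-response=%{mschap:NT-Response:-00}"
)
# ... and a variant (assumption, not from the thread) that lets the mschap
# xlat strip the DOMAIN\ prefix itself instead of relying on Stripped-User-Name.
NTLM_AUTH_MSCHAP_USER = NTLM_AUTH_AS_POSTED.replace(
    "%{Stripped-User-Name:-%{User-Name:-None}}", "%{mschap:User-Name:-None}")


def mschap_xlat(field, request):
    """Model of %{mschap:...}: NT-Domain / User-Name split User-Name at the
    first backslash; anything else reads the matching MS-CHAP-* attribute."""
    name = request.get("User-Name", "")
    domain, sep, user = name.partition("\\")
    if field == "NT-Domain":
        return domain if sep else ""
    if field == "User-Name":
        return user if sep else name
    return request.get("MS-CHAP-" + field, "")


_XLAT = re.compile(r"%\{([^{}]*)\}")   # matches only an innermost %{...}


def expand(template, request):
    """Expand %{Attr:-default} and %{mschap:X:-default}, innermost first,
    repeating until nothing is left to expand (nested defaults)."""
    def one(m):
        name, _, default = m.group(1).partition(":-")
        if name.startswith("mschap:"):
            value = mschap_xlat(name[len("mschap:"):], request)
        else:
            value = request.get(name, "")
        return value if value else default

    prev = None
    while prev != template:
        prev, template = template, _XLAT.sub(one, template)
    return template


def ntlm_args(template, request):
    """Return the --flag=value pairs ntlm_auth would receive.  Splitting on
    whitespace is a simplification: it ignores quoting, so it cannot model
    group names that contain spaces."""
    argv = expand(template, request).split()
    return dict(arg[2:].split("=", 1) for arg in argv[1:] if "=" in arg)


if __name__ == "__main__":
    for label, template in (("as posted", NTLM_AUTH_AS_POSTED),
                            ("mschap:User-Name", NTLM_AUTH_MSCHAP_USER)):
        print(label)
        for kind, req in REQUESTS.items():
            args = ntlm_args(template, req)
            print(f"  {kind:15} --domain={args['domain']}"
                  f" --username={args['username']}")
```

Under these assumptions the posted string gives --domain=DOMAIN --username=DOMAIN\myuser when the client sends DOMAIN\myuser and nothing (for instance the realm module's ntdomain instance) has set Stripped-User-Name, while a plain myuser gives --username=myuser; that matches the asymmetry described in the reply. The %{mschap:User-Name:-None} variant produces --username=myuser for all three forms. Whether this is what happens on the real server can be checked against the expanded values radiusd -X prints for the mschap module's ntlm_auth command.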