Hi all,

I am implementing FreeRADIUS 2.0 to be integrated with Microsoft Active Directory and have encountered problems. All are being run in a virtual environment (VMware Server 1.07).

RADIUS OS: CentOS 5.2, FreeRADIUS Server 2.1.1, PAM radius 1.3.17
Active Directory OS: Windows 2003 Server

I referred to a number of URLs:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
http://deployingradius.com/documents/configuration/active_directory.html

I have successfully been able to join the RADIUS server to the AD, am able to get output for "wbinfo -u", and NTLM works well:

    [EMAIL PROTECTED] tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
    password:
    NT_STATUS_OK: Success (0x0)

I used FreeRADIUS with its default settings, only modifying the MSCHAP module to enable ntlm_auth:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

I installed pam_radius 1.3.17 and configured sshd to authenticate through PAM with pam_radius first:

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_radius_auth.so
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

I ran "radiusd -X" and opened another SSH session using the "test" account that I had tried with ntlm_auth previously, and got the following in the debug output:

    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71, length=86
            User-Name = "test"
            User-Password = "password"
            NAS-IP-Address = 127.0.0.1
            NAS-Identifier = "sshd"
            NAS-Port = 26171
            NAS-Port-Type = Virtual
            Service-Type = Authenticate-Only
            Calling-Station-Id = "10.0.0.151"
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "test", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> test
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 71 to 127.0.0.1 port 27196
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 71 with timestamp +13
    Ready to process requests.

It doesn't seem to be doing ntlm_auth? I am not sure how I am supposed to debug this problem further, as I have tried a number of troubleshooting steps, but still to no avail. Can someone enlighten me on this problem? If more information is required, please tell me.

I have attached my radius configuration as well: http://www.nabble.com/file/p20355701/radiusd.conf

Thanks in advance!
Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20355701.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
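An added example, not part of Andy's post: the Access-Request in the debug output carries a cleartext User-Password and no MS-CHAP attributes (pam_radius speaks PAP), so the mschap module returns noop and nothing ever sets an Auth-Type, which is exactly the rejection shown. The deployingradius.com HOWTO linked above handles PAP requests with a separate exec-module instance that hands the password to ntlm_auth; the binary path and the TEST domain below are taken from the post, and the file paths assume a stock 2.1.x raddb layout.

```conf
# raddb/modules/ntlm_auth  (new file; added example, path and domain from the post)
# For a PAP request there is no challenge/response, so ntlm_auth is given the
# cleartext password instead of --challenge/--nt-response. wait = yes makes the
# module block on the exit code: 0 (NT_STATUS_OK) accepts, anything else rejects.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default: make the instance available as an Auth-Type.
# Existing entries (pap, chap, mschap, unix, eap) stay as they are; add this one.
authenticate {
        ntlm_auth
}

# raddb/users: select that method. The mschap module keeps handling real
# MS-CHAP clients; this DEFAULT only matters for requests such as the sshd one
# above, where no other module set Auth-Type.
DEFAULT Auth-Type := ntlm_auth
```

With this in place, the "radiusd -X" output for the same login should show "++[ntlm_auth] returns ok" in the authenticate group instead of the "No authenticate method (Auth-Type) configuration found" line.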