tnt-4 wrote:
>
>> Currently, there are some questions that are going on in my head...
>> :confused:
>> 1. Must the ntlm_auth be placed in modules or in radiusd.conf?
>> If the configuration exec ntlm_auth is to be placed in modules, which
>> modules?
>>
>
> Modules.
>
>> 2. In the URL, that indicated that I must input ntlm_auth into the
>> authenticate routine in freeradius 1.x, but freeradius 2.x is all separated,
>> any idea which is the one that I should place it into?
>
> This has been pointed out to you twice:
>
>>>>> That's one of the steps. Just add ntlm_auth to authenticate in both
>>>>> virtual servers (default and inner-tunnel).
>>>
>>> Is this the step you are struggling with?
>>>
>
>> I will do some trial and error on my end though...
>> And I think that after being successful on this, I will need help from you
>> guys to get this documented,
>
> It is documented, but *you* have decided to skip steps as *you* felt that
> they are not appropriate for 2.x.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Guess I was "too smart" to skip steps... Thank you for pointing it out, Ivan! ;-)

I have retraced my steps again, and have done the following...

1. Added "user Auth-Type := ntlm_auth" to the users file in /usr/local/etc/raddb

2. Added "ntlm_auth" into authenticate of default and inner-tunnel in the sites-enabled directory:

   authenticate {
           ntlm_auth
           Auth-Type PAP {
                   pap
           }
           .
           .
           .
   }

3. Added into the exec file in the modules directory:

   exec ntlm_auth {
           wait = yes
           program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
   }

   where domain is TEST

4. I did not enable ntlm for mschap yet

5. Ran radiusd -X and it has no errors, and I extracted some information:

   server inner-tunnel {
    modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Instantiating ntlm_auth
     exec ntlm_auth {
           wait = yes
           program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
           input_pairs = "request"
           shell_escape = yes
     }

6. I tried to do an SSH authentication with pam-radius and it was not successful...

   rad_recv: Access-Request packet from host 127.0.0.1 port 26805, id=72, length=86
           User-Name = "test"
           User-Password = "password"
           NAS-IP-Address = 127.0.0.1
           NAS-Identifier = "sshd"
           NAS-Port = 25780
           NAS-Port-Type = Virtual
           Service-Type = Authenticate-Only
           Calling-Station-Id = "10.0.0.151"
   +- entering group authorize {...}
   ++[preprocess] returns ok
   ++[chap] returns noop
   ++[mschap] returns noop
   [suffix] No '@' in User-Name = "test", looking up realm NULL
   [suffix] No such realm "NULL"
   ++[suffix] returns noop
   [eap] No EAP-Message, not doing EAP
   ++[eap] returns noop
   ++[unix] returns notfound
   ++[files] returns noop
   ++[expiration] returns noop
   ++[logintime] returns noop
   [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
   ++[pap] returns noop
   No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
   Failed to authenticate the user.
   Using Post-Auth-Type Reject
   +- entering group REJECT {...}
   [attr_filter.access_reject]     expand: %{User-Name} -> test
   attr_filter: Matched entry DEFAULT at line 11
   ++[attr_filter.access_reject] returns updated
   Delaying reject of request 0 for 1 seconds
   Going to the next request
   Waking up in 0.9 seconds.
   Sending delayed reject for request 0
   Sending Access-Reject of id 72 to 127.0.0.1 port 26805
   Waking up in 4.9 seconds.

Seems like it didn't touch ntlm_auth.

Previously, I tried according to the manual on freeradius 1.17, and was successful when I did the testing, but failed when I enabled ntlm_auth on MSCHAP, and tested the same way as I am doing now.

Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20433178.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
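Reading the per-module return codes in the radiusd -X output is the quickest way to see why a request never reached the authenticate section. The following Python script is an added example, not part of the thread and not FreeRADIUS code: it parses a trimmed, constructed copy of the debug lines quoted in the post, groups the module return codes by section, and reports the checks a practitioner makes first: whether the authenticate group was ever entered, whether the server complained that no Auth-Type was set, and whether the files module matched an entry in the users file (rlm_files returns noop when no entry, not even a DEFAULT, matched the request). The regular expressions assume the 2.x debug line formats shown in the post.

```python
import re

# Constructed sample: a trimmed copy of the radiusd -X output quoted in the post.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 26805, id=72, length=86
\tUser-Name = "test"
\tUser-Password = "password"
\tNAS-Identifier = "sshd"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 72 to 127.0.0.1 port 26805
"""

# Line shapes taken from the 2.x debug output above (assumed stable for this example).
RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+)")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"


def parse_debug(text):
    """Return one summary dict per request seen in the debug output."""
    requests = []
    current = None
    group = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"id": int(m.group(3)), "packet": m.group(1), "client": m.group(2),
                       "groups": {}, "auth_type_missing": False, "reply": None}
            requests.append(current)
            group = None
            continue
        if current is None:
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            current["groups"][group] = []          # ordered list of (module, rcode)
            continue
        m = MODULE_RE.match(line)
        if m and group is not None:
            current["groups"][group].append((m.group(1), m.group(2)))
            continue
        if line.startswith(NO_AUTH_TYPE):
            current["auth_type_missing"] = True
            continue
        m = SEND_RE.match(line)
        if m:
            current["reply"] = m.group(1)
    return requests


def diagnose(req):
    """Explain, from the module return codes alone, why a request was rejected."""
    findings = []
    authorize = req["groups"].get("authorize", [])
    rcodes = dict(authorize)
    if "authenticate" not in req["groups"]:
        findings.append("authenticate group never entered")
    if req["auth_type_missing"]:
        findings.append("no module in authorize set Auth-Type")
    if rcodes.get("files") == "noop":
        findings.append("files returned noop: no users-file entry matched this request")
    # Anything other than ok/noop in authorize is worth a second look.
    odd = ["%s=%s" % (mod, rc) for mod, rc in authorize if rc not in ("ok", "noop")]
    if odd:
        findings.append("non-trivial authorize returns: " + ", ".join(odd))
    return findings


if __name__ == "__main__":
    for req in parse_debug(SAMPLE_DEBUG):
        print("request id=%d from %s -> %s" % (req["id"], req["client"], req["reply"]))
        for finding in diagnose(req):
            print("  -", finding)
```

Run on the sample it prints the reject for request id 72 together with the findings that the authenticate group was never entered, that no Auth-Type was set, and that the files module matched nothing; feeding it a full radiusd -X capture works the same way, one summary per rad_recv line.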