-----Original Message-----
> From: freeradius-users-bounces+scott=renshawauto....@lists.freeradius.org
> [mailto:freeradius-users-bounces+scott=renshawauto....@lists.freeradius.org]
> On Behalf Of Commonn Systems
> Sent: Friday, September 09, 2011 4:54 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Windows Pre-Login Auth
>
> Once you have Samba and AD talking via winbind, it is pretty straightforward.
> You can configure all the machines via Group Policy. I have used this post,
> pretty much to the T:
> http://lists.cistron.nl/pipermail/freeradius-users/2009-March/msg00231.html
>
> Good luck
>
I am running into an issue attempting to make FreeRadius authenticate via AD.

I am using FreeRadius version: 2.1.7, for host x86_64-redhat-linux-gnu and I am using the following version for Samba/Winbind: 3.5.4-0.70.el5_6.1

I can join the domain and get a list of users, and complete the ntlm_auth step successfully. However, when I attempt to use a real AD username and password I get an Access-Reject.

----------------------------------------------------------------------------
Here is the command I am sending to the FreeRadius server:

radtest scott kjsdfh7823 localhost 0 testing123

----------------------------------------------------------------------------
Here is what the Radius -X output shows:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57
        User-Name = "scott"
        User-Password = "kjsdfh7823"
        NAS-IP-Address = 10.119.189.35
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "scott", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> scott
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 38 to 127.0.0.1 port 49689
Waking up in 4.9 seconds.
Cleaning up request 0 ID 38 with timestamp +17
Ready to process requests.

----------------------------------------------------------------------------
I think the line above (in the radius -X output) that reads, "[mschap] No MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not testing it properly for MS-Chap - sending a cleartext username and password instead of what the MS-Chap module expects?).

Any assistance would be greatly appreciated. I have and am continuing to scour the internet for anything that might fix this issue.

Thanks,
Scott
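
A small check for the mismatch visible in the debug output above, added here as an example (it is not part of the original post and not FreeRADIUS code): it reads radiusd -X text and compares the credential attributes in the Access-Request with the Auth-Type the server selected. The function name diagnose, the REQUIRED_ATTR table and the sample text (trimmed from the lines quoted in the post) are assumptions made for the example.

```python
import re

# Constructed sample: a trimmed copy of the radiusd -X lines quoted in the post.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57
        User-Name = "scott"
        User-Password = "kjsdfh7823"
        NAS-IP-Address = 10.119.189.35
        NAS-Port = 0
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
"""

# Request attribute each Auth-Type needs (assumed table, three methods only).
REQUIRED_ATTR = {"PAP": "User-Password", "CHAP": "CHAP-Password",
                 "MSCHAP": "MS-CHAP-Challenge"}

ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+) = ")   # indented packet attribute
AUTH_RE = re.compile(r"^Found Auth-Type = (\S+)")  # method the server chose

def diagnose(debug_text):
    """Return (auth_type, request_attrs, finding) for one request in -X output."""
    attrs, auth_type, in_request = set(), None, False
    for line in debug_text.splitlines():
        if line.startswith("rad_recv:"):
            in_request = True
            continue
        m = ATTR_RE.match(line) if in_request else None
        if m:
            attrs.add(m.group(1))
            continue
        in_request = False  # first non-attribute line ends the packet dump
        m = AUTH_RE.match(line)
        if m:
            auth_type = m.group(1)
    needed = REQUIRED_ATTR.get(auth_type)
    if needed and needed not in attrs:
        sent = sorted(a for a in REQUIRED_ATTR.values() if a in attrs)
        return auth_type, attrs, f"Auth-Type {auth_type} needs {needed}; request carried {sent}"
    return auth_type, attrs, "no mismatch found"

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG)[2])
```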