Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner
This is the answer. Also, this is much easier than what I was trying to
do. Thank you for the pointer, Alan.

-Scott


On 3/26/12 5:17 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> hi,
>
> a quick glance at your question and i'd say you'd be better off using
> simple entries in the users file - simple check items (use huntgroups
> for your NAS addresses) with LDAP groups.
>
> match the good stuff, set reply
>
> match the bad stuff, set reject.
>
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner

> I'd be surprised if using Ldap-Group in the user's file
> resulted in load balancing of the group membership
> queries to the LDAP servers.  Does it?

It does, actually. Or at least it appears to. The first time it used ldap2
and the second time it used ldap1.



Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner

> Brian Julin wrote:
> > I'd be surprised if using Ldap-Group in the user's file
> > resulted in load balancing of the group membership
> > queries to the LDAP servers.  Does it?
>
>   It doesn't.
>
>   Alan DeKok.

So, now I'm confused again. If this doesn't load balance, then how should
I really be going about this?



Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner

> I cannot answer your question about if statements, but this
> much is clear: the Ldap-Group check attribute will query
> the ldap module that was instantiated last.  If you want
> to query a specific module, you have to use modulename-Ldap-Group.
>
> Similarly for ldap xlats, you have to use the module name.
>
> (A sensible wishlist item might be to have load-balance sections
> in the instantiate section register the same hooks as their
> submodules, then you'd be able to name the load-balance and
> use lbr-modulename-Ldap-Group.  But that sounds mildly
> hairy to implement.)

Does this mean that what I want to do is not possible?

-Scott



Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner
So, is the documentation at
http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
incorrect, or is it only correct for the very latest version?

-Scott



load balancing and if statements

2012-03-26 Thread Scott McLane Gardner
FR 2.1.10 on Linux

I want to load balance my LDAP servers, but I also want to do some
checking for group membership. Reading the documentation at
http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
makes me think I can use if and elsif statements in a load
balancing block, as long as the rules in the table are followed. However,
when I try to do this, I get the following errors in my log:

/etc/freeradius/sites-enabled/default[173]: load-balance sections cannot
contain a if statement

Here is the configuration I am attempting:

load-balance {
        ldap1

        if (Ldap-Group == "NET Staff") {
                if (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4) {
                        update reply {
                                Passport-Access-Priority = 6
                        }
                }
        }
        # Reject everyone else to the routers
        elsif (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4 || NAS-IP-Address == 10.51.0.1 || NAS-IP-Address == 10.51.0.2) {
                reject
        }

        ldap2

        if (Ldap-Group == "NET Staff") {
                if (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4) {
                        update reply {
                                Passport-Access-Priority = 6
                        }
                }
        }
        # Reject everyone else to the routers
        elsif (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4 || NAS-IP-Address == 10.51.0.1 || NAS-IP-Address == 10.51.0.2) {
                reject
        }
}


If I can't use if statements in a load balance block, can anyone suggest
another way to go about accomplishing what I want to do here?

Thank you,
Scott
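A worked version of the users-file approach Alan Buxey suggests in this thread, combined with Brian Julin's point that a bare Ldap-Group check always goes to the last instantiated ldap instance. This is an added example, not configuration from the thread: the huntgroup names "passport" and "routers", the instance names ldap1 and ldap2 and the Reply-Message text are assumptions; the NAS addresses, group name and Passport-Access-Priority attribute are the ones from the post.

```unlang
# raddb/huntgroups (read by the preprocess module, which must run before
# files): the NASes that get the group gate. Addresses are from the post;
# the huntgroup names are assumed.
passport  NAS-IP-Address == 10.52.6.5
passport  NAS-IP-Address == 10.52.6.4
routers   NAS-IP-Address == 10.52.6.5
routers   NAS-IP-Address == 10.52.6.4
routers   NAS-IP-Address == 10.51.0.1
routers   NAS-IP-Address == 10.51.0.2

# raddb/users: entries are tried in order and the first match without
# Fall-Through wins, so match the good cases first and reject the rest.
# ldap1-Ldap-Group names the instance that answers the group query; a bare
# Ldap-Group would go to whichever ldap instance was instantiated last.
DEFAULT  Huntgroup-Name == "passport", ldap1-Ldap-Group == "NET Staff"
         Passport-Access-Priority = 6,
         Fall-Through = No

DEFAULT  Huntgroup-Name == "routers", ldap1-Ldap-Group == "NET Staff"
         Fall-Through = No

DEFAULT  Huntgroup-Name == "routers", Auth-Type := Reject
         Reply-Message = "Not a member of NET Staff"

# raddb/sites-enabled/default: only the user lookup is balanced across the
# two ldap instances; the if/elsif logic no longer lives inside load-balance,
# which is what produced the "load-balance sections cannot contain a if
# statement" error in the post.
authorize {
        preprocess
        ...
        load-balance {
                ldap1
                ldap2
        }
        files
        ...
}
```

Run `radiusd -X` and send a test request from one of the router addresses: the debug output shows which instance answered the user lookup and, separately, the group query that the ldap1-Ldap-Group check item sends to ldap1. If you prefer unlang over the users file, the same gate goes after the `load-balance { }` block in authorize, never inside it, using the same ldap1-Ldap-Group comparison.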



Windows 7 clients

2012-03-15 Thread Scott McLane Gardner
Okay, I've finally got the server certificate sorted out, signed by
GeoTrust and installed, but now I have another certificate problem. I
believe this one is that the client doesn't recognize my ca.pem as being
signed by a trusted authority. Do I need to get another root cert signed
by GeoTrust? If so, how do I go about doing that?

FR v2.1.10

[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.




Re: Windows 7 clients

2012-03-15 Thread Scott McLane Gardner
Is this the INTERMEDIATE CA that GeoTrust sent along with the server
cert?




Re: Windows 7 clients

2012-03-15 Thread Scott McLane Gardner
Okay, it is the INTERMEDIATE CA. Sorry for the noise.



Question about certs and Microsoft

2012-03-14 Thread Scott McLane Gardner
In the beginning of the cert documentation, it says:

  The Microsoft XP Extensions will be automatically included in the
server certificate.  Without those extensions Windows clients will
refuse to authenticate to FreeRADIUS.


But I use a certificate authority, so later on in the documentation, it
says:



  If you have an existing certificate authority, and wish to create a
  certificate signing request for the server certificate, edit
  server.cnf as above, and type the following command.

$ make server.csr

  You will have to ensure that the certificate contains the XP
  extensions needed by Microsoft clients.



How do I go about ensuring this? Do I have to request them to be added
from the CA?



Re: Question about certs and Microsoft

2012-03-14 Thread Scott McLane Gardner
Excellent, thank you.

>   The default configuration does this.  You shouldn't need to do anything.



Certificates not working

2012-03-14 Thread Scott McLane Gardner
Okay, I followed the instructions in the certs README, created the CSR and
got a certificate from GeoTrust. When I install it and try to start the
server, I get the following error messages:

rlm_eap: SSL error error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file
/etc/freeradius/certs/server.key
rlm_eap: Failed to initialize type tls



I checked the permissions of the server.key file and it is the same as all
the other stuff in that directory. Can anyone tell me what this error
means?



Re: Certificates not working

2012-03-14 Thread Scott McLane Gardner
Just to get the server running, I tried moving all the things out of that
directory, then doing the ./bootstrap thing and it still gives that error
when trying to start the server.

-Scott



Re: Certificates not working

2012-03-14 Thread Scott McLane Gardner

On 3/14/12 4:05 PM, Alan DeKok al...@deployingradius.com wrote:

> Scott McLane Gardner wrote:
> > Okay, I followed the instructions in the certs README, created the CSR
> > and
> > got a certificate from GeoTrust. When I install it and try to start the
> > server, I get the following error messages:
> >
> > rlm_eap: SSL error error:06065064:digital envelope
> > routines:EVP_DecryptFinal_ex:bad decrypt
> > rlm_eap_tls: Error reading private key file
>
>   The password to the key file is wrong.
>
>   Alan DeKok.

Doesn't it just use server.cnf to set the password for the key and the CSR?



Re: Certificates not working

2012-03-14 Thread Scott McLane Gardner

>   FreeRADIUS doesn't read OpenSSL configuration files.
>
>   Alan DeKok.

Gosh, I feel like a dummy. Thanks.
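Where the key passphrase and the intermediate certificate actually go, as an added example for the two certificate threads above (the "bad decrypt" on the private key, and the unknown_ca alert from Windows 7 clients). This is not configuration from the posts: paths and option names are the FreeRADIUS 2.x eap.conf defaults, and the passphrase is a placeholder.

```unlang
# raddb/eap.conf, tls subsection (FreeRADIUS 2.x). FreeRADIUS never reads
# server.cnf; the passphrase chosen when the key was generated has to be
# repeated here or the key fails to load with "bad decrypt".
eap {
        default_eap_type = peap
        ...
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs

                # Placeholder: the passphrase used when server.key was made.
                private_key_password = CHANGE-ME
                private_key_file = ${certdir}/server.key

                # PEM file holding the server certificate followed by the
                # intermediate CA certificate that GeoTrust issued with it.
                # Without the intermediate, a Windows client cannot build a
                # chain to the GeoTrust root it trusts and aborts the
                # handshake with the unknown_ca alert seen in the post.
                certificate_file = ${certdir}/server.pem

                # Trust store used to verify client certificates (EAP-TLS);
                # for PEAP it can stay at the default.
                CA_file = ${cadir}/ca.pem
                ...
        }
}
```

Before restarting, `openssl rsa -in server.key -check -noout` prompts for the passphrase and confirms that the value going into private_key_password is the right one, and `openssl verify -CAfile intermediate.pem server.crt` (file names assumed) confirms that the intermediate really signs the server certificate; the chain file is then the server certificate with the intermediate appended after it.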



Re: Conditional attributes with AD

2012-03-13 Thread Scott McLane Gardner

> Try looking at the groupmembership_filter option - work out a
> search that works on the command line (with a filter), and then
> fit that filter into the ldap config.
>
> It should probably be something like (untested)
>
> groupname_attribute = cn
> groupmembership_filter = (&(objectClass=group)(member=%{Ldap-UserDn}))
> groupmembership_attribute = memberOf
>
> Run in debug, look at what it's actually searching, match to the
> config file, tweak, rinse & repeat.
>
> Matthew

Thank you! This was the pointer I needed to get this working. I'm sure
I'll have lots more questions about other aspects soon.

-Scott



How to reject users who don't match unlang

2012-03-13 Thread Scott McLane Gardner
I have the following in my sites-available/default:

authorize {

        ...

        # Allow only NET Staff members to log into BAND and HAPF
        if (Ldap-Group == "NET Staff" && (NAS-IP-Address == 192.168.6.5 || NAS-IP-Address == 192.168.6.4)) {
                update reply {
                        Passport-Access-Priority = 6
                }
        }

        # Reject everyone else
        elsif (NAS-IP-Address == 192.168.6.5 || NAS-IP-Address == 192.168.6.4) {
                reject = 1
        }

        ...

What I want is to only allow NET Staff members to log in and reject
everyone else who tries to log into these resources. I'm getting the
following in my log:

Tue Mar 13 12:55:32 2012 : Info: ++? elsif (NAS-IP-Address ==
192.168.6.5 || NAS-IP-Address == 192.168.6.4) -> TRUE
Tue Mar 13 12:55:32 2012 : Info: ++- entering elsif (NAS-IP-Address ==
192.168.6.5 || NAS-IP-Address == 192.168.6.4) {...}
Tue Mar 13 12:55:32 2012 : Info: +++- elsif (NAS-IP-Address ==
192.168.6.5 || NAS-IP-Address == 192.168.6.4) returns notfound
Tue Mar 13 12:55:32 2012 : Info: ++- group authorize returns notfound

What is the correct syntax to reject this way?



Re: How to reject users who don't match unlang

2012-03-13 Thread Scott McLane Gardner
And of course I figured it out 2 minutes after writing this message. For
posterity, the syntax was close. It's actually like this:

elsif (NAS-IP-Address == 192.168.6.5 || NAS-IP-Address == 192.168.6.4) {
        reject = 1
}



Re: How to reject users who don't match unlang

2012-03-13 Thread Scott McLane Gardner


On 3/13/12 1:24 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> hi,
>
> i must be tired... i can't see how that is different to your first email!
> ;-)
>
> alan


No, you're right, I didn't edit it. It's like you said, reject without the
= 1 after it. I must be the one who is tired. Thank you for your reply.



Re: Conditional attributes with AD

2012-03-12 Thread Scott McLane Gardner
Okay, I am a couple steps closer, but still having trouble. My radius
server is saying my test user is not in the group I'm filtering for,
however I know that it is. My sites-available/default config looks like:

authorize {
        ...
        ldap

        if (Ldap-Group == "PWHC Secure Wireless") {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 456
                }
        }
        ...
}

And my modules/ldap config looks like:

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = adserver.example.com
        identity = cn=admin,ou=users,dc=example,dc=com
        password = adminpass
        basedn = ou=users,dc=example,dc=com
        filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
        ...
}

And I'm receiving the following log messages:

[ldap] performing user authorization for username
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> username
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=username)
[ldap]  expand: ou=users,dc=example,dc=com -> ou=users,dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to adserver.uark.edu:389, authentication 0
  [ldap] bind as cn=netoc,ou=users,dc=example,dc=com/password to
adserver.uark.edu:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=users,dc=example,dc=com, with filter
(sAMAccountName=username)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user username authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (Ldap-Group == "PWHC Secure Wireless")
  [ldap] Entering ldap_groupcmp()
expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=users,dc=example,dc=com, with filter
(&(memberOf=PWHC Secure
Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group PWHC Secure Wireless not found or user is
not a member.
? Evaluating (Ldap-Group == "PWHC Secure Wireless") -> FALSE
++? if (Ldap-Group == "PWHC Secure Wireless") -> FALSE

It looks to me like it's binding and searching and deciding that I'm not a
member of that group, however I know that I am because if I do a
command-line ldapsearch it shows that I'm a member of that group.


# ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D
cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf
# extended LDIF
#
# LDAPv3
# base ou=users,dc=example,dc=com with scope subtree
# filter: cn=username
# requesting: memberOf
#

# username, Users, example.com
dn: CN=username,OU=users,dc=example,dc=com
memberOf: CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com
memberOf: CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special
Accounts,dc=example
 ,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1





Can anyone tell me what I'm doing wrong?

Thanks,
Scott



Conditional attributes with AD

2012-03-06 Thread Scott McLane Gardner
I've successfully gotten AD auth working, and now I'd like to be able to
assign VLANs based on group membership, but I'm having a hard time
figuring out where and how to do that. Where do I put the if statements
to check group membership? Does AD auth even work like this, or do I need
to be using LDAP auth?

Thank you,

-Scott



Re: Conditional attributes with AD

2012-03-06 Thread Scott McLane Gardner
I found this thread which seems to do what I am asking, but I just don't
know where to put this statement.
http://lists.freeradius.org/pipermail/freeradius-users/2012-January/058458.html
Any insight would be appreciated.

-Scott



Re: Conditional attributes with AD

2012-03-06 Thread Scott McLane Gardner

>   You can configure AD as an LDAP server, and then do LDAP group checks.
>  See the LDAP documentation for examples.
>
>   Alan DeKok.

I think the documentation is saying that LDAP can't be used with EAP. Is
that what it's really saying? It's a little unclear since it says "The
solution is to use the default configuration, which does work."

#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force Auth-Type = LDAP, and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.



Re: Conditional attributes with AD

2012-03-06 Thread Scott McLane Gardner

> I found this thread which seems to do what I am asking, but I just don't
> know where to put this statement.
> http://lists.freeradius.org/pipermail/freeradius-users/2012-January/058458.html
> Any insight would be appreciated.

Okay, I figured out where to put the if statement (in
sites-enabled/default, for anyone stumped like I was), but it doesn't
work. I'm assuming this is because I'm using Samba instead of LDAP. Is
there another way to get conditional replies based on group membership
while still using EAP?



unlang regex matching

2012-03-06 Thread Scott McLane Gardner
I'm having trouble getting unlang to match a string inside a larger
string. I have a script that outputs a string of domain groups, like this:

DOMN\Domain Users 2 DOMN\Wireless Users 2 DOMN\STUsers 2 DOMN\WOCL
Wireless DOMN\WOCL Staff

I have a unlang conditional written like this which I think should match,
but is not matching:

if (`/bin/sh /path/to/script` =~ /WOCL\sWireless/) {
        # do things
}
else {
        # do other things
}

Can anyone tell me why my regex is not matching?



Re: unlang regex matching

2012-03-06 Thread Scott McLane Gardner

> > I'm having trouble getting unlang to match a string inside a larger
> > string. I have a script that outputs a string of domain groups, like
> > this:
>
> the debug output (radiusd -X) should show you all the values
> as things happen - and thus show you the comparison and how
> it's failing
>
> Alan

Turns out that those spaces between the 2 and the domain were actually
newline characters. Removing those made the match work.



Re: Conditional attributes with AD

2012-03-06 Thread Scott McLane Gardner
If anyone cares, I got this working by calling a script that contained the
following:

#!/bin/sh
# Resolve the user name to its SID (first field of "wbinfo -n"), list the
# SIDs of the domain groups it belongs to, and print each group's name
# with the newlines stripped so unlang sees one string.
USER_SID=$(wbinfo -n "$1" | cut -d' ' -f1)
for T in $(wbinfo --user-domgroups "$USER_SID") ; do
        wbinfo -s "$T" | perl -ne 'chomp and print'
done


Which outputs a string containing all the groups the username is a member
of. I called the script from sites-available/default under post-auth like
so:

if (`/bin/sh /etc/freeradius/get_group.sh %{User-Name}` =~ /String.To.Match/) {
        update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = 456
        }
}

This was frustrating to figure out, but a good learning experience.

--Scott



Re: Conditional attributes with AD

2012-03-06 Thread Scott McLane Gardner


On 3/6/12 3:55 PM, Fajar A. Nugraha l...@fajar.net wrote:

> On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner sgar...@uark.edu
> wrote:
> > If anyone cares, I got this working by calling a script that contained
> > the
> > following:
>
> That's odd. Did you properly setup the AD as LDAP server in
> raddb/modules/ldap (or whatever file name you use)?

No, I didn't set it up as an LDAP server since you apparently can't use
LDAP and EAP at the same time. (Unless I'm reading the documentation
wrong.)

-Scott



Re: Conditional attributes with AD

2012-03-06 Thread Scott McLane Gardner


On 3/6/12 3:59 PM, Fajar A. Nugraha l...@fajar.net wrote:

> On Wed, Mar 7, 2012 at 4:57 AM, Scott McLane Gardner sgar...@uark.edu
> wrote:
> >
> > On 3/6/12 3:55 PM, Fajar A. Nugraha l...@fajar.net wrote:
> >
> > > On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner sgar...@uark.edu
> > > wrote:
> > > > If anyone cares, I got this working by calling a script that contained
> > > > the
> > > > following:
> > >
> > > That's odd. Did you properly setup the AD as LDAP server in
> > > raddb/modules/ldap (or whatever file name you use)?
> >
> > No, I didn't set it up as an LDAP server since you apparently can't use
> > LDAP and EAP at the same time. (Unless I'm reading the documentation
> > wrong.)
>
> Yes, you can :)
>
> You CAN'T use some EAP types (e.g. EAP-PEAP-MSCHAPv2) when
> authenticating using LDAP bind (i.e. set Auth-Type to LDAP).
>
> You CAN use LDAP as a plain database no matter what authentication
> method you use (in this case you're simply using it for group check,
> not for authentication).
>
> --
> Fajar

Can you expand on how this is done? I am a freeradius newbie and don't
really understand how all the pieces fit together.
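Fajar's split written out: AD is reached as a plain LDAP directory for the group answer, while EAP (PEAP/MSCHAPv2 through ntlm_auth, as in the ntlm_auth thread) does the authentication, so Auth-Type is never set to LDAP. This is an added example, not configuration from the thread; the groupmembership settings are the ones Matthew suggests in the 13 March reply, and the server, bind DN, password and base DN are placeholders. Because the group lookup keys on the request's User-Name, it has to run where the real identity is visible: for PEAP with an anonymous outer identity that is the inner-tunnel virtual server (with use_tunneled_reply = yes in eap.conf), not the outer post-auth shown here.

```unlang
# raddb/modules/ldap: AD used as a directory only. Placeholders: server,
# identity, password, basedn.
ldap {
        server = adserver.example.com
        identity = cn=admin,ou=users,dc=example,dc=com
        password = CHANGE-ME
        # A base that contains both the user OU and the group OU.
        basedn = dc=example,dc=com
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # AD keeps membership in the group's "member" attribute and mirrors
        # it in the user's memberOf; the default GroupOfNames filter (seen
        # failing in the 12 March debug output) finds nothing in AD.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = memberOf
}

# raddb/sites-enabled/default: EAP authenticates, ldap only answers the
# group question. No Auth-Type := LDAP anywhere.
authorize {
        preprocess
        mschap
        suffix
        eap {
                ok = return
        }
        ldap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

post-auth {
        # Wireless VLAN decided by AD group; non-members keep the default VLAN.
        if (Ldap-Group == "PWHC Secure Wireless") {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 456
                }
        }
}
```

With `radiusd -X` the ldap_groupcmp trace should now show a search with `(&(objectClass=group)(member=CN=...))` carrying a real user DN, or a memberOf comparison, rather than the empty `member=` that the thread's debug output shows; if `%{Ldap-UserDn}` is still empty, the user filter or base DN is wrong and the group check cannot succeed whatever the filter says.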



ntlm_auth works but not radtest

2012-03-05 Thread Scott McLane Gardner
I'm attempting to follow the guide at http://deployingradius.com/ Things
were going very well until I tried to set up Active Directory
authentication. Testing with ntlm_auth, I get a success:

$ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=myuname
--password=mypass
NT_STATUS_OK: Success (0x0)


But when I test with radtest it fails. I'm not sure I understand all of
the debug output, but I think maybe it has to do with it thinking the realm
is NULL. I have set it up in both smb.conf and krb5.conf as well as in the
mschap module of freeradius. I am using freeradius version 2.1.10 on
Ubuntu 11.10. Here's the output from the command line as well as the debug
output:

$ radtest -t mschap myuname mypass localhost 0 testing123
Sending Access-Request of id 99 to 127.0.0.1 port 1812
User-Name = myuname
NAS-IP-Address = mynasip
NAS-Port = 0
MS-CHAP-Challenge = 0xb89b59d41385c67c
MS-CHAP-Response =
0x00013edd0cff110926a15d402
f5204078f2d78d908e773c3a9c6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=99,
length=20


rad_recv: Access-Request packet from host 127.0.0.1 port 42379, id=209,
length=115
User-Name = myuname
NAS-IP-Address = mynasip
NAS-Port = 0
MS-CHAP-Challenge = 0x09d5dfb63fba5357
MS-CHAP-Response =
0x00010704b6897326b27adb243
658c300fcd922f008014ee7e25b
Mon Mar  5 14:45:54 2012 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Mon Mar  5 14:45:54 2012 : Info: +- entering group authorize {...}
Mon Mar  5 14:45:54 2012 : Info: ++[preprocess] returns ok
Mon Mar  5 14:45:54 2012 : Info: ++[chap] returns noop
Mon Mar  5 14:45:54 2012 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type  = mschap'
Mon Mar  5 14:45:54 2012 : Info: ++[mschap] returns ok
Mon Mar  5 14:45:54 2012 : Info: ++[digest] returns noop
Mon Mar  5 14:45:54 2012 : Info: [suffix] No '@' in User-Name = myuname,
looking up realm NULL
Mon Mar  5 14:45:54 2012 : Info: [suffix] No such realm NULL
Mon Mar  5 14:45:54 2012 : Info: ++[suffix] returns noop
Mon Mar  5 14:45:54 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Mar  5 14:45:54 2012 : Info: ++[eap] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[files] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[expiration] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[logintime] returns noop
Mon Mar  5 14:45:54 2012 : Info: [pap] WARNING! No known good password
found for the user.  Authentication may fail because of this.
Mon Mar  5 14:45:54 2012 : Info: ++[pap] returns noop
Mon Mar  5 14:45:54 2012 : Info: Found Auth-Type = MSCHAP
Mon Mar  5 14:45:54 2012 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Mon Mar  5 14:45:54 2012 : Info: +- entering group MS-CHAP {...}
Mon Mar  5 14:45:54 2012 : Info: [mschap] Told to do MS-CHAPv1 with
NT-Password
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand: %{Stripped-User-Name}
->
Mon Mar  5 14:45:54 2012 : Info: [mschap]   ... expanding second conditional
Mon Mar  5 14:45:54 2012 : Info: [mschap] WARNING: Deprecated conditional
expansion ":-".  See "man unlang" for details
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand: %{User-Name:-None} ->
myuname
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
--username=myuname
Mon Mar  5 14:45:54 2012 : Info: [mschap] No NT-Domain was found in the
User-Name.
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand: %{mschap:NT-DOMAIN} ->
Mon Mar  5 14:45:54 2012 : Info: [mschap]   ... expanding second conditional
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--domain=%{%{mschap:NT-DOMAIN}:-MYDOMAIN} -> --domain=MYDOMAIN
Mon Mar  5 14:45:54 2012 : Info: [mschap]  mschap1: 09
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=09d5dfb63fba5357
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0704b6897326b27adb243658c300fcd922f008014ee7e25b
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program output: winbind client not
authorized to use winbindd_pam_auth_crap. Ensure permissions on
/var/run/samba/winbindd_privileged are set correctly. (0xc022)
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind
client not authorized to use winbindd_pam_auth_crap. Ensure permissions on
/var/run/samba/winbindd_privileged are set correctly. (0xc022)
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program: returned: 1
Mon Mar  5 14:45:55 2012 : Info: [mschap] External script failed.
Mon Mar  5 14:45:55 2012 : Info: [mschap] MS-CHAP-Response is incorrect.
Mon Mar  5 14:45:55 2012 : Info: ++[mschap] returns reject
Mon Mar  5 14:45:55 2012 : Info: Failed to authenticate the user.
Mon Mar  5 14:45:55 2012 : Info: Using Post-Auth-Type Reject
Mon Mar  5 

Re: ntlm_auth works but not radtest

2012-03-05 Thread Scott McLane Gardner
> > Mon Mar  5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind
> > client not authorized to use winbindd_pam_auth_crap. Ensure permissions
> > on
> > /var/run/samba/winbindd_privileged are set correctly. (0xc022)
>
> Did you spot this?

This was definitely it. Thank you so much.

-Scott
