RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-18 Thread Martin Ubank
 = $dir
crl_dir = $dir/crl
database= $dir/index.txt
new_certs_dir   = $dir
certificate = $dir/server.pem
serial  = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE= $dir/.rand
name_opt= ca_default
cert_opt= ca_default
default_days= 365
default_crl_days= 30
default_md  = sha1
preserve= no
policy  = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ req ]
prompt  = no
distinguished_name  = client
default_bits= 2048
input_password  = INPUT_PW
output_password = OUTPUT_PW

[client]
countryName = UK
stateOrProvinceName = United Kingdom
localityName= West of ENgland
organizationName= UWE
emailAddress= email_addr...@uwe.ac.uk
commonName  = "UWE, Bristol"

P.S. Let me know if it would help to include other files.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-17 Thread Alan Buxey
Hi,

> Thanks for that.
> I had left some previous versions of files in the modules directory not 
> knowing that they are still active.
> Moving them to another location progressed me to the following error:

Yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in the modules/
directory. Never leave 'backups', editor backups (tilde emacs files), RCS versions
etc. lying around in those directories (this is a common problem).

> This was fixed by issuing this command:
> 
> 'chgrp radiusd /var/lib/samba/winbindd_privileged'

yep

> The next problem I got was
> 
> "EAP-MSCHAPV2: Received success
>  EAP-MSCHAPV2: Invalid authenticator response in success request"
> 
> Googling this suggests there is a bug in the version of Samba I'm using and 
> that I need to install version 3.0.30.

The latest Samba release in 3.5.x should work fine.

I note you are running 2.1.9 - why that version? 2.1.10 should be available
for CentOS 6 with yum. If self-compiling, use 2.1.12.

alan
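As an added check for the leftover-file problem described above (example code, not part of FreeRADIUS), the Python below lists entries in raddb/modules/ and raddb/sites-enabled/ whose names look like editor, package-manager or RCS leftovers rather than live configuration; the default paths and the name patterns are assumptions, and the demo directory is constructed.

```python
"""Find leftover files in the FreeRADIUS 2.x raddb directories that are read
wholesale (modules/ and sites-enabled/). Added example, not FreeRADIUS code;
the directory paths and the name patterns below are assumptions."""
import os
import re
import tempfile

# Names that usually mean an editor, package-manager or RCS leftover rather
# than a live module or virtual-server definition (constructed list).
STRAY_PATTERNS = [
    r".*~",                                               # editor tilde backups
    r"#.*#",                                              # emacs autosave files
    r".*\.(bak|orig|old|save|swp|rej)",                   # hand-made or merge leftovers
    r".*\.(rpmsave|rpmnew|dpkg-old|dpkg-new|dpkg-dist)",  # package-upgrade leftovers
    r".*,v",                                              # RCS archive files
]
STRAY_DIRS = {"RCS", "CVS"}


def is_stray(name: str) -> bool:
    """True if a file name matches one of the leftover patterns."""
    return any(re.fullmatch(p, name) for p in STRAY_PATTERNS)


def stray_config_files(dirs) -> list:
    """Return sorted paths of suspicious entries directly inside each dir.
    Directories that do not exist are skipped silently."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.scandir(d):
            if entry.is_dir(follow_symlinks=False) and entry.name in STRAY_DIRS:
                found.append(entry.path)
            elif entry.is_file() and is_stray(entry.name):
                found.append(entry.path)
    return sorted(found)


def demo_scan() -> list:
    """Build a constructed modules/ directory with one live module and a set
    of leftovers, then return the base names the scan flags."""
    d = tempfile.mkdtemp(prefix="raddb-modules-")
    for name in ["mschap", "mschap~", "mschap.bak", "eap.rpmsave", "#ldap#", "files,v"]:
        open(os.path.join(d, name), "w").close()
    os.mkdir(os.path.join(d, "RCS"))
    return sorted(os.path.basename(p) for p in stray_config_files([d, "/no/such/dir"]))


if __name__ == "__main__":
    # Assumed default raddb location; adjust for /usr/local/etc/raddb builds.
    for path in stray_config_files(["/etc/raddb/modules", "/etc/raddb/sites-enabled"]):
        print("stray config entry:", path)
```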


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-16 Thread Martin Ubank
Thanks for that.
I had left some previous versions of files in the modules directory, not knowing
that they were still active.
Moving them to another location got me to the following error:

"winbind client not authorized to use winbindd_pam_auth_crap. Ensure 
permissions on /var/lib/samba/winbindd_privileged are set correctly."

This was fixed by issuing this command:

'chgrp radiusd /var/lib/samba/winbindd_privileged'

The next problem I got was

"EAP-MSCHAPV2: Received success
 EAP-MSCHAPV2: Invalid authenticator response in success request"

Googling this suggests there is a bug in the version of Samba I'm using and 
that I need to install version 3.0.30.

A job for tomorrow morning ...

Thanks for everyone's help so far.

Martin.



Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-14 Thread James J J Hooper

On 14/10/2011 16:13, Martin Ubank wrote:

> Here's the full output from 'radiusd -X':


The bit at the top that tells us what radiusd has read from the config 
files is missing.


It's not executing ntlm_auth by the looks of what you posted, so you need 
to look at why. The first bit of radiusd -X will tell you which files it's 
reading. Check it's reading your mschap file (the one you configured, not 
some other one).


-James



Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-14 Thread Arran Cudbard-Bell

>  
> I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP 
> correctly:
>  
> 
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> 
>  

You just snipped away the useful information in the log... Please include the 
full debug log for the EAP round where this message is produced.


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-14 Thread Martin Ubank
I've been following the FreeRadius Deployment guide 
http://deployingradius.com/documents/configuration/active_directory.html

The following software is installed on a Centos 6 VM:

-Samba 3.5.4, Freeradius 2.1.9, wpa_supplicant-0.7.3, gcc v4.4.4-13, 
openssl, winbind.

I successfully performed basic configuration tests with the 'eapol_test' 
command for:
- PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5.

I've created production certificates & successfully tested for the above 
protocols.

Installed Kerberos 1.8.2 & tested that successfully.

I started to configure FreeRadius with AD and successfully tested it to use 
ntlm_auth.

I've got to the final stage "Configuring FreeRADIUS to use ntlm_auth for 
MS-CHAP" in the deployment process.

This stage says:

1) "... delete the testing entry used above from the users file, ...", which 
I've done.

2) "... fine (sic) the mschap module in raddb/modules/mschap file, and look for 
the line containing ntlm_auth = . It ... should be uncommented, ...", which 
I've done.

3) "Start the server ..."

   I ran 'radiusd -X'.

4) "... and use a test client to send an MS-CHAP authentication request."

   I've used the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s 
testing123'.

I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP 
correctly:

[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

The 'eapol_test' output reflects this:

EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
EAP-MSCHAPV2: RX identifier 8 mschapv2_id 8
EAP-MSCHAPV2: Received challenge
EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
EAP-MSCHAPV2: Generating Challenge Response
MSCHAPV2: Identity - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
MSCHAPV2: Username - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
MSCHAPV2: auth_challenge - hexdump(len=16): a5 e6 9e fa 6e 1f ec 2f 0b b6 a3 96 
ef 45 15 32
MSCHAPV2: peer_challenge - hexdump(len=16): 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 
6f 8d 2a a9
MSCHAPV2: username - hexdump_ascii(len=11):
 65 64 75 72 6f 61 6d 74 65 73 74  USERNAME
MSCHAPV2: password - hexdump_ascii(len=20):
 77 6f 72 6b 6d 61 6e 20 74 6f 64 61 79 20 61 72   PASSWORD
 6e 69 63 61
MSCHAPV2: NT Response - hexdump(len=24): 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c 
db 8b 51 77 ad 3e bc 96 26 7c 7a
MSCHAPV2: Auth Response - hexdump(len=20): f0 95 4d 86 ee 82 8f c0 12 84 cc a7 
d0 72 fb e6 95 b3 ef d1
MSCHAPV2: Master Key - hexdump(len=16): 31 8d ae c0 3d e1 42 0f ae 05 bc f0 72 
da 98 72
EAP-MSCHAPV2: TX identifier 8 mschapv2_id 8 (response)
EAP-PEAP: Encrypting Phase 2 data - hexdump(len=70): 02 08 00 46 1a 02 08 00 41 
31 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 00 00 00 00 00 00 00 00 66 
67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a 00 65 64 
75 72 6f 61 6d 74 65 73 74

RADIUS packet matching with station
decapsulated EAP packet (code=4 id=9 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

The peap-mschapv2-cert-ntlm_auth.conf file contains:

#
#   eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#

eapol_version=1
fast_reauth=0

network={
key_mgmt=WPA-EAP
eap=PEAP
identity="USERNAME"
#anonymous_identity="anonymous"
password="PASSWORD"
phase2="auth=MSCHAPV2"

  priority=10

  #
  #  Uncomment the following to perform server certificate validation.
  ca_cert="/etc/raddb/certs/ca.der"
}

The file /etc/raddb/modules/mschap contains:

# -*- text -*-
#
#  $Id$

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {

  #ntlm_auth = "/

Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-05-03 Thread Alan DeKok
Pedro Alves wrote:
> I already searched here, but the two info pages I found are broken:
> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
> http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html
> 
> How can I do this?

  Read http://freeradius.org/doc/

  This is documented.

  Alan DeKok.


Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-05-03 Thread Alan DeKok
Pedro Alves wrote:
> But the Windows XP and Vista supplicants can't authenticate; it always ends
> with "Sending Access-Challenge".
> 
> What is the best Samba version to communicate with a Win2008 Server Standard
> R2 (Active Directory)?

  http://deployingradius.com

  Follow the HOWTOs on the main page for getting EAP to work.  They
include instructions on how to debug common problems,  how to find out
exactly what's going wrong, and how to fix it.

  Alan DeKok.


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-05-03 Thread Pedro Alves
I see that the file xpextensions is already in the /raddb/certs dir and is
included when creating certificates using bootstrap:

"openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions
xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1"

But the Windows XP and Vista supplicants can't authenticate; it always ends
with "Sending Access-Challenge".

What is the best Samba version to communicate with a Win2008 Server Standard
R2 (Active Directory)?


Regards
Pedro Alves



RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-30 Thread Pedro Alves
I think the problem is the Windows supplicant, because I can connect successfully
using "Intel PROSet Wireless".

I need to add
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

to the PKCS#7 keybag attributes holding the client's private key.

I already searched here, but the two info pages I found are broken:
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html

How can I do this?
Thanks



RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-30 Thread Pedro Alves
I'm using Samba v3.4.0 and FreeRADIUS v2.1.8 on Ubuntu Desktop v9.10.
Active Directory is a Win2008 Server Standard R2.

Do you think it can be a Samba bug?




Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-30 Thread Alan DeKok
Pedro Alves wrote:
> Using JRadiusSimulator to test, I receive "Sending Access-Accept" :)
> 
> But when I use a Cisco Aironet 1121 AP as the client, only users from "files" can
> connect; users on AD don't.
...
> Sending Access-Challenge of id 110 to 10.1.3.17 port 1645
> EAP-Message =
> 0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372
> 6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a
> Message-Authenticator = 0x
> State = 0xac9d3931ab8120751e3f7dd68458a60f
> Finished request 149.
> Going to the next request
> Waking up in 4.7 seconds.

  See the FAQ and the comments in eap.conf in recent versions of the server.

  It may also be a Samba bug.  See:

https://bugzilla.samba.org/show_bug.cgi?id=6563

  Alan DeKok.


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-29 Thread Pedro Alves
3
State = 0xac9d3931aa8620751e3f7dd68458a60f
NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 27 length 88
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f3e5f3c
c91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573
server  {
  PEAP: Setting User-Name to radius
Sending tunneled request
EAP-Message =
0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f3e5f3c
c91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radius"
State = 0xf2895040f2924a11970822f6475488c4
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 27 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for radius with NT-Password
[mschap]expand: --username=%{mschap:User-Name:-None} ->
--username=radius
[mschap] No NT-Domain was found in the User-Name.
[mschap]expand: %{mschap:NT-Domain} -> 
[mschap]... expanding second conditional
[mschap]expand: --domain=%{%{mschap:NT-Domain}:-domain} ->
--domain=domain
[mschap]  mschap2: 10
[mschap]expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=f8ee793b104b9514
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=3e5f3cc91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c49
Exec-Program output: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841 
Exec-Program-Wait: plaintext: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841 
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x011c00331a031b002e533d3537343234373641383630373337373030443645313134443939
3143374137323538434136333633
Message-Authenticator = 0x
State = 0xf2895040f3954a11970822f6475488c4
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x011c00331a031b002e533d3537343234373641383630373337373030443645313134443939
3143374137323538434136333633
Message-Authenticator = 0x
State = 0xf2895040f3954a11970822f6475488c4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.1.3.17 port 1645
        EAP-Message =
0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372
6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a
Message-Authenticator = 0x
State = 0xac9d3931ab8120751e3f7dd68458a60f
Finished request 149.
Going to the next request
Waking up in 4.7 seconds.




RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Pedro Alves
Correct.

I just used JRadiusSimulator to do MS-CHAP and it works fine.

Thanks




Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Alan DeKok
Pedro Alves wrote:
> This is the test with AD user:
> 
> AP#test aaa group radius userad userpass new-code  
> Trying to authenticate with Servergroup radius
> User rejected
> 
> rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, 
> length=52
> User-Password = "userpass"
> User-Name = "userad"
> NAS-IP-Address = xx.xx.xx.xx

  So... you're not doing MS-CHAP.

  Why is this message useful?

  Again... the Active Directory howto you were pointed to *documents*
this.  Go read it and follow the steps.  If you don't follow the
documentation, you probably won't be able to solve the problem.

  Alan DeKok.


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Pedro Alves
Hello Again.

This is the test with a local user:

AP#test aaa group radius userlocal localpass new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=174, 
length=53
User-Password = " localpass "
User-Name = " userlocal "
NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "local01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry local01 at line 79
[files] expand: Ola, %{User-Name} -> Ola, local01
++[files] returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 174 to 10.1.3.17 port 1645
Reply-Message = "Ola, local01"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 174 with timestamp +416
Ready to process requests.



This is the test with an AD user:

AP#test aaa group radius userad userpass new-code  
Trying to authenticate with Servergroup radius
User rejected

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, 
length=52
User-Password = "userpass"
User-Name = "userad"
NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> radius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 175 to 10.1.3.17 port 1645
Waking up in 4.9 seconds.
Cleaning up request 6 ID 175 with timestamp +531
Ready to process requests.






Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Alan DeKok
Pedro Alves wrote:
> Users defined in the users "files" work fine, but users on AD don't.
> 
> In FreeRADIUS, using the test below, I can access users on AD.

  Have you followed the "Active Directory" howto on
http://deployingradius.com?

> r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
...
> Ready to process requests.

  ... and the server doesn't receive any packets.

  We can't help you debug an issue if you don't show us what's happening.

  Alan DeKok.

RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Garber, Neal

> Why is ntlm_auth not working for MS-CHAP?

It would be easier to answer your question if you included the debug output for
a rejected request, as opposed to just the startup messages.

Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Pedro Alves
After editing the mschap module file by uncommenting the line containing ntlm_auth =, I
used a Cisco AP (a FreeRADIUS client) to test with "test aaa group radius
user userpass new-code".

Users defined in the users "files" work fine, but users on AD don't.

In FreeRADIUS, using the test below, I can access users on AD.

r...@m:~# ntlm_auth --request-nt-key --domain=XXX --username=

password: 

NT_STATUS_OK: Success (0x0)

Why is ntlm_auth not working for MS-CHAP?

Thanks

r...@mhvrad01:/usr/local/etc/raddb# radiusd -X

FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Apr 28 2010 at 12:00:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 102