RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
= $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = INPUT_PW
output_password = OUTPUT_PW

[client]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = West of ENgland
organizationName = UWE
emailAddress = email_addr...@uwe.ac.uk
commonName = "UWE, Bristol"

P.S. Let me know if it would help to include other files.

-----Original Message-----
From: freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 17 October 2011 09:21
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Hi,

> Thanks for that.
> I had left some previous versions of files in the modules directory not
> knowing that they are still active.
> Moving them to another location progressed me to the following error:

yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in
modules/ directory. never leave 'backups' or editor backups (tilde emacs
files) or RCS etc versions lying around in those directories (this is a
common problem)

> This was fixed by issuing this command:
>
> 'chgrp radiusd /var/lib/samba/winbindd_privileged'

yep

> The next problem I got was
>
> "EAP-MSCHAPV2: Received success
> EAP-MSCHAPV2: Invalid authenticator response in success request"
>
> Googling this suggests there is a bug in the version of Samba I'm using and
> that I need to install version 3.0.30.

the latest SAMBA release in 3.5.x should work fine. I note you are running
2.1.9 - why that version? 2.1.10 should be available for CentOS 6 with yum.
if self-compiling, use 2.1.12

alan
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Thanks for that.

I had left some previous versions of files in the modules directory not knowing that they are still active.

Moving them to another location progressed me to the following error:

"winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly."

This was fixed by issuing this command:

'chgrp radiusd /var/lib/samba/winbindd_privileged'

The next problem I got was

"EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request"

Googling this suggests there is a bug in the version of Samba I'm using and that I need to install version 3.0.30.

A job for tomorrow morning ...

Thanks for everyone's help so far.

Martin.

-----Original Message-----
From: freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org] On Behalf Of James J J Hooper
Sent: 14 October 2011 18:29
To: freeradius-users@lists.freeradius.org
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
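The "Invalid authenticator response in success request" message above is eapol_test comparing the "S=..." string the server put in its EAP-MSCHAPv2 Success request with one it computes itself. Both sides derive it the same way (RFC 2759 sections 8.7 and 8.8): the server from the NT hash that `ntlm_auth --request-nt-key` returns as NT_KEY, the supplicant from the hash of the password it typed. The following is an added example, not code from this thread, from FreeRADIUS or from Samba; it implements that derivation in Python and runs it on the RFC 2759 section 9.2 test vectors (user "User", password "clientPass"), which are not values from the thread. Any server that works from a different NT hash than the client (wrong account, wrong domain, stale hash) produces a different string, and the supplicant rejects the Success request exactly as shown above.

```python
"""MS-CHAPv2 authenticator response (RFC 2759) as both sides compute it.

Added example, not code from the mailing-list thread, FreeRADIUS or Samba.
The inputs at the bottom are the RFC 2759 section 9.2 test vectors.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled under
    OpenSSL 3, and it is only needed here for PasswordHashHash."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                   # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 section 8.2: 8-byte challenge from both challenges and the bare
    user name (no DOMAIN\\ prefix), one place where server and client can disagree."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(password_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: bytes) -> str:
    """RFC 2759 section 8.7. password_hash is the 16-byte NT hash; on the
    FreeRADIUS side this is the NT_KEY value that ntlm_auth returns."""
    password_hash_hash = md4(password_hash)                    # section 8.4
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def supplicant_accepts_success(server_response: str, password_hash: bytes,
                               nt_response: bytes, peer_challenge: bytes,
                               auth_challenge: bytes, username: bytes) -> bool:
    """RFC 2759 section 8.8, the check behind eapol_test's "Invalid authenticator
    response": recompute from the client's own password hash and compare."""
    expected = authenticator_response(password_hash, nt_response,
                                      peer_challenge, auth_challenge, username)
    return hmac.compare_digest(expected.encode(), server_response.encode())


# RFC 2759 section 9.2 test vectors (UserName "User", Password "clientPass").
RFC_USERNAME = b"User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_PASSWORD_HASH = bytes.fromhex("44EBBA8D5312B8D611474411F56989AE")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    args = (RFC_NT_RESPONSE, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USERNAME)
    good = authenticator_response(RFC_PASSWORD_HASH, *args)
    # A server holding the wrong NT hash (wrong account or domain) sends a different
    # string; the supplicant then reports an invalid authenticator response.
    wrong = authenticator_response(bytes(16), *args)
    print("server sends:", good)
    print("client accepts correct hash:", supplicant_accepts_success(good, RFC_PASSWORD_HASH, *args))
    print("client accepts wrong hash:  ", supplicant_accepts_success(wrong, RFC_PASSWORD_HASH, *args))
```

Run it as a script to see the RFC vector reproduced (`S=407A5589115FD0D6209F510FE9C04566932CDA56`) and the mismatch case rejected. When debugging this error in practice, the useful comparison is the NT_KEY that ntlm_auth printed for the request against the hash the client is using, and the exact user name (domain stripped) that went into the challenge hash on each side.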
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
On 14/10/2011 16:13, Martin Ubank wrote:
> Here's the full output from 'radiusd -X':

The bit at the top that tells us what radiusd has read from the config files is missing. It's not executing ntlm_auth by the looks of what you posted, so you need to look at why.

The first bit of radiusd -X will tell you which files it's reading. Check it's reading your mschap file (the one you configured, not some other one).

-James
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
> I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP
> correctly:
>
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

You just snipped away the useful information in the log... Please include the full debug log for the EAP round where this message is produced.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
I've been following the FreeRadius Deployment guide http://deployingradius.com/documents/configuration/active_directory.html

The following software is installed on a Centos 6 VM:
- Samba 3.5.4, Freeradius 2.1.9, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind.

I successfully performed basic configuration tests with the 'eapol_test' command for:
- PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5.

I've created production certificates & successfully tested for the above protocols.

Installed Kerberos 1.8.2 & tested that successfully.

I started to configure FreeRadius with AD and successfully tested it to use ntlm_auth.

I've got to the final stage "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" in the deployment process. This stage says:

1) "... delete the testing entry used above from the users file, ...", which I've done.
2) "... fine (sic) the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It ... should be uncommented, ...", which I've done.
3) "Start the server ..." I ran 'radiusd -X'.
4) "... and use a test client to send an MS-CHAP authentication request." I've used the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123'.

I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP correctly:

[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

The 'eapol_test' output reflects this:

EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
EAP-MSCHAPV2: RX identifier 8 mschapv2_id 8
EAP-MSCHAPV2: Received challenge
EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=11):
     65 64 75 72 6f 61 6d 74 65 73 74                  USERNAME
EAP-MSCHAPV2: Generating Challenge Response
MSCHAPV2: Identity - hexdump_ascii(len=11):
     65 64 75 72 6f 61 6d 74 65 73 74                  USERNAME
MSCHAPV2: Username - hexdump_ascii(len=11):
     65 64 75 72 6f 61 6d 74 65 73 74                  USERNAME
MSCHAPV2: auth_challenge - hexdump(len=16): a5 e6 9e fa 6e 1f ec 2f 0b b6 a3 96 ef 45 15 32
MSCHAPV2: peer_challenge - hexdump(len=16): 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9
MSCHAPV2: username - hexdump_ascii(len=11):
     65 64 75 72 6f 61 6d 74 65 73 74                  USERNAME
MSCHAPV2: password - hexdump_ascii(len=20):
     77 6f 72 6b 6d 61 6e 20 74 6f 64 61 79 20 61 72   PASSWORD
     6e 69 63 61
MSCHAPV2: NT Response - hexdump(len=24): 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a
MSCHAPV2: Auth Response - hexdump(len=20): f0 95 4d 86 ee 82 8f c0 12 84 cc a7 d0 72 fb e6 95 b3 ef d1
MSCHAPV2: Master Key - hexdump(len=16): 31 8d ae c0 3d e1 42 0f ae 05 bc f0 72 da 98 72
EAP-MSCHAPV2: TX identifier 8 mschapv2_id 8 (response)
EAP-PEAP: Encrypting Phase 2 data - hexdump(len=70): 02 08 00 46 1a 02 08 00 41 31 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 00 00 00 00 00 00 00 00 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a 00 65 64 75 72 6f 61 6d 74 65 73 74
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=9 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

The peap-mschapv2-cert-ntlm_auth.conf file contains:

#
# eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#
eapol_version=1
fast_reauth=0
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="USERNAME"
    #anonymous_identity="anonymous"
    password="PASSWORD"
    phase2="auth=MSCHAPV2"
    priority=10
    #
    # Uncomment the following to perform server certificate validation.
    ca_cert="/etc/raddb/certs/ca.der"
}

The file /etc/raddb/modules/mschap contains:

# -*- text -*-
#
#  $Id$
#  Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
    #ntlm_auth = "/
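The replies to this post all ask the same three things of the `radiusd -X` output: which files under raddb/modules/ the server actually read (every file in that directory is loaded, stray copies included), whether the mschap module ever executed ntlm_auth, and what the module said when it rejected. The following is an added example, not code from this thread or from FreeRADIUS, that pulls those facts out of a debug transcript and gives a one-line verdict. The two excerpts it runs on are constructed in the shape of the FreeRADIUS 2.1.x output quoted in this thread (the NT_KEY value in them is a dummy), and the list of "stray" file suffixes is an assumption about what editors and package managers leave behind, not a FreeRADIUS rule.

```python
"""Triage of 'radiusd -X' output for the MS-CHAP / ntlm_auth path.

Added example, not code from the mailing-list thread or from FreeRADIUS.
"""
import re
from typing import Dict

INCLUDE_RE = re.compile(r"^including configuration file (\S+)$")
TOLD_RE = re.compile(r"^\[mschap\] Told to do MS-CHAPv2 for (\S+) with NT-Password$")
FAILED_RE = re.compile(r"^\[mschap\] FAILED: (.+)$")
RETURNED_RE = re.compile(r"^Exec-Program: returned: (\d+)$")
# Assumed leftovers worth flagging: editor backups, RCS files, package-manager copies.
STRAY_SUFFIXES = ("~", ".bak", ".orig", ".old", ".rej", ",v",
                  ".rpmsave", ".rpmnew", ".dpkg-old", ".dpkg-dist")


def triage(debug_output: str) -> Dict[str, object]:
    """Walk the debug text once and collect the facts needed for a verdict."""
    result: Dict[str, object] = {
        "module_files": [],           # everything loaded from a modules/ directory
        "stray_module_files": [],     # of those, names that look like backups/copies
        "mschap_user": None,          # user the mschap module was asked to check
        "ntlm_auth_executed": False,  # an Exec-Program line appeared in the mschap round
        "nt_key_returned": False,     # ntlm_auth printed "NT_KEY: <hash>"
        "exit_status": None,
        "failures": [],               # "[mschap] FAILED: ..." reasons, in order
    }
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = INCLUDE_RE.match(line)
        if m:
            path = m.group(1)
            if "/modules/" in path:
                result["module_files"].append(path)
                name = path.rsplit("/", 1)[-1]
                if name.startswith("#") or name.endswith(STRAY_SUFFIXES):
                    result["stray_module_files"].append(path)
            continue
        m = TOLD_RE.match(line)
        if m:
            result["mschap_user"] = m.group(1)
            continue
        if line.startswith("Exec-Program output:"):
            # In the mschap round the program being executed is the configured ntlm_auth.
            result["ntlm_auth_executed"] = True
            result["nt_key_returned"] = line.startswith("Exec-Program output: NT_KEY: ")
            continue
        m = RETURNED_RE.match(line)
        if m:
            result["exit_status"] = int(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            result["failures"].append(m.group(1))
    return result


def verdict(result: Dict[str, object]) -> str:
    """One-line reading of the collected facts, most actionable first."""
    if result["stray_module_files"]:
        return ("stray files loaded from modules/ (every file there is active): "
                + ", ".join(result["stray_module_files"]))
    if result["nt_key_returned"] and result["exit_status"] == 0:
        return "ntlm_auth ran and returned NT_KEY; the MS-CHAPv2 response was checked against the AD hash"
    if result["ntlm_auth_executed"]:
        return ("ntlm_auth ran but did not return NT_KEY (exit status %s); "
                "check winbind and the --domain/--username arguments" % result["exit_status"])
    if any(f.startswith("No NT/LM-Password") for f in result["failures"]):
        return ("ntlm_auth never ran and no NT hash was available: "
                "the mschap module file that was loaded does not have ntlm_auth enabled")
    if result["failures"]:
        return "mschap rejected: " + result["failures"][0]
    return "no mschap activity in this excerpt"


# Constructed excerpts in the shape of FreeRADIUS 2.1.x debug output (dummy NT_KEY).
FAILING_DEBUG = """\
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mschap.orig
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for testuser with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
"""

WORKING_DEBUG = """\
including configuration file /etc/raddb/modules/mschap
[mschap] Told to do MS-CHAPv2 for testuser with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=testuser
Exec-Program output: NT_KEY: 00112233445566778899AABBCCDDEEFF
Exec-Program-Wait: plaintext: NT_KEY: 00112233445566778899AABBCCDDEEFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
"""

if __name__ == "__main__":
    for label, text in (("failing", FAILING_DEBUG), ("working", WORKING_DEBUG)):
        print(label + ":", verdict(triage(text)))
```

Feed it the whole transcript (`radiusd -X > debug.txt`, then `triage(open("debug.txt").read())`) rather than an excerpt: the include lines at the top are what tells you which mschap file was in force, and they are exactly the part that was snipped from the post above.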
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Pedro Alves wrote:
> Already search in here but the two info pages I find are broken:
> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
> http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html
>
> How can I do this ?

  Read http://freeradius.org/doc/

  This is documented.

  Alan DeKok.
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Pedro Alves wrote:
> But Windows XP and Vista Supplicant can't authenticate, always have "Sending
> Access-Challenge"
>
> What is the best Samba version to communicate with Win2008 server Standard
> R2 (Active Directory) ?

  http://deployingradius.com

  Follow the HOWTOs on the main page for getting EAP to work. They include instructions on how to debug common problems, how to find out exactly what's going wrong, and how to fix it.

  Alan DeKok.
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
I see that the file xpextensions is already in the /raddb/certs dir and is included when creating certificates using bootstrap:

"openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1"

But Windows XP and Vista Supplicant can't authenticate, always have "Sending Access-Challenge"

What is the best Samba version to communicate with Win2008 server Standard R2 (Active Directory) ?

Regards
Pedro Alves

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 30 April 2010 8:58
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
I think the problem is the Windows Supplicant, because I use "Intel PROSet Wireless" to connect with success.

Need to add

[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

to the PKCS#7 keybag attributes holding the client's private key.

Already search in here but the two info pages I find are broken:
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html

How can I do this ?

Thanks

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 30 April 2010 8:58
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
I'm using Samba v3.4.0, freeradius v2.1.8, on Ubuntu desktop v9.10. Active Directory is a Win2008 server Standard R2.

Do you think it can be a Samba bug?

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 30 April 2010 8:58
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Pedro Alves wrote:
> Using JRadiusSimulator to test and receive "Sending Access-Accept" :)
>
> But when i use a client AP Cisco Aironet 1121, only users from "files" can
> connect, users on AD dont.
...
> Sending Access-Challenge of id 110 to 10.1.3.17 port 1645
>         EAP-Message = 0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec3726451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a
>         Message-Authenticator = 0x
>         State = 0xac9d3931ab8120751e3f7dd68458a60f
> Finished request 149.
> Going to the next request
> Waking up in 4.7 seconds.

  See the FAQ and the comments in eap.conf in recent versions of the server.

  It may also be a Samba bug. See:

https://bugzilla.samba.org/show_bug.cgi?id=6563

  Alan DeKok.
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
3 State = 0xac9d3931aa8620751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 27 length 88
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f3e5f3cc91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573
server {
  PEAP: Setting User-Name to radius
Sending tunneled request
        EAP-Message = 0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f3e5f3cc91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "radius"
        State = 0xf2895040f2924a11970822f6475488c4
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 27 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for radius with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=radius
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-domain} -> --domain=domain
[mschap] mschap2: 10
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=f8ee793b104b9514
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3e5f3cc91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c49
Exec-Program output: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841
Exec-Program-Wait: plaintext: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x011c00331a031b002e533d35373432343736413836303733373730304436453131344439393143374137323538434136333633
        Message-Authenticator = 0x
        State = 0xf2895040f3954a11970822f6475488c4
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x011c00331a031b002e533d35373432343736413836303733373730304436453131344439393143374137323538434136333633
        Message-Authenticator = 0x
        State = 0xf2895040f3954a11970822f6475488c4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.1.3.17 port 1645
        EAP-Message = 0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec3726451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a
        Message-Authenticator = 0x
        State = 0xac9d3931ab8120751e3f7dd68458a60f
Finished request 149.
Going to the next request
Waking up in 4.7 seconds.

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 28 April 2010 20:59
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Correct. Just used JRadiusSimulator to do MS-CHAP and it works fine.

Thanks

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 28 April 2010 20:59
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Pedro Alves wrote:
> This is the test with AD user:
>
> AP#test aaa group radius userad userpass new-code
> Trying to authenticate with Servergroup radius
> User rejected
>
> rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175,
> length=52
>         User-Password = "userpass"
>         User-Name = "userad"
>         NAS-IP-Address = xx.xx.xx.xx

  So... you're not doing MS-CHAP. Why is this message useful?

  Again... the Active Directory howto you were pointed to *documents* this. Go read it and follow the steps. If you don't follow the documentation, you probably won't be able to solve the problem.

  Alan DeKok.
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Hello Again.

This is the test with local user:

AP#test aaa group radius userlocal localpass new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=174, length=53
        User-Password = " localpass "
        User-Name = " userlocal "
        NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "local01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry local01 at line 79
[files] expand: Ola, %{User-Name} -> Ola, local01
++[files] returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 174 to 10.1.3.17 port 1645
        Reply-Message = "Ola, local01"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 174 with timestamp +416
Ready to process requests.

This is the test with AD user:

AP#test aaa group radius userad userpass new-code
Trying to authenticate with Servergroup radius
User rejected

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52
        User-Password = "userpass"
        User-Name = "userad"
        NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> radius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 175 to 10.1.3.17 port 1645
Waking up in 4.9 seconds.
Cleaning up request 6 ID 175 with timestamp +531
Ready to process requests.

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 28 April 2010 16:40
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Pedro Alves wrote:
> User define in user "files" work fine, but user on AD don't.
>
> In freeradius using the test below, I can access users on AD.

  Have you followed the "Active Directory" howto on http://deployingradius.com?

> r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
...
> Ready to process requests.

  ... and the server doesn't receive any packets. We can't help you debug an issue if you don't show us what's happening.

  Alan DeKok.
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
> Why is not working ntlm_auth for ms-chap ?

It would be easier to answer your question if you included the debug output for a rejected request as opposed to just the startup messages.
Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
After editing the mschap module file by uncommenting the line containing ntlm_auth =, I used a Cisco AP client to test against freeradius with "test aaa group radius user userpass new-code".

Users defined in the users "files" work fine, but users on AD don't.

In freeradius, using the test below, I can access users on AD.

r...@m:~# ntlm_auth --request-nt-key --domain=XXX --username=
password:
NT_STATUS_OK: Success (0x0)

Why is ntlm_auth not working for ms-chap?

thanks

r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Apr 28 2010 at 12:00:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
        allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = "/usr/local"
        localstatedir = "/usr/local/var"
        logdir = "/usr/local/var/log/radius"
        libdir = "/usr/local/lib"
        radacctdir = "/usr/local/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 102