Re: FR with AD authentication not working

2006-10-28 Thread Stefan Winter
Hi,

> rad_recv: Access-Request packet from host 127.0.0.1:32772, id=101,
> length=61 User-Name = ""
> User-Password = ""
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0

>   modcall[authorize]: module "mschap" returns noop for request 0

FreeRADIUS doesn't even try to do AD auth, because the incoming request does 
not contain a MS-CHAP challenge. If you want to try AD auth, try it with a 
_real_ client that speaks MS-CHAP.
If you send clear-text passwords, as in the packet below, you could simply 
configure ldap {} to bind to the AD server, and then ntlm_auth would be 
obsolete.

Stefan

-- 
This mail is guaranteed to be virus free because it was sent from a computer 
running Linux.

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
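Stefan's diagnosis can be turned into a repeatable check. The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses a radiusd -X trace in the 1.x format shown in the thread, reports which credential form the Access-Request actually carried (PAP, MS-CHAP or EAP) and why rlm_mschap/ntlm_auth never ran. The trace excerpt is constructed from the log posted earlier in the thread, and the finding texts are this example's own wording.

```python
import re

# Constructed excerpt of the thread's radiusd -X trace (packet dump plus decisive lines).
PAP_TRACE = """\
rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
    User-Name = ""
    User-Password = ""
  modcall[authorize]: module "mschap" returns noop for request 0
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound for request 0
"""

def parse_trace(trace):
    """Return (request attributes, chosen Auth-Type, authenticate-section results)."""
    attrs, results, auth_type, in_packet = {}, {}, None, False
    for line in trace.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_packet = True
            continue
        m = re.match(r"\s+([\w-]+) = (.*)$", line)
        if in_packet and m:                      # indented "Attr = value" lines
            attrs[m.group(1)] = m.group(2).strip('"')
            continue
        in_packet = False                        # anything else ends the packet dump
        if m := re.search(r"Found Auth-Type (\S+)", line):
            auth_type = m.group(1)
        if m := re.search(r'modcall\[authenticate\]: module "([\w-]+)" returns (\w+)', line):
            results[m.group(1)] = m.group(2)
    return attrs, auth_type, results

def credential_form(attrs):
    """EAP, MS-CHAP (challenge plus a response) or clear-text PAP, as the NAS sent it."""
    if "EAP-Message" in attrs:
        return "eap"
    if "MS-CHAP-Challenge" in attrs and any(k in attrs for k in ("MS-CHAP-Response", "MS-CHAP2-Response")):
        return "mschap"
    return "pap" if "User-Password" in attrs else "none"

def diagnose(trace):
    """Explain the reject the way the thread does: which module could have used this credential."""
    attrs, auth_type, results = parse_trace(trace)
    form, findings = credential_form(attrs), []
    if form == "pap":
        findings.append("clear-text User-Password: rlm_mschap/ntlm_auth never runs; bind ldap {} to AD instead")
        if not attrs.get("User-Name"):
            findings.append("empty User-Name and User-Password: check the radtest arguments or the paste")
    if auth_type == "System" and results.get("unix") == "notfound":
        findings.append("Auth-Type System from the users DEFAULT entry: rlm_unix has no local hash to check")
    return {"credential": form, "auth_type": auth_type, "findings": findings}
```

Running diagnose(PAP_TRACE) reports "pap" with all three findings; a trace whose packet carries MS-CHAP-Challenge and MS-CHAP2-Response reports "mschap" and no findings.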


RE: FR with AD authentication not working

2006-10-27 Thread Karthik R
> -Original Message-
> > But while using radtest tool with the same logon credentials
> > as above it rejects the user and here is the log message.
>
> Please paste the entire debug log.  It looks like you missed a few bits
> in the cut and paste.
Mike,
 
Here is the entire debug log. In the users file, Auth-Type = System has been commented out.

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = n

Re: FR with AD authentication not working

2006-10-27 Thread Karthik R
Message: 2
Date: Fri, 27 Oct 2006 09:22:39 +0100
From: [EMAIL PROTECTED]
Subject: Re: FR with AD authentication not working
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

hi,

remove the System authentication line from your users file.

alan
 
Alan,
 
I tried commenting that line, but no luck.
 
Kartthik

Re: FR with AD authentication not working

2006-10-27 Thread A . L . M . Buxey
hi,

remove the System authentication line from your users file. 

alan


FR with AD authentication not working

2006-10-26 Thread Karthik R
Using freeradius v1.1.1 on a RHEL 4 box, trying to authenticate users against Windows 2003 Active Directory. I was able to bind the Linux box to the Windows domain successfully and to read the Active Directory users and groups using

wbinfo -u
R1\Administrator
R1\Guest

and wbinfo -g.

Using the ntlm_auth tool I am able to successfully authenticate the users too.

-bash-3.00# ntlm_auth --request-nt-key --username=kartthikr
password:
NT_STATUS_OK: Success (0x0)
But while using the radtest tool with the same logon credentials as above it rejects the user, and here is the log message. I didn't find a logon success or failure in AD when I checked Event Viewer.
rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
    User-Name = ""
    User-Password = ""
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 45413139
Nothing to do.  Sleeping until we see a request.
Here is nss config file:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files winbind nis dns
protocols:  files winbind # nis
services:   files winbind # nis
netgroup:   files winbind # nis
automount:  files winbind nis
Here is radiusd.conf file:
modules {
  pap {
    encryption_scheme = crypt
  }
  chap {
    authtype = CHAP
  }
  pam {
    pam_auth = radiusd
  }
  unix {
    cache = no
    cache_reload = 600
    radwtmp = ${logdir}/radwtmp
  }
  $INCLUDE ${confdir}/eap.conf
  mschap {
    authtype = MS-CHAP
    #use_mppe = no
    require_encryption = yes
    #require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
So I'm not sure what I have missed here; any help will be appreciated.
 