Re: Freeradius 2.0 with Activedirectory Integration Failed
Hi Ivan!

Thanks so much! The problem has been resolved~ Just a bit of tweaking on samba... but overall, everything is fine... Thanks a million!

Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20575360.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
> I am a little confused with this...
>
> tnt-4 wrote:
> > ntlm_auth in mschap module works only for - mschap requests. It will
> > not work for pap requests.
>
> Normally, ntlm_auth is set in the MSCHAP module. Authentication requests from logging into the system, like SSH, use PAP? Is there any way that I can get the server using pam_radius to get authentication from the radius server? And the server, in turn, gets the authentication from ActiveDirectory? I am quite new to this, and might have problems understanding clearly...

Instructions first show you how to set up and test ntlm_auth with pap requests. Simply: don't remove the users file entry setting ntlm_auth auth-type; don't remove ntlm_auth from authenticate; keep the ntlm_auth exec module. Just keep those things and pap requests will work as well. The only thing to change is the operator in the users file:

    DEFAULT Auth-Type = ntlm_auth

(= not :=).

Ivan Kalik
Kalik Informatika ISP
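Pulling the thread's pieces together, here is the complete FreeRADIUS 2.x configuration it converges on, as an added worked example: it is not taken from any poster's files or from the FreeRADIUS distribution, it reuses the thread's domain TEST, user test and /usr/local/etc/raddb paths, and the module options other than the two ntlm_auth lines are the stock 2.x defaults written out. Two caveats belong next to it before the PAP path leaves the lab: the exec module hands ntlm_auth the cleartext password as a command-line argument, and PAP itself only hides User-Password with the RFC 2865 shared-secret obfuscation, which is tolerable from pam_radius on 127.0.0.1 as in this thread but not across a network.

```conf
# /usr/local/etc/raddb/modules/ntlm_auth   (added example, not a poster's file)
# Plaintext check for PAP requests (pam_radius, SSH). Caveat: the cleartext
# User-Password is placed in the argument list of the spawned ntlm_auth
# process, so any local user can read it from ps or /proc/<pid>/cmdline for
# as long as the check runs.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
	# Defaults, spelled out: the attacker-supplied User-Password is escaped
	# before it reaches the argument list. Never set shell_escape = no here.
	input_pairs = request
	shell_escape = yes
}

# /usr/local/etc/raddb/modules/mschap
# Challenge/response check for MS-CHAP requests (PEAP/MSCHAPv2, VPN): no
# password is passed, only the challenge and the client's NT-Response.
# This line is never reached by a PAP request, which is why the poster's
# first attempt, with only this configured, rejected every SSH login.
mschap {
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# /usr/local/etc/raddb/users   (first entry)
# "=" sets Auth-Type only when nothing earlier in authorize has set it. The
# mschap module runs before files and sets Auth-Type := MS-CHAP for MS-CHAP
# requests, so they still go to mschap; PAP requests have no Auth-Type yet
# and go to ntlm_auth. With ":=" (the poster's first attempt) files would
# overwrite Auth-Type unconditionally, MS-CHAP requests would be routed to
# the plaintext exec above with an empty %{User-Password}, and would fail.
DEFAULT	Auth-Type = ntlm_auth

# /usr/local/etc/raddb/sites-enabled/default  and  .../inner-tunnel
# A bare module name inside authenticate defines an Auth-Type of that name;
# without this line the users entry above aborts startup with
# "Unknown value ntlm_auth for attribute Auth-Type".
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	ntlm_auth
	eap
}
```

Check it with radiusd -X: a PAP request from pam_radius should show "++[ntlm_auth] returns ok" inside the authenticate group, as in the poster's successful test, while an MS-CHAP request shows mschap setting Auth-Type in authorize and never touches the exec module.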
Re: Freeradius 2.0 with Activedirectory Integration Failed
Hi Ivan,

Thanks! I followed the manual by removing the entry that was added in the users file... And I added

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

to the MSCHAP module, and started radiusd -X:

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 27805, id=200, length=86
        User-Name = test
        User-Password = Pa55w0rd
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = sshd
        NAS-Port = 26780
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = 10.0.0.151
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = test, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> test
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 1
    Sending Access-Reject of id 200 to 127.0.0.1 port 27805
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 200 with timestamp +47
    Ready to process requests.

But after testing, I noticed that it did not hit the ntlm_auth command. What is it I did wrong?

Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20536920.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
> I followed the manual by removing the entry that was added in the users
> file...
>
> But after testing, I noticed that it did not hit the ntlm_auth command.

You removed it!

ntlm_auth in mschap module works only for - mschap requests. It will not work for pap requests.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius 2.0 with Activedirectory Integration Failed
Hi Ivan,

I am a little confused with this...

tnt-4 wrote:
> ntlm_auth in mschap module works only for - mschap requests. It will not
> work for pap requests.

Normally, ntlm_auth is set in the MSCHAP module. Authentication requests from logging into the system, like SSH, use PAP? Is there any way that I can get the server using pam_radius to get authentication from the radius server? And the server, in turn, gets the authentication from ActiveDirectory? I am quite new to this, and might have problems understanding clearly...

Thanks.
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20552483.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
> Thanks again! I amended it and it works. But that is only for testing...

Yes. Now you go on with the manual.

> Can I use the MSCHAP method? Or do I have to create a module of my own
> for users to authenticate?

No, you configure the ntlm_auth line in raddb/modules/mschap.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius 2.0 with Activedirectory Integration Failed
> 1. Added user Auth-Type := ntlm_auth to users file in /usr/local/etc/raddb

But your user is called test.

> 2. Added ntlm_auth into authenticate of default and inner-tunnel of
> sites-enabled directory
>
>     authenticate {
>         ntlm_auth
>         Auth-Type PAP {
>             pap
>         }
>         ..
>         ..
>         ..
>     }
>
> 3. Added into exec file in modules directory:
>
>     exec ntlm_auth {
>         wait = yes
>         program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
>     }
>
> where domain is TEST
>
> 4. I did not enable ntlm for mschap yet
>
> 5. Ran radiusd -X and had no errors, and I extracted some information:
>
>     server inner-tunnel {
>      modules {
>      Module: Checking authenticate {...} for more modules to load
>      Module: Instantiating ntlm_auth
>       exec ntlm_auth {
>         wait = yes
>         program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
>         input_pairs = "request"
>         shell_escape = yes
>       }
>
> 6. I tried to do an SSH authentication with pam-radius and it was not
> successful...
>
>     rad_recv: Access-Request packet from host 127.0.0.1 port 26805, id=72, length=86
>         User-Name = test
>         User-Password = password
>         NAS-IP-Address = 127.0.0.1
>         NAS-Identifier = sshd
>         NAS-Port = 25780
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>         Calling-Station-Id = 10.0.0.151
>     +- entering group authorize {...}
>     ++[preprocess] returns ok
>     ++[chap] returns noop
>     ++[mschap] returns noop
>     [suffix] No '@' in User-Name = test, looking up realm NULL
>     [suffix] No such realm NULL
>     ++[suffix] returns noop
>     [eap] No EAP-Message, not doing EAP
>     ++[eap] returns noop
>     ++[unix] returns notfound
>     ++[files] returns noop

No match in files. Fix users file entry.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius 2.0 with Activedirectory Integration Failed
Hi Ivan,

Thanks again! I amended it and it works. But that is only for testing...

    +- entering group authenticate {...}
    [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=test
    [ntlm_auth] expand: --password=%{User-Password} -> --password=password
    Exec-Program output: NT_STATUS_OK: Success (0x0)
    Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
    Exec-Program: returned: 0
    ++[ntlm_auth] returns ok

Can I use the MSCHAP method? Or do I have to create a module of my own for users to authenticate? I don't think it will be nice to have to add manually on the radius after I added users on the activedirectory...

Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20452959.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
> Currently, there are some questions that are going on in my head... :confused:
>
> 1. Must the ntlm_auth be placed in modules or in radiusd.conf? If the
> configuration exec ntlm_auth is to be placed in modules, which modules?

Modules.

> 2. In the URL, that indicated that I must input ntlm_auth into the
> authenticate routine in freeradius 1.x, but freeradius 2.x is all
> separated, any idea which is the one that I should place it into?

This has been pointed out to you twice:

> > That's one of the steps. Just add ntlm_auth to authenticate in both
> > virtual servers (default and inner-tunnel). Is this the step you are
> > struggling with?

> I will do some trial and error on my end though... And I think that after
> being successful on this, I will need help from you guys to get this
> documented,

It is documented, but *you* have decided to skip steps as *you* felt that they are not appropriate for 2.x.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius 2.0 with Activedirectory Integration Failed
tnt-4 wrote:
> > Currently, there are some questions that are going on in my head... :confused:
> >
> > 1. Must the ntlm_auth be placed in modules or in radiusd.conf? If the
> > configuration exec ntlm_auth is to be placed in modules, which modules?
>
> Modules.
>
> > 2. In the URL, that indicated that I must input ntlm_auth into the
> > authenticate routine in freeradius 1.x, but freeradius 2.x is all
> > separated, any idea which is the one that I should place it into?
>
> This has been pointed out to you twice:
>
> > > That's one of the steps. Just add ntlm_auth to authenticate in both
> > > virtual servers (default and inner-tunnel). Is this the step you are
> > > struggling with?
>
> > I will do some trial and error on my end though... And I think that after
> > being successful on this, I will need help from you guys to get this
> > documented,
>
> It is documented, but *you* have decided to skip steps as *you* felt that
> they are not appropriate for 2.x.
>
> Ivan Kalik
> Kalik Informatika ISP

Guess I was too smart to skip steps... Thank you for pointing it out, Ivan! ;-)

I have retraced my steps again, and have done the following...

1. Added user Auth-Type := ntlm_auth to users file in /usr/local/etc/raddb

2. Added ntlm_auth into authenticate of default and inner-tunnel of sites-enabled directory

    authenticate {
        ntlm_auth
        Auth-Type PAP {
            pap
        }
        .
        .
        .
    }

3. Added into exec file in modules directory:

    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
    }

where domain is TEST

4. I did not enable ntlm for mschap yet

5. Ran radiusd -X and had no errors, and I extracted some information:

    server inner-tunnel {
     modules {
     Module: Checking authenticate {...} for more modules to load
     Module: Instantiating ntlm_auth
      exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
        input_pairs = "request"
        shell_escape = yes
      }

6. I tried to do an SSH authentication with pam-radius and it was not successful...

    rad_recv: Access-Request packet from host 127.0.0.1 port 26805, id=72, length=86
        User-Name = test
        User-Password = password
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = sshd
        NAS-Port = 25780
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = 10.0.0.151
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = test, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> test
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 72 to 127.0.0.1 port 26805
    Waking up in 4.9 seconds.

Seems like it didn't touch ntlm_auth.

Previously, I tried according to the manual on freeradius 1.17, and was successful when I did the testing, but failed when I enabled ntlm_auth on MSCHAP, and tested the same way as I am doing now.

Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20433178.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
Anders Holm-3 wrote:
> You have two errors to fix...
>
> This;
>
> > > > /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
>
> And this:
>
> > > > Errors reading /usr/local/etc/raddb/users
> > > > /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
> > > > /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
> > > > /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
> > > > }
> > > > }
> > > > Errors initializing modules
> > > >
> > > > It seems like it requires an external ntlm_auth to execute, rather
> > > > than one that is embedded in MSCHAP module.
> > >
> > > Well, yes. You said you were following the instructions in
> > > http://deployingradius.com/documents/configuration/active_directory.html
> > > That's one of the steps. Just add ntlm_auth to authenticate in both
> > > virtual servers (default and inner-tunnel).
>
> Is this the step you are struggling with?
>
> > The URL that I was following is using freeradius 1.x
>
> A lot of the documentation on the site is for 1.x so when you have
> figured things out, documenting it is a great way to return something to
> the project
>
> > Now, I am using freeradius 2.x, and thus I skipped the creation of exec
> > ntlm_auth. Furthermore, I do not know how to do so...
>
> If the docs don't give an example, this is your chance to help getting it
> updated.
>
> > I tried to add it to the exec file in the module directory, but it
> > didn't work. The error is still reported to be the same.
>
> Well, yes, as it is still the same problem.
>
> > Should I fall back to freeradius 1.x instead?
>
> No.

Hi Anders,

The problems that you have highlighted are the ones that I am having :-)

I added exec ntlm_auth into the exec file in the modules folder, and as Ivan has recommended, I added a line to the users file. The next step is to make exec ntlm_auth recognized by the radius configuration.

Currently, there are some questions that are going on in my head... :confused:

1. Must the ntlm_auth be placed in modules or in radiusd.conf? If the configuration exec ntlm_auth is to be placed in modules, which modules?

2. In the URL, that indicated that I must input ntlm_auth into the authenticate routine in freeradius 1.x, but freeradius 2.x is all separated, any idea which is the one that I should place it into?

I will do some trial and error on my end though... And I think that after being successful on this, I will need help from you guys to get this documented. I think that freeradius 2.x has very little documentation, and not many will be willing to take the plunge to 2.x...

Thanks!

Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20415385.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
tnt-4 wrote:
> > Firstly, thanks for taking time to look at the problems I am facing.
> >
> > I have followed your instructions, and set the following in the users file:
> >
> >     DEFAULT Auth-Type = ntlm_auth
> >
> > After doing that, I ran radiusd -X. The configuration was fine at the
> > beginning, but it reaches an abrupt stop with the following errors in the
> > debug:
> >
> >     /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
> >     Errors reading /usr/local/etc/raddb/users
> >     /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
> >     /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
> >     /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
> >     }
> >     }
> >     Errors initializing modules
> >
> > It seems like it requires an external ntlm_auth to execute, rather than
> > one that is embedded in MSCHAP module.
>
> Well, yes. You said you were following the instructions in
> http://deployingradius.com/documents/configuration/active_directory.html
> That's one of the steps. Just add ntlm_auth to authenticate in both
> virtual servers (default and inner-tunnel).
>
> Ivan Kalik
> Kalik Informatika ISP

The URL that I was following is using freeradius 1.x

Now, I am using freeradius 2.x, and thus I skipped the creation of exec ntlm_auth. Furthermore, I do not know how to do so...

I tried to add it to the exec file in the module directory, but it didn't work. The error is still reported to be the same.

Should I fall back to freeradius 1.x instead?

Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20413490.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
You have two errors to fix...

This;

> > > /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type

And this:

> > > Errors reading /usr/local/etc/raddb/users
> > > /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
> > > /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
> > > /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
> > > }
> > > }
> > > Errors initializing modules
> > >
> > > It seems like it requires an external ntlm_auth to execute, rather than
> > > one that is embedded in MSCHAP module.
> >
> > Well, yes. You said you were following the instructions in
> > http://deployingradius.com/documents/configuration/active_directory.html
> > That's one of the steps. Just add ntlm_auth to authenticate in both
> > virtual servers (default and inner-tunnel).

Is this the step you are struggling with?

> The URL that I was following is using freeradius 1.x

A lot of the documentation on the site is for 1.x so when you have figured things out, documenting it is a great way to return something to the project

> Now, I am using freeradius 2.x, and thus I skipped the creation of exec
> ntlm_auth. Furthermore, I do not know how to do so...

If the docs don't give an example, this is your chance to help getting it updated.

> I tried to add it to the exec file in the module directory, but it didn't
> work. The error is still reported to be the same.

Well, yes, as it is still the same problem.

> Should I fall back to freeradius 1.x instead?

No.
Re: Freeradius 2.0 with Activedirectory Integration Failed
Hi Ivan,

Firstly, thanks for taking time to look at the problems I am facing.

I have followed your instructions, and set the following in the users file:

    DEFAULT Auth-Type = ntlm_auth

After doing that, I ran radiusd -X. The configuration was fine at the beginning, but it reaches an abrupt stop with the following errors in the debug:

    /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
    Errors reading /usr/local/etc/raddb/users
    /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
    /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
    /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
    }
    }
    Errors initializing modules

It seems like it requires an external ntlm_auth to execute, rather than one that is embedded in MSCHAP module.

I pick and match certain items from the URLs that I have previously attached. Just want to make it work at the minimum first, before I proceed to expand it.

Thanks!

Regards,
Andy

tnt-4 wrote:
> > I am implementing Freeradius 2.0 to be integrated with Microsoft
> > Activedirectory and have encountered problems.
> >
> > All are being run in a Virtual Environment (VMware Server 1.07)
> >
> > RADIUS OS: CentOS 5.2
> > Freeradius Server 2.1.1
> > PAM radius 1.3.17
> >
> > Active Directory OS: Windows 2003 Server
> >
> > I referred to a number of URLs:
> > http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> > http://deployingradius.com/documents/configuration/active_directory.html
> >
> > I have successfully been able to join the RADIUS server to the AD, and am
> > able to get output for wbinfo -u, and NTLM works well:
> >
> >     [EMAIL PROTECTED] tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
> >     password:
> >     NT_STATUS_OK: Success (0x0)
> >
> > I used freeradius with its default settings, but modified the MSCHAP
> > module, enabling ntlm_auth:
> >
> >     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> >
> > Installed pam_radius 1.3.17, and configured sshd for pam to authenticate
> > from pam_radius first:
> >
> >     #%PAM-1.0
> >     auth       sufficient   /lib/security/pam_radius_auth.so
> >     auth       include      system-auth
> >     account    required     pam_nologin.so
> >     account    include      system-auth
> >     password   include      system-auth
> >     session    optional     pam_keyinit.so force revoke
> >     session    include      system-auth
> >     session    required     pam_loginuid.so
> >
> > I ran radiusd -X, and opened another SSH session, using the test account
> > that I tried with ntlm_auth previously, and got the following in the
> > debug output:
> >
> >     Listening on authentication address * port 1812
> >     Listening on accounting address * port 1813
> >     Listening on proxy address * port 1814
> >     Ready to process requests.
> >     rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71, length=86
> >         User-Name = test
> >         User-Password = password
> >         NAS-IP-Address = 127.0.0.1
> >         NAS-Identifier = sshd
> >         NAS-Port = 26171
> >         NAS-Port-Type = Virtual
> >         Service-Type = Authenticate-Only
> >         Calling-Station-Id = 10.0.0.151
>
> You have to go back to the step where you force Auth-Type ntlm_auth.
>
>     DEFAULT Auth-Type = ntlm_auth
>
> Put that in users file (just = not :=). If you send mschap request mschap
> in authorize will set the Auth-Type and this will have no effect; it will
> set Auth-Type for pap requests. Integration document describes how to make
> it work for mschap (PEAP) request.
>
> Ivan Kalik
> Kalik Informatika ISP

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20376253.html
Re: Freeradius 2.0 with Activedirectory Integration Failed
> Firstly, thanks for taking time to look at the problems I am facing.
>
> I have followed your instructions, and set the following in the users file:
>
>     DEFAULT Auth-Type = ntlm_auth
>
> After doing that, I ran radiusd -X. The configuration was fine at the
> beginning, but it reaches an abrupt stop with the following errors in the
> debug:
>
>     /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
>     Errors reading /usr/local/etc/raddb/users
>     /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
>     /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
>     /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
>     }
>     }
>     Errors initializing modules
>
> It seems like it requires an external ntlm_auth to execute, rather than
> one that is embedded in MSCHAP module.

Well, yes. You said you were following the instructions in
http://deployingradius.com/documents/configuration/active_directory.html

That's one of the steps. Just add ntlm_auth to authenticate in both virtual servers (default and inner-tunnel).

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius 2.0 with Activedirectory Integration Failed
> I am implementing Freeradius 2.0 to be integrated with Microsoft
> Activedirectory and have encountered problems.
>
> All are being run in a Virtual Environment (VMware Server 1.07)
>
> RADIUS OS: CentOS 5.2
> Freeradius Server 2.1.1
> PAM radius 1.3.17
>
> Active Directory OS: Windows 2003 Server
>
> I referred to a number of URLs:
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> http://deployingradius.com/documents/configuration/active_directory.html
>
> I have successfully been able to join the RADIUS server to the AD, and am
> able to get output for wbinfo -u, and NTLM works well:
>
>     [EMAIL PROTECTED] tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
>     password:
>     NT_STATUS_OK: Success (0x0)
>
> I used freeradius with its default settings, but modified the MSCHAP
> module, enabling ntlm_auth:
>
>     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Installed pam_radius 1.3.17, and configured sshd for pam to authenticate
> from pam_radius first:
>
>     #%PAM-1.0
>     auth       sufficient   /lib/security/pam_radius_auth.so
>     auth       include      system-auth
>     account    required     pam_nologin.so
>     account    include      system-auth
>     password   include      system-auth
>     session    optional     pam_keyinit.so force revoke
>     session    include      system-auth
>     session    required     pam_loginuid.so
>
> I ran radiusd -X, and opened another SSH session, using the test account
> that I tried with ntlm_auth previously, and got the following in the
> debug output:
>
>     Listening on authentication address * port 1812
>     Listening on accounting address * port 1813
>     Listening on proxy address * port 1814
>     Ready to process requests.
>     rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71, length=86
>         User-Name = test
>         User-Password = password
>         NAS-IP-Address = 127.0.0.1
>         NAS-Identifier = sshd
>         NAS-Port = 26171
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>         Calling-Station-Id = 10.0.0.151

You have to go back to the step where you force Auth-Type ntlm_auth.

    DEFAULT Auth-Type = ntlm_auth

Put that in users file (just = not :=). If you send mschap request mschap in authorize will set the Auth-Type and this will have no effect; it will set Auth-Type for pap requests. Integration document describes how to make it work for mschap (PEAP) request.

Ivan Kalik
Kalik Informatika ISP
Freeradius 2.0 with Activedirectory Integration Failed
Hi all,

I am implementing Freeradius 2.0 to be integrated with Microsoft Activedirectory and have encountered problems.

All are being run in a Virtual Environment (VMware Server 1.07)

RADIUS OS: CentOS 5.2
Freeradius Server 2.1.1
PAM radius 1.3.17

Active Directory OS: Windows 2003 Server

I referred to a number of URLs:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
http://deployingradius.com/documents/configuration/active_directory.html

I have successfully been able to join the RADIUS server to the AD, and am able to get output for wbinfo -u, and NTLM works well:

    [EMAIL PROTECTED] tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
    password:
    NT_STATUS_OK: Success (0x0)

I used freeradius with its default settings, but modified the MSCHAP module, enabling ntlm_auth:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Installed pam_radius 1.3.17, and configured sshd for pam to authenticate from pam_radius first:

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_radius_auth.so
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

I ran radiusd -X, and opened another SSH session, using the test account that I tried with ntlm_auth previously, and got the following in the debug output:

    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71, length=86
        User-Name = test
        User-Password = password
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = sshd
        NAS-Port = 26171
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = 10.0.0.151
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = test, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> test
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 71 to 127.0.0.1 port 27196
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 71 with timestamp +13
    Ready to process requests.

It doesn't seem to be doing ntlm_auth? I am not sure how I am supposed to debug this problem further, as I have tried a number of troubleshooting steps, but still to no avail. Can someone enlighten me on this problem? If there is more information required, please tell me.

I have attached my radius configuration as well:
http://www.nabble.com/file/p20355701/radiusd.conf radiusd.conf

Thanks in advance!

Regards,
Andy

--
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20355701.html