Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-19 Thread Andy Ng

Hi Ivan!

Thanks so much!
The problem has been resolved~

Just a bit of tweaking on samba... but overall, everything is fine...
Thanks a million!

Regards,
Andy
-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20575360.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-18 Thread tnt
> I am a little confused with this...
>
> tnt-4 wrote:
>
> > ntlm_auth in mschap module works only for - mschap requests. It will not
> > work for pap requests.
>
> Normally, ntlm_auth is set in the MSCHAP module. Authentication requests
> from logging into the system, like SSH, use PAP?
>
> Is there any way that I can get the server using pam_radius to get
> authentication from the radius server? And the server, in turn, gets the
> authentication from ActiveDirectory?
>
> I am quite new to this, and might have problems understanding clearly...


Instructions first show you how to set up and test ntlm_auth with pap
requests. Simply: don't remove users file entry setting ntlm_auth
auth-type; don't remove ntlm_auth from authenticate; keep ntlm_auth
exec module. Just keep those things and pap requests will work as well.
The only thing to change is operator in users file:

DEFAULT   Auth-Type = ntlm_auth

(= not :=).

Ivan Kalik
Kalik Informatika ISP

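The distinction Ivan draws above (exec ntlm_auth with --password works for PAP, the mschap module's --challenge/--nt-response form is needed for MS-CHAP) comes down to what each request type carries on the wire. As an added example, not part of the thread and not FreeRADIUS's or pam_radius's own code, the following Python builds the PAP Access-Request an sshd/pam_radius client sends, hides User-Password the way RFC 2865 section 5.2 prescribes, and decodes it the way the server does. The shared secret `testing123`, the random Request Authenticator and the attribute values are constructed; the attribute set mirrors the `radiusd -X` output in this thread (NAS-Identifier = sshd, NAS-Port-Type = Virtual, Service-Type = Authenticate-Only).

```python
"""Added example, not from the thread: the RADIUS PAP Access-Request a pam_radius
client sends and the server-side recovery of User-Password (RFC 2865 sec. 5.2).
The attribute is only obfuscated with MD5(secret + Request Authenticator), so the
server gets the plaintext that `ntlm_auth --password=%{User-Password}` consumes.
Shared secret and attribute values are constructed sample data."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute type codes (the subset of the thread's sshd request used here)
USER_NAME, USER_PASSWORD, SERVICE_TYPE, NAS_IDENTIFIER, NAS_PORT_TYPE = 1, 2, 6, 32, 61
SERVICE_TYPE_AUTHENTICATE_ONLY = 8
NAS_PORT_TYPE_VIRTUAL = 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 5.2): pad with NULs to a multiple of 16, then XOR each
    16-byte block with MD5(secret + previous ciphertext block), seeded by the Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same key chain, driven by the received ciphertext blocks.
    Trailing NUL padding is stripped, as FreeRADIUS also does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attr(code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int, authenticator: bytes) -> bytes:
    """Assemble an Access-Request shaped like the sshd/pam_radius one in the thread."""
    attrs = b"".join([
        encode_attr(USER_NAME, username.encode()),
        encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        encode_attr(NAS_IDENTIFIER, b"sshd"),
        encode_attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        encode_attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHENTICATE_ONLY)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server view: {attribute code: value}, with User-Password back in plaintext."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("malformed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == USER_PASSWORD:
            value = reveal_password(value, secret, authenticator)
        attrs[atype] = value
        pos += alen
    return attrs


def demo() -> dict:
    """Round-trip a request for the thread's 'test' user and return what the
    server decodes. The secret is a constructed sample; the authenticator is
    fresh random per request, as a real NAS must generate it."""
    secret = b"testing123"
    packet = build_access_request("test", "Pa55w0rd", secret, 200, os.urandom(16))
    return parse_access_request(packet, secret)


if __name__ == "__main__":
    seen = demo()
    print("User-Name     =", seen[USER_NAME].decode())
    print("User-Password =", seen[USER_PASSWORD].decode())
```

Running it prints the same plaintext that `radiusd -X` shows for `User-Password`, which is exactly the value `%{User-Password}` expands to in the exec module's `program` line. An MS-CHAP request instead carries `MS-CHAP-Challenge` and `MS-CHAP2-Response` and no recoverable password, so the exec form has nothing to expand there and `ntlm_auth` has to be driven with `--challenge`/`--nt-response` from the mschap module, as Ivan says. One caveat a practitioner should keep in mind: `--password=%{User-Password}` places the cleartext on the `ntlm_auth` command line, where any local user on the RADIUS host can read it from the process list while the helper runs, so that host needs to be as tightly controlled as the domain controller it talks to.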


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-17 Thread Andy Ng

Hi Ivan,

Thanks!
I followed the manual by removing the entry that was added in users file...
And I added ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} to the MSCHAP module, and started
radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 27805, id=200,
length=86
User-Name = test
User-Password = Pa55w0rd
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 26780
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.0.0.151
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 200 to 127.0.0.1 port 27805
Waking up in 4.9 seconds.
Cleaning up request 1 ID 200 with timestamp +47
Ready to process requests.

-
But after testing, I noticed that it did not hit the ntlm_auth command.
What is it I did wrong?

Regards,
Andy
-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20536920.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-17 Thread tnt
> I followed the manual by removing the entry that was added in users file...
> But after testing, I noticed that it did not hit the ntlm_auth command.

You removed it!

ntlm_auth in mschap module works only for - mschap requests. It will not
work for pap requests.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-17 Thread Andy Ng

Hi Ivan,

I am a little confused with this...

tnt-4 wrote:
 
 ntlm_auth in mschap module works only for - mschap requests. It will not
 work for pap requests.
 

Normally, ntlm_auth is set in the MSCHAP module. Authentication requests
from logging into the system, like SSH, use PAP?

Is there any way that I can get the server using pam_radius to get
authentication from the radius server? And the server, in turn, gets the
authentication from ActiveDirectory?

I am quite new to this, and might have problems understanding clearly...

Thanks.

Andy
-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20552483.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-12 Thread tnt
> Thanks again! I amended it and it works.
> But that is only for testing...

Yes. Now you go on with the manual.

> Can I use the MSCHAP method? Or do I have to create a module of my own for
> users to authenticate?

No, you configure the ntlm_auth line in raddb/modules/mschap.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-11 Thread tnt
> 1. Added user Auth-Type := ntlm_auth to users file in
> /usr/local/etc/raddb

But your user is called test.

> 2. Added ntlm_auth into authenticate of default and inner-tunnel of
> sites-enabled directory
>
> authenticate {
> ntlm_auth
>
> Auth-Type PAP {
> pap
> }
> ..
> ..
> ..
> }
>
> 3. Added into exec file in modules directory:
> exec ntlm_auth {
> wait = yes
> program = /usr/bin/ntlm_auth ntlm_auth --request-nt-key
> --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}
> }
>
> where domain is TEST
>
> 4. I did not enable ntlm for mschap yet
>
> 5. Ran radiusd -X and it had no errors, and I extracted some information:
>
> server inner-tunnel {
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Instantiating ntlm_auth
>   exec ntlm_auth {
> wait = yes
> program = /usr/bin/ntlm_auth ntlm_auth --request-nt-key
> --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}
> input_pairs = request
> shell_escape = yes
>   }
>
> 6. I tried to do an SSH authentication with pam-radius and it was not
> successful...
> rad_recv: Access-Request packet from host 127.0.0.1 port 26805, id=72,
> length=86
> User-Name = test
> User-Password = password
> NAS-IP-Address = 127.0.0.1
> NAS-Identifier = sshd
> NAS-Port = 25780
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
> Calling-Station-Id = 10.0.0.151
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = test, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop

No match in files. Fix users file entry.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-11 Thread Andy Ng

Hi Ivan,

Thanks again! I amended it and it works.
But that is only for testing...

+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=test
[ntlm_auth] expand: --password=%{User-Password} - --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok

Can I use the MSCHAP method? Or do I have to create a module of my own for
users to authenticate?
I don't think it will be nice to have to add users manually on the radius
server after I add them in Active Directory...

Andy

-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20452959.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-10 Thread tnt
> Currently, there are some questions that are going on in my head...
> :confused:
> 1. Must the ntlm_auth be placed in modules or in radiusd.conf?
> If the configuration exec ntlm_auth is to be placed in modules, which
> modules?

Modules.

> 2. In the URL, it indicated that I must input ntlm_auth into the
> authenticate routine in freeradius 1.x, but freeradius 2.x is all separated;
> any idea which one I should place it into?

This has been pointed out to you twice:

> > That's one of the steps. Just add ntlm_auth to authenticate in both
> > virtual servers (default and inner-tunnel).
> >
> > Is this the step you are struggling with?

> I will do some trial and error on my end though...
> And I think that after being successful on this, I will need help from you
> guys to get this documented,

It is documented, but *you* have decided to skip steps as *you* felt that
they are not appropriate for 2.x.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-10 Thread Andy Ng


tnt-4 wrote:
 
Currently, there are some questions that are going on in my head...
:confused:
1. Must the ntlm_auth be placed in modules or in radiusd.conf?
If the configuration exec ntlm_auth is to be placed in modules, which
modules?

 
 Modules.
 
2. In the URL, it indicated that I must input ntlm_auth into the
authenticate routine in freeradius 1.x, but freeradius 2.x is all
separated;
any idea which one I should place it into?
 
 This has been pointed out to you twice:
 
 That's one of the steps. Just add ntlm_auth to authenticate in both
 virtual servers (default and inner-tunnel).

 Is this the step you are struggling with?

 
 

I will do some trial and error on my end though...
And I think that after being successful on this, I will need help from you
guys to get this documented,
 
 It is documented, but *you* have decided to skip steps as *you* felt that
 they are not appropriate for 2.x.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 

Guess I was too smart to skip steps...
Thank you for pointing out Ivan! ;-)

I have retraced my steps again, and have done the following...

1. Added user Auth-Type := ntlm_auth to users file in
/usr/local/etc/raddb
2. Added ntlm_auth into authenticate of default and inner-tunnel of
sites-enabled directory

authenticate {
ntlm_auth

Auth-Type PAP {
pap
}
.
.
.
}

3. Added into exec file in modules directory:
exec ntlm_auth {
wait = yes
program = /usr/bin/ntlm_auth ntlm_auth --request-nt-key
--domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}
}

where domain is TEST

4. I did not enable ntlm for mschap yet

5. Ran radiusd -X and it had no errors, and I extracted some information:

server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Instantiating ntlm_auth
  exec ntlm_auth {
wait = yes
program = /usr/bin/ntlm_auth ntlm_auth --request-nt-key
--domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}
input_pairs = request
shell_escape = yes
  }

6. I tried to do an SSH authentication with pam-radius and it was not
successful...
rad_recv: Access-Request packet from host 127.0.0.1 port 26805, id=72,
length=86
User-Name = test
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 25780
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.0.0.151
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 72 to 127.0.0.1 port 26805
Waking up in 4.9 seconds.

Seems like it didn't touch ntlm_auth.
Previously, I tried according to the manual on freeradius 1.17, and was
successful when I did the testing, but it failed when I enabled ntlm_auth in
MSCHAP and tested the same way as I am doing now.

Regards,
Andy
-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20433178.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-09 Thread Andy Ng



Anders Holm-3 wrote:
 
 You have two errors to fix...
 
 This;
 


 /usr/local/etc/raddb/users[1]: Parse error (check) for entry  
 DEFAULT:
 Unknown value ntlm_auth for attribute Auth-Type
 
 And this:
 
 Errors reading /usr/local/etc/raddb/users
 /usr/local/etc/raddb/modules/files[7]: Instantiation failed for  
 module
 files
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find
 module
 files.
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing
 authorize section.
 }
 }
 Errors initializing modules

 It seems like it requires an external ntlm_auth to execute, rather than one
 that is embedded in the MSCHAP module.


 Well, yes. You said you were following the instructions in

 http://deployingradius.com/documents/configuration/active_directory.html

 That's one of the steps. Just add ntlm_auth to authenticate in both
 virtual servers (default and inner-tunnel).
 
 Is this the step you are struggling with?
 
 The URL that I was following is using freeradius 1.x
 
 A lot of the documentation on the site is for 1.x so when you have  
 figured things out, documenting it is a great way to return something  
 to the project
 
 Now, I am using freeradius 2.x, and thus I skipped the creation of  
 exec
 ntlm_auth

 Furthermore, I do not know how to do so...
 
 If the docs don't give an example, this is your chance to help getting  
 it updated.
 
 I tried to add it to the exec file in the module directory, but it  
 didn't
 work.
 The error is still reported to be the same.
 
 Well, yes, as it is still the same problem.
 
 Should I fall back to freeradius 1.x instead?
 
 No.
 
 

Hi Anders,

The problems that you have highlighted are the ones that I am having :-)

I added exec ntlm_auth into the exec file in the modules folder, and as
Ivan has recommended, I added a line to the users file.

The next step is to make exec ntlm_auth recognized by the radius
configuration.

Currently, there are some questions that are going on in my head...
:confused:
1. Must the ntlm_auth be placed in modules or in radiusd.conf?
If the configuration exec ntlm_auth is to be placed in modules, which
modules?

2. In the URL, it indicated that I must input ntlm_auth into the
authenticate routine in freeradius 1.x, but freeradius 2.x is all separated;
any idea which one I should place it into?

I will do some trial and error on my end though...
And I think that after being successful on this, I will need help from you
guys to get this documented, I think that freeradius 2.x has very little
documentation, and not many will be willing to take the plunge to 2.x...

Thanks!

Regards,
Andy

-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20415385.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-09 Thread Andy Ng



tnt-4 wrote:
 
Firstly, thanks for taking the time to look at the problems I am facing.

I have followed your instructions, and set the following in the users
file:
DEFAULT   Auth-Type = ntlm_auth

After doing that, I ran radiusd -X
The configuration was fine at the beginning, but then it came to an abrupt
stop with the following errors in the debug:
/usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT:
Unknown value ntlm_auth for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module
files
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find
module
files.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing
authorize section.
 }
}
Errors initializing modules

It seems like it requires an external ntlm_auth to execute, rather than one
that is embedded in the MSCHAP module.

 
 Well, yes. You said you were following the instructions in
 
 http://deployingradius.com/documents/configuration/active_directory.html
 
 That's one of the steps. Just add ntlm_auth to authenticate in both
 virtual servers (default and inner-tunnel).
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 

The URL that I was following is using freeradius 1.x
Now, I am using freeradius 2.x, and thus I skipped the creation of exec
ntlm_auth

Furthermore, I do not know how to do so...
I tried to add it to the exec file in the module directory, but it didn't
work.
The error is still reported to be the same.

Should I fall back to freeradius 1.x instead?

Regards,
Andy
-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20413490.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-09 Thread Anders Holm

You have two errors to fix...

This;

> /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT:
> Unknown value ntlm_auth for attribute Auth-Type

And this:

> Errors reading /usr/local/etc/raddb/users
> /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module
> files
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module
> files.
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing
> authorize section.
> }
> }
> Errors initializing modules
>
> It seems like it requires an external ntlm_auth to execute, rather than one
> that is embedded in the MSCHAP module.

> > Well, yes. You said you were following the instructions in
> >
> > http://deployingradius.com/documents/configuration/active_directory.html
> >
> > That's one of the steps. Just add ntlm_auth to authenticate in both
> > virtual servers (default and inner-tunnel).

Is this the step you are struggling with?

> The URL that I was following is using freeradius 1.x

A lot of the documentation on the site is for 1.x so when you have
figured things out, documenting it is a great way to return something
to the project

> Now, I am using freeradius 2.x, and thus I skipped the creation of exec
> ntlm_auth
>
> Furthermore, I do not know how to do so...

If the docs don't give an example, this is your chance to help getting
it updated.

> I tried to add it to the exec file in the module directory, but it didn't
> work.
> The error is still reported to be the same.

Well, yes, as it is still the same problem.

> Should I fall back to freeradius 1.x instead?

No.


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-07 Thread Andy Ng

Hi Ivan,
Firstly, thanks for taking the time to look at the problems I am facing.

I have followed your instructions, and set the following in the users file:
DEFAULT   Auth-Type = ntlm_auth

After doing that, I ran radiusd -X
The configuration was fine at the beginning, but then it came to an abrupt
stop with the following errors in the debug:
/usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT:
Unknown value ntlm_auth for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module
files
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module
files.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing
authorize section.
 }
}
Errors initializing modules

It seems like it requires an external ntlm_auth to execute, rather than one
that is embedded in the MSCHAP module.

I picked and matched certain items from the URLs that I previously
attached. I just want to make it work at the minimum first, before I proceed
to expand it.

Thanks!

Regards,
Andy


tnt-4 wrote:
 
I am implementing Freeradius 2.0 to be integrated with Microsoft
Activedirectory and have encountered problems.
All are being run in a virtual environment (VMware Server 1.07)
RADIUS
OS: CentOS5.2
Freeradius Server 2.1.1
PAM radius 1.3.17

Active Directory
OS: Windows 2003 Server

I refer to a number of URLs:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
http://deployingradius.com/documents/configuration/active_directory.html

I have successfully been able to join the RADIUS server to the AD, and am
able to get output from wbinfo -u, and NTLM works well:
[EMAIL PROTECTED] tmp]# ntlm_auth --request-nt-key --domain=TEST
--username=test
password:
NT_STATUS_OK: Success (0x0)

I used freeradius with its default settings, but modifying MSCHAP module,
enabling ntlm_auth:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

Installed pam_radius 1.3.17, and configured sshd for pam to authenticate
from pam_radius first:
#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

I ran radiusd -X, and opened another SSH session, using test account,
that I tried with ntlm_auth previously, and got the following as in the
debug output:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71,
length=86
User-Name = test
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 26171
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.0.0.151
 
 You have to go back to the step where you force Auth-Type ntlm_auth.
 
 DEFAULT   Auth-Type = ntlm_auth
 
 Put that in users file (just = not :=). If you send an mschap request, mschap
 in authorize will set the Auth-Type and this will have no effect; it
 will set Auth-Type for pap requests.
 
 The integration document describes how to make it work for mschap (PEAP)
 requests.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20376253.html


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-07 Thread tnt
> Firstly, thanks for taking the time to look at the problems I am facing.
>
> I have followed your instructions, and set the following in the users file:
> DEFAULT   Auth-Type = ntlm_auth
>
> After doing that, I ran radiusd -X
> The configuration was fine at the beginning, but then it came to an abrupt
> stop with the following errors in the debug:
> /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT:
> Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /usr/local/etc/raddb/users
> /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module
> files
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module
> files.
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing
> authorize section.
>  }
> }
> Errors initializing modules
>
> It seems like it requires an external ntlm_auth to execute, rather than one
> that is embedded in the MSCHAP module.


Well, yes. You said you were following the instructions in

http://deployingradius.com/documents/configuration/active_directory.html

That's one of the steps. Just add ntlm_auth to authenticate in both
virtual servers (default and inner-tunnel).

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-06 Thread tnt
> I am implementing Freeradius 2.0 to be integrated with Microsoft
> Activedirectory and have encountered problems.
> All are being run in a virtual environment (VMware Server 1.07)
>
> RADIUS
> OS: CentOS5.2
> Freeradius Server 2.1.1
> PAM radius 1.3.17
>
> Active Directory
> OS: Windows 2003 Server
>
> I refer to a number of URLs:
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> http://deployingradius.com/documents/configuration/active_directory.html
>
> I have successfully been able to join the RADIUS server to the AD, and am
> able to get output from wbinfo -u, and NTLM works well:
> [EMAIL PROTECTED] tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
> password:
> NT_STATUS_OK: Success (0x0)
>
> I used freeradius with its default settings, but modifying MSCHAP module,
> enabling ntlm_auth:
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>
> Installed pam_radius 1.3.17, and configured sshd for pam to authenticate
> from pam_radius first:
> #%PAM-1.0
> auth       sufficient   /lib/security/pam_radius_auth.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
> I ran radiusd -X, and opened another SSH session, using test account,
> that I tried with ntlm_auth previously, and got the following as in the
> debug output:
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on proxy address * port 1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71,
> length=86
> User-Name = test
> User-Password = password
> NAS-IP-Address = 127.0.0.1
> NAS-Identifier = sshd
> NAS-Port = 26171
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
> Calling-Station-Id = 10.0.0.151

You have to go back to the step where you force Auth-Type ntlm_auth.

DEFAULT   Auth-Type = ntlm_auth

Put that in users file (just = not :=). If you send an mschap request, mschap
in authorize will set the Auth-Type and this will have no effect; it
will set Auth-Type for pap requests.

The integration document describes how to make it work for mschap (PEAP)
requests.

Ivan Kalik
Kalik Informatika ISP



Freeradius 2.0 with Activedirectory Integration Failed

2008-11-05 Thread Andy Ng

Hi all,

I am implementing Freeradius 2.0 to be integrated with Microsoft
Activedirectory and have encountered problems.
All are being run in a virtual environment (VMware Server 1.07)

RADIUS
OS: CentOS5.2
Freeradius Server 2.1.1
PAM radius 1.3.17

Active Directory
OS: Windows 2003 Server

I refer to a number of URLs:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
http://deployingradius.com/documents/configuration/active_directory.html

I have successfully been able to join the RADIUS server to the AD, and am
able to get output from wbinfo -u, and NTLM works well:
[EMAIL PROTECTED] tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
password:
NT_STATUS_OK: Success (0x0)

I used freeradius with its default settings, but modifying MSCHAP module,
enabling ntlm_auth:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Installed pam_radius 1.3.17, and configured sshd for pam to authenticate
from pam_radius first:
#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

I ran radiusd -X, and opened another SSH session, using test account,
that I tried with ntlm_auth previously, and got the following as in the
debug output:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71,
length=86
User-Name = test
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 26171
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.0.0.151
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 71 to 127.0.0.1 port 27196
Waking up in 4.9 seconds.
Cleaning up request 0 ID 71 with timestamp +13
Ready to process requests.

It doesn't seem to be doing ntlm_auth?
I am not sure how I am supposed to debug this problem further, as I have
tried a number of troubleshooting steps, but still to no avail.

Can someone enlighten me on this problem?

If there is more information required, please tell me.
I have attached my radius configuration as well: 
http://www.nabble.com/file/p20355701/radiusd.conf radiusd.conf 

Thanks in advance!

Regards,
Andy
-- 
View this message in context: 
http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20355701.html