Thank you, Phil, for your reply.
What is prompting here? How is the firewall asking the user for a
password? Is this web intercept?
Exactly right, the firewall is prompting the user to authenticate using
its internal captive portal page.
What I am trying to achieve here is single sign-on with RADIUS
accounting, using the following scenario:
Our users authenticate to the Windows domain, and when they try to
access the internet they hit a firewall-protected policy which
requires authentication. Now, instead of authenticating via the
firewall captive portal, I want to use NTLM to check if the user is
already authenticated on the AD and, if so, pass the authorization to
RADIUS for accounting.
The firewall has the option to do NTLM authentication on the protected
policy, but I am trying to fit RADIUS in as well for accounting
purposes.
Below is the debug output:
rad_recv: Access-Request packet from host 193.188.X.X port 5027,
id=40, length=126
NAS-Identifier = WAN-HA
User-Name = rsa
User-Password = **
NAS-IP-Address = 193.188.X.X
NAS-Port = 1
Called-Station-Id = 193.188.X.X
Calling-Station-Id = 192.168.1.74
Acct-Session-Id = 0fa5011f
Connect-Info = web-auth
Fortinet-Vdom-Name = root
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log] expand: %t - Fri Oct 22 09:04:24 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 71
++[files] returns ok
[sql] expand: %{User-Name} - rsa
[sql] sql_set_user escaped user -- 'rsa'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'rsa' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -
SELECT groupname FROM radusergroup WHERE username
= 'rsa' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User rsa not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=rsa
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsa/*...@] (from client vdk-f-fgwan port 1 cli 192.168.1.74)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 40 to 193.188.X.X port 5027
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 193.188.X.X port 5028,
id=41, length=98
Acct-Status-Type = Start
Acct-Session-Id = 0fa5011f
User-Name = rsa
NAS-Identifier = VDK-F-FGWAN
Framed-IP-Address = 30.48.67.87
Fortinet-Client-IP-Address = 192.168.1.74
Fortinet-Vdom-Name = root
Calling-Station-Id = 192.168.1.74
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.X.X,NAS-IP-Address
= 193.188.X.X,Acct-Session-Id = 0fa5011f,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = f774c3b998804d6a.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -
/var/log/radius/radacct/193.188.X.X/detail-20101022
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/detail-20101022
[detail]expand: %t - Fri Oct 22 09:04:24 2010
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - rsa
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING:
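As an added example, not part of the original message: the Python below parses debug output of the kind quoted above (radiusd -X, FreeRADIUS 2.x) and pairs the Accounting-Request with the Access-Request that carries the same Acct-Session-Id, so a reviewer can see which module actually authenticated the session and spot the two things the log itself flags: the NAS identifying itself differently on the two packets (WAN-HA vs VDK-F-FGWAN) and the missing NAS-Port on the accounting Start. The sample text is a constructed, trimmed excerpt of the log above; the line formats are the only assumption.

```python
# Parse FreeRADIUS 2.x debug output and pair accounting with its Access-Request.
import re

ATTR = re.compile(r"^\s*([\w-]+) = (.+)$")          # "Name = value" lines
RET = re.compile(r"^\+\+\[(\w+)\] returns (\w+)$")   # "++[module] returns rc"

def parse_debug(text):
    """Return one dict per rad_recv block: attrs, (group, module, rc), reply."""
    reqs, group = [], None
    for line in text.splitlines():
        if line.startswith("rad_recv: "):           # new packet; attributes follow
            group = None
            reqs.append({"type": line.split()[1], "attrs": {},
                         "returns": [], "reply": None})
        elif not reqs: continue                     # text before the first packet
        elif line.startswith("+- entering group "):
            group = line.split()[3]                 # authorize, authenticate, ...
        elif group is None and (m := ATTR.match(line)):
            reqs[-1]["attrs"][m[1]] = m[2]          # request attributes only
        elif m := RET.match(line):
            reqs[-1]["returns"].append((group, m[1], m[2]))
        elif line.startswith("Sending "):
            reqs[-1]["reply"] = line.split()[1]     # e.g. Access-Accept
    return reqs

def correlate(reqs):
    """Per Accounting-Request: who authenticated it and is the NAS data consistent."""
    auth = {r["attrs"].get("Acct-Session-Id"): r for r in reqs if r["type"] == "Access-Request"}
    out = []
    for r in (x for x in reqs if x["type"] == "Accounting-Request"):
        a = auth.get(r["attrs"].get("Acct-Session-Id"), {"attrs": {}, "returns": [], "reply": None})
        out.append({"user": r["attrs"].get("User-Name"), "auth_reply": a["reply"],
                    "auth_modules": [mod for g, mod, rc in a["returns"] if g == "authenticate" and rc == "ok"],
                    "nas_id_matches": a["attrs"].get("NAS-Identifier") == r["attrs"].get("NAS-Identifier"),
                    "acct_has_nas_port": "NAS-Port" in r["attrs"]})
    return out

# Constructed excerpt of the debug output quoted in the post (trimmed).
SAMPLE = """\
rad_recv: Access-Request packet from host 193.188.X.X port 5027, id=40
NAS-Identifier = WAN-HA
User-Name = rsa
Acct-Session-Id = 0fa5011f
+- entering group authenticate {...}
++[ntlm_auth] returns ok
Sending Access-Accept of id 40 to 193.188.X.X port 5027
rad_recv: Accounting-Request packet from host 193.188.X.X port 5028, id=41
Acct-Session-Id = 0fa5011f
User-Name = rsa
NAS-Identifier = VDK-F-FGWAN"""
```

Running `correlate(parse_debug(SAMPLE))` reports the session as authenticated by ntlm_auth with an Access-Accept, with `nas_id_matches` and `acct_has_nas_port` both false.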