Re: NTLM_Auth will not work from within FreeRadius
Nice catch on the hyphen, but that did not fix the problem (the hyphen was probably left out after changing the line several times while testing different configurations). I realize the problem is in the creation of the response for the user/password/challenge combination; the question is why. I have tried with_ntdomain_hack = yes and with_ntdomain_hack = no, but neither setting works; it seems to ignore that value.
It might help if someone could give me a valid user, password, challenge, and response so that I can test ntlm with known good values.
My radiusd.conf follows.
Thanks,
Neal
___________________________________________________
radiusd.conf
___________________________________________________
# radiusd.conf as posted to the list; indentation was lost in the mail, and a
# few quoted values below appear to have been wrapped onto two lines by the
# mail client (they must be single lines in the real file).
# Path variables; ${...} references are expanded from the definitions above.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
# No unprivileged user/group is set, so the daemon keeps the identity it was
# started with (presumably root).  NOTE(review): that is also what lets the
# ntlm_auth helper in the mschap module reach winbindd's privileged pipe; if
# these are enabled later, the chosen account needs access to that pipe or
# --request-nt-key stops working.
#user = nobody
#group = nobody
# Request lifetime and queue limits.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listen on all addresses; port 0 selects the default RADIUS ports.
bind_address = *
port = 0
hostname_lookups = no
# Keep core dumps off: a core file would contain in-flight request data.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
# Authentication is logged, but submitted passwords are not written to the
# log (both *_badpass and *_goodpass are off); keep them off in production.
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
# No user-name/password normalisation.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# Per-packet limits: max_attributes bounds parsing work on a malformed packet,
# reject_delay holds Access-Reject for one second to slow down guessing, and
# Status-Server probes are not answered.
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
# Proxying is disabled, but proxy.conf is still read (its realm definitions
# are harmless while proxy_requests = no).  clients.conf holds the NAS shared
# secrets; snmp is off, snmp.conf is read anyway.
proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
# Worker thread pool sizing; max_requests_per_server = 0 means threads are
# never recycled after a fixed number of requests.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Module instances.  Only the ones named in the authorize/authenticate/
# accounting/post-auth sections further down are actually used; the rest are
# defined but inert.
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
# unix is used in accounting (radwtmp) only; it is commented out in
# authenticate below.
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
# MS-CHAP handling, delegated to Samba's ntlm_auth.
# NOTE(review): this with_ntdomain_hack and the one in preprocess (commented
# out further down) are two different options; make sure the one being
# toggled is this one.  As far as I recall it only affects MS-CHAPv2, where the
# user name is folded into the challenge hash, so for an MS-CHAPv1 client it
# would indeed appear to be ignored -- check the debug output for the version.
# The --domain/--username values seen in the debug output quoted below
# (--domain=MyDom --username=radtest) look right, so the remaining suspects
# are the challenge/response pair and how the DC evaluates it.
# The ntlm_auth value appears wrapped by the mail client here; in the file it
# must be one quoted line.
mschap {
#use_mppe = yes
#require_encryption = yes
#require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
# Still the template placeholders (server = "ldap.your.domain"); ldap is
# commented out in authorize and authenticate, so this instance is unused.
# If it is ever enabled, note that start_tls = no sends the bind in clear.
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
# Disabled smbpasswd/group lookups.  The format line appears wrapped by the
# mail client (the continuation on its own line would not parse if this block
# were uncommented).
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format =
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}
# Realm splitters.  None of them (IPASS, suffix, realmpercent, ntdomain) is
# enabled in authorize below, so DOMAIN\user names reach mschap unsplit and
# only mschap's own domain handling applies.
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Defined but commented out in authorize.
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
# Disabled.  The "the original string" line is a wrapped comment from the
# mail client and would not parse if this block were uncommented.
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to
the original string
# append = no
#}
# preprocess runs first in authorize and preacct.  Its own with_ntdomain_hack
# is commented out here (see the note on the mschap module above).
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
#with_ntdomain_hack = yes
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Commented out in authorize and preacct.
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
# Detail writers (accounting, auth_log, reply_log), one file per client IP
# per day.  detailperm = 0600 is appropriate: these files hold the full
# request/reply attribute lists.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}
# The key value appears wrapped by the mail client; in the file it is one
# quoted line.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
# Session tracking; radutmp is used in accounting and session, sradutmp is
# commented out.
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# Commented out in authorize.
attr_filter {
attrsfile = ${confdir}/attrs
}
# Commented out everywhere (including instantiate).
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# Fixed-return helpers; not referenced in any section below.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
# Generic exec (instantiated below for %{exec:...} expansions).
exec {
wait = yes
input_pairs = request
}
# Expands a client-supplied attribute into a command line.  This instance is
# not referenced in any section below, so it is inert; keep it that way
# unless the expansion is known to be safely escaped.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
#packet_type = Access-Accept
}
# Not referenced anywhere below.
ippool main_pool {
#this section isnt used is it?
}
}
# Modules loaded up front even though they appear in no processing section
# (needed for %{exec:...} and %{expr:...} expansions).
instantiate {
exec
expr
# daily
}
# Authorization order for Access-Requests: preprocess, log every request to
# the auth-detail file, then mschap and eap decide the Auth-Type.  No realm
# module is active, so the User-Name reaches mschap exactly as sent.
authorize {
preprocess
auth_log
# attr_filter
# chap
mschap
# digest
# IPASS
#suffix
# ntdomain
eap
# files
# sql
# etc_smbpasswd
# ldap
# daily
# checkval
}
# Authentication.
# Only MS-CHAP (via ntlm_auth) and EAP are enabled; PAP and CHAP are off, so
# the plaintext ntlm_auth test from the thread exercises a different path.
authenticate {
#Auth-Type PAP {
#pap
#}
#Auth-Type CHAP {
#chap
#}
Auth-Type MS-CHAP {
mschap
}
# digest
# pam
#unix
# Auth-Type LDAP {
# ldap
# }
eap
}
# Accounting pre-processing: de-duplicate with acct_unique; realm and files
# lookups are off.
preacct {
preprocess
acct_unique
# IPASS
# suffix
#ntdomain
#files
}
# Accounting records go to the detail file, radwtmp (unix), radutmp and SQL
# (sql is configured in the included sql.conf).
accounting {
detail
# daily
unix
radutmp
# sradutmp
# main_pool
sql
# pgsql-voip
}
# Simultaneous-use checks read radutmp only.
session {
radutmp
# sql
}
# Replies are logged to the reply-detail file; no IP pool, SQL or LDAP
# post-auth handling, and no separate REJECT handling.
post-auth {
# Get an address from the IP Pool.
# main_pool
reply_log
# sql
# ldap
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}
# Nothing to do: proxy_requests = no.
pre-proxy {
}
# Proxied EAP replies (not used while proxy_requests = no).
post-proxy {
eap
}
James J J Hooper wrote:
On 21 Nov 2006, at 10:34, Phil Mayers wrote:
Neal Bullins wrote:
/usr/bin/ntlm_auth --request-nt-key --domain=MyDom
--username=radtest And then I enter the correct password and the
result is “NT_STATUS_OK: Success (0x0)”.
Well, that's a plaintext auth, so not really relevant to the next bit...
The debug output from freeradius is:
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MyDom
--username=radtest --challenge=3bdc9461e268b957
--ntresponse=d618ee49ab97f0ea5cc9c491904dbbbea5a56eb5c9cc0608
Exec-Program output: Logon failure (0xc000006d)
This is a challenge-response auth. The logical conclusion is that the
response is not correct for that user/password/challenge combination.
... or you have made a typo in the command: there should be a hyphen between nt and response in --nt-response.
-James
--
James J J Hooper
Information Services
University of Bristol