FreeRadius+AD integration

shrikant Bhat shrikabhat at gmail.com
Wed May 2 14:02:20 CEST 2007


Sorry I forgot to attach the radiusd.conf and debug results
***************************************************************
..........
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

libdir = /usr/local/lib

pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
#
max_requests = 1024
#
bind_address = *
#
port = 0
#
hostname_lookups = no
#
allow_core_dumps = no

#  Regular expressions
#
regular_expressions	= yes
extended_expressions	= yes

#  Log the full User-Name attribute, as it was found in the request.
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
#
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
#
security {
		max_attributes = 200
		reject_delay = 1
		status_server = no
	}
$INCLUDE  ${confdir}/clients.conf
# SNMP CONFIGURATION
snmp	= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
		start_servers = 5

		max_servers = 32
		#
	min_spare_servers = 3
	max_spare_servers = 10

	#  There may be memory leaks or resource allocation problems with
	
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
          exec ntlm_auth {
               wait = no
                program = "/usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.ORG --username=%{mschap:User-Name}
--password=%{User-Password}"
        }
	#
	pap {
		encryption_scheme = crypt
	}
	
	chap {
		authtype = CHAP
	}
	
$INCLUDE ${confdir}/eap.conf
	mschap {
		#
		authtype = MS-CHAP
	#	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{mschap:NT-Domain:-MYDOMAIN.ORG}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
	}

	checkval {
		# The attribute to look for in the request
		item-name = Calling-Station-Id
		# The attribute to look for in check items. Can be multi valued
		check-name = Calling-Station-Id
		# The data type. Can be
		# string,integer,ipaddr,date,abinary,octets
		data-type = string
		# If set to yes and we dont find the item-name attribute in the
		# request then we send back a reject
		# DEFAULT is no
		#notfound-reject = no
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
	}
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes		
		perm = 0600
		callerid = "yes"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	expr {
	}
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
		#
		wait = yes
		#
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}
}
# Instantiation
instantiate {
	expr
}
authorize {
		preprocess
	chap
	mschap
	suffix
	eap
	files
}
authenticate {
	ntlm_auth
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
}
session {
	radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}



***********************************************************************
rad_recv: Access-Request packet from host 127.0.0.1:32783, id=159, length=57
        User-Name = "raduser"
        User-Password = "test123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 154
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ntlm_auth
auth: type "ntlm_auth"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
radius_xlat: Running registered xlat function of module mschap for
string 'User-
                    Name'
radius_xlat:  '--username=raduser'
radius_xlat:  '--password=test123'
  modcall[authenticate]: module "ntlm_auth" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
Sending Access-Accept of id 159 to 127.0.0.1 port 32783
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 159 with timestamp 463879cf
Nothing to do.  Sleeping until we see a request.
*****************************************************************************
On 5/2/07, shrikant Bhat <shrikabhat at gmail.com> wrote:
> Hello All,
> Could some one please tell me why ntlm_auth resurning OK with out
> looking up the ADS .
> I couldnt understand the debug.
>
> On 5/1/07, shrikant Bhat <shrikabhat at gmail.com> wrote:
> > Alan,
> > My intention is not argue, since I coudnt understand the debug I
> > posted the messege.
> >
> > On 4/30/07, Alan DeKok <aland at deployingradius.com> wrote:
> > > shrikant Bhat wrote:
> > > > I dont have the user in Active directory, yet  free radius sends a
> > > > accept packet.
> > >
> > >   I did read the debug output, unlike you.  It shows why.  I told you
> > > why.  Stop arguing and read the debug output again, and my responses.
> > >
> > >   It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
> > > Access-Accept if the ntlm_auth module returns OK.  For some reason, the
> > > ntlm_auth is returning OK.  Go find out why that's happening, and fix it.
> > >
> > >   Do NOT reply with "but freeradius sends an access accept".  That reply
> > > indicates that you're not reading the messages here.  If you're not
> > > going to read the answers to your questions, I suggest you stop asking
> > > the questions.  You're wasting your time, and ours.
> > >
> > >   Alan DeKok.
> > > --
> > >   http://deployingradius.com       - The web site of the book
> > >   http://deployingradius.com/blog/ - The blog
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
> >
>



More information about the Freeradius-Users mailing list