ClearText-Password?

Dean, Barry B.Dean at liverpool.ac.uk
Mon Mar 3 14:30:32 CET 2008


Debug:
==============

rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49
        User-Name = "user"
        User-Password = "passwd"
        NAS-IP-Address = 138.253.XXX.XXX
+- entering group authorize
++[preprocess] returns ok
++? if ("%{User-Name}" =~ /barred-user/i)
        expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /barred-user/i) -> FALSE
++? if ("%{User-Name}" =~ /barred-user/i) -> FALSE
        expand: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303
rlm_detail: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303
        expand: %t -> Mon Mar  3 11:28:08 2008
++[auth_log] returns ok
++[mschap] returns noop
++[chap] returns noop
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "user"
    rlm_realm: Proxying request from user user to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
    users: Matched entry DEFAULT at line 211
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [user/passwd] (from client EZProxy port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49
Sending duplicate reply to client EZProxy port 47032 - ID: 195
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
Cleaning up request 0 ID 195 with timestamp +24
Ready to process requests.

==================

Config:

users:

DEFAULT Auth-Type = mschap
        Acct-Session-Id = "Local",
        Fall-Through = Yes

radiusd.conf:

mschap {
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = yes
                ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

        }

If I don’t force MSCHAP in users, how else do I get the user checked against AD when the only place ntlm_auth is called is inside the mschap module?

---------------
Barry Dean
Networks Team
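
Added example, not part of the original post and not FreeRADIUS code: a small Python triage of debug output like the above. It reports when a request that carries only User-Password is handled with Auth-Type mschap and rejected, and when a Login line records the submitted password. The function name and finding codes are assumptions made for this example; the sample input is constructed from lines in the post.

```python
import re

# Constructed sample: key lines copied from the debug output in the post.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49
        User-Name = "user"
        User-Password = "passwd"
        NAS-IP-Address = 138.253.XXX.XXX
++[mschap] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type mschap
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject
Login incorrect: [user/passwd] (from client EZProxy port 0)
"""

ATTR = re.compile(r'^\s+([A-Za-z][A-Za-z0-9-]*) = ')      # indented request attribute
AUTH_TYPE = re.compile(r'Found Auth-Type (\S+)')
MODULE_RC = re.compile(r'^\++\[([^\]]+)\] returns (\w+)')  # e.g. ++[mschap] returns reject
# "[user/secret]" means a password was logged; "[user]" or "[user/<...>]" does not.
LOGIN_PW = re.compile(r'^Login \w+: \[[^/\]]+/(?!<)[^\]]+\]')

def triage(debug_text):
    """Return sorted finding codes (names are hypothetical) for one request."""
    attrs, auth_type, rejected_by, findings = set(), None, None, set()
    in_packet = False
    for line in debug_text.splitlines():
        if line.startswith('rad_recv:'):
            in_packet = True          # attribute lines follow the packet header
            continue
        if in_packet:
            m = ATTR.match(line)
            if m:
                attrs.add(m.group(1))
                continue
            in_packet = False
        if (m := AUTH_TYPE.search(line)):
            auth_type = m.group(1).lower()
        elif (m := MODULE_RC.match(line)) and m.group(2) == 'reject':
            rejected_by = m.group(1)
        elif LOGIN_PW.match(line):
            findings.add('password-written-to-log')
    # The mschap module needs MS-CHAP-Challenge; a PAP request has only User-Password.
    if auth_type == 'mschap' and rejected_by == 'mschap':
        if 'User-Password' in attrs and 'MS-CHAP-Challenge' not in attrs:
            findings.add('pap-request-forced-to-mschap')
    return sorted(findings)

if __name__ == '__main__':
    print(triage(SAMPLE_DEBUG))
```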






