Freeradius 2.0 with Activedirectory Integration Failed

Andy Ng nding at
Tue Nov 11 05:04:00 CET 2008

tnt-4 wrote:
>>Currently, there are some questions that are going on in my head...
>>1. Must the ntlm_auth be placed in modules or in radiusd.conf?
>>If the configuration exec ntlm_auth is to be placed in modules, which
> Modules.
>>2. In the URL, that indicated that I must input ntlm_auth into the
>>authenticate routine in freeradius 1.x, but freeradius 2.x is all
>>any idea which is the one that I should placed into?
> This has been pointed out to you twice:
>>>>> That's one of the steps. Just add ntlm_auth to authenticate in both
>>>>> virtual servers (default and inner-tunnel).
>>> Is this the step you are struggling with?
>>I will do some trial and error on my end though...
>>And I think that after being successful on this, I will need help from you
>>guys to get this documented,
> It is documented, but *you* have decided to skip steps as *you* felt that
> they are not appropriate for 2.x.
> Ivan Kalik
> Kalik Informatika ISP
> -
> List info/subscribe/unsubscribe? See

Guess I was "too smart" to skip steps...
Thank you for pointing out Ivan! ;-)

I have retraced my steps again, and have done the following...

1. Added "user     Auth-Type := ntlm_auth" to users file in
2. Added "ntlm_auth" into authenticate of default and inner-tunnel of
sites-enabled directory

authenticate {

        Auth-Type PAP {

3. Added into exec file in modules directory:
"exec ntlm_auth {
                wait = yes
                program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key
--domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"

where domain is TEST

4. I did not enable ntlm for mschap yet

5. Ran radiusd -X and has no errors, and I extracted some information:

server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Instantiating ntlm_auth
  exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key
--domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
        input_pairs = "request"
        shell_escape = yes

6. I tried to do a SSH authentication with pam-radius and it was not
rad_recv: Access-Request packet from host port 26805, id=72,
        User-Name = "test"
        User-Password = "password"
        NAS-IP-Address =
        NAS-Identifier = "sshd"
        NAS-Port = 25780
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = ""
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 72 to port 26805
Waking up in 4.9 seconds.

Seems like it didn't touch ntlm_auth.
Previously, I tried according the manual on freeradius 1.17, and was
successful when I do the testing, but failed when I enabled ntlm_auth on
MSCHAP, and tested the same way as I was doing now

View this message in context:
Sent from the FreeRadius - User mailing list archive at

More information about the Freeradius-Users mailing list