ntlm_auth works on commandline but not in radiusd.conf

radius at illiana.net
Wed Oct 1 16:11:45 CEST 2008


Please forgive me as I'm a newbie to Radius.  I've been reading FAQs and the
archived mailing list for three days and haven't seen a problem similar to
mine.  ntlm_auth works as expected on the command line, however it does
not work in radius.  In radius it ALWAYS returns a status ok and
authenticates the user, even if the password is incorrect.  Below are log
snippets from issuing radiusd -X.  I'm using the latest version, FreeRadius
2.1.1, compiled from source.  Very specifically, I followed the (out of
date) guide by Alan DeKok called "Deploying Radius":

http://deployingradius.com/documents/configuration/active_directory.html

Everything works ok in the guide up to the point of the first radtest
command.  I can put ANY password for the user in the radtest command and
it works.  Again, issuing ntlm_auth from the command line gives predictable
results.  Here's the real-world example demonstrating that I have ntlm_auth
properly working.  These are the expected results.

Is there a better way to debug the exec module to see what is really
happening when exec calls ntlm_auth from within freeradius?

[root at marauder ~]# ntlm_auth --domain=GTDEV --request-nt-key --username=ntlmtest --password=radpw
NT_STATUS_OK: Success (0x0)
[root at marauder ~]# ntlm_auth --domain=GTDEV --request-nt-key --username=ntlmtest --password=radpwnogood
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)


Radtest is issued from the command line and this is the debug output from
radiusd -X

[root at marauder ~]# radtest ntlmtest radpw localhost 0 testing123
Sending Access-Request of id 103 to 127.0.0.1 port 1812
        User-Name = "ntlmtest"
        User-Password = "radpw"
        NAS-IP-Address = 10.10.3.5
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=103, length=20

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60006, id=103, length=60
        User-Name = "ntlmtest"
        User-Password = "radpw"
        NAS-IP-Address = 10.10.3.5
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry ntlmtest at line 96
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=ntlmtest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=radpw
++[ntlm_auth] returns ok
Login OK: [ntlmtest/radpw] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 103 to 127.0.0.1 port 60006
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 103 with timestamp +3
Ready to process requests.

OK, now here's the same radtest with a bad password.  It works but it
shouldn't!

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58940, id=87, length=60
        User-Name = "ntlmtest"
        User-Password = "radpwnogood"
        NAS-IP-Address = 10.10.3.5
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry ntlmtest at line 96
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=ntlmtest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=radpwnogood
++[ntlm_auth] returns ok
Login OK: [ntlmtest/radpwnogood] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 87 to 127.0.0.1 port 58940
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 87 with timestamp +7
Ready to process requests.

And for those of you who must see the ntlm_auth config portion, here it
is: (it's the same as the deployment guide)

        $INCLUDE ${confdir}/modules/
#
# put exec ntlm_auth AFTER the exec module is defined
#
        exec ntlm_auth {
                wait = no
                program = "/usr/bin/ntlm_auth --request-nt-key --domain=GTDEV --username=%{mschap:User-Name} --password=%{User-Password}"
        }
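The post asks how to see what exec really does when it runs ntlm_auth. The wrapper below, added here and not code from the original post or from FreeRADIUS or Samba, stands in for /usr/bin/ntlm_auth in `program =`, logs the masked arguments, the NT_STATUS line and the exit code of every call, and passes the output and exit status through unchanged; rlm_exec only examines that exit status when it waits for the child (`wait = yes`), so with `wait = no` the module reports ok as soon as the program has been started, whatever ntlm_auth later returns. NTLM_AUTH_BIN, NTLM_AUTH_LOG and the default log path are names chosen for this example.

```shell
#!/bin/sh
# Logging wrapper to put in rlm_exec's "program =" in place of /usr/bin/ntlm_auth.
# Added example, not code from the original post or from FreeRADIUS/Samba.
# NTLM_AUTH_BIN, NTLM_AUTH_LOG and the default log path are assumptions.
NTLM_AUTH_BIN="${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth}"
NTLM_AUTH_LOG="${NTLM_AUTH_LOG:-/var/log/radius/ntlm_auth_debug.log}"

# Echo the argument list with the --password= value masked, so the cleartext
# password never lands in the log file.
mask_args() {
    sep=
    for arg in "$@"; do
        case "$arg" in --password=*) arg='--password=***' ;; esac
        printf '%s%s' "$sep" "$arg"
        sep=' '
    done
}

# Run the real ntlm_auth with the arguments rlm_exec expanded, log the masked
# arguments, the NT_STATUS line and the exit code, and return that exit code
# unchanged.  NT_KEY lines (the user's NT hash) are dropped from the log.
run_logged() {
    rc=0
    out=$("$NTLM_AUTH_BIN" "$@" 2>&1) || rc=$?
    status=$(printf '%s\n' "$out" | grep -v '^NT_KEY:' | tr '\n' ' ')
    printf '%s args: %s\n' "$(date '+%F %T')" "$(mask_args "$@")" >>"$NTLM_AUTH_LOG"
    printf '%s result: %sexit=%d\n' "$(date '+%F %T')" "$status" "$rc" >>"$NTLM_AUTH_LOG"
    return "$rc"
}

# When invoked with arguments (as rlm_exec does), behave like ntlm_auth itself:
# pass its output through and exit with its status so wait = yes can act on it.
if [ "$#" -gt 0 ]; then
    run_logged "$@"
    rc=$?
    printf '%s\n' "$out"
    exit "$rc"
fi
```

Install it readable and executable by the radiusd user only, keep the same argument list in `program =`, and each request in `radiusd -X` then has a matching log line with the exit code ntlm_auth actually produced.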