NTLM_auth active directory - what is wrong?

Santiago Matiz V santimatiz at yahoo.com
Tue Oct 7 16:08:24 CEST 2008


Syed thanks for your answer, when i configure the file "users" with "ntlm_auth" appears the error :

"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users"

thanks again...

Santiago Matiz (santimatiz at yahoo.com)
Systems Engineer
Bogotá, Colombia (South America)


--- On Tue, 10/7/08, Syed Anwarul Hasan <syedanwarulhasan2007 at gmail.com> wrote:

> From: Syed Anwarul Hasan <syedanwarulhasan2007 at gmail.com>
> Subject: Re: NTLM_auth active directory - what is wrong?
> To: santimatiz at yahoo.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Tuesday, October 7, 2008, 2:20 PM
> Hi Santiago,
> 
>      I would suggest you to first try with radtest to see
> ntlm_auth BIND AS
> USER is working or not.
> 
> Have a User entry in Users file with Auth-Type := ntlm_auth
> Add *ntlm_auth* in Authenticate section of default and
> inner-tunnel files in
> /sites-enabled directory.
> 
> Then if radtest returns NT Success Ok or ntlm_auth is being
> done by Server.
> Then Try for RADIUS requests from actual NAS.
> 
> I have done this way as of now to check ntlm_auth Bind.
> 
> The Experts can show you more light in your problem.
> 
> Regards,
> SYED
> 
> 
> 
> On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V
> <santimatiz at yahoo.com>wrote:
> 
> >
> > Hi all
> > I follow the instructions of Alan :
> >
> >
> <http://deployingradius.com/documents/configuration/active_directory.html>
> >
> > to authenticate ntlm_auth with radius but appers the
> following message:
> >
> > " WARNING: Unknown value specified for Auth-Type.
>  Cannot perform requested
> > action.
> > auth: Failed to validate the user."
> >
> > what is wrong?
> >
> > Please help.
> > Santiago
> >
> >
> > FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu,
> built on Sep  3 2008
> > at 15:55:02
> > Copyright (C) 1999-2008 The FreeRADIUS server project
> and contributors.
> > There is NO warranty; not even for MERCHANTABILITY or
> FITNESS FOR A
> > PARTICULAR PURPOSE.
> > You may redistribute copies of FreeRADIUS under the
> terms of the
> > GNU General Public License v2.
> > Starting - reading configuration files ...
> > including configuration file
> /usr/local/etc/raddb/radiusd.conf
> > including configuration file
> /usr/local/etc/raddb/proxy.conf
> > including configuration file
> /usr/local/etc/raddb/clients.conf
> > including configuration file
> /usr/local/etc/raddb/snmp.conf
> > including configuration file
> /usr/local/etc/raddb/eap.conf
> > including dictionary file
> /usr/local/etc/raddb/dictionary
> > main {
> >        prefix = "/usr/local"
> >        localstatedir = "/var"
> >        logdir = "/var/log/radius"
> >        libdir = "/usr/local/lib"
> >        radacctdir =
> "/var/log/radius/radacct"
> >        hostname_lookups = no
> >        max_request_time = 30
> >        cleanup_delay = 5
> >        max_requests = 1024
> >        allow_core_dumps = no
> >        pidfile =
> "/var/run/radiusd/radiusd.pid"
> >        checkrad = "/usr/local/sbin/checkrad"
> >        debug_level = 0
> >        proxy_requests = yes
> >        log_auth = yes
> >        log_auth_badpass = no
> >        log_auth_goodpass = no
> >        log_stripped_names = no
> > }
> >  client localhost {
> >        ipaddr = 127.0.0.1
> >        require_message_authenticator = no
> >        secret = "testing123"
> >        nastype = "other"
> >  }
> >  client 192.100.16.11 {
> >        require_message_authenticator = no
> >        secret = "123"
> >  }
> > radiusd: #### Loading Realms and Home Servers ####
> >  proxy server {
> >        retry_delay = 5
> >        retry_count = 3
> >        default_fallback = no
> >        dead_time = 120
> >        wake_all_if_all_dead = no
> >  }
> >  home_server localhost {
> >        ipaddr = 127.0.0.1
> >        port = 1812
> >        type = "auth"
> >        secret = "testing123"
> >        response_window = 20
> >        max_outstanding = 65536
> >        zombie_period = 40
> >        status_check = "status-server"
> >        ping_check = "none"
> >        ping_interval = 30
> >        check_interval = 30
> >        num_answers_to_alive = 3
> >        num_pings_to_alive = 3
> >        revive_interval = 120
> >        status_check_timeout = 4
> >  }
> >  home_server_pool my_auth_failover {
> >        type = fail-over
> >        home_server = localhost
> >  }
> >  realm example.com {
> >        auth_pool = my_auth_failover
> >  }
> >  realm LOCAL {
> >  }
> >  realm DOMAIN.LOC {
> >        authhost = LOCAL
> >        accthost = LOCAL
> >  }
> >  realm DOMAIN {
> >        authhost = LOCAL
> >        accthost = LOCAL
> >  }
> > radiusd: #### Instantiating modules ####
> >  instantiate {
> >  Module: Linked to module rlm_expr
> >  Module: Instantiating expr
> >  }
> > radiusd: #### Loading Virtual Servers ####
> > server {
> >  modules {
> >  Module: Checking authenticate {...} for more modules
> to load
> >  Module: Linked to module rlm_mschap
> >  Module: Instantiating mschap
> >  mschap {
> >        use_mppe = yes
> >        require_encryption = no
> >        require_strong = no
> >        with_ntdomain_hack = yes
> >        ntlm_auth = "/usr/bin/ntlm_auth           
>      --request-nt-key
> >            --domain=%{mschap:NT-Domain:-DOMAIN}
> >  --username=%{mschap:User-Name}         
> --challenge=%{mschap:Challenge:-00}
> >            
> --nt-response=%{mschap:NT-Response:-00}"
> >  }
> >  Module: Checking authorize {...} for more modules to
> load
> >  Module: Linked to module rlm_preprocess
> >  Module: Instantiating preprocess
> >  preprocess {
> >        huntgroups =
> "/usr/local/etc/raddb/huntgroups"
> >        hints = "/usr/local/etc/raddb/hints"
> >        with_ascend_hack = no
> >        ascend_channels_per_line = 23
> >        with_ntdomain_hack = no
> >        with_specialix_jetstream_hack = no
> >        with_cisco_vsa_hack = no
> >        with_alvarion_vsa_hack = no
> >  }
> >  Module: Linked to module rlm_realm
> >  Module: Instantiating realmslash
> >  realm realmslash {
> >        format = "prefix"
> >        delimiter = "\"
> >        ignore_default = no
> >        ignore_null = no
> >  }
> >  Module: Instantiating suffix
> >  realm suffix {
> >        format = "suffix"
> >        delimiter = "@"
> >        ignore_default = no
> >        ignore_null = no
> >  }
> >  Module: Linked to module rlm_eap
> >  Module: Instantiating eap
> >  eap {
> >        default_eap_type = "peap"
> >        timer_expire = 60
> >        ignore_unknown_eap_types = no
> >        cisco_accounting_username_bug = no
> >  }
> >  Module: Linked to sub-module rlm_eap_md5
> >  Module: Instantiating eap-md5
> >  Module: Linked to sub-module rlm_eap_leap
> >  Module: Instantiating eap-leap
> >  Module: Linked to sub-module rlm_eap_gtc
> >  Module: Instantiating eap-gtc
> >   gtc {
> >        challenge = "Password: "
> >        auth_type = "PAP"
> >   }
> >  Module: Linked to sub-module rlm_eap_tls
> >  Module: Instantiating eap-tls
> >   tls {
> >        rsa_key_exchange = no
> >        dh_key_exchange = yes
> >        rsa_key_length = 512
> >        dh_key_length = 512
> >        verify_depth = 0
> >        pem_file_type = yes
> >        private_key_file =
> "/usr/local/etc/raddb/certs/server.pem"
> >        certificate_file =
> "/usr/local/etc/raddb/certs/server.pem"
> >        CA_file =
> "/usr/local/etc/raddb/certs/ca.pem"
> >        private_key_password = "whatever"
> >        dh_file =
> "/usr/local/etc/raddb/certs/dh"
> >        random_file =
> "/usr/local/etc/raddb/certs/random"
> >        fragment_size = 1024
> >        include_length = yes
> >        check_crl = no
> >        cipher_list = "DEFAULT"
> >        make_cert_command =
> "/usr/local/etc/raddb/certs/bootstrap"
> >   }
> >  Module: Linked to sub-module rlm_eap_ttls
> >  Module: Instantiating eap-ttls
> >   ttls {
> >        default_eap_type = "md5"
> >        copy_request_to_tunnel = no
> >        use_tunneled_reply = no
> >        virtual_server = "inner-tunnel"
> >   }
> >  Module: Linked to sub-module rlm_eap_peap
> >  Module: Instantiating eap-peap
> >   peap {
> >        default_eap_type = "mschapv2"
> >        copy_request_to_tunnel = no
> >        use_tunneled_reply = no
> >        proxy_tunneled_request_as_eap = yes
> >        virtual_server = "inner-tunnel"
> >   }
> >  Module: Linked to module rlm_files
> >  Module: Instantiating files
> >  files {
> >        usersfile =
> "/usr/local/etc/raddb/users"
> >        acctusersfile =
> "/usr/local/etc/raddb/acct_users"
> >        compat = "no"
> >  }
> >  Module: Checking preacct {...} for more modules to
> load
> >  Module: Checking accounting {...} for more modules to
> load
> >  Module: Linked to module rlm_acct_unique
> >  Module: Instantiating acct_unique
> >  acct_unique {
> >        key = "User-Name, Acct-Session-Id,
> NAS-IP-Address,
> > Client-IP-Address, NAS-Port-Id"
> >  }
> >  Module: Linked to module rlm_detail
> >  Module: Instantiating detail
> >  detail {
> >        detailfile =
> >
> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> >        header = "%t"
> >        detailperm = 384
> >        dirperm = 493
> >        locking = no
> >        log_packet_header = no
> >  }
> >  Module: Linked to module rlm_radutmp
> >  Module: Instantiating radutmp
> >  radutmp {
> >        filename = "/var/log/radius/radutmp"
> >        username = "%{User-Name}"
> >        case_sensitive = yes
> >        check_with_nas = yes
> >        perm = 384
> >        callerid = yes
> >  }
> >  Module: Checking session {...} for more modules to
> load
> >  Module: Checking post-proxy {...} for more modules to
> load
> >  }
> > }
> > radiusd: #### Opening IP addresses and Ports ####
> >        bind_address = *
> > WARNING: The directive 'bind_adress' is
> deprecated, and will be removed in
> > future versions of FreeRADIUS. Please edit the
> configuration files to use
> > the directive 'listen'.
> > Listening on authentication address * port 1812
> > Listening on accounting address * port 1813
> > Listening on proxy address * port 1814
> > Ready to process requests.
> > rad_recv: Access-Request packet from host
> 192.100.16.11 port 1308, id=0,
> > length=217
> >        Message-Authenticator =
> 0x92d1b860b93a1c6d28f08eaa37697101
> >        Service-Type = Framed-User
> >        User-Name =
> "DOMAIN\\user\000"
> >        Framed-MTU = 1488
> >        Called-Station-Id =
> "00-16-E0-04-FE-44:pcountry"
> >        Calling-Station-Id =
> "00-1B-77-4D-1A-74"
> >        NAS-Identifier = "PISO 7 UG SISTEMAS"
> >        NAS-Port-Type = Wireless-802.11
> >        Connect-Info = "CONNECT 54Mbps
> 802.11g"
> >        EAP-Message =
> 0x0200001601434c49434f554e5452595c736d6174697a
> >        NAS-IP-Address = 192.100.16.11
> >        NAS-Port = 1
> >        NAS-Port-Id = "STA port # 1"
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[mschap] returns noop
> >    rlm_realm: Looking up realm "DOMAIN" for
> User-Name = "DOMAIN\user"
> >    rlm_realm: Found realm "DOMAIN"
> >    rlm_realm: Adding Stripped-User-Name =
> "user"
> >    rlm_realm: Adding Realm = "DOMAIN"
> >    rlm_realm: Authentication realm is LOCAL.
> > ++[realmslash] returns ok
> >    rlm_realm: Request already proxied.  Ignoring.
> > ++[suffix] returns ok
> >  rlm_eap: EAP packet type response id 0 length 22
> >  rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> > ++[eap] returns updated
> >    users: Matched entry user at line 178
> > ++[files] returns ok
> >  rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> >  WARNING: Unknown value specified for Auth-Type. 
> Cannot perform requested
> > action.
> > auth: Failed to validate the user.
> > Login incorrect: [DOMAIN\\user\000] (from
> client 192.100.16.11 port 1 cli
> > 00-1B-77-4D-1A-74)
> > Sending Access-Reject of id 0 to 192.100.16.11 port
> 1308
> > Finished request 0.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > rad_recv: Access-Request packet from host
> 192.100.16.11 port 1310, id=0,
> > length=217
> >        Message-Authenticator =
> 0xf829fc414e9407ab04ede033d5a60941
> >        Service-Type = Framed-User
> >        User-Name =
> "DOMAIN\\user\000"
> >        Framed-MTU = 1488
> >        Called-Station-Id =
> "00-16-E0-04-FE-44:pcountry"
> >        Calling-Station-Id =
> "00-1B-77-4D-1A-74"
> >        NAS-Identifier = "PISO 7 UG SISTEMAS"
> >        NAS-Port-Type = Wireless-802.11
> >        Connect-Info = "CONNECT 54Mbps
> 802.11g"
> >        EAP-Message =
> 0x0200001601434c49434f554e5452595c736d6174697a
> >        NAS-IP-Address = 192.100.16.11
> >        NAS-Port = 1
> >        NAS-Port-Id = "STA port # 1"
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[mschap] returns noop
> >    rlm_realm: Looking up realm "DOMAIN" for
> User-Name = "DOMAIN\user"
> >    rlm_realm: Found realm "DOMAIN"
> >    rlm_realm: Adding Stripped-User-Name =
> "user"
> >    rlm_realm: Adding Realm = "DOMAIN"
> >    rlm_realm: Authentication realm is LOCAL.
> > ++[realmslash] returns ok
> >    rlm_realm: Request already proxied.  Ignoring.
> > ++[suffix] returns ok
> >  rlm_eap: EAP packet type response id 0 length 22
> >  rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> > ++[eap] returns updated
> >    users: Matched entry user at line 178
> > ++[files] returns ok
> >  rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> >  WARNING: Unknown value specified for Auth-Type. 
> Cannot perform requested
> > action.
> > auth: Failed to validate the user.
> > Login incorrect: [DOMAIN\\user\000] (from
> client 192.100.16.11 port 1 cli
> > 00-1B-77-4D-1A-74)
> > Sending Access-Reject of id 0 to 192.100.16.11 port
> 1310
> > Finished request 1.
> > Going to the next request
> > Waking up in 4.7 seconds.
> > rad_recv: Access-Request packet from host
> 192.100.16.11 port 1312, id=0,
> > length=217
> >        Message-Authenticator =
> 0xef8314925f34ccf891d91ca6fa18857d
> >        Service-Type = Framed-User
> >        User-Name =
> "DOMAIN\\user\000"
> >        Framed-MTU = 1488
> >        Called-Station-Id =
> "00-16-E0-04-FE-44:pcountry"
> >        Calling-Station-Id =
> "00-1B-77-4D-1A-74"
> >        NAS-Identifier = "PISO 7 UG SISTEMAS"
> >        NAS-Port-Type = Wireless-802.11
> >        Connect-Info = "CONNECT 54Mbps
> 802.11g"
> >        EAP-Message =
> 0x0200001601434c49434f554e5452595c736d6174697a
> >        NAS-IP-Address = 192.100.16.11
> >        NAS-Port = 1
> >        NAS-Port-Id = "STA port # 1"
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[mschap] returns noop
> >    rlm_realm: Looking up realm "DOMAIN" for
> User-Name = "DOMAIN\user"
> >    rlm_realm: Found realm "DOMAIN"
> >    rlm_realm: Adding Stripped-User-Name =
> "user"
> >    rlm_realm: Adding Realm = "DOMAIN"
> >    rlm_realm: Authentication realm is LOCAL.
> > ++[realmslash] returns ok
> >    rlm_realm: Request already proxied.  Ignoring.
> > ++[suffix] returns ok
> >  rlm_eap: EAP packet type response id 0 length 22
> >  rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> > ++[eap] returns updated
> >    users: Matched entry user at line 178
> > ++[files] returns ok
> >  rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> >  WARNING: Unknown value specified for Auth-Type. 
> Cannot perform requested
> > action.
> > auth: Failed to validate the user.
> > Login incorrect: [DOMAIN\\user\000] (from
> client 192.100.16.11 port 1 cli
> > 00-1B-77-4D-1A-74)
> > Sending Access-Reject of id 0 to 192.100.16.11 port
> 1312
> > Finished request 2.
> > Going to the next request
> > Waking up in 4.4 seconds.
> > Cleaning up request 0 ID 0 with timestamp +113
> > Waking up in 0.2 seconds.
> > Cleaning up request 1 ID 0 with timestamp +113
> > Waking up in 0.2 seconds.
> > Cleaning up request 2 ID 0 with timestamp +114
> > Ready to process requests.
> >
> > Santiago Matiz (santimatiz at yahoo.com)
> > Systems Engineer
> > Bogotá, Colombia (South America)
> >
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >


      




More information about the Freeradius-Users mailing list