Problem with ntlm_auth

Syed Anwarul Hasan syedanwarulhasan2007 at gmail.com
Thu Oct 9 13:15:31 CEST 2008


And also don't remove ntlm_auth from the authenticate section of both the default
and inner-tunnel files.

On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <
syedanwarulhasan2007 at gmail.com> wrote:

> Ok, where are the USER CREDENTIALS stored? The one described in the manual is
> Bind as User. That is, the user entry is added in the users file and, after using
> ntlm_auth, it is checked against an Active Directory or LDAP server backend
> using the NT LAN Manager authentication protocol.
>
> For example:
> Users file:
> User      Auth-Type := ntlm_auth
>
> In Active Directory
> User should be a member.
>
> So, then ntlm_auth requests will be passed from your Server to Active
> Directory or LDAP Server.
>
> Otherwise you will not set up ntlm_auth.
>
> SYED
>
>
> On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte at bertelsmann.de> wrote:
>
>>  OK, I have tested it with "radtest MyUser MyPassword localhost 0
>> testing123" and this is what the server gave back:
>>
>>
>>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
>>         User-Name = "MyUser"
>>         User-Password = "MyPassword"
>>         NAS-IP-Address = IP.OF.THE.SERVER
>>         NAS-Port = 0
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>> ++[pap] returns noop
>> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject]     expand: %{User-Name} -> MyUser
>>  attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 92 with timestamp +3710
>> Ready to process requests.
>>
>>
>>
>> Now what should I do?
>> Thanks in advance.
>>
>>
>>
>> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
>> [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de at lists.freeradius.org]
>> *On Behalf Of* Syed Anwarul Hasan
>> *Sent:* Thursday, 9 October 2008 12:12
>> *To:* FreeRadius users mailing list
>> *Subject:* Re: Problem with ntlm_auth
>>
>>
>>
>> Hi,
>> You can use radtest tool to check with the Server. The Server will return
>> accept-accept message.
>> Other tool includes JRadius Simulator as IVAN told, but I have not used it.
>> Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
>> requests to use ntlm_auth with Active Directory or LDAP server backend (if
>> you have).
>>
>> SYED
>>
>>  On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte at bertelsmann.de>
>> wrote:
>>
>> Thanks, now it works :)
>>
>>
>>
>> Now the last step: How can I test it? What tool/program etc. can/should I
>> use to test it?
>>
>> "The radclient cannot currently be used to send this request,
>> unfortunately, which makes testing a little difficult. If everything goes
>> well, you should see the server returning an Access-Accept
>> <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above."
>>
>>
>>
>> Kind regards
>>
>> Frederik Niedernolte
>> -------------------------------------------------------
>> arvato services
>> An der Autobahn
>> 33310 Gütersloh
>> Germany
>> http://www.arvato-services.de
>> frederik.niedernolte at bertelsmann.de
>> Tel.:      +49 (0)5241 80-40554
>>
>> arvato services GmbH: Registered office Gütersloh | District Court Gütersloh HRB 3826 |
>> Managing Directors Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
>> Südmersen
>>
>>
>>
>> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
>> [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de at lists.freeradius.org]
>> *On Behalf Of* Syed Anwarul Hasan
>> *Sent:* Thursday, 9 October 2008 11:44
>> *To:* FreeRadius users mailing list
>> *Subject:* Re: Problem with ntlm_auth
>>
>>
>>
>> Hi Frederik,
>>
>> 1) Put User entry on *TOP* of users file.
>> 2) In default file, in authenticate section, add *ntlm_auth*. Don't set
>> using Auth-Type.
>> 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner
>> Tunnel. Add *ntlm_auth* in Authenticate Section.
>>
>> I hope it will solve your problem.
>> SYED
>>
>>  On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte at bertelsmann.de>
>> wrote:
>>
>> I have finished all steps till "*user*     Auth-Type := ntlm_auth" from
>> http://deployingradius.com/documents/configuration/active_directory.html.
>>
>> With this command I get this error message at the end of
>> "/usr/sbin/freeradius -X":
>>
>>
>>
>> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
>> Errors reading /etc/freeradius/users
>> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
>> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
>> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
>>  }
>> }
>> Errors initializing modules
>>
>>
>>
>> The authenticate section in the /etc/freeradius/sites-enabled/default
>> looks like this (only important part):
>>
>>
>>
>> authenticate {
>>        #
>>        #  NTLM_AUTH authentication.
>>        Auth-Type ntlm_auth {
>>               ntlm_auth
>>        }
>>
>>
>>
>> What is wrong and what can I do to solve the problem?
>>
>> Thanks in advance.
>>
>> Best regards, F. Niedernolte
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>
>
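As an added example (not part of the original thread and not FreeRADIUS code): a Python script that reads `freeradius -X` debug output like the one quoted above, reports which modules returned `noop` or `notfound` and whether the request was rejected because nothing set an Auth-Type, and masks `User-Password` before the log is posted to a list. The sample text is an abridged, constructed copy of the quoted output; the function names are hypothetical.

```python
import re

# Constructed sample: an abridged copy of the debug output quoted in this thread.
SAMPLE_DEBUG = '''\
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
        User-Name = "MyUser"
        User-Password = "MyPassword"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[unix] returns notfound
++[files] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
'''

MODULE_RESULT = re.compile(r'^\++\[([\w.]+)\] returns (\w+)$')
PASSWORD_ATTR = re.compile(r'^(\s*User-Password = )".*"$')
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"


def redact(debug_text):
    """Mask User-Password values before the log is shared."""
    return "\n".join(PASSWORD_ATTR.sub(r'\1"<redacted>"', line)
                     for line in debug_text.splitlines())


def triage(debug_text):
    """Collect module return codes and flag a reject caused by a missing Auth-Type."""
    results = {}
    no_auth_type = False
    for line in debug_text.splitlines():
        line = line.strip()
        m = MODULE_RESULT.match(line)
        if m:
            results[m.group(1)] = m.group(2)
        elif line.startswith(NO_AUTH_TYPE):
            no_auth_type = True
    # Modules returning noop/notfound did nothing for this request.
    idle = [name for name, rc in results.items() if rc in ("noop", "notfound")]
    return {"results": results, "idle_modules": idle, "no_auth_type": no_auth_type}


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG)
    print(redact(SAMPLE_DEBUG))
    print("No Auth-Type was set:", report["no_auth_type"])
    print("Modules that did nothing:", ", ".join(report["idle_modules"]))
```
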