ntlm_auth fails for none domain

John elmer_radius at yahoo.com.cn
Mon Jul 5 09:39:26 CEST 2010


 This is the debug info when I use freeRADIUS-1.1.6.
 
  rad_recv: Access-Request packet from host 10.155.20.85:32790, id=171, length=125
   --> Service-Type = Authorize-Only
   --> NAS-Port-Type = Wireless-802.11
   --> User-Name = "hhe"
   --> MS-CHAP-Challenge = 0x837a4fb32a47a5bda0c24d5e4329fcdc
   --> MS-CHAP2-Response = 0xe40069bdb5799e2fa75ccc2d53415669f4d900000000000000008cad47a91a94b2a475bda048fda283bf23e702b5129a3164
   --> NAS-IP-Address = 10.155.20.85
   Processing the authorize section of radiusd.conf
   modcall: entering group authorize for request 2
   modsingle[authorize]: calling chap (rlm_chap) for request 2
   modsingle[authorize]: returned from chap (rlm_chap) for request 2
   modcall[authorize]: module "chap" returns noop for request 2
   modsingle[authorize]: calling mschap (rlm_mschap) for request 2
   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
   modsingle[authorize]: returned from mschap (rlm_mschap) for request 2
   modcall[authorize]: module "mschap" returns ok for request 2
   modsingle[authorize]: calling eap (rlm_eap) for request 2
   rlm_eap: No EAP-Message, not doing EAP
   modsingle[authorize]: returned from eap (rlm_eap) for request 2
   modcall[authorize]: module "eap" returns noop for request 2
   modsingle[authorize]: calling ldap (rlm_ldap) for request 2
   rlm_ldap: - authorize
   rlm_ldap: performing user authorization for hhe
   radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
   radius_xlat:  '(sAMAccountName=hhe)'
   radius_xlat:  'dc=xjtu,dc=cn'
   rlm_ldap: ldap_get_conn: Checking Id: 0
   rlm_ldap: ldap_get_conn: Got Id: 0
   rlm_ldap: No default NMAS login sequence
   rlm_ldap: looking for check items in directory...
   rlm_ldap: looking for reply items in directory...
   rlm_ldap: ldap_release_conn: Release Id: 0
   modsingle[authorize]: returned from ldap (rlm_ldap) for request 2
   modcall[authorize]: module "ldap" returns ok for request 2
   modsingle[authorize]: calling ldap (rlm_ldap) for request 2
   modsingle[authorize]: calling pap (rlm_pap) for request 2
   rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
   modsingle[authorize]: returned from pap (rlm_pap) for request 2
   modcall[authorize]: module "pap" returns noop for request 2
   modcall: leaving group authorize (returns ok) for request 2
   rad_check_password:  Found Auth-Type MS-CHAP
   auth: type "MS-CHAP"
   Processing the authenticate section of radiusd.conf
   modcall: entering group MS-CHAP for request 2
   modsingle[authenticate]: calling mschap (rlm_mschap) for request 2
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for hhe with NT-Password
   radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
   rlm_mschap: No NT-Domain was found in the User-Name.
   radius_xlat:  '--domain=xjtu'
   radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
   radius_xlat:  '--username=hhe'
   radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
   mschap2: 83
   radius_xlat:  '--challenge=cfdb7016e508348d'
   radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
   radius_xlat:  '--nt-response=8cad47a91a94b2a475bda048fda283bf23e702b5129a3164'
   rlm_mschap: adding MS-CHAPv2 MPPE keys
   modsingle[authenticate]: returned from mschap (rlm_mschap) for request 2
   modcall[authenticate]: module "mschap" returns ok for request 2
   modcall: leaving group MS-CHAP (returns ok) for request 2
   Sending Access-Accept of id 171 to 10.155.20.85 port 32790
   --> MS-CHAP2-Success = 0xe4533d41313535304434313643373437413542363236393941394135393532374335424630423438384537
   --> MS-MPPE-Recv-Key = 0x6ac9*
   --> MS-MPPE-Send-Key = 0xcfe2*
   --> MS-MPPE-Encryption-Policy = 0x00000001
   --> MS-MPPE-Encryption-Types = 0x00000006
   Finished request 2


--- On Mon, 5 Jul 2010, John <elmer_radius at yahoo.com.cn> wrote:


From: John <elmer_radius at yahoo.com.cn>
Subject: Re: ntlm_auth fails for none domain
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Date: Monday, 5 July 2010, 3:06 PM

Yes. You are right. If I use hhe at xjtu.cn, it will work.
 
If I use the old freeRADIUS-1.1.6, the username "hhe" works well. I think it is because I set the default domain name "xjtu" in the mschap module (ntlm_auth). But freeRADIUS-2.1.9 could not work without a domain.
 
----
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-xjtu} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


--- On Fri, 2 Jul 2010, Alan DeKok <aland at deployingradius.com> wrote:


From: Alan DeKok <aland at deployingradius.com>
Subject: Re: ntlm_auth fails for none domain
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Date: Friday, 2 July 2010, 3:45 PM


John wrote:
> Hi,
> It is the whole debug info. I think the problem is we could not get the
> default domain name "xjtu".

  Because the username does not include the domain.

  Log in with "hhe at xjtu.cn", and it will work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 
-----Attachment content follows-----




      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100705/b49bf1b9/attachment.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: FR1.1.6_debug.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100705/b49bf1b9/attachment.txt>
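An added example, not part of the original thread and not FreeRADIUS code: a small Python check that rebuilds the ntlm_auth arguments from the radius_xlat lines of a debug log and reports whether the `:-xjtu` default in `%{mschap:NT-Domain:-xjtu}` supplied the domain. The sample lines are copied from the 1.1.6 output above; the function name and result keys are assumptions made for this illustration.

```python
import re

# Lines copied from the FreeRADIUS 1.1.6 debug output quoted in this post.
DEBUG_LOG = """\
--> MS-CHAP2-Response = 0xe40069bdb5799e2fa75ccc2d53415669f4d900000000000000008cad47a91a94b2a475bda048fda283bf23e702b5129a3164
rlm_mschap: No NT-Domain was found in the User-Name.
radius_xlat:  '--domain=xjtu'
radius_xlat:  '--username=hhe'
radius_xlat:  '--challenge=cfdb7016e508348d'
radius_xlat:  '--nt-response=8cad47a91a94b2a475bda048fda283bf23e702b5129a3164'
"""

XLAT_ARG = re.compile(r"radius_xlat:\s+'--([a-z-]+)=([^']*)'")
RESPONSE = re.compile(r"MS-CHAP2-Response = 0x([0-9a-fA-F]+)")
NO_DOMAIN = "No NT-Domain was found in the User-Name"


def analyse(log_text):
    """Rebuild the ntlm_auth arguments from radius_xlat lines and check them."""
    args, response, no_domain = {}, None, False
    for line in log_text.splitlines():
        if NO_DOMAIN in line:
            no_domain = True
        if (m := XLAT_ARG.search(line)):
            args[m.group(1)] = m.group(2)
        if (m := RESPONSE.search(line)):
            response = bytes.fromhex(m.group(1))
    result = {"args": args}
    # A non-empty --domain after "No NT-Domain was found" means the
    # ":-default" part of %{mschap:NT-Domain:-xjtu} supplied the value.
    result["default_domain_used"] = no_domain and bool(args.get("domain"))
    # Flags a --domain= argument that expanded to nothing.
    result["domain_empty"] = args.get("domain") == ""
    # The NT-Response is the last 24 bytes of the MS-CHAP2-Response
    # attribute; it should reach ntlm_auth unchanged.
    result["nt_response_intact"] = (
        response is not None
        and response[-24:].hex() == args.get("nt-response", "").lower())
    # For MS-CHAPv2 the log shows an 8-byte (16 hex digit) --challenge,
    # not the 16-byte MS-CHAP-Challenge attribute.
    result["challenge_len_ok"] = len(args.get("challenge", "")) == 16
    return result


if __name__ == "__main__":
    for key, value in analyse(DEBUG_LOG).items():
        print(key, value)
```

Running the same check over the `radiusd -X` output of the 2.1.9 server shows whether `--domain` still expands to `xjtu` there.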

