Getting PAP to work with ntlm_auth

Neil Prockter n.prockter at lse.ac.uk
Mon Jun 14 15:47:48 CEST 2010


Hello

I want to authenticate users against Active Directory for EAP-MSCHAPv2
and PAP.  PAP is for a wireless web authentication redirection service
that authenticates using PAP, and it's PAP I'm trying to debug, not MSCHAP,
at present.

I've been following
http://deployingradius.com/documents/configuration/active_directory.html

All goes well until I get towards the end.

Once I remove
DEFAULT Auth-Type = ntlm_auth
from users, PAP stops working.

Where do I add the configuration to allow PAP to continue with ntlm_auth
rather than just failing?

With the setting I get success:

Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "np", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] No EAP-Message, not doing EAP
Info: ++[eap] returns noop
Info: ++[unix] returns notfound
Info: [files] users: Matched entry DEFAULT at line 1
Info: ++[files] returns ok
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: [pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Info: ++[pap] returns noop
Info: Found Auth-Type = ntlm_auth
Info: +- entering group authenticate {...}
Info: [ntlm_auth]  expand: --username=%{mschap:User-Name} -> --username=ID
Info: [ntlm_auth]  expand: --password=%{User-Password} -> --password=SECRET
Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Debug: Exec-Program: returned: 0
Info: ++[ntlm_auth] returns ok
Info: +- entering group post-auth {...}
Info: ++[exec] returns noop
Sending Access-Accept of id 243 to 158.143.207.212 port 42687

Without it, no ntlm is attempted:

Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "np", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] No EAP-Message, not doing EAP
Info: ++[eap] returns noop
Info: ++[unix] returns notfound
Info: ++[files] returns noop
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: [pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Info: ++[pap] returns noop
Info: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
Info: Failed to authenticate the user.
Info: Using Post-Auth-Type Reject
Info: +- entering group REJECT {...}
Info: [attr_filter.access_reject]  expand: %{User-Name} -> ID
Debug:  attr_filter: Matched entry DEFAULT at line 11
Info: ++[attr_filter.access_reject] returns updated
Info: Delaying reject of request 0 for 1 seconds
Debug: Going to the next request
Debug: Waking up in 0.9 seconds.
Info: Sending delayed reject for request 0
Sending Access-Reject of id 7 to 158.143.207.212 port 53676


TIA,

Neil
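
Added example, not part of the original post: a small Python triage script that compares two debug traces like the ones above and reports which authorize module changed its result and whether an Auth-Type was ever selected. The function names are hypothetical, and the sample input is constructed by abridging the two traces in the post.

```python
import re

# Constructed sample input: debug lines abridged from the two traces in the post.
WITH_DEFAULT = """\
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: [files] users: Matched entry DEFAULT at line 1
Info: ++[files] returns ok
Info: ++[pap] returns noop
Info: Found Auth-Type = ntlm_auth
Info: +- entering group authenticate {...}
Info: ++[ntlm_auth] returns ok
"""
WITHOUT_DEFAULT = """\
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[files] returns noop
Info: ++[pap] returns noop
Info: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
"""

SECTION = re.compile(r"entering group (\S+)")
RESULT = re.compile(r"\+\+\[([^\]]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"Found Auth-Type = (\S+)")

def parse_trace(text):
    """Return (per-section module results, Auth-Type or None, no-Auth-Type reject flag)."""
    results, section, auth_type, no_method = {}, None, None, False
    for line in text.splitlines():
        if m := SECTION.search(line):
            section = m.group(1)
            results.setdefault(section, {})
        elif (m := RESULT.search(line)) and section:
            results[section][m.group(1)] = m.group(2)
        elif m := AUTH_TYPE.search(line):
            auth_type = m.group(1)
        elif "No authenticate method (Auth-Type)" in line:
            no_method = True
    return results, auth_type, no_method

def authorize_diff(good, bad):
    """Modules whose authorize result differs between traces: {module: (good, bad)}."""
    g = parse_trace(good)[0].get("authorize", {})
    b = parse_trace(bad)[0].get("authorize", {})
    mods = sorted(g.keys() | b.keys())
    return {m: (g.get(m), b.get(m)) for m in mods if g.get(m) != b.get(m)}

if __name__ == "__main__":
    print(authorize_diff(WITH_DEFAULT, WITHOUT_DEFAULT))
    print(parse_trace(WITHOUT_DEFAULT)[1:])
```

On these traces the only authorize module whose result changes is `files`, which is the step that stops supplying an Auth-Type once the DEFAULT entry is gone.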
