FreeRADIUS with NTLM Auth not returning VSA after successful auth

Sipes, Nathan Nathan_Sipes at kindermorgan.com
Tue Nov 23 23:59:30 CET 2010


I am having two problems and not sure where to look
From the Users file

userjeff Cleartext-Password := "BADPASS"
                Juniper-Local-User-Name = "engineer",
                Service-Type = Login-User,
                Reply-Message = "Hello, %{User-Name}",
                Fall-Through = Yes



1. With the DEFAULT Auth-Type = ntlm_auth

   a. The NAS gets an accept back but the attribute Juniper-Local-User-Name is not passed back

cat /var/log/radius/radacct/10.34.250.14/reply-detail-20101123

Tue Nov 23 15:44:34 2010
                Packet-Type = Access-Accept

2. With the DEFAULT Auth-Type = ntlm_auth commented out PAP isn't happy and I get

Ready to process requests.
rad_recv: Access-Request packet from host 10.34.250.14 port 62435, id=126, length=71
        User-Name = "userjeff"
        User-Password = "some_password"
        NAS-Identifier = "LKWDCO93S14-lab"
        NAS-IP-Address = 10.34.250.14
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.34.250.14/auth-detail-20101123
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.34.250.14/auth-detail-20101123
[auth_log]      expand: %t -> Tue Nov 23 15:57:13 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "userjeff", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "userjeff", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry userjeff at line 107
[files]         expand: Hello, %{User-Name} -> Hello, userjeff
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
Login incorrect: [userjeff/some_password] (from client default-network port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> userjeff
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 126 to 10.34.250.14 port 62435
        Reply-Message = "Hello, userjeff"

From radius -X
rad_recv: Access-Request packet from host 10.34.250.14 port 51941, id=158, length=71
        User-Name = "userjeff"
        User-Password = "some_password"
        NAS-Identifier = "LKWDCO93S14-lab"
        NAS-IP-Address = 10.34.250.14
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.34.250.14/auth-detail-20101123
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.34.250.14/auth-detail-20101123
[auth_log]      expand: %t -> Tue Nov 23 15:44:34 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "userjeff", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "userjeff", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 94
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=userjeff
[ntlm_auth]     expand: --password=%{User-Password} -> --password=some_password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [userjeff] (from client default-network port 0)
+- entering group post-auth {...}
[reply_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.34.250.14/reply-detail-20101123
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.34.250.14/reply-detail-20101123
[reply_log]     expand: %t -> Tue Nov 23 15:44:34 2010
++[reply_log] returns ok
++[exec] returns noop
Sending Access-Accept of id 158 to 10.34.250.14 port 51941
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 158 with timestamp +15
Ready to process requests.
