FR/AD integration

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Sat Feb 19 09:39:37 CET 2011


Hi,

>    Trying to use FR to query AD as an authentication oracle and set up per
>    the docs at
>    [1]http://deployingradius.com/documents/configuration/active_directory.html
>    and several others pertaining to setting up Kerberos and winbind.

read the output - it's clearly failing on the ntlm_auth line - which is
being called without any available username - you have configured it to use
--username=%{mschap:User-Name} - which is all well and good, but radtest
is a plain PAP method so no mschap present. if you want to use ntlm_auth in all
kinds of weather, then you need to follow the docs and guides to ensure that username
is fed a username if given any other form of 'feed'. OR, if you really know
that it's only going to ever get MSCHAP requests, then use a suitable tool to
feed it such tests - eapol_test from the wpa_supplicant package, or the rad_eap_test
stuff which is supplied with newer versions of FreeRADIUS (best to use 2.1.10 if
you have a new install anyway)

here:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{Stripped-User-Name}:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


that sort of construct would ensure that if mschap:user-name has no value, then it'll fall back
to stripped-user-name... and then back to user-name before just being blank


>    DEFAULT     Auth-Type = ntlm_auth

don't do that - you really don't need to do that.


alan
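As an added illustration (not part of Alan's post and not FreeRADIUS code), the following Python models the nested "%{ref:-fallback}" expansion used in that ntlm_auth line, so the difference between what a plain PAP radtest request and an MS-CHAP request feed to --username= is visible. The request dictionaries are constructed samples, and "mschap:User-Name" is treated as a plain lookup key, a simplification of the real mschap module xlat.

```python
# Added example (not from the post or from FreeRADIUS): a toy expander for the
# nested "%{ref:-fallback}" xlat syntax in the ntlm_auth line above.  Only that
# form is modelled; "mschap:User-Name" is a plain key in the request dict here.
FALLBACK_USERNAME = "%{%{mschap:User-Name}:-%{%{Stripped-User-Name}:-%{User-Name:-None}}}"
ORIGINAL_USERNAME = "%{mschap:User-Name}"   # what the poster had: no fallback

def _matching_brace(s, open_idx):
    """Index of the '}' closing the '{' at open_idx."""
    depth = 0
    for k in range(open_idx, len(s)):
        depth += {"{": 1, "}": -1}.get(s[k], 0)
        if depth == 0:
            return k
    raise ValueError("unbalanced braces in xlat: " + s)

def _lookup(ref, attrs):
    """ref is either a nested %{...} or a bare attribute / module-xlat name."""
    return expand(ref, attrs) if ref.startswith("%{") else attrs.get(ref, "")

def _expand_ref(inner, attrs):
    """inner sits between %{ and its matching }.  Split at the first ':-' at
    brace depth 0; the fallback is expanded only if the reference is empty."""
    depth = 0
    for k, ch in enumerate(inner):
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth == 0 and inner.startswith(":-", k):
            value = _lookup(inner[:k], attrs)
            return value or expand(inner[k + 2:], attrs)
    return _lookup(inner, attrs)

def expand(template, attrs):
    """Expand every %{...} in template against attrs (attribute name -> value)."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _matching_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2:j], attrs))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# Constructed sample requests: what radtest (plain PAP) carries versus MS-CHAP.
PAP_REQUEST = {"User-Name": "alice", "User-Password": "secret"}
MSCHAP_REQUEST = {"User-Name": "EXAMPLE\\alice", "mschap:User-Name": "alice"}

if __name__ == "__main__":
    for label, req in (("PAP", PAP_REQUEST), ("MS-CHAP", MSCHAP_REQUEST)):
        print(label, "original:", repr(expand(ORIGINAL_USERNAME, req)),
              "fallback:", repr(expand(FALLBACK_USERNAME, req)))
```

With the PAP request the original template expands to an empty string, which is the missing username in the debug output; the fallback chain yields "alice" for both request types.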


