Windows Pre-Login Auth

Scott Hughes scott at renshawauto.net
Sat Sep 10 17:52:31 CEST 2011


-----Original Message-----
> From: freeradius-users-bounces+scott=renshawauto.net at lists.freeradius.org [mailto:freeradius-users-bounces+scott=renshawauto.net at lists.freeradius.org] On Behalf Of Commonn Systems
> Sent: Friday, September 09, 2011 4:54 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Windows Pre-Login Auth
> 
> Once you have Samba and AD talking via winbind, it is pretty
> straightforward.
> You can configure all the machines via Group Policy. I have used this post,
> pretty much to the T:
> http://lists.cistron.nl/pipermail/freeradius-users/2009-March/msg00231.html
> 
> Good luck
> 

I am running into an issue attempting to make FreeRadius authenticate via
AD.  I am using FreeRadius version: 2.1.7, for host x86_64-redhat-linux-gnu
and I am using the following version for Samba/Winbind:  3.5.4-0.70.el5_6.1

I can join the domain and get a list of users, and complete the ntlm_auth
step successfully.

However, when I attempt to use a real AD username and password I get an
Access-Reject.  

----------------------------------------------------------------------------

Here is the command I am sending to the FreeRadius server:

radtest scott kjsdfh7823 localhost 0 testing123

----------------------------------------------------------------------------

Here is what the Radius -X output shows:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38,
length=57
        User-Name = "scott"
        User-Password = "kjsdfh7823"
        NAS-IP-Address = 10.119.189.35
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "scott", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> scott
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 38 to 127.0.0.1 port 49689
Waking up in 4.9 seconds.
Cleaning up request 0 ID 38 with timestamp +17
Ready to process requests.
----------------------------------------------------------------------------

I think the line above (in the radius -X output) that reads, "[mschap] No
MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not
testing it properly for MS-Chap - sending a cleartext username and password
instead of what the MS-Chap module expects?).

Any assistance would be greatly appreciated. I have and am continuing to
scour the internet for anything that might fix this issue.

Thanks,
Scott
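The radiusd -X trace quoted in the message is the most useful evidence in this thread, and the question of "which module rejected, and why" comes up often when reading such traces. The following is an added example (not part of the original message or of FreeRADIUS itself): a small Python triage script that parses a -X excerpt into the request attributes, the per-module return codes in the authorize section, the Auth-Type that was selected, any module warnings, and the first module that returned reject together with its last diagnostic line. The sample input is the trace from the post, lightly trimmed (the two-line pap warning joined into one line). The findings it prints are inferences from those visible lines, labelled as such in the code, not a verified fix for the poster's setup.

```python
import re

# Constructed sample: the radiusd -X excerpt from the post, trimmed to the
# lines the parser needs.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57
        User-Name = "scott"
        User-Password = "kjsdfh7823"
        NAS-IP-Address = 10.119.189.35
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "scott", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
Sending Access-Reject of id 38 to 127.0.0.1 port 49689
"""

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')        # indented attribute lines
RETURN_RE = re.compile(r'^\+\+\[([\w.-]+)\] returns (\w+)$')  # ++[module] returns rc
GROUP_RE = re.compile(r'^\+- entering group (\S+)')           # +- entering group X {...}
AUTH_TYPE_RE = re.compile(r'^Found Auth-Type = (\S+)$')
MSG_RE = re.compile(r'^\[([\w.-]+)\] (.*)$')                  # [module] diagnostic text
OUTCOME_RE = re.compile(r'^Sending (Access-\w+) of id (\d+)')


def parse_debug(text):
    """Reduce a radiusd -X excerpt to the facts needed for triage."""
    summary = {
        "request": {},      # attributes in the incoming Access-Request
        "authorize": [],    # (module, return code) inside the authorize group
        "auth_type": None,  # value of "Found Auth-Type = ..."
        "warnings": [],     # (module, message) for lines containing WARNING
        "reject": None,     # (module, its last diagnostic line) for the first reject
        "outcome": None,    # Access-Accept / Access-Reject actually sent
    }
    group = None
    last_msg = {}           # last diagnostic line seen per module
    for line in text.splitlines():
        line = line.rstrip()
        m = ATTR_RE.match(line)
        if m and group is None:     # attributes are listed before any group runs
            summary["request"][m.group(1)] = m.group(2).strip('"')
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = AUTH_TYPE_RE.match(line)
        if m:
            summary["auth_type"] = m.group(1)
            continue
        m = MSG_RE.match(line)
        if m:
            mod, msg = m.groups()
            last_msg[mod] = msg
            if "WARNING" in msg:
                summary["warnings"].append((mod, msg))
            continue
        m = RETURN_RE.match(line)
        if m:
            mod, rc = m.groups()
            if group == "authorize":
                summary["authorize"].append((mod, rc))
            if rc == "reject" and summary["reject"] is None:
                summary["reject"] = (mod, last_msg.get(mod, ""))
            continue
        m = OUTCOME_RE.match(line)
        if m:
            summary["outcome"] = m.group(1)
    return summary


def diagnose(summary):
    """Turn the parsed facts into human-readable findings (inferences, not a verified fix)."""
    findings = []
    attrs = summary["request"]
    if (summary["auth_type"] == "MSCHAP"
            and "User-Password" in attrs
            and "MS-CHAP-Challenge" not in attrs):
        findings.append(
            "Auth-Type is MSCHAP but the request carries a cleartext User-Password "
            "and no MS-CHAP-Challenge: the mschap module only checks "
            "MS-CHAP-Challenge/MS-CHAP-Response pairs, so it rejects before any "
            "password comparison happens.")
    for mod, msg in summary["warnings"]:
        if mod == "pap" and "known good" in msg:
            findings.append(
                "pap found no known-good password: nothing in authorize supplied a "
                "password attribute such as Cleartext-Password or NT-Password, so "
                "pap could not authenticate this request itself.")
    if summary["reject"]:
        mod, msg = summary["reject"]
        findings.append(f"Rejecting module: {mod} ({msg}); server sent {summary['outcome']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

The parser deliberately tracks which group a "++[module] returns" line belongs to, because the same module name (mschap here) appears in both authorize and the authenticate group with different meanings: a noop in authorize only says the request did not look like MS-CHAP, while a reject in the MS-CHAP authenticate group is the actual failure.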
