Windows Pre-Login Auth

Commonn Systems admin at commonn.com
Sat Sep 10 20:30:20 CEST 2011


What does your mschap module configuration look like? Having the radiusd 
-X output before the request would be helpful too.

Gondar


On 9/10/2011 8:52 AM, Scott Hughes wrote:
>> -----Original Message-----
>> From: freeradius-users-bounces+scott=renshawauto.net at lists.freeradius.org [mailto:freeradius-users-bounces+scott=renshawauto.net at lists.freeradius.org] On Behalf Of Commonn Systems
>> Sent: Friday, September 09, 2011 4:54 PM
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: Windows Pre-Login Auth
>>
>> Once you have Samba and AD talking via winbind, it is pretty straightforward.
>> You can configure all the machines via Group Policy. I have used this post,
>> pretty much to the T:
>> http://lists.cistron.nl/pipermail/freeradius-users/2009-March/msg00231.html
>>
>> Good luck
>>
> I am running into an issue attempting to make FreeRadius authenticate via
> AD.  I am using FreeRadius version: 2.1.7, for host x86_64-redhat-linux-gnu
> and I am using the following version for Samba/Winbind:  3.5.4-0.70.el5_6.1
>
> I can join the domain and get a list of users, and complete the ntlm_auth
> step successfully.
>
> However, when I attempt to use a real AD username and password I get an
> Access-Reject.
>
> ----------------------------------------------------------------------------
>
> Here is the command I am sending to the FreeRadius server:
>
> radtest scott kjsdfh7823 localhost 0 testing123
>
> ----------------------------------------------------------------------------
>
> Here is what the Radius -X output shows:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57
>          User-Name = "scott"
>          User-Password = "kjsdfh7823"
>          NAS-IP-Address = 10.119.189.35
>          NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "scott", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 206
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No MS-CHAP-Challenge in the request
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->  scott
>   attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 38 to 127.0.0.1 port 49689
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 38 with timestamp +17
> Ready to process requests.
> ----------------------------------------------------------------------------
>
> I think the line above (in the radius -X output) that reads, "[mschap] No
> MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not
> testing it properly for MS-Chap - sending a cleartext username and password
> instead of what the MS-Chap module expects?).
>
> Any assistance would be greatly appreciated. I have and am continuing to
> scour the internet for anything that might fix this issue.
>
> Thanks,
> Scott
>
>
>
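The mismatch visible in the debug output quoted above (a request carrying User-Password that is then handled under Auth-Type MSCHAP) can be checked mechanically from a `radiusd -X` capture. This is an added example, not part of the original thread or of FreeRADIUS: `diagnose` and its messages are hypothetical, the sample is abridged from the quoted output with the password redacted, and pointing at the matched users entry as the place to look for a forced Auth-Type is an assumption.

```python
import re

# Abridged from the radiusd -X output quoted above (password redacted).
SAMPLE = '''\
rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57
         User-Name = "scott"
         User-Password = "<redacted>"
         NAS-IP-Address = 10.119.189.35
         NAS-Port = 0
+- entering group authorize {...}
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
'''

ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')
AUTH_TYPE = re.compile(r'^Found Auth-Type = (\S+)')
MATCHED = re.compile(r'^\[files\] users: Matched entry (\S+) at line (\d+)')

def diagnose(debug_text):
    """Return (request_attrs, auth_type, findings) for one debugged request."""
    attrs, auth_type, users_entry, in_request = {}, None, None, False
    for raw in debug_text.splitlines():
        line = re.sub(r'^(>\s?)+', '', raw)      # drop e-mail quote markers
        if line.startswith('rad_recv:'):
            in_request = True                    # attribute list follows
        elif line.startswith('+'):
            in_request = False                   # module processing began
        elif in_request and (m := ATTR.match(line)):
            attrs[m.group(1)] = m.group(2).strip('"')
        elif (m := AUTH_TYPE.match(line)):
            auth_type = m.group(1)
        elif (m := MATCHED.match(line)):
            users_entry = (m.group(1), int(m.group(2)))
    findings = []
    # The mschap authenticate section needs MS-CHAP-Challenge in the request.
    if auth_type == 'MSCHAP' and 'MS-CHAP-Challenge' not in attrs:
        kind = 'PAP (User-Password)' if 'User-Password' in attrs else 'non-MS-CHAP'
        findings.append(f'{kind} request was sent to Auth-Type MSCHAP')
        if users_entry:   # assumption: the matched users entry may force Auth-Type
            findings.append('check users entry %s at line %d for a forced Auth-Type' % users_entry)
    return attrs, auth_type, findings
```

The function also accepts the output as pasted from a quoted e-mail, since leading `>` markers are stripped before parsing.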



