Problem with MSCHAP and Freeradius authentication
Dhiraj Gaur
dhiraj.gaur at gmail.com
Sat Jan 21 17:14:57 CET 2012
Hi Fajar,
I did read the replies as well as Alan's page. Being a newbie to FR, I
actually started with that only.
On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> Did you REALLY read the replies sent to this list?
> Did you REALLY read Alan's page,
> http://deployingradius.com/documents/configuration/active_directory.html
> to the end?
>
>
The version of radtest on my system doesn't support the -t option, hence
even after doing radtest -h I could not find anything. I settled for
jradius client to achieve the same effect already. Have tried upgrading the
package but it's already at the latest version.
> If yes, you'd know that:
> - radtest can send mschap request as well (see 'radtest -h')
>
The only changes I have done to default config is in the inner tunnel or
default file. Attaching the same if you may have a look. I have never
blamed Alan that his recipe is flawed.
> - Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
> contains detailed instructions on how to make FR work with AD and pap.
> If you can't get it to work, that means you're doing something wrong.
> Probably editing some entries you shouldn't, since your ntlm_auth
> result is OK (which means samba + AD part is working correctly). It's
> perfectly fine to be creative and edit the config file as you see fit,
> but ONLY if you know what you're doing. If you're given a recipe, and
> choose to stray from it, and messed up, don't blame the guy who
> created the recipe.
>
The PAP thing is already working fine, as I mentioned earlier, and I have
followed every bit of Alan's guide. Would redo the things again if it works.
> - Also on Alan's page, there's the section 'Configuring FreeRADIUS to
> use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
> your question, but ONLY if you already got pap working properly.
>
Attaching the inner tunnel and default file; please go through them and
point out if something is amiss.
Default File
------------------------------------------------------------------------------
authorize {
    preprocess
    # auth_log
    chap
    mschap
    # digest
    # wimax
    # IPASS
    suffix
    # ntdomain
    eap {
        ok = return
    }
    # unix
    # files
    # sql
    ntlm_auth
    # etc_smbpasswd
    # ldap
    # checkval
    expiration
    logintime
    pap
    #if(!control:Auth-Type) {
    #    update control {
    #        Auth-Type = "ntlm_auth"
    #    }
    #}
    # Autz-Type Status-Server {
    #
    # }
}

authenticate {
    Auth-Type NTLM_AUTH {
        ntlm_auth
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # digest
    # pam
    # unix
    # Auth-Type LDAP {
    #     ldap
    # }
    eap
    # Auth-Type eap {
    #     eap {
    #         handled = 1
    #     }
    #     if (handled && (Response-Packet-Type == Access-Challenge)) {
    #         attr_filter.access_challenge.post-auth
    #         handled # override the "updated" code from attr_filter
    #     }
    # }
}

INNER TUNNEL FILE
--------------------------------------------------
server inner-tunnel {
    #listen {
    #    ipaddr = 127.0.0.1
    #    port = 18120
    #    type = auth
    #}

    authorize {
        chap
        mschap
        # unix
        # IPASS
        suffix
        # ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        #sql
        ntlm_auth
        # etc_smbpasswd
        # ldap
        # daily
        # checkval
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # pam
        ntlm_auth
        # unix
        # Auth-Type LDAP {
        #     ldap
        # }
        eap
    }

--
Regards
Dhiraj Gaur