freeradius with ntlm-auth and server2012

Carsten Czerner carsten.czerner at leuphana.de
Thu Jan 9 09:39:53 CET 2014


Hi,

I tried to set up a RADIUS server with ntlm_auth but it didn't work. I 
used this HOWTO for the basic setup:

http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

And I made some progress:

- ntlm_auth returned "ok"
- The RADIUS server accepted the PAP auth from the users file

But when I try to enable the ntlm_auth I get these results:

+- entering group authorize {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=peterpan
[ntlm_auth]     expand: --password=%{User-Password} -> --password=1234567
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "peterpan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Why do I get this error?

cat default / inner-tunnel

authenticate {
         #
         #  PAP authentication, when a back-end database listed
         #  in the 'authorize' section supplies a password.  The
         #  password can be clear-text, or encrypted.
         Auth-Type PAP {
                 pap
         }
         Auth-Type ntlm_auth {
                 ntlm_auth
         }
}


Regards
Carsten


-------------- Complete Log

root at rad1:~# freeradius -X
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Dec 16 
2012 at 13:28:43
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
         user = "freerad"
         group = "freerad"
         allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
         name = "freeradius"
         prefix = "/usr"
         localstatedir = "/var"
         sbindir = "/usr/sbin"
         logdir = "/var/log/freeradius"
         run_dir = "/var/run/freeradius"
         libdir = "/usr/lib/freeradius"
         radacctdir = "/var/log/freeradius/radacct"
         hostname_lookups = no
         max_request_time = 30
         cleanup_delay = 5
         max_requests = 1024
         pidfile = "/var/run/freeradius/freeradius.pid"
         checkrad = "/usr/sbin/checkrad"
         debug_level = 0
         proxy_requests = yes
  log {
         stripped_names = no
         auth = yes
         auth_badpass = yes
         auth_goodpass = yes
  }
  security {
         max_attributes = 200
         reject_delay = 1
         status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
         retry_delay = 5
         retry_count = 3
         default_fallback = no
         dead_time = 120
         wake_all_if_all_dead = no
  }
  home_server localhost {
         ipaddr = 127.0.0.1
         port = 1812
         type = "auth"
         secret = "testing123"
         response_window = 20
         max_outstanding = 65536
         require_message_authenticator = yes
         zombie_period = 40
         status_check = "status-server"
         ping_interval = 30
         check_interval = 30
         num_answers_to_alive = 3
         num_pings_to_alive = 3
         revive_interval = 120
         status_check_timeout = 4
   coa {
         irt = 2
         mrt = 16
         mrc = 5
         mrd = 30
   }
  }
  home_server_pool my_auth_failover {
         type = fail-over
         home_server = localhost
  }
  realm example.com {
         auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
radiusd: #### Loading Clients ####
  client localhost {
         ipaddr = 127.0.0.1
         require_message_authenticator = no
         secret = "testing123"
         nastype = "other"
  }
  client 193.174.32.73 {
         require_message_authenticator = no
         secret = "insecure"
         shortname = "firewall"
  }
radiusd: #### Instantiating modules ####
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
   exec {
         wait = no
         input_pairs = "request"
         shell_escape = yes
   }
  Module: Linked to module rlm_expr
  Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
  Module: Linked to module rlm_expiration
  Module: Instantiating module "expiration" from file 
/etc/freeradius/modules/expiration
   expiration {
         reply-message = "Password Has Expired  "
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating module "logintime" from file 
/etc/freeradius/modules/logintime
   logintime {
         reply-message = "You are calling outside your allowed timespan  "
         minimum-timeout = 60
   }
  }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
  modules {
   Module: Creating Auth-Type = NTLM-AUTH
   Module: Creating Auth-Type = digest
   Module: Creating Post-Auth-Type = REJECT
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pap
  Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
   pap {
         encryption_scheme = "auto"
         auto_header = no
   }
  Module: Instantiating module "ntlm_auth" from file 
/etc/freeradius/modules/ntlm_auth
   exec ntlm_auth {
         wait = yes
         program = "/usr/bin/ntlm_auth --request-nt-key --domain=ADINT.DIR --username=%{mschap:User-Name} --password=%{User-Password}"
         input_pairs = "request"
         shell_escape = yes
   }
  Module: Linked to module rlm_chap
  Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
  Module: Linked to module rlm_mschap
  Module: Instantiating module "mschap" from file 
/etc/freeradius/modules/mschap
   mschap {
         use_mppe = yes
         require_encryption = no
         require_strong = no
         with_ntdomain_hack = yes
         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --domain=%{mschap:NT-Domain} --nt-response=%{%{mschap:NT-Response}:-00}"
         allow_retry = yes
   }
  Module: Linked to module rlm_digest
  Module: Instantiating module "digest" from file 
/etc/freeradius/modules/digest
  Module: Linked to module rlm_unix
  Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
   unix {
         radwtmp = "/var/log/freeradius/radwtmp"
   }
  Module: Linked to module rlm_eap
  Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
   eap {
         default_eap_type = "peap"
         timer_expire = 60
         ignore_unknown_eap_types = no
         cisco_accounting_username_bug = no
         max_sessions = 4096
   }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
    gtc {
         challenge = "Password: "
         auth_type = "PAP"
    }
  Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
    tls {
         rsa_key_exchange = no
         dh_key_exchange = yes
         rsa_key_length = 512
         dh_key_length = 512
         verify_depth = 0
         CA_path = "/etc/freeradius/certs"
         pem_file_type = yes
         private_key_file = "/etc/freeradius/certs/server.key"
         certificate_file = "/etc/freeradius/certs/server.pem"
         CA_file = "/etc/freeradius/certs/ca.pem"
         private_key_password = "whatever"
         dh_file = "/etc/freeradius/certs/dh"
         random_file = "/dev/urandom"
         fragment_size = 1024
         include_length = yes
         check_crl = no
         cipher_list = "DEFAULT"
         make_cert_command = "/etc/freeradius/certs/bootstrap"
         ecdh_curve = "prime256v1"
     cache {
         enable = no
         lifetime = 24
         max_entries = 255
     }
     verify {
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1/ocsp/"
     }
    }
  Module: Linked to sub-module rlm_eap_ttls
  Module: Instantiating eap-ttls
    ttls {
         default_eap_type = "md5"
         copy_request_to_tunnel = no
         use_tunneled_reply = no
         virtual_server = "inner-tunnel"
         include_length = yes
    }
  Module: Linked to sub-module rlm_eap_peap
  Module: Instantiating eap-peap
    peap {
         default_eap_type = "mschapv2"
         copy_request_to_tunnel = no
         use_tunneled_reply = no
         proxy_tunneled_request_as_eap = yes
         virtual_server = "inner-tunnel"
         soh = no
    }
  Module: Linked to sub-module rlm_eap_mschapv2
  Module: Instantiating eap-mschapv2
    mschapv2 {
         with_ntdomain_hack = no
         send_error = no
    }
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating module "preprocess" from file 
/etc/freeradius/modules/preprocess
   preprocess {
         huntgroups = "/etc/freeradius/huntgroups"
         hints = "/etc/freeradius/hints"
         with_ascend_hack = no
         ascend_channels_per_line = 23
         with_ntdomain_hack = no
         with_specialix_jetstream_hack = no
         with_cisco_vsa_hack = no
         with_alvarion_vsa_hack = no
   }
  Module: Linked to module rlm_realm
  Module: Instantiating module "suffix" from file 
/etc/freeradius/modules/realm
   realm suffix {
         format = "suffix"
         delimiter = "@"
         ignore_default = no
         ignore_null = no
   }
  Module: Linked to module rlm_files
  Module: Instantiating module "files" from file 
/etc/freeradius/modules/files
   files {
         usersfile = "/etc/freeradius/users"
         acctusersfile = "/etc/freeradius/acct_users"
         preproxy_usersfile = "/etc/freeradius/preproxy_users"
         compat = "no"
   }
  Module: Checking preacct {...} for more modules to load
  Module: Linked to module rlm_acct_unique
  Module: Instantiating module "acct_unique" from file 
/etc/freeradius/modules/acct_unique
   acct_unique {
         key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
   }
  Module: Checking accounting {...} for more modules to load
  Module: Linked to module rlm_detail
  Module: Instantiating module "detail" from file 
/etc/freeradius/modules/detail
   detail {
         detailfile = 
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
         header = "%t"
         detailperm = 384
         dirperm = 493
         locking = no
         log_packet_header = no
   }
  Module: Linked to module rlm_radutmp
  Module: Instantiating module "radutmp" from file 
/etc/freeradius/modules/radutmp
   radutmp {
         filename = "/var/log/freeradius/radutmp"
         username = "%{User-Name}"
         case_sensitive = yes
         check_with_nas = yes
         perm = 384
         callerid = yes
   }
  Module: Linked to module rlm_attr_filter
  Module: Instantiating module "attr_filter.accounting_response" from 
file /etc/freeradius/modules/attr_filter
   attr_filter attr_filter.accounting_response {
         attrsfile = "/etc/freeradius/attrs.accounting_response"
         key = "%{User-Name}"
         relaxed = no
   }
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  Module: Instantiating module "attr_filter.access_reject" from file 
/etc/freeradius/modules/attr_filter
   attr_filter attr_filter.access_reject {
         attrsfile = "/etc/freeradius/attrs.access_reject"
         key = "%{User-Name}"
         relaxed = no
   }
  } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
         type = "auth"
         ipaddr = *
         port = 0
}
listen {
         type = "acct"
         ipaddr = *
         port = 0
}
listen {
         type = "auth"
         ipaddr = 127.0.0.1
         port = 18120
}
  ... adding new socket proxy address * port 35911
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server 
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 46572, id=207, length=78
         User-Name = "peterpan"
         User-Password = "1234567"
         NAS-IP-Address = 127.0.1.1
         NAS-Port = 1812
         Message-Authenticator = 0x20147fc89d9fff841e5fa13785e48b9a
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=peterpan
[ntlm_auth]     expand: --password=%{User-Password} -> --password=1234567
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "peterpan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [peterpan/1234567] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> peterpan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 207 to 127.0.0.1 port 46572
Waking up in 4.9 seconds.
Cleaning up request 0 ID 207 with timestamp +5
Ready to process requests.

-- 
Kind regards
Dipl. Inform. (FH) Carsten Czerner
Medien- und Informationszentrum (MIZ)
Leuphana Universität Lüneburg
Scharnhorststraße 1, C7.217
21335 Lüneburg
Phone 04131.677-1241
Fax 04131.677-1246
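Editor's note, not part of the original post: the debug log above shows the ntlm_auth exec module being called from the authorize section (it is the first module listed there), where its "ok" return only means the program exited 0; it does not set an Auth-Type. Nothing else in that authorize run sets one either (pap is absent from the list, files returns noop), so the server reaches the end of authorize with no authentication method selected and rejects the request. In FreeRADIUS 2.1.x the usual fix is to select the Auth-Type explicitly in authorize and leave the exec module in the authenticate block only. The following is an added configuration example written for this page, not the HOWTO's or the poster's own config; the list names (authorize, authenticate), the `control:Auth-Type` unlang idiom and the `eap { ok = return }` pattern are standard 2.x syntax, while the exact module ordering is an assumption about a default-derived `sites-enabled/default` (the same additions apply to `inner-tunnel` for TTLS/PAP).

```text
# sites-enabled/default (and inner-tunnel), FreeRADIUS 2.1.x, added example
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return    # EAP sets its own Auth-Type; skip the rest
        }
        files
        expiration
        logintime

        # Added: choose ntlm_auth only for plain-text PAP requests that
        # nothing earlier (mschap, files, eap) has already claimed.
        # "ntlm_auth" must match the Auth-Type name defined in authenticate;
        # the startup log above shows it registered as "Auth-Type = NTLM-AUTH".
        if (User-Password && !control:Auth-Type) {
                update control {
                        Auth-Type := ntlm_auth
                }
        }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap          # uses the ntlm_auth command set in modules/mschap
        }
        # The exec module from modules/ntlm_auth belongs only here, not in
        # authorize: exit status 0 -> Access-Accept, non-zero -> Access-Reject.
        Auth-Type ntlm_auth {
                ntlm_auth
        }
        eap
}
```

Two caveats visible in the posted log: the PAP path hands the user's password to ntlm_auth as a command-line argument (`--password=%{User-Password}`), which `freeradius -X` prints in clear text and which any local user can read from the process list while ntlm_auth runs, so prefer MS-CHAPv2 (PEAP or EAP-MSCHAPv2 via the mschap module, which passes only the challenge and NT-Response) wherever the clients support it. The log also shows the shared secrets `testing123` and `insecure` and the TLS `private_key_password = "whatever"`, all of which are sample values that should be replaced before the server faces real NAS devices.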


More information about the Freeradius-Users mailing list