<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div>Thanks Alan for your answer.<br>I followed your documentation and succeeded with the part "Configuring FreeRADIUS to use ntlm_auth".<br><br>So I want to use "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP", so I deleted my user in the database.<br>Do I have to keep the following lines in my radiusd.conf?<br><br>exec ntlm_auth {<br> # wait = yes is needed here: with wait = no the exit status of ntlm_auth is never checked<br> wait = yes<br>
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"<br> }<br><br>authenticate {<br> ...<br> ntlm_auth<br> ...<br>} <br><br>Here is my radiusd.conf<br><br>prefix = /usr<br>exec_prefix = /usr<br>sysconfdir = /etc<br>localstatedir = /var<br>sbindir = /usr/sbin<br>logdir = ${localstatedir}/log/radius<br>raddbdir = ${sysconfdir}/raddb<br>radacctdir = ${logdir}/radacct<br>confdir = ${raddbdir}<br>run_dir = ${localstatedir}/run/radiusd<br>log_file = ${logdir}/radius.log<br>libdir = /usr/lib<br>pidfile = ${run_dir}/radiusd.pid<br>user = radiusd<br>group = radiusd<br>max_request_time = 30<br>delete_blocked_requests = no<br>cleanup_delay = 5<br>max_requests = 1024<br>bind_address = *<br>port = 0<br>hostname_lookups = no<br>allow_core_dumps = no<br>regular_expressions = yes<br>extended_expressions = yes<br>log_stripped_names = no<br>log_auth =
no<br>log_auth_badpass = no<br>log_auth_goodpass = no<br>usercollide = no<br>lower_user = no<br>lower_pass = no<br>nospace_user = no<br>nospace_pass = no<br>checkrad = ${sbindir}/checkrad<br>security {<br> max_attributes = 200<br> reject_delay = 1<br> status_server = no<br>}<br>proxy_requests = yes<br>$INCLUDE ${confdir}/proxy.conf<br>$INCLUDE ${confdir}/clients.conf<br>snmp = no<br>$INCLUDE ${confdir}/snmp.conf<br>thread pool {<br> start_servers = 5<br> max_servers = 32<br> min_spare_servers = 3<br> max_spare_servers = 10<br> max_requests_per_server = 0<br>}<br>modules {<br> pap {<br> encryption_scheme = crypt<br>
}<br> chap {<br> authtype = CHAP<br> }<br> pam {<br> pam_auth = radiusd<br> }<br> unix {<br> cache = no<br> cache_reload = 600<br> shadow = /etc/shadow<br> radwtmp = ${logdir}/radwtmp<br> }<br>$INCLUDE ${confdir}/eap.conf<br> mschap {<br>
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{mschap:NT-Domain:-MYDOMAIN}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"<br> }<br> ldap {<br> server = "ldap.your.domain"<br> basedn = "o=My Org,c=UA"<br> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<br> start_tls = no<br> access_attr = "dialupAccess"<br> dictionary_mapping = ${raddbdir}/ldap.attrmap<br> ldap_connections_number = 5<br> timeout = 4<br> timelimit = 3<br> net_timeout =
1<br> }<br> realm IPASS {<br> format = prefix<br> delimiter = "/"<br> ignore_default = no<br> ignore_null = no<br> }<br> realm suffix {<br> format = suffix<br> delimiter = "@"<br> ignore_default = no<br> ignore_null = no<br> }<br> realm realmpercent {<br> format = suffix<br>
delimiter = "%"<br> ignore_default = no<br> ignore_null = no<br> }<br> realm ntdomain {<br> format = prefix<br> delimiter = "\\"<br> ignore_default = no<br> ignore_null = no<br> }<br> checkval {<br> item-name = Calling-Station-Id<br> check-name = Calling-Station-Id<br> data-type = string<br> }<br><br>
preprocess {<br> huntgroups = ${confdir}/huntgroups<br> hints = ${confdir}/hints<br> with_ascend_hack = no<br> ascend_channels_per_line = 23<br> with_ntdomain_hack = no<br> with_specialix_jetstream_hack = no<br> with_cisco_vsa_hack = no<br> }<br> files {<br> usersfile = ${confdir}/users<br> acctusersfile = ${confdir}/acct_users<br>
preproxy_usersfile = ${confdir}/preproxy_users<br> compat = no<br> }<br> detail {<br> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d<br> detailperm = 0600<br> }<br> acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br> }<br> $INCLUDE ${confdir}/sql.conf<br><br> radutmp {<br> filename = ${logdir}/radutmp<br> username = %{User-Name}<br>
case_sensitive = yes<br> check_with_nas = yes<br> perm = 0600<br> callerid = "yes"<br> }<br> radutmp sradutmp {<br> filename = ${logdir}/sradutmp<br> perm = 0644<br> callerid = "no"<br> }<br> attr_filter {<br> attrsfile = ${confdir}/attrs<br> }<br> counter daily {<br> filename = ${raddbdir}/db.daily<br>
key = User-Name<br> count-attribute = Acct-Session-Time<br> reset = daily<br> counter-name = Daily-Session-Time<br> check-name = Max-Daily-Session<br> allowed-servicetype = Framed-User<br> cache-size = 5000<br> }<br> sqlcounter dailycounter {<br> counter-name = Daily-Session-Time<br> check-name = Max-Daily-Session<br> sqlmod-inst = sql<br> key =
User-Name<br> reset = daily<br> query = "SELECT SUM(AcctSessionTime - \<br> GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \<br> FROM radacct WHERE UserName='%{%k}' AND \<br> UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"<br> }<br> sqlcounter monthlycounter {<br> counter-name = Monthly-Session-Time<br> check-name = Max-Monthly-Session<br> sqlmod-inst = sql<br> key = User-Name<br>
reset = monthly<br> query = "SELECT SUM(AcctSessionTime - \<br> GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \<br> FROM radacct WHERE UserName='%{%k}' AND \<br> UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"<br> }<br> always fail {<br> rcode = fail<br> }<br> always reject {<br> rcode = reject<br> }<br> always ok {<br> rcode = ok<br>
simulcount = 0<br> mpp = no<br> }<br> expr {<br> }<br> digest {<br> }<br> exec {<br> wait = yes<br> input_pairs = request<br> }<br> exec echo {<br> wait = yes<br> program = "/bin/echo %{User-Name}"<br> input_pairs = request<br> output_pairs = reply<br> }<br> ippool main_pool
{<br> range-start = 192.168.1.1<br> range-stop = 192.168.3.254<br> netmask = 255.255.255.0<br> cache-size = 800<br> session-db = ${raddbdir}/db.ippool<br> ip-index = ${raddbdir}/db.ipindex<br> override = no<br> maximum-timeout = 0<br> }<br>}<br>instantiate {<br> exec<br> expr<br>}<br>authorize {<br> preprocess<br><br> chap<br> mschap<br>
suffix<br> eap<br> sql<br>}<br>authenticate {<br> Auth-Type PAP {<br> pap<br> }<br> Auth-Type CHAP {<br> chap<br> }<br> Auth-Type MS-CHAP {<br> mschap<br> }<br> unix<br> eap<br>}<br>preacct {<br> preprocess<br> acct_unique<br> suffix<br> files<br>}<br>accounting {<br> detail<br> unix<br> radutmp<br>}<br>session {<br>
radutmp<br>}<br>post-auth {<br>}<br>pre-proxy {<br>}<br>post-proxy {<br> eap<br>}<br><br>But when I'm testing with an Alcatel client, here is what I obtain:<br><br>rlm_sql (sql): Read entry nasname=192.48.19.111,shortname=NANATESTPRC,secret=titi;<br>rlm_sql (sql): Adding client 192.48.19.111 (NANATESTPRC) to clients list<br>rlm_sql (sql): Released sql socket id: 4<br>Module: Instantiated sql (sql)<br>Module: Loaded Acct-Unique-Session-Id<br> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br>Module: Instantiated acct_unique (acct_unique)<br>Module: Loaded files<br> files: usersfile = "/etc/raddb/users"<br> files: acctusersfile = "/etc/raddb/acct_users"<br> files: preproxy_usersfile = "/etc/raddb/preproxy_users"<br> files: compat = "no"<br>Module: Instantiated files (files)<br>Module: Loaded detail<br> detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br> detail: detailperm = 384<br> detail: dirperm = 493<br> detail: locking = no<br>Module: Instantiated detail (detail)<br>Module: Loaded radutmp<br> radutmp: filename = "/var/log/radius/radutmp"<br> radutmp: username = "%{User-Name}"<br> radutmp: case_sensitive = yes<br> radutmp: check_with_nas = yes<br> radutmp: perm = 384<br> radutmp: callerid = yes<br>Module: Instantiated radutmp (radutmp)<br>Listening on authentication *:1812<br>Listening on accounting *:1813<br>Ready to process requests.<br>rad_recv: Access-Request packet from host 192.48.19.111:49154, id=0, length=77<br> User-Name = "TOTO"<br> User-Password = "toto"<br> Cisco-AVPair = "shell:priv-lvl=1"<br> NAS-IP-Address = 192.48.19.111<br> Processing the authorize section of radiusd.conf<br>modcall: entering group
authorize for request 0<br> modcall[authorize]: module "preprocess" returns ok for request 0<br> modcall[authorize]: module "chap" returns noop for request 0<br> modcall[authorize]: module "mschap" returns noop for request 0<br> rlm_realm: No '@' in User-Name = "TOTO", looking up realm NULL<br> rlm_realm: No such realm "NULL"<br> modcall[authorize]: module "suffix" returns noop for request 0<br> rlm_eap: No EAP-Message, not doing EAP<br> modcall[authorize]: module "eap" returns noop for request 0<br>radius_xlat: 'TOTO'<br>rlm_sql (sql): sql_set_user escaped user --> 'x073129'<br>radius_xlat:
'SELECT id, UserName, Attribute, Value, op FROM radcheck
WHERE Username = 'TOTO' ORDER BY id'<br>rlm_sql (sql): Reserving sql socket id: 3<br>rlm_sql (sql): User TOTO not found in radcheck<br>radius_xlat:
'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'TOTO' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'<br>radius_xlat:
'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'TOTO' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'<br>rlm_sql (sql): User TOTO not found in radgroupcheck<br>rlm_sql (sql): Released sql socket id: 3<br>rlm_sql (sql): User not found<br> modcall[authorize]: module "sql" returns notfound for request 0<br>modcall: leaving group authorize (returns ok) for request 0<br>auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user<br>auth: Failed to validate the user.<br>Delaying request 0 for 1 seconds<br>Finished request 0<br>Going to the next request<br>--- Walking the entire request list ---<br>Waking up in 1 seconds...<br>--- Walking the entire request list ---<br>Waking up in 1 seconds...<br>--- Walking the entire request list ---<br>Sending Access-Reject of id 0 to 192.48.19.111 port 49154<br>Waking up in 4 seconds...<br><br>But I don't understand how to use a test client to send an MS-CHAP<br>authentication request?<br>It seems that I
don't have an Auth-Type?</div><div><br><div>----- Original Message ----<br>From: Alan DeKok <aland@deployingradius.com><br>To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org><br>Sent: Monday, 30 June 2008, 15:06:20<br>Subject: Re: Re: Active Directory Integration<br><br>pingouin osmolateur wrote:<br>> So I have to modify the first request from the client to use an MS-CHAP request?<br><br> No.<br><br>> Because in my database for the User-Name, I have the following<br><br> Which is wrong. You were told it is wrong.<br><br>> So what do I have to do?<br><br> Delete that row from the database.<br><br> The documentation tries to make it clear: Setting Auth-Type is wrong.<br>Don't do it.<br><br>> Do you have a link for Active Directory Integration?<br><br> See my web site: <a href="http://deployingradius.com"
target="_blank">http://deployingradius.com</a><br><br> Alan DeKok.<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></div></div></div><br>
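The debug output in this thread ends with "No authenticate method (Auth-Type) configuration found" even though the Access-Request carries a User-Password. As an added example (not part of this thread and not FreeRADIUS code), the Python below reads the rad_recv block from a radiusd -X log and checks whether the authorize section lists the module that would set Auth-Type for the credential attribute present; it assumes the rlm_pap/rlm_chap/rlm_mschap behaviour of FreeRADIUS 1.1 and 2.x (pap sets PAP for User-Password, chap sets CHAP for CHAP-Password, mschap sets MS-CHAP for MS-CHAP-Response or MS-CHAP2-Response).

```python
import re

# Constructed sample: the rad_recv block quoted in this thread ("radiusd -X"
# output) and the modules its authorize section lists.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.48.19.111:49154, id=0, length=77
        User-Name = "TOTO"
        User-Password = "toto"
        Cisco-AVPair = "shell:priv-lvl=1"
        NAS-IP-Address = 192.48.19.111
  Processing the authorize section of radiusd.conf
"""
AUTHORIZE_MODULES = ["preprocess", "chap", "mschap", "suffix", "eap", "sql"]

# Credential attribute -> (authorize module that reacts to it, Auth-Type it sets).
# Assumed rlm_mschap/rlm_chap/rlm_pap behaviour of FreeRADIUS 1.1 and 2.x.
# A cleartext User-Password in the dump means the NAS sent PAP, not MS-CHAP.
TRIGGERS = [
    ("MS-CHAP2-Response", "mschap", "MS-CHAP"),
    ("MS-CHAP-Response", "mschap", "MS-CHAP"),
    ("CHAP-Password", "chap", "CHAP"),
    ("User-Password", "pap", "PAP"),
]
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_request(log):
    """Return the attributes of the first rad_recv packet dump as a dict."""
    attrs, in_packet = {}, False
    for line in log.splitlines():
        if line.startswith("rad_recv:"):
            in_packet = True
            continue
        if in_packet:
            m = ATTR_RE.match(line)
            if not m:
                break  # first line that is not "name = value" ends the dump
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def predict_auth_type(attrs, authorize):
    """Return (auth_type, module) the authorize section would produce.

    auth_type is None when the module that sets it is not listed; radiusd
    then logs "No authenticate method (Auth-Type) configuration found".
    """
    for attr, module, auth_type in TRIGGERS:
        if attr in attrs:
            return (auth_type if module in authorize else None), module
    return None, None
```

For the request above the result is (None, "pap"): the NAS sent a cleartext password and no module in the listed authorize section handles that, so no Auth-Type is ever set; an MS-CHAP request from the NAS would instead carry MS-CHAP-Challenge and MS-CHAP2-Response and be picked up by mschap.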
</body></html>