<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
code
{mso-style-priority:99;
font-family:"Courier New";}
span.E-MailFormatvorlage19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=DE link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So to understand you right:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Every user that should be authenticated has to be an entry in
the users file?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Isn't it possible to add a forwarding for every user so
that all requests are just forwarded and checked?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If not I must add all users from the AD to the users file, mustn't
I?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
[mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org]
<b>On behalf of </b>Syed Anwarul Hasan<br>
<b>Sent:</b> Thursday, 9 October 2008 13:16<br>
<b>To:</b> FreeRadius users mailing list<br>
<b>Subject:</b> Re: Problem with ntlm_auth<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>And also don't remove ntlm_auth
from authenticate section of both default and inner-tunnel files.<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan &lt;<a
href="mailto:syedanwarulhasan2007@gmail.com">syedanwarulhasan2007@gmail.com</a>&gt;
wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal>Ok, Where are USER CREDENTIALS stored, the one described in
the Manual is Bind as User. That is User Entry is added in Users file and after
using ntlm_auth, it is checked against an Active Directory or LDAP server
backend using NT LAN Manager Authentication Protocol.<br>
<br>
For example:<br>
Users file:<br>
User Auth-Type := ntlm_auth<br>
<br>
In Active Directory<br>
User should be a member.<br>
<br>
So, then ntlm_auth requests will be passed from your Server to Active Directory
or LDAP Server.<br>
<br>
Otherwise you will not set up ntlm_auth.<br>
<span style='color:#888888'><br>
SYED</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Thu, Oct 9, 2008 at 12:58 PM, &lt;<a
href="mailto:Frederik.Niedernolte@bertelsmann.de" target="_blank">Frederik.Niedernolte@bertelsmann.de</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>OK, I have tested it
with "radtest MyUser MyPassword localhost 0 testing123" and this is
what the server gave back:</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Ready to process
requests.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>rad_recv:
Access-Request packet from host 127.0.0.1
port 32793, id=92, length=58</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>
User-Name = "MyUser"</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>
User-Password = "MyPassword"</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>
NAS-IP-Address = IP.OF.THE.SERVER</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>
NAS-Port = 0</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>+- entering group
authorize {...}</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[preprocess]
returns ok</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[chap] returns
noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[mschap] returns
noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>[suffix] No '@' in
User-Name = "MyUser", looking up realm NULL</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>[suffix] No such
realm "NULL"</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[suffix] returns
noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>[eap] No
EAP-Message, not doing EAP</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[eap] returns noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[unix] returns
notfound</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[files] returns
noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[expiration]
returns noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[logintime]
returns noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>[pap] WARNING! No
"known good" password found for the user. Authentication may
fail because of this.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[pap] returns noop</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>No authenticate
method (Auth-Type) configuration found for the request: Rejecting the user</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Failed to
authenticate the user.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Using Post-Auth-Type
Reject</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>+- entering group
REJECT {...}</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>[attr_filter.access_reject]
expand: %{User-Name} -> MyUser</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'> attr_filter:
Matched entry DEFAULT at line 11</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>++[attr_filter.access_reject]
returns updated</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Delaying reject of
request 0 for 1 seconds</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Going to the next
request</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Waking up in 0.9
seconds.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Sending delayed
reject for request 0</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Sending
Access-Reject of id 92 to 127.0.0.1
port 32793</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Waking up in 4.9
seconds.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Cleaning up request
0 ID 92 with timestamp +3710</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Ready to process
requests.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Now what should I
do?<br>
Thanks in advance.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;
border-color:-moz-use-text-color -moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
[mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] <b>On
behalf of </b>Syed Anwarul Hasan<br>
<b>Sent:</b> Thursday, 9 October 2008 12:12<o:p></o:p></span></p>
<div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt'><br>
<b>To:</b> FreeRadius users mailing list<br>
<b>Subject:</b> Re: Problem with ntlm_auth<o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<div>
<p style='margin-bottom:12.0pt'>Hi,<br>
You can use radtest tool to check with the Server. The Server will return
accept-accept message.<br>
Other tool includes JRadius Simulator as IVAN told, but I have not used it.<br>
Otherwise if you have a Native PEAP or TTLS client, you can send MSCHAP
requests to use ntlm_auth with Active Directory or LDAP server backend (if you
have).<br>
<br>
SYED<o:p></o:p></p>
<div>
<p>On Thu, Oct 9, 2008 at 11:54 AM, &lt;<a
href="mailto:Frederik.Niedernolte@bertelsmann.de" target="_blank">Frederik.Niedernolte@bertelsmann.de</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>Thanks, now it works :)</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Now the last step:
How can I test it? What tool/program etc. can/should I use to test it?</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>"</span><span
lang=EN-US>The </span><code><span lang=EN-US style='font-size:10.0pt'>radclient</span></code><span
lang=EN-US> cannot currently be used to send this request, unfortunately, which
makes testing a little difficult. If everything goes well, you should see the
server returning an </span><a
href="http://freeradius.org/rfc/rfc2865.html#Access-Accept" target="_blank"><span
lang=EN-US>Access-Accept</span></a><span lang=EN-US> message as above."</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Kind
regards</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Frederik Niedernolte<br>
-------------------------------------------------------<br>
</span><span style='font-size:11.0pt;color:#595959'>arvato</span><span
style='font-size:11.0pt;color:#1F497D'> </span><span style='font-size:11.0pt;
color:#0070C0'>services</span><span style='font-size:11.0pt;color:black'><br>
</span><span style='font-size:11.0pt;color:#1F497D'>An der Autobahn<br>
33310 Gütersloh<br>
Germany<br>
<a href="http://www.arvato-services.de" target="_blank">http://www.arvato-services.de</a><br>
</span><span style='font-size:11.0pt;color:blue'><a
href="mailto:frederik.niedernolte@bertelsmann.de" target="_blank">frederik.niedernolte@bertelsmann.de</a></span><span
style='font-size:11.0pt;color:#1F497D'><br>
Tel.: +49 (0)5241 80-40554</span><o:p></o:p></p>
<p><span style='font-size:9.0pt;color:#1F497D'>arvato services GmbH: Registered
office Gütersloh | Gütersloh Local Court HRB 3826 | Managing Directors Ralf
Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0cm 0cm 0cm;
border-color:-moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
[mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] <b>On
behalf of </b>Syed Anwarul Hasan<br>
<b>Sent:</b> Thursday, 9 October 2008 11:44<br>
<b>To:</b> FreeRadius users mailing list<br>
<b>Subject:</b> Re: Problem with ntlm_auth</span><o:p></o:p></p>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<div>
<p style='margin-bottom:12.0pt'>Hi Frederik,<br>
<br>
1) Put User entry on <b>TOP</b> of users file.<br>
2) In default file, in authenticate section, add <b>ntlm_auth. </b>Don't set
using Auth-Type.<br>
3) Also in sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add
<b>ntlm_auth</b> in Authenticate Section.<br>
<br>
I hope it will solve your problem.<br>
SYED<o:p></o:p></p>
<div>
<p>On Thu, Oct 9, 2008 at 11:17 AM, &lt;<a
href="mailto:Frederik.Niedernolte@bertelsmann.de" target="_blank">Frederik.Niedernolte@bertelsmann.de</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p><span lang=EN-US>I have finished all steps till "<b>user</b> Auth-Type
:= ntlm_auth" from <a
href="http://deployingradius.com/documents/configuration/active_directory.html"
target="_blank">http://deployingradius.com/documents/configuration/active_directory.html</a>.</span><o:p></o:p></p>
<p><span lang=EN-US>With this command I get this error message at the end of
"/usr/sbin/freeradius -X":</span><o:p></o:p></p>
<p><span lang=EN-US> </span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>/etc/freeradius/users[1]: Parse
error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>Errors reading
/etc/freeradius/users</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>/etc/freeradius/modules/files[7]:
Instantiation failed for module "files"</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>/etc/freeradius/sites-enabled/inner-tunnel[111]:
Failed to find module "files".</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>/etc/freeradius/sites-enabled/inner-tunnel[34]:
Errors parsing authorize section.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'> }</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>}</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>Errors initializing modules</span><o:p></o:p></p>
<p><span lang=EN-US> </span><o:p></o:p></p>
<p><span lang=EN-US>The authenticate section in the
/etc/freeradius/sites-enabled/default looks like this (only important part):</span><o:p></o:p></p>
<p><span lang=EN-US> </span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>authenticate {</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>#</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'># NTLM_AUTH authentication.</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>Auth-Type ntlm_auth {</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>
ntlm_auth</span><o:p></o:p></p>
<p><span lang=EN-US style='font-size:9.0pt'>}</span><o:p></o:p></p>
<p><span lang=EN-US> </span><o:p></o:p></p>
<p><span lang=EN-US>What is wrong and what can I do to solve the problem?<br>
<br>
Thanks in advance.</span><o:p></o:p></p>
<p><span lang=EN-US>Best regards, F. Niedernolte</span><o:p></o:p></p>
</div>
</div>
<p><br>
-<br>
List info/subscribe/unsubscribe? See <a
href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
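<p class=MsoNormal>An added example, not part of the thread and not FreeRADIUS code: a small Python parser for the kind of debug output quoted above. It lists each module's return code per section and reports whether the reject came from no Auth-Type being set. The function name diagnose, the result keys and the embedded sample (abridged from the log in the thread) are constructed for illustration; reading "files returns noop" as "no users-file entry matched" is an assumption.</p>

```python
import re

# Constructed sample, abridged from the debug output quoted in the thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
        User-Name = "MyUser"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"


def diagnose(debug_text):
    """Collect module return codes per section and flag why a request was rejected."""
    sections, current = {}, None
    no_auth_type = rejected = False
    for raw in debug_text.splitlines():
        line = raw.strip()
        group = GROUP_RE.match(line)
        module = MODULE_RE.match(line)
        if group:
            current = group.group(1)
            sections.setdefault(current, [])
        elif module and current is not None:
            sections[current].append((module.group(1), module.group(2)))
        elif line.startswith(NO_AUTH_TYPE):
            no_auth_type = True
        elif line.startswith("Sending Access-Reject"):
            rejected = True
    # Assumption: "files" returning noop means no users-file entry matched,
    # so that file set no Auth-Type (or any other check item) for this user.
    files_matched = any(name == "files" and rc in ("ok", "updated")
                        for name, rc in sections.get("authorize", []))
    return {"sections": sections, "rejected": rejected,
            "no_auth_type": no_auth_type, "files_matched": files_matched}


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
```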
</body>
</html>