<span lang="EN">
<div>I follow <a href="http://deployingradius.com/documents/configuration/active_directory.html">http://deployingradius.com/documents/configuration/active_directory.html</a> to configure freeradius with Active Directory. Samba and Kerberos works. When running </div>
<div>"ntlm_auth --request-nt-key" command and it works but through Freeradius, it gives NT_STATUS_WRONG_PASSWORD. Following is the output of radiusd -X. Can you please help me find out what can be wrong?</div>
<div> </div>
<div>Output of radiusd -X:</div>
<div> </div>
<div>FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30 2009 at 13:47:58</div>
<div>Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. <br>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A <br>PARTICULAR PURPOSE. <br>You may redistribute copies of FreeRADIUS under the terms of the </div>
<p>GNU General Public License v2. </p>
<p>Starting - reading configuration files ...</p>
<p>including configuration file /etc/raddb/radiusd.conf</p>
<p>including configuration file /etc/raddb/proxy.conf</p>
<p>including configuration file /etc/raddb/clients.conf</p>
<p>including files in directory /etc/raddb/modules/</p>
<p>including configuration file /etc/raddb/modules/mschap</p>
<p>including configuration file /etc/raddb/modules/ntlm_auth</p>
<p>including configuration file /etc/raddb/modules/ldap</p>
<p>including configuration file /etc/raddb/modules/wimax</p>
<p>including configuration file /etc/raddb/modules/unix</p>
<p>including configuration file /etc/raddb/modules/sradutmp</p>
<p>including configuration file /etc/raddb/modules/sqlcounter_expire_on_login</p>
<p>including configuration file /etc/raddb/modules/sql_log</p>
<p>including configuration file /etc/raddb/modules/smsotp</p>
<p>including configuration file /etc/raddb/modules/smbpasswd</p>
<p>including configuration file /etc/raddb/modules/realm</p>
<p>including configuration file /etc/raddb/modules/radutmp</p>
<p>including configuration file /etc/raddb/modules/preprocess</p>
<p>including configuration file /etc/raddb/modules/policy</p>
<p>including configuration file /etc/raddb/modules/perl</p>
<p>including configuration file /etc/raddb/modules/passwd</p>
<p>including configuration file /etc/raddb/modules/pap</p>
<p>including configuration file /etc/raddb/modules/pam</p>
<p>including configuration file /etc/raddb/modules/otp</p>
<p>including configuration file /etc/raddb/modules/mac2vlan</p>
<p>including configuration file /etc/raddb/modules/mac2ip</p>
<p>including configuration file /etc/raddb/modules/logintime</p>
<p>including configuration file /etc/raddb/modules/linelog</p>
<p>including configuration file /etc/raddb/modules/ippool</p>
<p>including configuration file /etc/raddb/modules/inner-eap</p>
<p>including configuration file /etc/raddb/modules/files</p>
<p>including configuration file /etc/raddb/modules/expr</p>
<p>including configuration file /etc/raddb/modules/expiration</p>
<p>including configuration file /etc/raddb/modules/exec</p>
<p>including configuration file /etc/raddb/modules/etc_group</p>
<p>including configuration file /etc/raddb/modules/echo</p>
<p>including configuration file /etc/raddb/modules/digest</p>
<p>including configuration file /etc/raddb/modules/detail.log</p>
<p>including configuration file /etc/raddb/modules/<a href="http://detail.example.com">detail.example.com</a></p>
<p>including configuration file /etc/raddb/modules/detail</p>
<p>including configuration file /etc/raddb/modules/cui</p>
<p>including configuration file /etc/raddb/modules/counter</p>
<p>including configuration file /etc/raddb/modules/checkval</p>
<p>including configuration file /etc/raddb/modules/chap</p>
<p>including configuration file /etc/raddb/modules/attr_rewrite</p>
<p>including configuration file /etc/raddb/modules/attr_filter</p>
<p>including configuration file /etc/raddb/modules/always</p>
<p>including configuration file /etc/raddb/modules/acct_unique</p>
<p>including configuration file /etc/raddb/modules/ldap.rpmsave</p>
<p>including configuration file /etc/raddb/modules/mschapBck</p>
<p>including configuration file /etc/raddb/modules/ldapBck</p>
<p>including configuration file /etc/raddb/eap.conf</p>
<p>including configuration file /etc/raddb/policy.conf</p>
<p>including files in directory /etc/raddb/sites-enabled/</p>
<p>including configuration file /etc/raddb/sites-enabled/inner-tunnel</p>
<p>including configuration file /etc/raddb/sites-enabled/default</p>
<p>including configuration file /etc/raddb/sites-enabled/control-socket</p>
<p>group = radiusd</p>
<p>user = radiusd</p>
<p>including dictionary file /etc/raddb/dictionary</p>
<p>main {</p>
<p>prefix = "/usr"</p>
<p>localstatedir = "/var"</p>
<p>logdir = "/var/log/radius"</p>
<p>libdir = "/usr/lib/freeradius"</p>
<p>radacctdir = "/var/log/radius/radacct"</p>
<p>hostname_lookups = no</p>
<p>max_request_time = 30</p>
<p>cleanup_delay = 5</p>
<p>max_requests = 1024</p>
<p>allow_core_dumps = no</p>
<p>pidfile = "/var/run/radiusd/radiusd.pid"</p>
<p>checkrad = "/usr/sbin/checkrad"</p>
<p>debug_level = 0</p>
<p>proxy_requests = yes</p>
<p>log {</p>
<p>stripped_names = no</p>
<p>auth = no</p>
<p>auth_badpass = no</p>
<p>auth_goodpass = no</p>
<p>}</p>
<p>security {</p>
<p>max_attributes = 200</p>
<p>reject_delay = 1</p>
<p>status_server = yes</p>
<p>}</p>
<p>}</p>
<p>radiusd: #### Loading Realms and Home Servers ####</p>
<p>proxy server {</p>
<p>retry_delay = 5</p>
<p>retry_count = 3</p>
<p>default_fallback = no</p>
<p>dead_time = 120</p>
<p>wake_all_if_all_dead = no</p>
<p>}</p>
<p>home_server localhost {</p>
<p>ipaddr = 127.0.0.1</p>
<p>port = 1812</p>
<p>type = "auth"</p>
<p>secret = "testing123"</p>
<p>response_window = 20</p>
<p>max_outstanding = 65536</p>
<p>require_message_authenticator = no</p>
<p>zombie_period = 40</p>
<p>status_check = "status-server"</p>
<p>ping_interval = 30</p>
<p>check_interval = 30</p>
<p>num_answers_to_alive = 3</p>
<p>num_pings_to_alive = 3</p>
<p>revive_interval = 120</p>
<p>status_check_timeout = 4</p>
<p>irt = 2</p>
<p>mrt = 16</p>
<p>mrc = 5</p>
<p>mrd = 30</p>
<p>}</p>
<p>home_server_pool my_auth_failover {</p>
<p>type = fail-over</p>
<p>home_server = localhost</p>
<p>}</p>
<p>realm <a href="http://example.com">example.com</a> {</p>
<p>auth_pool = my_auth_failover</p>
<p>}</p>
<p>realm LOCAL {</p>
<p>}</p>
<p>radiusd: #### Loading Clients ####</p>
<p>client 10.1.11.33 {</p>
<p>require_message_authenticator = no</p>
<p>secret = "testpwd"</p>
<p>shortname = "10.1.11.33"</p>
<p>nastype = "none"</p>
<p>}</p>
<p>client 10.1.1.1 {</p>
<p>require_message_authenticator = no</p>
<p>secret = "test123"</p>
<p>shortname = "localSystem"</p>
<p>nastype = "test"</p>
<p>}</p>
<p>client 10.1.0.33 {</p>
<p>require_message_authenticator = no</p>
<p>secret = "testpwd"</p>
<p>shortname = "10.1.0.33"</p>
<p>nastype = "none"</p>
<p>}</p>
<p>client localhost {</p>
<p>require_message_authenticator = no</p>
<p>secret = "test123"</p>
<p>nastype = "test"</p>
<p>}</p>
<p>radiusd: #### Instantiating modules ####</p>
<p>instantiate {</p>
<p>Module: Linked to module rlm_exec</p>
<p>Module: Instantiating exec</p>
<p>exec {</p>
<p>wait = no</p>
<p>input_pairs = "request"</p>
<p>shell_escape = yes</p>
<p>}</p>
<p>Module: Linked to module rlm_expr</p>
<p>Module: Instantiating expr</p>
<p>Module: Linked to module rlm_expiration</p>
<p>Module: Instantiating expiration</p>
<p>expiration {</p>
<p>reply-message = "Password Has Expired "</p>
<p>}</p>
<p>Module: Linked to module rlm_logintime</p>
<p>Module: Instantiating logintime</p>
<p>logintime {</p>
<p>reply-message = "You are calling outside your allowed timespan "</p>
<p>minimum-timeout = 60</p>
<p>}</p>
<p>}</p>
<p>radiusd: #### Loading Virtual Servers ####</p>
<p>server inner-tunnel {</p>
<p>modules {</p>
<p>Module: Checking authenticate {...} for more modules to load</p>
<p>Module: Linked to module rlm_pap</p>
<p>Module: Instantiating pap</p>
<p>pap {</p>
<p>encryption_scheme = "auto"</p>
<p>auto_header = no</p>
<p>}</p>
<p>Module: Linked to module rlm_chap</p>
<p>Module: Instantiating chap</p>
<p>Module: Linked to module rlm_mschap</p>
<p>Module: Instantiating mschap</p>
<p>mschap {</p>
<p>use_mppe = yes</p>
<p>require_encryption = yes</p>
<p>require_strong = no</p>
<p>with_ntdomain_hack = yes</p>
<p>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a>} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"</p>
<p>}</p>
<p>Module: Instantiating ntlm_auth</p>
<p>exec ntlm_auth {</p>
<p>wait = yes</p>
<p>program = "/usr/bin/ntlm_auth --request-nt-key --domain=<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a> --username=%{mschap:User-Name} --password=%{User-Password}"</p>
<p>input_pairs = "request"</p>
<p>shell_escape = yes</p>
<p>}</p>
<p>Module: Checking authorize {...} for more modules to load</p>
<p>Module: Linked to module rlm_unix</p>
<p>Module: Instantiating unix</p>
<p>unix {</p>
<p>radwtmp = "/var/log/radius/radwtmp"</p>
<p>}</p>
<p>Module: Linked to module rlm_realm</p>
<p>Module: Instantiating suffix</p>
<p>realm suffix {</p>
<p>format = "suffix"</p>
<p>delimiter = "@"</p>
<p>ignore_default = no</p>
<p>ignore_null = no</p>
<p>}</p>
<p>Module: Linked to module rlm_eap</p>
<p>Module: Instantiating eap</p>
<p>eap {</p>
<p>default_eap_type = "ttls"</p>
<p>timer_expire = 60</p>
<p>ignore_unknown_eap_types = no</p>
<p>cisco_accounting_username_bug = no</p>
<p>max_sessions = 2048</p>
<p>}</p>
<p>Module: Linked to sub-module rlm_eap_md5</p>
<p>Module: Instantiating eap-md5</p>
<p>Module: Linked to sub-module rlm_eap_leap</p>
<p>Module: Instantiating eap-leap</p>
<p>Module: Linked to sub-module rlm_eap_gtc</p>
<p>Module: Instantiating eap-gtc</p>
<p>gtc {</p>
<p>challenge = "Password: "</p>
<p>auth_type = "PAP"</p>
<p>}</p>
<p>Module: Linked to sub-module rlm_eap_tls</p>
<p>Module: Instantiating eap-tls</p>
<p>tls {</p>
<p>rsa_key_exchange = no</p>
<p>dh_key_exchange = yes</p>
<p>rsa_key_length = 512</p>
<p>dh_key_length = 512</p>
<p>verify_depth = 0</p>
<p>pem_file_type = yes</p>
<p>private_key_file = "/etc/raddb/certs/server.pem"</p>
<p>certificate_file = "/etc/raddb/certs/server.pem"</p>
<p>CA_file = "/etc/raddb/certs/ca.pem"</p>
<p>private_key_password = "whatever"</p>
<p>dh_file = "/etc/raddb/certs/dh"</p>
<p>random_file = "/etc/raddb/certs/random"</p>
<p>fragment_size = 1024</p>
<p>include_length = yes</p>
<p>check_crl = no</p>
<p>cipher_list = "DEFAULT"</p>
<p>make_cert_command = "/etc/raddb/certs/bootstrap"</p>
<p>cache {</p>
<p>enable = no</p>
<p>lifetime = 24</p>
<p>max_entries = 255</p>
<p>}</p>
<p>}</p>
<p>Module: Linked to sub-module rlm_eap_ttls</p>
<p>Module: Instantiating eap-ttls</p>
<p>ttls {</p>
<p>default_eap_type = "mschapv2"</p>
<p>copy_request_to_tunnel = yes</p>
<p>use_tunneled_reply = yes</p>
<p>virtual_server = "inner-tunnel"</p>
<p>include_length = yes</p>
<p>}</p>
<p>Module: Linked to sub-module rlm_eap_peap</p>
<p>Module: Instantiating eap-peap</p>
<p>peap {</p>
<p>default_eap_type = "mschapv2"</p>
<p>copy_request_to_tunnel = yes</p>
<p>use_tunneled_reply = yes</p>
<p>proxy_tunneled_request_as_eap = yes</p>
<p>virtual_server = "inner-tunnel"</p>
<p>}</p>
<p>Module: Linked to sub-module rlm_eap_mschapv2</p>
<p>Module: Instantiating eap-mschapv2</p>
<p>mschapv2 {</p>
<p>with_ntdomain_hack = no</p>
<p>}</p>
<p>Module: Linked to module rlm_files</p>
<p>Module: Instantiating files</p>
<p>files {</p>
<p>usersfile = "/etc/raddb/users"</p>
<p>acctusersfile = "/etc/raddb/acct_users"</p>
<p>preproxy_usersfile = "/etc/raddb/preproxy_users"</p>
<p>compat = "no"</p>
<p>}</p>
<p>Module: Checking session {...} for more modules to load</p>
<p>Module: Linked to module rlm_radutmp</p>
<p>Module: Instantiating radutmp</p>
<p>radutmp {</p>
<p>filename = "/var/log/radius/radutmp"</p>
<p>username = "%{User-Name}"</p>
<p>case_sensitive = yes</p>
<p>check_with_nas = yes</p>
<p>perm = 384</p>
<p>callerid = yes</p>
<p>}</p>
<p>Module: Checking post-proxy {...} for more modules to load</p>
<p>Module: Checking post-auth {...} for more modules to load</p>
<p>Module: Linked to module rlm_attr_filter</p>
<p>Module: Instantiating attr_filter.access_reject</p>
<p>attr_filter attr_filter.access_reject {</p>
<p>attrsfile = "/etc/raddb/attrs.access_reject"</p>
<p>key = "%{User-Name}"</p>
<p>}</p>
<p>} # modules</p>
<p>} # server</p>
<p>server {</p>
<p>modules {</p>
<p>Module: Checking authenticate {...} for more modules to load</p>
<p>Module: Checking authorize {...} for more modules to load</p>
<p>Module: Linked to module rlm_preprocess</p>
<p>Module: Instantiating preprocess</p>
<p>preprocess {</p>
<p>huntgroups = "/etc/raddb/huntgroups"</p>
<p>hints = "/etc/raddb/hints"</p>
<p>with_ascend_hack = no</p>
<p>ascend_channels_per_line = 23</p>
<p>with_ntdomain_hack = no</p>
<p>with_specialix_jetstream_hack = no</p>
<p>with_cisco_vsa_hack = no</p>
<p>with_alvarion_vsa_hack = no</p>
<p>}</p>
<p>Module: Checking preacct {...} for more modules to load</p>
<p>Module: Linked to module rlm_acct_unique</p>
<p>Module: Instantiating acct_unique</p>
<p>acct_unique {</p>
<p>key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</p>
<p>}</p>
<p>Module: Checking accounting {...} for more modules to load</p>
<p>Module: Linked to module rlm_detail</p>
<p>Module: Instantiating detail</p>
<p>detail {</p>
<p>detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"</p>
<p>header = "%t"</p>
<p>detailperm = 384</p>
<p>dirperm = 493</p>
<p>locking = no</p>
<p>log_packet_header = no</p>
<p>}</p>
<p>Module: Instantiating attr_filter.accounting_response</p>
<p>attr_filter attr_filter.accounting_response {</p>
<p>attrsfile = "/etc/raddb/attrs.accounting_response"</p>
<p>key = "%{User-Name}"</p>
<p>}</p>
<p>Module: Checking session {...} for more modules to load</p>
<p>Module: Checking post-proxy {...} for more modules to load</p>
<p>Module: Checking post-auth {...} for more modules to load</p>
<p>} # modules</p>
<p>} # server</p>
<p>radiusd: #### Opening IP addresses and Ports ####</p>
<p>listen {</p>
<p>type = "auth"</p>
<p>ipaddr = *</p>
<p>port = 0</p>
<p>}</p>
<p>listen {</p>
<p>type = "acct"</p>
<p>ipaddr = *</p>
<p>port = 0</p>
<p>}</p>
<p>listen {</p>
<p>type = "control"</p>
<p>listen {</p>
<p>socket = "/var/run/radiusd/radiusd.sock"</p>
<p>}</p>
<p>}</p>
<p>Listening on authentication address * port 1812</p>
<p>Listening on accounting address * port 1813</p>
<p>Listening on command file /var/run/radiusd/radiusd.sock</p>
<p>Listening on proxy address * port 1814</p>
<p>Ready to process requests.</p>
<p>rad_recv: Access-Request packet from host 10.1.0.33 port 1645, id=183, length=141</p>
<p>User-Name = "testuser"</p>
<p>Framed-MTU = 1400</p>
<p>Called-Station-Id = "00-19-56-B0-90-18"</p>
<p>Calling-Station-Id = "00-1B-77-89-0E-6D"</p>
<p>Service-Type = Login-User</p>
<p>Message-Authenticator = 0xacce4dee9361babf8639ffeecac12bd2</p>
<p>EAP-Message = 0x0202000d01666c616d696e676f</p>
<p>NAS-Port-Type = Wireless-802.11</p>
<p>NAS-Port = 17098251</p>
<p>NAS-Port-Id = "17098251"</p>
<p>NAS-IP-Address = 10.1.0.33</p>
<p>+- entering group authorize {...}</p>
<p>++[preprocess] returns ok</p>
<p>++[chap] returns noop</p>
<p>++[mschap] returns noop</p>
<p>[suffix] No '@' in User-Name = "testuser", looking up realm NULL</p>
<p>[suffix] No such realm "NULL"</p>
<p>++[suffix] returns noop</p>
<p>[eap] EAP packet type response id 2 length 13</p>
<p>[eap] No EAP Start, assuming it's an on-going EAP conversation</p>
<p>++[eap] returns updated</p>
<p>++[unix] returns notfound</p>
<p>[files] users: Matched entry DEFAULT at line 4</p>
<p>++[files] returns ok</p>
<p>++[expiration] returns noop</p>
<p>++[logintime] returns noop</p>
<p>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</p>
<p>++[pap] returns noop</p>
<p>Found Auth-Type = ntlm_auth</p>
<p>+- entering group authenticate {...}</p>
<p>[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=testuser</p>
<p>[ntlm_auth] expand: --password=%{User-Password} -> --password=</p>
<p>Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) </p>
<p>Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) </p>
<p>Exec-Program: returned: 1</p>
<p>++[ntlm_auth] returns reject</p>
<p>Failed to authenticate the user.</p>
<p>Using Post-Auth-Type Reject</p>
<p>+- entering group REJECT {...}</p>
<p>[attr_filter.access_reject] expand: %{User-Name} -> testuser</p>
<p>attr_filter: Matched entry DEFAULT at line 11</p>
<p>++[attr_filter.access_reject] returns updated</p>
<p>Delaying reject of request 0 for 1 seconds</p>
<p>Going to the next request</p>
<p>Waking up in 0.9 seconds.</p>
<p>Sending delayed reject for request 0</p>
<p>Sending Access-Reject of id 183 to 10.1.0.33 port 1645</p>
<p>Waking up in 4.9 seconds.</p>
<p>Cleaning up request 0 ID 183 with timestamp +16</p>
<div>Ready to process requests.</div>
<div> </div>
<div> </div>
<div> </div>
<div>Thanks.</div></span>