<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Greetings list,<br>
<br>
I am trying to configure PAM on my remote Linux servers to
authenticate via FreeRADIUS to Active Directory. I have followed the
instructions at
<a class="moz-txt-link-freetext" href="http://deployingradius.com/documents/configuration/active_directory.html">http://deployingradius.com/documents/configuration/active_directory.html</a>
to the letter and am able to successfully run radtest against the
FreeRADIUS server : <br>
<br>
Running <b>radtest -t mschap jonathanv <i>mypassword</i> localhost
0 testing123</b> returns the following:<br>
<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 57650,
id=252, length=117<br>
User-Name = "jonathanv"<br>
NAS-IP-Address = 172.16.132.254<br>
NAS-Port = 0<br>
MS-CHAP-Challenge = 0x3ab2e0ada92d1a3b<br>
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000d868800a8540b1a1823945859c18d2596202279141f6daea<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'<br>
++[mschap] returns ok<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "jonathanv", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[files] returns noop<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.<br>
++[pap] returns noop<br>
Found Auth-Type = MSCHAP<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group MS-CHAP {...}<br>
[mschap] Told to do MS-CHAPv1 with NT-Password<br>
[mschap] expand: --username=%{mschap:User-Name:-None} ->
--username=jonathanv<br>
[mschap] No NT-Domain was found in the User-Name.<br>
[mschap] expand: %{mschap:NT-Domain} -> <br>
[mschap] ... expanding second conditional<br>
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-MSAD} ->
--domain=MSAD<br>
[mschap] mschap1: 3a<br>
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=3ab2e0ada92d1a3b<br>
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=d868800a8540b1a1823945859c18d2596202279141f6daea<br>
Exec-Program output: NT_KEY: 74910D7B290EDE12A3926DCD2EA68453 <br>
Exec-Program-Wait: plaintext: NT_KEY:
74910D7B290EDE12A3926DCD2EA68453 <br>
Exec-Program: returned: 0<br>
[mschap] adding MS-CHAPv1 MPPE keys<br>
++[mschap] returns ok<br>
# Executing section post-auth from file
/etc/raddb/sites-enabled/default<br>
+- entering group post-auth {...}<br>
++[exec] returns noop<br>
Sending Access-Accept of id 252 to 127.0.0.1 port 57650<br>
MS-CHAP-MPPE-Keys =
0x000000000000000074910d7b290ede12a3926dcd2ea684530000000000000000<br>
MS-MPPE-Encryption-Policy = 0x00000001<br>
MS-MPPE-Encryption-Types = 0x00000006<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 2 ID 252 with timestamp +269<br>
Ready to process requests.<br>
<br>
However, now, I would like to configure PAM on a test Linux (CentOS
6) box to authenticate Active Directory users (system-auth,
password-auth and ssh) via the FreeRADIUS server. I have installed
the <b>pam_radius</b> package from the EPEL repository on my test
box and have configured <b>/etc/pam_radius.conf</b> file like so:<br>
<br>
172.16.132.254 <i><b>mypassword</b></i> 3<br>
<br>
...172.16.132.254 being my FreeRADIUS server...<br>
<br>
To test SSH authentication I have added the following line to the <b>/etc/pam.d/sshd</b>
file:<br>
<br>
<b>auth required pam_radius_auth.so</b><br>
<br>
On the FreeRADIUS server I have configured the following in
clients.conf:<br>
<br>
<b>client 172.16.132.140 {<br>
secret = <i>mypassword</i><br>
shortname = jonathan-c6<br>
nastype = other<br>
}</b><br>
<br>
...172.16.132.140 being the test box...<br>
<br>
When attempting to ssh to the test box as an Active Directory user I
receive the following debug output:<br>
<br>
rad_recv: Access-Request packet from host 172.16.132.140 port 32768,
id=12, length=95<br>
User-Name = "jonathanv"<br>
User-Password = "\010\n\r\177INCORRECT"<br>
NAS-IP-Address = 172.16.132.140<br>
NAS-Identifier = "sshd"<br>
NAS-Port = 4369<br>
NAS-Port-Type = Virtual<br>
Service-Type = Authenticate-Only<br>
Calling-Station-Id = "172.16.132.148"<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "jonathanv", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[files] returns noop<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.<br>
++[pap] returns noop<br>
<b>ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user</b><br>
Failed to authenticate the user.<br>
WARNING: Unprintable characters in the password.
Double-check the shared secret on the server and the NAS!<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> jonathanv<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 3 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 3<br>
Sending Access-Reject of id 12 to 172.16.132.140 port 32768<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 3 ID 12 with timestamp +1336<br>
Ready to process requests.<br>
<br>
From this output it's clear to me that neither MSCHAP nor any other
Auth-Type, for that matter, is being used. I know I'm missing
something here, but I'm really not sure what. Some advice would be much
appreciated!<br>
<br>
Greetings,<br>
<br>
Jonathan<br>
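<br>
The following is an added example; it is not part of the original post and not code from the FreeRADIUS or pam_radius projects. It implements the RFC 2865 section 5.2 User-Password hiding that pam_radius applies on the client and that FreeRADIUS reverses with the shared secret from clients.conf, so it shows what the "Unprintable characters in the password" warning in the debug output is reacting to. Decoding with the wrong secret produces pseudo-random bytes, almost all of them unprintable. The value FreeRADIUS actually decoded here, <tt>\010\n\r\177INCORRECT</tt>, is readable apart from four leading control bytes and is the exact string OpenSSH's sshd substitutes for the typed password when the login name has no account known to the local system (the <tt>badpw</tt> sentinel in auth-pam.c), which also trips that warning. The secret <tt>testing123</tt> comes from the radtest command in the post; the Request Authenticator is a fixed constructed value, and the classification thresholds are the example's own.

```python
"""RFC 2865 User-Password hiding, as an added illustration (not from the post).

A RADIUS client hides the plaintext password with MD5(secret || authenticator)
keystream blocks; the server reverses the operation with the secret configured
for that client.  A mismatched secret yields garbage, which is what the
FreeRADIUS "unprintable characters" warning is meant to catch.
"""
import hashlib
import os

# Assumed values for the demonstration: the radtest secret from the post and a
# fixed Request Authenticator (a real NAS sends 16 fresh random bytes).
SECRET = b"testing123"
AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Sentinel OpenSSH's sshd passes to PAM instead of the typed password when the
# login name has no local account (badpw in auth-pam.c); \b is octal \010.
SSHD_BADPW = b"\b\n\r\x7fINCORRECT"


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a plaintext password the way the NAS does (RFC 2865 section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    # Pad with NULs to a multiple of 16; the scheme cannot carry trailing NULs.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()   # b_i = MD5(S + c_(i-1))
        c = bytes(p ^ k for p, k in zip(padded[off:off + 16], block))
        hidden += c
        prev = c                                       # chain on the ciphertext
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding as the server does; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for off in range(0, len(hidden), 16):
        c = hidden[off:off + 16]
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ k for x, k in zip(c, block))
        prev = c
    return bytes(plain).rstrip(b"\x00")


def unprintable_fraction(data: bytes) -> float:
    """Share of bytes outside printable ASCII (0x20..0x7e)."""
    if not data:
        return 0.0
    return sum(1 for x in data if not 0x20 <= x <= 0x7e) / len(data)


def classify(decoded: bytes) -> str:
    """Heuristic reading of a decoded User-Password (thresholds are this example's)."""
    if decoded == SSHD_BADPW:
        return "sshd-unknown-user"          # secret was right; user has no local account
    if unprintable_fraction(decoded) > 0.5:
        return "probable-secret-mismatch"   # looks like MD5 keystream, not text
    return "plaintext"


if __name__ == "__main__":
    for pw in (b"mypassword", SSHD_BADPW):
        hidden = hide_user_password(pw, SECRET, AUTHENTICATOR)
        good = reveal_user_password(hidden, SECRET, AUTHENTICATOR)
        bad = reveal_user_password(hidden, b"wrongsecret", AUTHENTICATOR)
        print("correct secret ->", good, classify(good))
        print("wrong secret   ->", bad, classify(bad))
    # A random authenticator behaves the same; the secret is what matters.
    ra = os.urandom(16)
    assert reveal_user_password(hide_user_password(b"x", SECRET, ra), SECRET, ra) == b"x"
```

Running the block with the correct secret reproduces both inputs exactly; with a different secret the output is keystream rather than text. Because a packet that decodes to the sshd sentinel has already passed the shared-secret check, the two failure modes call for different fixes: the secret pairing for keystream output, and local resolution of the Active Directory account names (for example via the NSS configuration) for the sentinel.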
<br><br>
</body>
</html>