So to understand you right:
Every user that should be authenticated has to be an entry in
the users file?
Isn’t it possible to add an forwarding for every user so
that all requests are just forwarded and checked?
If not I must add all users from the AD to the users file, mustn’t
I?
Von:
freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
[mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org]
Im Auftrag von Syed Anwarul Hasan
Gesendet: Donnerstag, 9. Oktober 2008 13:16
An: FreeRadius users mailing list
Betreff: Re: Problem with ntlm_auth
And also don't remove ntlm_auth
from authenticate section of both default and inner-tunnel files.
On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <syedanwarulhasan2007@gmail.com>
wrote:
Ok, Where are USER CREDENTIALS stored, the one descibed in
the Manual is Bind as User. That is USer Entry is added in Users file and after
using ntlm_auth, it is checked against a Active Directory or LDAP server
backend using NT Lan manager Authentication Protocol.
For example:
Users file:
User Auth-Type :- ntlm_auth
In Active Directory
User should be a member.
So, then ntlm_auth requests will be passed from your Server to Active Directory
or LDAP Server.
Otherwise you will not setup ntlm_auth.
SYED
On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte@bertelsmann.de>
wrote:
OK, I have tested it
with "radtest MyUser MyPassword localhost 0 testing123" and this is
what the server gave back:
Ready to process
requests.
rad_recv:
Access-Request packet from host 127.0.0.1
port 32793, id=92, length=58
User-Name = "MyUser"
User-Password = "MyPassword"
NAS-IP-Address = IP.OF.THE.SERVER
NAS-Port = 0
+- entering group
authorize {...}
++[preprocess]
returns ok
++[chap] returns
noop
++[mschap] returns
noop
[suffix] No '@' in
User-Name = "MyUser", looking up realm NULL
[suffix] No such
realm "NULL"
++[suffix] returns
noop
[eap] No
EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns
notfound
++[files] returns
noop
++[expiration]
returns noop
++[logintime]
returns noop
[pap] WARNING! No
"known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
No authenticate
method (Auth-Type) configuration found for the request: Rejecting the user
Failed to
authenticate the user.
Using Post-Auth-Type
Reject
+- entering group
REJECT {...}
[attr_filter.access_reject]
expand: %{User-Name} -> MyUser
attr_filter:
Matched entry DEFAULT at line 11
++[attr_filter.access_reject]
returns updated
Delaying reject of
request 0 for 1 seconds
Going to the next
request
Waking up in 0.9
seconds.
Sending delayed
reject for request 0
Sending
Access-Reject of id 92 to 127.0.0.1
port 32793
Waking up in 4.9
seconds.
Cleaning up request
0 ID 92 with timestamp +3710
Ready to process
requests.
Now what should I
do?
Thanks in advance.
Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
[mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im
Auftrag von Syed Anwarul Hasan
Gesendet: Donnerstag, 9. Oktober 2008 12:12
An: FreeRadius users mailing list
Betreff: Re: Problem with ntlm_auth
Hi,
You can use radtest tool to check with the Server.The Server will return
accept-accept message.
Other tool includes JRadius Simulator as IVAN told. bu I have not used it.
Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP
requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you
have)
SYED
On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de>
wrote:
Thanks, now it works :)
Now the last step:
How can I test it? What tool/program etc. can/should I use to test it?
"The radclient cannot currently be used to send this request, unfortunately, which
makes testing a little difficult If everything goes well, you should see the
server returning an Access-Accept message as above."
Mit freundlichen Grüßen / Kind
regards
Frederik Niedernolte
-------------------------------------------------------
arvato services
An der Autobahn
33310 Gütersloh
Germany
http://www.arvato-services.de
frederik.niedernolte@bertelsmann.de
Tel.: +49 (0)5241 80-40554
arvato services GmbH: Sitz
Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf
Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen
Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im
Auftrag von Syed Anwarul Hasan
Gesendet: Donnerstag, 9. Oktober 2008 11:44
An: FreeRadius users mailing list
Betreff: Re: Problem with ntlm_auth
Hi Frederik,
1) Put User entry on TOP of users file.
2) In default file, in authenticate section, add ntlm_auth. Don't set
using Auth-Type.
3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add
ntlm_auth in Authenticate Section.
I hope it will solve your problem.
SYED
On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de>
wrote:
I have finished all steps till „user Auth-Type
:= ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
With this command I get this error message at the end of
"/usr/sbin/freeradius –X":
/etc/freeradius/users[1]: Parse
error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading
/etc/freeradius/users
/etc/freeradius/modules/files[7]:
Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]:
Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]:
Errors parsing authorize section.
}
}
Errors initializing modules
The authenticate section in the
/etc/freeradius/sites-enabled/default looks like this (only important part):
authenticate {
#
# NTML_AUTH authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
What is wrong and what can I do to solve the problem?
Thanks in advance.
Best regards, F. Niedernolte
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html