On Jun 21, 2017, at 2:12 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
*1) Configuring Freeradius to use ntlm_auth, in /etc/freeradius/modules/ntlm_**auth:*
exec ntlm_auth { wait = yes program = "*/usr/bin/ntlm_auth* --request-nt-key --domain=*DOMAIN.COM <http://DOMAIN.COM>* --username=%{mschap:User-Name} --password=%{User-Password}" }
But in /etc/freeradius/sites-enabled/default and inner-tunnel, I have not the following authenticate sections at all:
authenticate { ... ntlm_auth ... }
If I have to put them, what do I have to add in the "..." lines you don't specify???
The "..." is a place-holder. It indicates other things in that section. it does' t mean insert a literal "..."
*2) After that, you recommend to use the testing command:*
$ radtest *user* *password* localhost 0 testing123
This user correspond to my domain "DOMAIN.COM", or is a local user in order to test the config ???
If you're testing a user in AD, you should run radtest with a user in AD.
*3) Configuring Freeradius to use ntlm_auth for MSCHAP*
In /etc/freeradius/modules/mschap file I put:
ntlm_auth = "*/usr/bin/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*DOMAIN.COM <http://DOMAIN.COM>*} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
After that I start the Freeradius service in debug mode, and I use radtest command to send a MSCHAP authentication request. I have Freeradius 2.2.5, so I execute:
$ radtest -t mschap bob hello localhost 0 testing123
Is bob/hello a username/password from DOMAIN.COM ???
If I execute this in this way:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>"
Is the account in AD called "alejandro@domain.com"? Or is it just alejandro ? Again... if you're testing a user in AD, you just need to test with the username that's in AD. There is simply no reason to do anything else.
NAS-IP-Address = 192.168.1.250 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0xdb6688ffc58b6208 MS-CHAP-Response = 0x0001000000000000000000000000 0000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a r ad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=220, length=38 MS-CHAP-Error = "\000E=691 R=1"
And all of the FAQ, web pages, "man" pages and EVERYTHING ELSE says to look at / post the debug output of the server. NOT the output of "radtest". Alan DeKok.