We’re not able to get the user authenticated. 

 

[root@u701radius02 raddb]# wbinfo -a dw68406a%garrett05

plaintext password authentication succeeded

challenge/response password authentication succeeded

 

 [root@u701radius02 raddb]# ntlm_auth --request-nt-key --domain=dom002 --username=dw68406a --password=garrett05

NT_STATUS_OK: Success (0x0)

 

[root@u701radius02 raddb]# radiusd -X

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec  8 2008 at 15:31:31

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License v2.

Starting - reading configuration files ...

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/modules/

including configuration file /etc/raddb/modules/smbpasswd

including configuration file /etc/raddb/modules/inner-eap

including configuration file /etc/raddb/modules/etc_group

including configuration file /etc/raddb/modules/checkval

including configuration file /etc/raddb/modules/policy

including configuration file /etc/raddb/modules/logintime

including configuration file /etc/raddb/modules/preprocess

including configuration file /etc/raddb/modules/attr_filter

including configuration file /etc/raddb/modules/always

including configuration file /etc/raddb/modules/pam

including configuration file /etc/raddb/modules/sqlcounter_expire_on_login

including configuration file /etc/raddb/modules/mac2ip

including configuration file /etc/raddb/modules/acct_unique

including configuration file /etc/raddb/modules/expr

including configuration file /etc/raddb/modules/sradutmp

including configuration file /etc/raddb/modules/pap

including configuration file /etc/raddb/modules/exec

including configuration file /etc/raddb/modules/detail.example.com

including configuration file /etc/raddb/modules/attr_rewrite

including configuration file /etc/raddb/modules/detail.log

including configuration file /etc/raddb/modules/wimax

including configuration file /etc/raddb/modules/detail

including configuration file /etc/raddb/modules/radutmp

including configuration file /etc/raddb/modules/unix

including configuration file /etc/raddb/modules/files

including configuration file /etc/raddb/modules/expiration

including configuration file /etc/raddb/modules/sql_log

including configuration file /etc/raddb/modules/echo

including configuration file /etc/raddb/modules/realm

including configuration file /etc/raddb/modules/counter

including configuration file /etc/raddb/modules/mschap

including configuration file /etc/raddb/modules/digest

including configuration file /etc/raddb/modules/ippool

including configuration file /etc/raddb/modules/perl

including configuration file /etc/raddb/modules/mac2vlan

including configuration file /etc/raddb/modules/linelog

including configuration file /etc/raddb/modules/chap

including configuration file /etc/raddb/modules/passwd

including configuration file /etc/raddb/eap.conf

including configuration file /etc/raddb/policy.conf

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/control-socket

including configuration file /etc/raddb/sites-enabled/default

including configuration file /etc/raddb/sites-enabled/inner-tunnel

group = radiusd

user = radiusd

including dictionary file /etc/raddb/dictionary

main {

  prefix = "/usr"

  localstatedir = "/var"

  logdir = "/var/log/radius"

  libdir = "/usr/lib/freeradius"

  radacctdir = "/var/log/radius/radacct"

  hostname_lookups = no

  max_request_time = 30

  cleanup_delay = 5

  max_requests = 1024

  allow_core_dumps = no

  pidfile = "/var/run/radiusd/radiusd.pid"

  checkrad = "/usr/sbin/checkrad"

  debug_level = 0

  proxy_requests = yes

 log {

  stripped_names = no

  auth = no

  auth_badpass = no

  auth_goodpass = no

 }

 security {

  max_attributes = 200

  reject_delay = 1

  status_server = yes

 }

}

 client 172.18.134.248 {

  require_message_authenticator = no

  secret = "testing123"

  shortname = "172.18.134.248"

  nastype = "other"

 }

 client localhost {

  ipaddr = 127.0.0.1

  require_message_authenticator = no

  secret = "testing123"

  nastype = "other"

 }

radiusd: #### Loading Realms and Home Servers ####

 proxy server {

  retry_delay = 5

  retry_count = 3

  default_fallback = no

  dead_time = 120

  wake_all_if_all_dead = no

 }

 home_server localhost {

  ipaddr = 127.0.0.1

  port = 1812

  type = "auth"

  secret = "testing123"

  response_window = 20

  max_outstanding = 65536

  zombie_period = 40

  status_check = "status-server"

  ping_interval = 30

  check_interval = 30

  num_answers_to_alive = 3

  num_pings_to_alive = 3

  revive_interval = 120

  status_check_timeout = 4

 }

 home_server_pool my_auth_failover {

  type = fail-over

  home_server = localhost

 }

 realm example.com {

  auth_pool = my_auth_failover

 }

 realm LOCAL {

 }

radiusd: #### Instantiating modules ####

 instantiate {

 Module: Linked to module rlm_exec

 Module: Instantiating exec

  exec {

  wait = no

  input_pairs = "request"

  shell_escape = yes

  }

 Module: Linked to module rlm_expr

 Module: Instantiating expr

 Module: Linked to module rlm_expiration

 Module: Instantiating expiration

  expiration {

  reply-message = "Password Has Expired  "

  }

 Module: Linked to module rlm_logintime

 Module: Instantiating logintime

  logintime {

  reply-message = "You are calling outside your allowed timespan  "

  minimum-timeout = 60

  }

 }

radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Instantiating ntlm_auth

  exec ntlm_auth {

  wait = yes

  program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOM002 --username=%{mschap:User-Name} --password=%{User-Password}"

  input_pairs = "request"

  shell_escape = yes

  }

 Module: Linked to module rlm_mschap

 Module: Instantiating mschap

  mschap {

  use_mppe = yes

  require_encryption = yes

  require_strong = yes

  with_ntdomain_hack = yes

  }

 Module: Linked to module rlm_unix

 Module: Instantiating unix

  unix {

  radwtmp = "/var/log/radius/radwtmp"

  }

 Module: Linked to module rlm_eap

 Module: Instantiating eap

  eap {

  default_eap_type = "peap"

  timer_expire = 60

  ignore_unknown_eap_types = no

  cisco_accounting_username_bug = no

  max_sessions = 2048

  }

 Module: Linked to sub-module rlm_eap_md5

 Module: Instantiating eap-md5

 Module: Linked to sub-module rlm_eap_leap

 Module: Instantiating eap-leap

 Module: Linked to sub-module rlm_eap_gtc

 Module: Instantiating eap-gtc

   gtc {

  challenge = "Password: "

  auth_type = "PAP"

   }

 Module: Linked to sub-module rlm_eap_tls

 Module: Instantiating eap-tls

   tls {

  rsa_key_exchange = no

  dh_key_exchange = yes

  rsa_key_length = 512

  dh_key_length = 512

  verify_depth = 0

  pem_file_type = yes

  private_key_file = "/etc/raddb/certs/server.pem"

  certificate_file = "/etc/raddb/certs/server.pem"

  CA_file = "/etc/raddb/certs/ca.pem"

  private_key_password = "whatever"

  dh_file = "/etc/raddb/certs/dh"

  random_file = "/etc/raddb/certs/random"

  fragment_size = 1024

  include_length = yes

  check_crl = no

  cipher_list = "DEFAULT"

  make_cert_command = "/etc/raddb/certs/bootstrap"

    cache {

  enable = no

  lifetime = 24

  max_entries = 255

    }

   }

 Module: Linked to sub-module rlm_eap_ttls

 Module: Instantiating eap-ttls

   ttls {

  default_eap_type = "md5"

  copy_request_to_tunnel = no

  use_tunneled_reply = no

  virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_peap

 Module: Instantiating eap-peap

   peap {

  default_eap_type = "mschapv2"

  copy_request_to_tunnel = no

  use_tunneled_reply = no

  proxy_tunneled_request_as_eap = yes

  virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_mschapv2

 Module: Instantiating eap-mschapv2

   mschapv2 {

  with_ntdomain_hack = no

   }

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_realm

 Module: Instantiating suffix

  realm suffix {

  format = "suffix"

  delimiter = "@"

  ignore_default = no

  ignore_null = no

  }

 Module: Linked to module rlm_files

 Module: Instantiating files

  files {

  usersfile = "/etc/raddb/users"

  acctusersfile = "/etc/raddb/acct_users"

  preproxy_usersfile = "/etc/raddb/preproxy_users"

  compat = "no"

  }

 Module: Checking session {...} for more modules to load

 Module: Linked to module rlm_radutmp

 Module: Instantiating radutmp

  radutmp {

  filename = "/var/log/radius/radutmp"

  username = "%{User-Name}"

  case_sensitive = yes

  check_with_nas = yes

  perm = 384

  callerid = yes

  }

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 Module: Linked to module rlm_attr_filter

 Module: Instantiating attr_filter.access_reject

  attr_filter attr_filter.access_reject {

  attrsfile = "/etc/raddb/attrs.access_reject"

  key = "%{User-Name}"

  }

 }

}

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_preprocess

 Module: Instantiating preprocess

  preprocess {

  huntgroups = "/etc/raddb/huntgroups"

  hints = "/etc/raddb/hints"

  with_ascend_hack = no

  ascend_channels_per_line = 23

  with_ntdomain_hack = no

  with_specialix_jetstream_hack = no

  with_cisco_vsa_hack = no

  with_alvarion_vsa_hack = no

  }

 Module: Checking preacct {...} for more modules to load

 Module: Linked to module rlm_acct_unique

 Module: Instantiating acct_unique

  acct_unique {

  key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

  }

 Module: Checking accounting {...} for more modules to load

 Module: Linked to module rlm_detail

 Module: Instantiating detail

  detail {

  detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"

  header = "%t"

  detailperm = 384

  dirperm = 493

  locking = no

  log_packet_header = no

  }

 Module: Instantiating attr_filter.accounting_response

  attr_filter attr_filter.accounting_response {

  attrsfile = "/etc/raddb/attrs.accounting_response"

  key = "%{User-Name}"

  }

 Module: Checking session {...} for more modules to load

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 }

radiusd: #### Opening IP addresses and Ports ####

listen {

  type = "auth"

  ipaddr = 172.18.134.36

  port = 0

}

listen {

  type = "acct"

  ipaddr = 172.18.134.36

  port = 0

}

listen {

  type = "control"

 listen {

  socket = "/var/run/radiusd/radiusd.sock"

 }

}

Listening on authentication address 172.18.134.36 port 1812

Listening on accounting address 172.18.134.36 port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on proxy address 172.18.134.36 port 1814

Ready to process requests.

 

rad_recv: Access-Request packet from host 172.18.134.248 port 1025, id=216, length=227

  Framed-MTU = 1466

  NAS-IP-Address = 172.18.134.248

  NAS-Identifier = "Puyallup_5412a"

  User-Name = "DOM002\\DW68406A"

  Service-Type = Framed-User

  Framed-Protocol = PPP

  NAS-Port = 9

  NAS-Port-Type = Ethernet

  NAS-Port-Id = "A9"

  Called-Station-Id = "00-1f-28-39-c5-00"

  Calling-Station-Id = "00-1e-4f-b0-27-10"

  Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"

  Tunnel-Type:0 = VLAN

  Tunnel-Medium-Type:0 = IEEE-802

  Tunnel-Private-Group-Id:0 = "999"

  EAP-Message = 0x0201001401444f4d3030325c4457363834303641

  Message-Authenticator = 0xb3953b3cb40087233b51cc35bde7b183

+- entering group authorize {...}

++[preprocess] returns ok

[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=DW68406A

[ntlm_auth]     expand: --password=%{User-Password} -> --password=

Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Exec-Program: returned: 1

++[ntlm_auth] returns reject

Using Post-Auth-Type Reject

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} -> DOM002\DW68406A

 attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 0 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 0

Sending Access-Reject of id 216 to 172.18.134.248 port 1025

Waking up in 4.9 seconds.

Cleaning up request 0 ID 216 with timestamp +20

Ready to process requests.

^C

 [root@u701radius02 raddb]#

 

Thanks,

Mike Davies

Network Engineer

Fred Meyer

503-797-7753

 



This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.