Nice catch on the hyphen but that did not fix the problem (probably left out after changing the line several times testing different configurations). I realize the problem is in the creation of the response for the user/password/challenge combination however it is just a question of why. I have tried using with_ntdomain_hack = yes and using with_ntdomain_hack = no but neither combination works, it seems to ignore that value. It may possibly be helpful if someone could give me a valid user, pass, challenge, and response so that I can test ntlm with known good values. my radiusd.conf follows Thanks, Neal ___________________________________________________ radiusd.conf ___________________________________________________ prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid #user = nobody #group = nobody max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = no $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { #use_mppe = yes #require_encryption = yes #require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } #passwd etc_smbpasswd { # filename = /etc/smbpasswd # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" # authtype = MS-CHAP # hashsize = 100 # ignorenislike = no # allowmultiplekeys = no #} #passwd etc_group { # filename = /etc/group # format = "=Group-Name:::*,User-Name" # hashsize = 50 # ignorenislike = yes # allowmultiplekeys = yes # delimiter = ":" #} realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } #attr_rewrite sanecallerid { # attribute = Called-Station-Id # may be "packet", "reply", "proxy", "proxy_reply" or "config" # searchin = packet # searchfor = "[+ ]" # replacewith = "" # ignore_case = no # new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended to the original string # append = no #} preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 #with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply #packet_type = Access-Accept } ippool main_pool { #this section isnt used is it? } } instantiate { exec expr # daily } authorize { preprocess auth_log # attr_filter # chap mschap # digest # IPASS #suffix # ntdomain eap # files # sql # etc_smbpasswd # ldap # daily # checkval } # Authentication. authenticate { #Auth-Type PAP { #pap #} #Auth-Type CHAP { #chap #} Auth-Type MS-CHAP { mschap } # digest # pam #unix # Auth-Type LDAP { # ldap # } eap } preacct { preprocess acct_unique # IPASS # suffix #ntdomain #files } accounting { detail # daily unix radutmp # sradutmp # main_pool sql # pgsql-voip } session { radutmp # sql } post-auth { # Get an address from the IP Pool. # main_pool reply_log # sql # ldap # Post-Auth-Type REJECT { # insert-module-name-here # } } pre-proxy { } post-proxy { eap } James J J Hooper wrote:
On 21 Nov 2006, at 10:34, Phil Mayers wrote:
Neal Bullins wrote:
/usr/bin/ntlm_auth --request-nt-key --domain=MyDom --username=radtest And then I enter the correct password and the result is “NT_STATUS_OK: Success (0x0)”.
Well, that's a plaintext auth, so not really relevant to the next bit...
The debug output from freeradius is: Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MyDom --username=radtest --challenge=3bdc9461e268b957 --ntresponse=d618ee49ab97f0ea5cc9c491904dbbbea5a56eb5c9cc0608 Exec-Program output: Logon failure (0xc000006d)
This is a challenge-response auth. The logical conclusion is that the response is not correct for that user/password/challenge combination. ... or you have made a typo in the command.... there should be a hyphen between nt and response in --nt-response
-James
-- James J J Hooper Information Services University of Bristol --
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html