Hi All,

I'm trying to configure Freeradius Active Directory Authentication using ntlm_auth.
When I run from the shell I could get the positive response.

ntlm_auth --username shyju --password
Password:
NT_STATUS_OK: Success (0x0)

But when I test with the radtest authentication does not work. Please Find below the logs.



Client - Side
radtest  shyju password localhost 0 testing123

Sending Access-Request of id 125 to 127.0.0.1 port 1812
        User-Name = "shyju"
        User-Password = "password"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=125, length=20


Server-Side

rad_recv: Access-Request packet from host 127.0.0.1 port 60581, id=253, length=131
        User-Name = "shyju"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x0156cd3b06a063bf8c9dee41dca40c37
        MS-CHAP-Challenge = 0x3b41e041947f5126
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003d43a50a42ac1c73b4beeab62bfba628013e7764d8651047
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "shyju", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap]        ... expanding second conditional
[mschap]        expand: %{User-Name} -> shyju
[mschap]        expand: %{%{User-Name}:-None} -> shyju
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=shyju
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} ->
[mschap]        ... expanding second conditional
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL} -> --domain=DOMAIN.LOCAL
[mschap]  mschap1: 3b
[mschap]        expand: %{mschap:Challenge} -> 3b41e041947f5126
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=3b41e041947f5126
[mschap]        expand: %{mschap:NT-Response} -> 3d43a50a42ac1c73b4beeab62bfba628013e7764d8651047
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3d43a50a42ac1c73b4beeab62bfba628013e7764d8651047
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> shyju
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 253 to 127.0.0.1 port 60581
        MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 2 ID 253 with timestamp +73
Ready to process requests.



_______
Regards,
Shyju