Sorry I forgot to attach the radiusd.conf and debug results *************************************************************** .......... prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd # # The logging messages for the server are appended to the # tail of this file. # log_file = ${logdir}/radius.log libdir = /usr/local/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 # max_requests = 1024 # bind_address = * # port = 0 # hostname_lookups = no # allow_core_dumps = no # Regular expressions # regular_expressions = yes extended_expressions = yes # Log the full User-Name attribute, as it was found in the request. # log_stripped_names = no # Log authentication requests to the log file. # # allowed values: {no, yes} # log_auth = no # Log passwords with the authentication requests. # log_auth_badpass - logs password if it's rejected # log_auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no usercollide = no # lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad # security { max_attributes = 200 reject_delay = 1 status_server = no } $INCLUDE ${confdir}/clients.conf # SNMP CONFIGURATION snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 # min_spare_servers = 3 max_spare_servers = 10 # There may be memory leaks or resource allocation problems with max_requests_per_server = 0 } # MODULE CONFIGURATION # # The names and configuration of each module is located in this section. # # After the modules are defined here, they may be referred to by name, # in other sections of this configuration file. # modules { exec ntlm_auth { wait = no program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.ORG --username=%{mschap:User-Name} --password=%{User-Password}" } # pap { encryption_scheme = crypt } chap { authtype = CHAP } $INCLUDE ${confdir}/eap.conf mschap { # authtype = MS-CHAP # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN.ORG} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no #notfound-reject = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } expr { } exec { wait = yes input_pairs = request } exec echo { # wait = yes # program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } } # Instantiation instantiate { expr } authorize { preprocess chap mschap suffix eap files } authenticate { ntlm_auth } preacct { preprocess acct_unique suffix files } accounting { detail } session { radutmp } post-auth { } pre-proxy { } post-proxy { } *********************************************************************** rad_recv: Access-Request packet from host 127.0.0.1:32783, id=159, length=57 User-Name = "raduser" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 154 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ntlm_auth auth: type "ntlm_auth" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 radius_xlat: Running registered xlat function of module mschap for string 'User- Name' radius_xlat: '--username=raduser' radius_xlat: '--password=test123' modcall[authenticate]: module "ntlm_auth" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 Sending Access-Accept of id 159 to 127.0.0.1 port 32783 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 159 with timestamp 463879cf Nothing to do. Sleeping until we see a request. ***************************************************************************** On 5/2/07, shrikant Bhat <shrikabhat@gmail.com> wrote:
Hello All, Could some one please tell me why ntlm_auth resurning OK with out looking up the ADS . I couldnt understand the debug.
On 5/1/07, shrikant Bhat <shrikabhat@gmail.com> wrote:
Alan, My intention is not argue, since I coudnt understand the debug I posted the messege.
On 4/30/07, Alan DeKok <aland@deployingradius.com> wrote:
shrikant Bhat wrote:
I dont have the user in Active directory, yet free radius sends a accept packet.
I did read the debug output, unlike you. It shows why. I told you why. Stop arguing and read the debug output again, and my responses.
It's not FreeRADIUS. You have configured FreeRADIUS to reply with an Access-Accept if the ntlm_auth module returns OK. For some reason, the ntlm_auth is returning OK. Go find out why that's happening, and fix it.
Do NOT reply with "but freeradius sends an access accept". That reply indicates that you're not reading the messages here. If you're not going to read the answers to your questions, I suggest you stop asking the questions. You're wasting your time, and ours.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html