On 08/21/2013 05:11 AM, Chris Parker wrote:
Log output: rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57 User-Name = "wyse1" User-Password = "K503D" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "wyse1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=wyse1 [ntlm_auth] expand: --password=%{User-Password} -> --password=K503D Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok
You're running ntlm_auth in the "authorize" section, and then:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
...nothing in the "authenticate" section. You either want: authorize { ... ntlm_auth if (ok) { update control { Auth-Type := Accept } } ... } ...or: authorize { ... # don't run ntlm_auth here, and right at the bottom if (User-Password) { # PAP request, tell ntlm_auth to run in authenticate update control { Auth-Type = ntlm_auth } } } authenticate { Auth-Type ntlm_auth { ntlm_auth } } HOWEVER - you should note that the (EXTREMELY unfortunately named) "ntlm_auth" module instance is usually not what you want for wireless. Wireless is typically 802.1x with PEAP/MSCHAP, which will entail setting up the "ntlm_auth" configuration *item* of the mschap module. Read the extensive docs, wiki, and walkthrough on deployingradius.com for more info.
Failed to authenticate the user. Login incorrect: [wyse1/K503D] (from client localhost port 1812) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> wyse1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 114 to 127.0.0.1 port 35826 Waking up in 4.9 seconds. Cleaning up request 7 ID 114 with timestamp +843 Ready to process requests. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html