Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is Bind as User. That is USer Entry is added in Users file and after using ntlm_auth, it is checked against a Active Directory or LDAP server backend using NT Lan manager Authentication Protocol. For example: Users file: User Auth-Type :- ntlm_auth In Active Directory User should be a member. So, then ntlm_auth requests will be passed from your Server to Active Directory or LDAP Server. Otherwise you will not setup ntlm_auth. SYED On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte@bertelsmann.de>wrote:
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
User-Name = "MyUser"
User-Password = "MyPassword"
NAS-IP-Address = IP.OF.THE.SERVER
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> MyUser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
Waking up in 4.9 seconds.
Cleaning up request 0 ID 92 with timestamp +3710
Ready to process requests.
Now what should I do? Thanks in advance.
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 12:12
*An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi, You can use radtest tool to check with the Server.The Server will return accept-accept message. Other tool includes JRadius Simulator as IVAN told. bu I have not used it. Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you have)
SYED
On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
Thanks, now it works :)
Now the last step: How can I test it? What tool/program etc. can/should I use to test it?
"The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as above."
Mit freundlichen Grüßen / Kind regards
Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de<frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554
arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 11:44 *An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi Frederik,
1) Put User entry on *TOP* of users file. 2) In default file, in authenticate section, add *ntlm_auth. *Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add *ntlm_auth* in Authenticate Section.
I hope it will solve your problem. SYED
On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
I have finished all steps till „*user* Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
With this command I get this error message at the end of "/usr/sbin/freeradius –X":
/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules
The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part):
authenticate {
#
# NTML_AUTH authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
What is wrong and what can I do to solve the problem?
Thanks in advance.
Best regards, F. Niedernolte
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html