Dear Alan, I'm following your guide "Configuring Authentication with Active Directory" (http://deployingradius.com/documents/configuration/active_ directory.html) in order to analyze my configurations issues. Please I will show you the most important parts of the tutorial, and I will tell you what I put or what I get from the tests, so you can comment below if you can: *1) Configuring Freeradius to use ntlm_auth, in /etc/freeradius/modules/ntlm_**auth:* exec ntlm_auth { wait = yes program = "*/usr/bin/ntlm_auth* --request-nt-key --domain=*DOMAIN.COM <http://DOMAIN.COM>* --username=%{mschap:User-Name} --password=%{User-Password}" } But in /etc/freeradius/sites-enabled/default and inner-tunnel, I have not the following authenticate sections at all: authenticate { ... ntlm_auth ... } If I have to put them, what do I have to add in the "..." lines you don't specify??? *2) After that, you recommend to use the testing command:* $ radtest *user* *password* localhost 0 testing123 This user correspond to my domain "DOMAIN.COM", or is a local user in order to test the config ??? *3) Configuring Freeradius to use ntlm_auth for MSCHAP* In /etc/freeradius/modules/mschap file I put: ntlm_auth = "*/usr/bin/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*DOMAIN.COM <http://DOMAIN.COM>*} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" After that I start the Freeradius service in debug mode, and I use radtest command to send a MSCHAP authentication request. I have Freeradius 2.2.5, so I execute: $ radtest -t mschap bob hello localhost 0 testing123 Is bob/hello a username/password from DOMAIN.COM ??? If I execute this in this way: Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>" NAS-IP-Address = 192.168.1.250 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0xdb6688ffc58b6208 MS-CHAP-Response = 0x0001000000000000000000000000 0000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a r ad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=220, length=38 MS-CHAP-Error = "\000E=691 R=1" Please I'll be waiting for your feedback, special thanks !!! Alejandro 2017-06-15 14:05 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK.
That's good.
In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log).
So... what is the reject message?
Please post the full debug output as suggested in the FAQ, "man" pages, wiki, and daily on this list.
In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK.
That's good.
So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba?
It's not magic. But it DOES require that you read the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //