Hi Ivan, Firstly, Thanks for taking time to look at the problems I am facing. I have followed your instructions, and set the following in the users file: DEFAULT Auth-Type = ntlm_auth After doing that, I ran radiusd -X The configuration was fine at the beginning, but as it reaches an abrupt stop with the following errors in the debug: /usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /usr/local/etc/raddb/users /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files" /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files". /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules It seems like it require an external ntlm_auth to execute, rather than one that is embedded in MSCHAP module. I pick and match certain items from the URLS that I have previously attached. Just want to make it work at the minimum first, before I proceed expand it. Thanks! Regards, Andy tnt-4 wrote:
I am implementing Freeradius 2.0 to be integrated with Microsoft Activedirectory and has encountered problems. All are being run in Virtual Environment (VMware Server 1.07) RADIUS OS: CentOS5.2 Freeradius Server 2.1.1 PAM radius 1.3.17
Active Directory OS: Windows 2003 Server
I refer to a number of URLS: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO http://deployingradius.com/documents/configuration/active_directory.html
I have successfully been able to join the RADIUS server to the AD, and is able to have output for "wbinfo -u", and NTLM works well: [root@RADIUS tmp]# ntlm_auth --request-nt-key --domain=TEST
--username=test
password: NT_STATUS_OK: Success (0x0)
I used freeradius with it's default settings, but modifying MSCHAP module, enabling ntlm_auth: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Installed pam_radius 1.3.17, and configured sshd for pam to authenticate from pam_radius first: #%PAM-1.0 auth sufficient /lib/security/pam_radius_auth.so auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so
I ran "radiusd -X", and opened another SSH session, using "test" account, that I tried with ntlm_auth previously, and got the following as in the debug output: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71, length=86 User-Name = "test" User-Password = "password" NAS-IP-Address = 127.0.0.1 NAS-Identifier = "sshd" NAS-Port = 26171 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "10.0.0.151"
You have to go back to the step where you force Auth-Type ntlm_auth.
DEAFAULT Auth-Type = ntlm_auth
Put that in users file (just = not :=). If you send mschap request mschap in authorize will set the Auth-Type and this will have no effect; it will set Auth-Type for pap requests.
Integration document describes how to make it work for mschap (PEAP) request.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed... Sent from the FreeRadius - User mailing list archive at Nabble.com.