I updated my RHEL FreeRadius package to what it calls version 3.0.13-8.el7_4 and now my original users file works again (thank you). However, I have a new problem. When I use radtest to test authentication, the policy filter_username is now failing. If I comment it out of 'default', authentication works correctly. My username looks okay according to the output. I tried commenting out the if statement that produces the 'Rejected: User-Name contains multiple ..s' but then another if statement fails later on. Ready to process requests (0) Received Access-Request Id 199 from 127.0.0.1:39414 to 127.0.0.1:1812 length 134 (0) User-Name = "guest002" (0) NAS-IP-Address = 192.168.199.163 (0) NAS-Port = 0 (0) Message-Authenticator = 0xfc43cddab6726d2fa73c3eb0bec5de4c (0) MS-CHAP-Challenge = 0x0945f6b315705436 (0) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000b2a5f6c47982e677afdfc2761d9e8c0aec2e32a9ff91600d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> TRUE (0) if (&User-Name =~ /\.\./ ) { (0) update request { (0) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' (0) } # update request = noop (0) [reject] = reject (0) } # if (&User-Name =~ /\.\./ ) = reject (0) } # if (&User-Name) = reject (0) } # policy filter_username = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> guest002 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 199 from 127.0.0.1:1812 to 127.0.0.1:39414 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 199 with timestamp +215 Ready to process requests -Mike -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+diggins=mcmaster.ca@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, August 7, 2017 3:21 AM To: FreeRadius users mailing list Subject: Re: FreeRadius 2 -> 3.04 ntlm_auth not working On Aug 7, 2017, at 1:41 AM, Diggins Mike <diggins@mcmaster.ca> wrote:
Some progress. With my users file (/mods-config/files/authorize) empty, authentication works according to radtest.
However, I need to return certain attributes along with specific userids that authenticate. The rest (default) can just authenticate normally.
In FR v2 I added this to the users file.
userid Auth-Type = ntlm_auth Reply-Message = "attr1","attr2",
DEFAULT Auth-Type = ntlm_auth
FR 3 doesn't like this (Unknown value 'ntlm_auth' for attribute 'Auth-Type'). I don't know what it wants to fix it. None of the samples in /mods-config/files/authorize look like this?
Use 3.0.15. This issue bas been fixed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html