Hi
I did my tests and after removing that custom block of authorize section the following is the output.
rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, length=57
User-Name = "01546"
User-Password = "xxxxxxxx"
NAS-IP-Address = 192.168.0.99
NAS-Port = 0
Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[chap] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [suffix] No '@' in User-Name = "01546", looking up realm NULL
Sat Jan 21 19:21:08 2012 : Info: [suffix] No such realm "NULL"
Sat Jan 21 19:21:08 2012 : Info: ++[suffix] returns noop
Sat Jan 21 19:21:08 2012 : Info: [eap] No EAP-Message, not doing EAP
Sat Jan 21 19:21:08 2012 : Info: ++[eap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=xxxxxxxxx
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program: returned: 0
Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[expiration] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[logintime] returns noop
Sat Jan 21 19:21:08 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop
Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sat Jan 21 19:21:08 2012 : Info: Failed to authenticate the user.
Sat Jan 21 19:21:08 2012 : Info: Using Post-Auth-Type Reject
Sat Jan 21 19:21:08 2012 : Info: +- entering group REJECT {...}
Sat Jan 21 19:21:08 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Sat Jan 21 19:21:08 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
---------------------------------------------------------
So means that ntlm_auth is still wokring good bt some access control triggers the Access-Reject.
I am still directionless as to where should I head next, I mean how to make tht EAP client and MSCHAP authentication work. Would appreciate if I could get some handy quick and dirty list of works to do next OR some URL/mailing list entry etc which explains the same.
I am reading a FreeRadius book (Packet Publishing) which just might help.
Regards
Dhiraj Gaur
Thanks ndk and alan I lll give it a fresh try to the testbed. I have already deleted the DEFAULT entry from the users file and updated mschap as indicated. I think what might be forcing NTLM_AUTH is an entry which i made to the authorize section of default file after which ntlm_auth strated to work for me
if(!control:Auth-Type) {
update control {
Auth-Type = "ntlm_auth"
}
}
I ll try removing the same and then need to see how mschap thing will work. Would appreciate if you may point me to a further howto on the same. I aim to connect and eap client through radius without the use of certificates for which MSCHAP seems to be an option.
I think I ll write a howto or add a wiki entry if I can make it work fine.
regards
Dhiraj GaurOn Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok <aland@deployingradius.com> wrote:
NdK wrote:Yeah, I've gone and fixed that. "git" is nice for updating web pages.
>> The radclient program has since been updated.
> Then it could be better to update that page, since it's the reference
> for all newbies that try to make it work.
If it doesn't work, the web pages explain which part to blame. 99% of
> "It *should* work" is more correct :(
> There still are many things that can go wrong.
the time, it's a bug in someone else's software.
Alan DeKok.
--RegardsDhiraj Gaur