Ivan,

 

Thanks for the catch on listing ntlm_auth in authorize.  I followed the deployingradius.com link.  I’m still not getting it.  I tried uncommenting the ntlm_auth = line in the mschap file.  I got the same result.

 

login as: root

root@172.18.134.36's password:

Last login: Thu May 14 12:58:01 2009 from fm-mo-406641.fm.kroger.com

[root@u701radius02 ~]#

[root@u701radius02 ~]#

[root@u701radius02 ~]# radiusd -X

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec  8 2008 at 15:31:31

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License v2.

Starting - reading configuration files ...

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/modules/

including configuration file /etc/raddb/modules/smbpasswd

including configuration file /etc/raddb/modules/inner-eap

including configuration file /etc/raddb/modules/etc_group

including configuration file /etc/raddb/modules/checkval

including configuration file /etc/raddb/modules/policy

including configuration file /etc/raddb/modules/logintime

including configuration file /etc/raddb/modules/preprocess

including configuration file /etc/raddb/modules/attr_filter

including configuration file /etc/raddb/modules/always

including configuration file /etc/raddb/modules/pam

including configuration file /etc/raddb/modules/sqlcounter_expire_on_login

including configuration file /etc/raddb/modules/mac2ip

including configuration file /etc/raddb/modules/acct_unique

including configuration file /etc/raddb/modules/expr

including configuration file /etc/raddb/modules/sradutmp

including configuration file /etc/raddb/modules/pap

including configuration file /etc/raddb/modules/exec

including configuration file /etc/raddb/modules/detail.example.com

including configuration file /etc/raddb/modules/attr_rewrite

including configuration file /etc/raddb/modules/detail.log

including configuration file /etc/raddb/modules/wimax

including configuration file /etc/raddb/modules/detail

including configuration file /etc/raddb/modules/radutmp

including configuration file /etc/raddb/modules/unix

including configuration file /etc/raddb/modules/files

including configuration file /etc/raddb/modules/expiration

including configuration file /etc/raddb/modules/sql_log

including configuration file /etc/raddb/modules/echo

including configuration file /etc/raddb/modules/realm

including configuration file /etc/raddb/modules/counter

including configuration file /etc/raddb/modules/mschap

including configuration file /etc/raddb/modules/digest

including configuration file /etc/raddb/modules/ippool

including configuration file /etc/raddb/modules/perl

including configuration file /etc/raddb/modules/mac2vlan

including configuration file /etc/raddb/modules/linelog

including configuration file /etc/raddb/modules/chap

including configuration file /etc/raddb/modules/passwd

including configuration file /etc/raddb/eap.conf

including configuration file /etc/raddb/policy.conf

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/control-socket

including configuration file /etc/raddb/sites-enabled/default

including configuration file /etc/raddb/sites-enabled/inner-tunnel

group = radiusd

user = radiusd

including dictionary file /etc/raddb/dictionary

main {

        prefix = "/usr"

        localstatedir = "/var"

        logdir = "/var/log/radius"

        libdir = "/usr/lib/freeradius"

        radacctdir = "/var/log/radius/radacct"

        hostname_lookups = no

        max_request_time = 30

        cleanup_delay = 5

        max_requests = 1024

        allow_core_dumps = no

        pidfile = "/var/run/radiusd/radiusd.pid"

        checkrad = "/usr/sbin/checkrad"

        debug_level = 0

        proxy_requests = yes

 log {

        stripped_names = no

        auth = no

        auth_badpass = no

        auth_goodpass = no

 }

 security {

        max_attributes = 200

        reject_delay = 1

        status_server = yes

 }

}

 client 172.18.134.248 {

        require_message_authenticator = no

        secret = "testing123"

        shortname = "172.18.134.248"

        nastype = "other"

 }

 client localhost {

        ipaddr = 127.0.0.1

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

 }

radiusd: #### Loading Realms and Home Servers ####

 proxy server {

        retry_delay = 5

        retry_count = 3

        default_fallback = no

        dead_time = 120

        wake_all_if_all_dead = no

 }

 home_server localhost {

        ipaddr = 127.0.0.1

        port = 1812

        type = "auth"

        secret = "testing123"

        response_window = 20

        max_outstanding = 65536

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        num_answers_to_alive = 3

        num_pings_to_alive = 3

        revive_interval = 120

        status_check_timeout = 4

 }

 home_server_pool my_auth_failover {

        type = fail-over

        home_server = localhost

 }

 realm example.com {

        auth_pool = my_auth_failover

 }

 realm LOCAL {

 }

radiusd: #### Instantiating modules ####

 instantiate {

 Module: Linked to module rlm_exec

 Module: Instantiating exec

  exec {

        wait = no

        input_pairs = "request"

        shell_escape = yes

  }

 Module: Linked to module rlm_expr

 Module: Instantiating expr

 Module: Linked to module rlm_expiration

 Module: Instantiating expiration

  expiration {

        reply-message = "Password Has Expired  "

  }

 Module: Linked to module rlm_logintime

 Module: Instantiating logintime

  logintime {

        reply-message = "You are calling outside your allowed timespan  "

        minimum-timeout = 60

  }

 }

radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Instantiating ntlm_auth

  exec ntlm_auth {

        wait = yes

        program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOM002 --username=%{mschap:User-Name} --password=%{User-Password}"

        input_pairs = "request"

        shell_escape = yes

  }

 Module: Linked to module rlm_mschap

 Module: Instantiating mschap

  mschap {

        use_mppe = yes

        require_encryption = yes

        require_strong = yes

        with_ntdomain_hack = yes

  }

 Module: Linked to module rlm_unix

 Module: Instantiating unix

  unix {

        radwtmp = "/var/log/radius/radwtmp"

  }

 Module: Linked to module rlm_eap

 Module: Instantiating eap

  eap {

        default_eap_type = "peap"

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 2048

  }

 Module: Linked to sub-module rlm_eap_md5

 Module: Instantiating eap-md5

 Module: Linked to sub-module rlm_eap_leap

 Module: Instantiating eap-leap

 Module: Linked to sub-module rlm_eap_gtc

 Module: Instantiating eap-gtc

   gtc {

        challenge = "Password: "

        auth_type = "PAP"

   }

 Module: Linked to sub-module rlm_eap_tls

 Module: Instantiating eap-tls

   tls {

        rsa_key_exchange = no

        dh_key_exchange = yes

        rsa_key_length = 512

        dh_key_length = 512

        verify_depth = 0

        pem_file_type = yes

        private_key_file = "/etc/raddb/certs/server.pem"

        certificate_file = "/etc/raddb/certs/server.pem"

        CA_file = "/etc/raddb/certs/ca.pem"

        private_key_password = "whatever"

        dh_file = "/etc/raddb/certs/dh"

        random_file = "/etc/raddb/certs/random"

        fragment_size = 1024

        include_length = yes

        check_crl = no

        cipher_list = "DEFAULT"

        make_cert_command = "/etc/raddb/certs/bootstrap"

    cache {

        enable = no

        lifetime = 24

        max_entries = 255

    }

   }

 Module: Linked to sub-module rlm_eap_ttls

 Module: Instantiating eap-ttls

   ttls {

        default_eap_type = "md5"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_peap

 Module: Instantiating eap-peap

   peap {

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        proxy_tunneled_request_as_eap = yes

        virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_mschapv2

 Module: Instantiating eap-mschapv2

   mschapv2 {

        with_ntdomain_hack = no

   }

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_realm

 Module: Instantiating suffix

  realm suffix {

        format = "suffix"

        delimiter = "@"

        ignore_default = no

        ignore_null = no

  }

 Module: Linked to module rlm_files

 Module: Instantiating files

  files {

        usersfile = "/etc/raddb/users"

        acctusersfile = "/etc/raddb/acct_users"

        preproxy_usersfile = "/etc/raddb/preproxy_users"

        compat = "no"

  }

 Module: Checking session {...} for more modules to load

 Module: Linked to module rlm_radutmp

 Module: Instantiating radutmp

  radutmp {

        filename = "/var/log/radius/radutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        perm = 384

        callerid = yes

  }

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 Module: Linked to module rlm_attr_filter

 Module: Instantiating attr_filter.access_reject

  attr_filter attr_filter.access_reject {

        attrsfile = "/etc/raddb/attrs.access_reject"

        key = "%{User-Name}"

  }

 }

}

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_preprocess

 Module: Instantiating preprocess

  preprocess {

        huntgroups = "/etc/raddb/huntgroups"

        hints = "/etc/raddb/hints"

        with_ascend_hack = no

        ascend_channels_per_line = 23

        with_ntdomain_hack = no

        with_specialix_jetstream_hack = no

        with_cisco_vsa_hack = no

        with_alvarion_vsa_hack = no

  }

 Module: Checking preacct {...} for more modules to load

 Module: Linked to module rlm_acct_unique

 Module: Instantiating acct_unique

  acct_unique {

        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

  }

 Module: Checking accounting {...} for more modules to load

 Module: Linked to module rlm_detail

 Module: Instantiating detail

  detail {

        detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

 Module: Instantiating attr_filter.accounting_response

  attr_filter attr_filter.accounting_response {

        attrsfile = "/etc/raddb/attrs.accounting_response"

        key = "%{User-Name}"

  }

 Module: Checking session {...} for more modules to load

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 }

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = 172.18.134.36

        port = 0

}

listen {

        type = "acct"

        ipaddr = 172.18.134.36

        port = 0

}

listen {

        type = "control"

 listen {

        socket = "/var/run/radiusd/radiusd.sock"

 }

}

Listening on authentication address 172.18.134.36 port 1812

Listening on accounting address 172.18.134.36 port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on proxy address 172.18.134.36 port 1814

Ready to process requests.

 

rad_recv: Access-Request packet from host 172.18.134.248 port 1025, id=91, length=225

        Framed-MTU = 1466

        NAS-IP-Address = 172.18.134.248

        NAS-Identifier = "Puyallup_5412a"

        User-Name = "DOM002\\MD90345"

        Service-Type = Framed-User

        Framed-Protocol = PPP

        NAS-Port = 7

        NAS-Port-Type = Ethernet

        NAS-Port-Id = "A7"

        Called-Station-Id = "00-1f-28-39-c5-00"

        Calling-Station-Id = "00-1e-4f-b0-27-10"

        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"

        Tunnel-Type:0 = VLAN

        Tunnel-Medium-Type:0 = IEEE-802

        Tunnel-Private-Group-Id:0 = "999"

        EAP-Message = 0x020c001301444f4d3030325c4d443930333435

        Message-Authenticator = 0x4b7beab2c1c1ff79d37076c08cb8cbcc

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "DOM002\MD90345", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[unix] returns notfound

[files] users: Matched entry DEFAULT at line 174

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=MD90345

[ntlm_auth]     expand: --password=%{User-Password} -> --password=

Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Exec-Program: returned: 1

++[ntlm_auth] returns reject

Using Post-Auth-Type Reject

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} -> DOM002\MD90345

 attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 0 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 0

Sending Access-Reject of id 91 to 172.18.134.248 port 1025

Waking up in 4.9 seconds.

^C

[root@u701radius02 ~]#

 

Thanks,

Mike Davies

 



This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.