Hi, Thank you for your answer. Now i got an other issue : #radtest user@esiee.fr password localhost 0 testing123 #freeradius -X (0) Received Access-Request Id 174 from 127.0.0.1:58869 to 127.0.0.1:1812 length 87 (0) User-Name = "user@esiee.fr" (0) User-Password = "password" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) Message-Authenticator = 0xf6bf2c5fbe1b23a895a81494fbfbd709 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam (0) authorize { (0) if (!(User-Name =~ /@/)){ (0) if (!(User-Name =~ /@/)) -> FALSE (0) if (User-Name =~ /@$/){ (0) if (User-Name =~ /@$/) -> FALSE (0) if (User-Name =~ /@.+?@/){ (0) if (User-Name =~ /@.+?@/) -> FALSE (0) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/){ (0) if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE (0) if (User-Name =~ /@[\\.-]/){ (0) if (User-Name =~ /@[\\.-]/) -> FALSE (0) if (User-Name =~ /@.+?[\\.-]$/){ (0) if (User-Name =~ /@.+?[\\.-]$/) -> FALSE (0) if (User-Name =~ /@[^\\.]+$/){ (0) if (User-Name =~ /@[^\\.]+$/) -> FALSE (0) if (User-Name =~ /@.+?\\.\\./){ (0) if (User-Name =~ /@.+?\\.\\./) -> FALSE (0) if (User-Name =~ /@myabc\\.com$/i){ (0) if (User-Name =~ /@myabc\\.com$/i) -> FALSE (0) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i){ (0) if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE (0) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ (0) if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (0) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ (0) if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (0) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){ (0) if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE (0) if (User-Name =~ /@\\.?ac\\.uk$/i){ (0) if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE (0) if (User-Name =~ /@.+?\\.ax\\.uk$/i){ (0) if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/ 127.0.0.1/auth-detail-20180704 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20180704 (0) auth_log: EXPAND %t (0) auth_log: --> Wed Jul 4 10:19:14 2018 (0) [auth_log] = ok (0) policy operator-name.authorize { (0) if ("%{client:Operator-Name}") { (0) EXPAND %{client:Operator-Name} (0) --> (0) if ("%{client:Operator-Name}") -> FALSE (0) } # policy operator-name.authorize = ok (0) policy cui.authorize { (0) if ("%{client:add_cui}" == 'yes') { (0) EXPAND %{client:add_cui} (0) --> (0) if ("%{client:add_cui}" == 'yes') -> FALSE (0) } # policy cui.authorize = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "esiee.fr" for User-Name = "user@esiee.fr" (0) suffix: Found realm "esiee.fr" (0) suffix: Adding Stripped-User-Name = "user" (0) suffix: Adding Realm = "esiee.fr" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 1 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = ntlm_auth (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam (0) authenticate { *(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=lan.esiee.fr <http://lan.esiee.fr> --username=%{mschap:User-Name} --password=%{User-Password}:(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}(0) ntlm_auth: --> --username=user@esiee.fr <user@esiee.fr>(0) ntlm_auth: EXPAND --password=%{User-Password}(0) ntlm_auth: --> --password=password(0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)'(0) [ntlm_auth] = reject* (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> user@esiee.fr (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 174 from 127.0.0.1:1812 to 127.0.0.1:58869 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 174 with timestamp +6 The lines in bold shows that it try to authenticate via ntlm_auth by sending "user@esiee.fr" instead of "user". I try to use the "strip" option in the "esiee.fr" realm of proxy.conf but i still got the same error message : *realm esiee.fr <http://esiee.fr> { strip}* Thanks in advance for your suggestions. Regards, *Benjamin Dupalut* Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr Le mar. 3 juil. 2018 à 18:34, Alan DeKok <aland@deployingradius.com> a écrit :
On Jul 3, 2018, at 11:49 AM, Benjamin DUPALUT <benjamin.dupalut@esiee.fr> wrote:,
First of all, sorry for my english if there is some mistakes.
It's fine.
I'm trying to set up an authentication between a freeradius 3.0 server and a Samba 4 AD using ntlm_auth.
I apply the configuration from deployingradius.com/documents/configuration/active_directory.html
See the section titles "Configuring FreeRADIUS to use ntlm_auth"
but i got an error when testing with the "radtest -t mschap user passwd 127.0.0.1 0 testing123" command.
Here is the issue of the freeradius -X debug :
(11) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (11) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(11) mschap: Client is using MS-CHAPv1 with NT-Password (11) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (11) mschap: ERROR: MS-CHAP2-Response is incorrect
It's still trying to use Cleartext-Password. You need to configure it to use ntlm_auth.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html