ignore the ntlm_auth module.... you need to just use the mschap method - enure you have configured the ntlm_auth string in the mschap module (or, with latest versions of freeRADIUS, dont use ntlm_auth at all, use the native direct winbindd method - much much faster) - then, to test, dnt use radtest - as thats basic, use eg eapol_test instead as that will behave like a real client (EAP method) - your error suggests incorrect password (or rather user/pass combination issue) - suggest that your AD doesnt like getting a domain in the username - so just add your domain to the proxy.conf as a local realm eg realm domain.com { } then ensure that 'Stripped-User-Name' is being used in the ntlm_auth or winbindd call rather than mschap:User-Name alan On 21 June 2017 at 19:12, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear Alan, I'm following your guide "Configuring Authentication with Active Directory" (http://deployingradius.com/documents/configuration/active_ directory.html) in order to analyze my configurations issues.
Please I will show you the most important parts of the tutorial, and I will tell you what I put or what I get from the tests, so you can comment below if you can:
*1) Configuring Freeradius to use ntlm_auth, in /etc/freeradius/modules/ntlm_**auth:*
exec ntlm_auth { wait = yes program = "*/usr/bin/ntlm_auth* --request-nt-key --domain=*DOMAIN.COM <http://DOMAIN.COM>* --username=%{mschap:User-Name} --password=%{User-Password}" }
But in /etc/freeradius/sites-enabled/default and inner-tunnel, I have not the following authenticate sections at all:
authenticate { ... ntlm_auth ... }
If I have to put them, what do I have to add in the "..." lines you don't specify???
*2) After that, you recommend to use the testing command:*
$ radtest *user* *password* localhost 0 testing123
This user correspond to my domain "DOMAIN.COM", or is a local user in order to test the config ???
*3) Configuring Freeradius to use ntlm_auth for MSCHAP*
In /etc/freeradius/modules/mschap file I put:
ntlm_auth = "*/usr/bin/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*DOMAIN.COM <http://DOMAIN.COM>*} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
After that I start the Freeradius service in debug mode, and I use radtest command to send a MSCHAP authentication request. I have Freeradius 2.2.5, so I execute:
$ radtest -t mschap bob hello localhost 0 testing123
Is bob/hello a username/password from DOMAIN.COM ???
If I execute this in this way:
Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "alejandro@domain.com <alcabrera@g-bapro.net>" NAS-IP-Address = 192.168.1.250 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0xdb6688ffc58b6208 MS-CHAP-Response = 0x0001000000000000000000000000 0000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a r ad_recv: *Access-Reject* packet from host 127.0.0.1 port 1812, id=220, length=38 MS-CHAP-Error = "\000E=691 R=1"
Please I'll be waiting for your feedback, special thanks !!!
Alejandro
2017-06-15 14:05 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK.
That's good.
In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log).
So... what is the reject message?
Please post the full debug output as suggested in the FAQ, "man" pages, wiki, and daily on this list.
In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK.
That's good.
So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba?
It's not magic. But it DOES require that you read the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro // - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html