Greetings list, I am trying to configure PAM on my remote Linux servers to authenticate via FreeRADIUS to Active Directory. I have followed the instructions at http://deployingradius.com/documents/configuration/active_directory.html to the letter and am able to successfully run radtest against the FreeRADIUS server : running *radtest -t mschap jonathanv /mypassword/ localhost 0 testing123*, returns the following: rad_recv: Access-Request packet from host 127.0.0.1 port 57650, id=252, length=117 User-Name = "jonathanv" NAS-IP-Address = 172.16.132.254 NAS-Port = 0 MS-CHAP-Challenge = 0x3ab2e0ada92d1a3b MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d868800a8540b1a1823945859c18d2596202279141f6daea # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "jonathanv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=jonathanv [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MSAD} -> --domain=MSAD [mschap] mschap1: 3a [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3ab2e0ada92d1a3b [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=d868800a8540b1a1823945859c18d2596202279141f6daea Exec-Program output: NT_KEY: 74910D7B290EDE12A3926DCD2EA68453 Exec-Program-Wait: plaintext: NT_KEY: 74910D7B290EDE12A3926DCD2EA68453 Exec-Program: returned: 0 [mschap] adding MS-CHAPv1 MPPE keys ++[mschap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 252 to 127.0.0.1 port 57650 MS-CHAP-MPPE-Keys = 0x000000000000000074910d7b290ede12a3926dcd2ea684530000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 252 with timestamp +269 Ready to process requests. However, now, I would like to configure PAM on a test Linux (CentOS 6) box to authenticate Active Directory users (system-auth, password-auth and ssh) via the FreeRADIUS server. I have installed the *pam_radius* package from the EPEL repository on my test box and have configured */etc/pam_radius.conf* file like so: 172.16.132.254 /*mypassword*/*//* 3 ...172.16.132.254 being my FreeRADIUS server... To test SSH authentication I have added the following line to the */etc/pam.d/sshd* file: *auth required pam_radius_auth.so* On the FreeRADIUS server I have configured the following in clients.conf : * client 172.16.132.140 { secret = /mypassword/ shortname = jonathan-c6 nastype = other }* ...172.16.132.140 being the test box... When attempting to ssh to the test box as an Active Directory user I receive the following debug output: rad_recv: Access-Request packet from host 172.16.132.140 port 32768, id=12, length=95 User-Name = "jonathanv" User-Password = "\010\n\r\177INCORRECT" NAS-IP-Address = 172.16.132.140 NAS-Identifier = "sshd" NAS-Port = 4369 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "172.16.132.148" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "jonathanv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop *ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user* Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jonathanv attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 12 to 172.16.132.140 port 32768 Waking up in 4.9 seconds. Cleaning up request 3 ID 12 with timestamp +1336 Ready to process requests. From this output it's clear to me that neither MSCHAP, or any other Auth-Type for that matter, are being used. I know I'm missing something here, but really not sure what. Some advice would be much appreciated! Greetings, Jonathan Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and automatically archived by Mimecast SA (Pty) Ltd, an innovator in Software as a Service (SaaS) for business. Mimecast Unified Email Management (UEM) offers email continuity, security, archiving and compliance with all current legislation. To find out more, visit http://www.mimecast.co.za/uem-ppc.