On 16/06/16 15:54, Matthew Newton wrote:
On Thu, Jun 16, 2016 at 03:25:12PM +0100, lejeczek via Freeradius-Users wrote:
Now I have $ radtest -t mschap ... working, but I don't quite grasp why one has to test with "-t". When I now test without "-t" it still fails with: Well, "-t mschap" sends an MSCHAP auth request, which is what you've configured.
Without -t you're sending a PAP request, which you haven't configured (see mods-available/ntlm_auth if you need to do this; most people likely don't).
So the first works and the second doesn't.
Matthew what I don't get is - this is radtest but how does it matter to a radius clients, say a net switch? Do all the clients have to specify auth method? I thought we configure this different "backends" so radius server will traverse them all in search of a user account of which client has to know none. One more thing - having mschap/ntlm I do not need to configure radius server to lookup AD's ldap at the same time, do I? Would there be a case when one would have both ntlm & ldap go to the same on AD?
(3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local" (3) suffix : Found realm "my.domain.local" (3) suffix : Adding Stripped-User-Name = "pe243" (3) suffix : Adding Realm = "my.domain.local" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) eap : No EAP-Message, not doing EAP (3) [eap] = noop (3) [unix] = notfound (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (3) WARNING: pap : Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject : EXPAND %{User-Name} (3) attr_filter.access_reject : --> pe243@my.domain.local (3) attr_filter.access_reject : Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (3) [eap] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated