And I also change eap.conf (default - PEAP and added my certificates) eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = /etc/ssl/private/friradius.key certificate_file = /etc/ssl/certs/friradius.cer CA_file = /etc/ssl/certs/cert.cer dh_file = ${certdir}/dh random_file = /dev/urandom CA_path = ${cadir} cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } ttls { copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } mschapv2 { } } 2014-04-10 13:57 GMT+02:00 Rado Matisko <rado.matisko2@gmail.com>:
Hi I want to set up my FR to connect to AD, which is on another host. I was following this tutorial : http://deployingradius.com/documents/configuration/active_directory.html
I configured smb.conf and then krb5.conf and then this works great : ntlm_auth --request-nt-key --domain=*MYDOMAIN* --username=*user* --password=*password*
* root@friradius:/# ntlm_auth --request-nt-key --domain=FRI --username=hajtmanek --password=<password> NT_STATUS_OK: Success (0x0)* Then I configured FR :
commented "files" in sites-available/default and inner-tunnel and added ntlm_auth in authorize section changed /modules/ntlm_auth
After running *radtest* I get this debug : # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "eduroam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [eduroam] (from client localhost port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> eduroam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated
Apparently I'm missing something but tried to follow tutorial.