freeradius and ntlm_auth howto
All, I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto. Can someone of the users look at the ouput below and point me to the correct solution/howto? I setup smb.conf,krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth: [root@belx11ke ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET password: NT_STATUS_OK: Success (0x0) [root@belx11ke ~]# rights of the winbind pipe: ls -l /var/cache/samba/winbindd_privileged total 0 srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe below is the debug output of freeradius Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000 0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966 PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf PEAP: Adding old state with a4 c3 PEAP: Sending tunneled request EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000 0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "KMT-EU.KMTG.NET\\sstruyf" State = 0xa4c337a92357e8d90a5f8c64b37d2df1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 82 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 95 rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challeng e=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972 Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7 modcall: group Auth-Type returns reject for request 7 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0) Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 7 Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551
Stieven.Struyf@komatsu.eu wrote:
I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto.
What's missing from any of the HOWTO's? There's some on the Wiki, and one on my site.
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
You're running the server as non-root, and the programs it executes don't run as root, so they don't have permissions to read that directory. Make the server run as root, or fix the permissions. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi, my freeradius 1.1.1 with CentOS 4.4 have a big problem with more than 6 concurrencies requests... Is possible this? How to increase or caching input requests? Italo Morellato...
"Italo Morellato" <italo@witel.it> wrote:
my freeradius 1.1.1 with CentOS 4.4 have a big problem with more than 6 concurrencies requests...
What's the problem? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
When I deselect more than 6 user in my Mikrotik PPPoE HotSpot I see this situation: - user send accounting request correctly vs radius server - radius reply with OK (sql database) - in mikrotik log I see "radius timeout" I try to increase timeout up to 3000ms (300ms is the default timeout) but problem persist... sunday I install 1.1.3 but I think is not depend from different release... Any idea? Many Thanks ----- Original Message ----- From: Alan DeKok To: FreeRadius users mailing list Sent: Thursday, October 26, 2006 8:41 PM Subject: Re: Number of concurrencies requests "Italo Morellato" <italo@witel.it> wrote:
my freeradius 1.1.1 with CentOS 4.4 have a big problem with more than 6 concurrencies requests...
What's the problem? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Italo Morellato" <italo@witel.it> wrote:
When I deselect more than 6 user in my Mikrotik PPPoE HotSpot I see this = situation: - user send accounting request correctly vs radius server - radius reply with OK (sql database) - in mikrotik log I see "radius timeout"
Does the RADIUS server *respond* with a packet? What does tcpdump say? What does "radiusd -X" say? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
in radiusd -X I see: Going to the next request rad_recv: Accounting-Request packet from host 10.10.0.50:4216, id=84, length=153 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1788 NAS-Port-Type = Ethernet User-Name = "cesar.paredes" Calling-Station-Id = "00:15:D6:02:34:94" Called-Station-Id = "pppoe-Cimarani" NAS-Port-Id = "hotspot" Acct-Session-Id = "81f00366" Framed-IP-Address = 10.0.6.245 Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Identifier = "Cimarani" NAS-IP-Address = 10.10.0.50 Acct-Delay-Time = 0 Processing the preacct section of radiusd.conf modcall: entering group preacct for request 3 modcall[preacct]: module "preprocess" returns noop for request 3 rlm_acct_unique: Hashing 'NAS-Port = 1788,Client-IP-Address = 10.10.0.50,NAS-IP-Address = 10.10.0.50,Acct-Session-Id = "81f00366",User-Name = "cesar.paredes"' rlm_acct_unique: Acct-Unique-Session-ID = "8a2b71e9b25570c2". modcall[preacct]: module "acct_unique" returns ok for request 3 rlm_realm: No '@' in User-Name = "cesar.paredes", looking up realm NULL rlm_realm: No such realm "NULL" modcall[preacct]: module "suffix" returns noop for request 3 modcall: leaving group preacct (returns ok) for request 3 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 3 radius_xlat: '/usr/local/var/log/radius/radacct/10.10.0.50/detail-20061027' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.0.50/detail-20061027 modcall[accounting]: module "detail" returns ok for request 3 radius_xlat: '/usr/local/var/log/radius/radutmp' radius_xlat: 'cesar.paredes' modcall[accounting]: module "radutmp" returns ok for request 3 radius_xlat: 'cesar.paredes' rlm_sql (sql): sql_set_user escaped user --> 'cesar.paredes' radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81f00366', '8a2b71e9b25570c2', 'cesar.paredes', '', '10.10.0.50', '1788', 'Ethernet', '2006-10-27 01:03:02', '0', '0', 'RADIUS', '', '', '0', '0', 'pppoe-Cimarani', '00:15:D6:02:34:94', '', 'Framed-User', 'PPP', '10.0.6.245', '0', '0')' rlm_sql (sql): Reserving sql socket id: 1 at this point radius stop to work for few time.... ----- Original Message ----- From: Alan DeKok To: FreeRadius users mailing list Sent: Friday, October 27, 2006 12:01 AM Subject: Re: Number of concurrencies requests "Italo Morellato" <italo@witel.it> wrote:
When I deselect more than 6 user in my Mikrotik PPPoE HotSpot I see this = situation: - user send accounting request correctly vs radius server - radius reply with OK (sql database) - in mikrotik log I see "radius timeout"
Does the RADIUS server *respond* with a packet? What does tcpdump say? What does "radiusd -X" say? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
All, I finally got it working, but not yet as i want. The trick that made it work is settings auth-type := MSCHAPv2 for the user(s) and i also started radiusd as root(changed the rights without success to radiusd, but once everything is working i will try to run again with radiusd user) If i connect my user(s)s with username@realm it works, but if i use realm\userame the realm is found but no ntlm is used(and authentication fails). Below you find an extract from the debug where you can see that the correct realm is found. Do i need some options? (btw i need this to work because automatic logon to the wifi from windows xp with windows credentials is in this format) modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 69 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/26/2006 05:05:44 PM:
Stieven.Struyf@komatsu.eu wrote:
I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto.
What's missing from any of the HOWTO's? There's some on the Wiki, and one on my site.
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
You're running the server as non-root, and the programs it executes don't run as root, so they don't have permissions to read that directory. Make the server run as root, or fix the permissions.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Stieven.Struyf@komatsu.eu wrote:
All, I finally got it working, but not yet as i want. The trick that made it work is settings auth-type := MSCHAPv2 for the
You should not do that, and should not *have* to do that. Most likely you have not put the mschap module in the authorize section, *or* you have put another module higher up that it setting the auth-type first e.g. LDAP. You should have: authorize { preprocess mschap # other modules, maybe files? } authenticate { Auth-Type MS-CHAP { mschap } }
user(s) and i also started radiusd as root(changed the rights without success to radiusd, but once everything is working i will try to run again with radiusd user)
That's probably permissions on the winbind socket - see [pjm3@wildfire var]$ ls -ld /var/cache/samba/winbindd_privileged/ drwxr-x--- 2 root root 4096 Jul 24 21:36 /var/cache/samba/winbindd_privileged/ ...radius will need to be able to get into that directory and access the unix socket inside. Many distributions have the unix group "squid" setup to be able to read it for the purposes of Squid+ntlm. If so, just add the "radiusd" user to the "squid" group. Or, create an "ntlmauth" group and set permissions appropriately. If you are on an SELinux distribution, watch for that.
If i connect my user(s)s with username@realm it works, but if i use realm\userame the realm is found but no ntlm is used(and authentication fails).
Below you find an extract from the debug where you can see that the
An extract is no use. Please show the full debug output for a failing session. HOWEVER, first you may want to check your mschap module definition: modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}" ...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
Here's the full log: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645, id=67, length=259 User-Name = "KMT-EU.KMTG.NET\\sstruyf" Framed-MTU = 1400 Called-Station-Id = "0016.469b.7cd0" Calling-Station-Id = "0011.851a.cc37" Service-Type = Login-User Message-Authenticator = 0xfeb711c4400f8f34b9fef7c2be7f77bc EAP-Message = 0x020900691900170301005e5971fff2b46b2f81e88ed248772a59c1860abf0ebe40379c9e20c0ac6edd9cb19abe8ebfe82595c54bc12a979c51182f9b58d130708870f1b6bb17c1cd8249a64ddae5750e9411d4e337bd0876f393e83f2015b4c783ee35db02041bad3 NAS-Port-Type = Wireless-802.11 NAS-Port = 2936 State = 0x5d8298849858ea61aec0380c81af200d NAS-IP-Address = 10.104.254.73 NAS-Identifier = "WAP07KE" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 105 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f136800000000000000001af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966 PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf PEAP: Adding old state with 46 61 PEAP: Sending tunneled request EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f136800000000000000001af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "KMT-EU.KMTG.NET\\sstruyf" State = 0x4661e4398678b434bf08ae113a631207 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 82 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 27 rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68ff26b4cc76bf8cd9f440d0c36396981ad345' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7 modcall: group Auth-Type returns reject for request 7 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0) Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 7 hpidm: entered hpidm_post_auth rlm_hpidm: request does not contain NAS-Port, cannot process this reply modcall[post-auth]: module "hpidm" returns ok for request 7 modcall: group Post-Auth-Type returns ok for request 7 PEAP: Got tunneled reply RADIUS code 3 Service-Type = Login-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = 802 Tunnel-Private-Group-Id:0 = "3" MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81c8538 3 Service-Type = Login-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = 802 Tunnel-Private-Group-Id:0 = "3" MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 7 modcall: group authenticate returns handled for request 7 Sending Access-Challenge of id 67 to 10.104.254.73:1645 Service-Type = Login-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = 802 Tunnel-Private-Group-Id:0 = "3" EAP-Message = 0x010a00261900170301001bbea51b60bcb4566d7ef538deab44475ff7bea343dbeb8600663c15 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x53366a955095f03c779d1b7ef5a01e38 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645, id=68, length=192 User-Name = "KMT-EU.KMTG.NET\\sstruyf" Framed-MTU = 1400 Called-Station-Id = "0016.469b.7cd0" Calling-Station-Id = "0011.851a.cc37" Service-Type = Login-User Message-Authenticator = 0x19198f9e13690ff3237353e66c498924 EAP-Message = 0x020a00261900170301001b723ec3fbfe48e768422325cbd73602c757a16c7c650e39a86cfcf5 NAS-Port-Type = Wireless-802.11 NAS-Port = 2936 State = 0x53366a955095f03c779d1b7ef5a01e38 NAS-IP-Address = 10.104.254.73 NAS-Identifier = "WAP07KE" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 8 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: group authenticate returns invalid for request 8 auth: Failed to validate the user. Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client WAP07KE port 2936 cli 0011.851a.cc37) Processing the post-auth section of radiusd.conf Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551 freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 12:26:09 PM:
HOWEVER, first you may want to check your mschap module definition:
modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}"
...all on one line of course. Note the use of the "mschap:User-Name" and
"mschap:NT-Domain" values. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I checked it and changed the userline value(it was stripped-username something, but without success.)
Let's see if we can get this solved...
-----Original Message----- Here's the full log: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.104.254.73:1645,
This is NOT the full log. The full log would have started with the line /path/to/radiusd -X Some important stuff is printed out there, it helps us help you.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Did you enable Ntdomain Hack in the MSCHAP module? (See below) Including your radius.conf file would help.
HOWEVER, first you may want to check your mschap module definition:
modules { mschap { ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name:-None} \ --domain=%{mschap:NT-Domain:-None} \ --challenge=%{mschap:Challenge:-00} \ --nt-response=%{mschap:NT-Response:-00}"
...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
Mine radiusd.conf file's mschap section looks like this: NOTE that I do NOT have the :-00 and the :-None statements, and I DO have with_ntdomain_hack=yes # Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth \ --request-nt-key \ --username=%{mschap:User-Name} \ --challenge=%{mschap:Challenge} \ --nt-response=%{mschap:NT-Response} }
participants (5)
-
Alan DeKok -
Italo Morellato -
King, Michael -
Phil Mayers -
Stieven.Struyf@komatsu.eu