Is it possible to set up a new account on the wiki, or does that require an administrator? I wanted to mark the page http://wiki.freeradius.org/PopTop as obsolete and applying only to the 1.x versions of freeradius. These are the instructions I was originally folowing, and they distinctly do not work with 2.1.8. If anybody has a working 2.1.8 setup for PopTop I would greatly appreciate your advice.
Is it possible to set up a new account on the wiki, or does that require an administrator?
I wanted to mark the page http://wiki.freeradius.org/PopTop as obsolete and applying only to the 1.x versions of freeradius. These are the instructions I was originally folowing, and they distinctly do not work with 2.1.8.
If anybody has a working 2.1.8 setup for PopTop I would greatly appreciate your advice.
Humm, I'm the one who wrote this page. I must admit I've never updated it, but to be honest I don't see what is so wrong about it and FR 2.1.8. Please can you explain why you think it is obsolete ? By the way, since I wrote this page, I have switched to 2.1.8 without pb. Thibault
On Monday 19 April 2010 07:16:52 pm Thibault Le Meur wrote:
Please can you explain why you think it is obsolete ?
It addresses the configuration in single-file format rather than the distributed file format that the current packaging (for Debian at least) uses.
By the way, since I wrote this page, I have switched to 2.1.8 without pb.
Arg! Were you able to continue using the same configuration, or did it require a full rebuild? I moved from a rather ancient Gentoo server that I believe was using an 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null "realm". Curiously, it later displays the username as DOMAIN/name. The current Debian packaging also requres that the mschap module file be edited, and that a sites-available file be linked to sites-enabled. Thanks for the reply. I think it's always harder to maintain/upgrade an existing configuration moved to a new platform than to build one from scratch.
----- Message de hutchins@tarcanfel.org --------- Date : Mon, 19 Apr 2010 19:41:44 -0500 De : Jonathan Hutchins <hutchins@tarcanfel.org> Répondre à : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: PopTop À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
On Monday 19 April 2010 07:16:52 pm Thibault Le Meur wrote:
Please can you explain why you think it is obsolete ?
It addresses the configuration in single-file format rather than the distributed file format that the current packaging (for Debian at least) uses.
Yes it is true, but this part seems easy once you've understood how to migrate from FR1 to FR2 which is required anyway to do a proper migration. In fact this would be only a 3 lines changes in the article, so this is easy to fix as most of this HowTo is related to setting other components that FR ;-)
By the way, since I wrote this page, I have switched to 2.1.8 without pb.
Arg! Were you able to continue using the same configuration, or did it require a full rebuild?
No of course, when I switched to FR2 I rewrite all my configuration because I wanted a clean setup. It was time for me to remove old tricks I used in FR1 and replace them by unlang. FR2 is so much more powerful.
I moved from a rather ancient Gentoo server that I believe was using an 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null "realm". Curiously, it later displays the username as DOMAIN/name.
I can't help here, because I'm not using realm for PopTop authentication. However I would check you modules/realm file and the ntdomain realm definition. Then I would double check that the ntodimain instance is enabled in your pre-acct and authorize section.
The current Debian packaging also requres that the mschap module file be edited, and that a sites-available file be linked to sites-enabled.
Yes this is the new approach.
Thanks for the reply. I think it's always harder to maintain/upgrade an existing configuration moved to a new platform than to build one from scratch.
Yes, especially this FR1 to FR2 migration requires some time, but it's worth it ;-) Regards, Thibault
On Tuesday 20 April 2010 03:27:19 am Thibault Le Meur wrote:
Yes it is true, but this part seems easy once you've understood how to migrate from FR1 to FR2 which is required anyway to do a proper migration.
Is there a doc that specifically addresses migration?
In fact this would be only a 3 lines changes in the article, so this is easy to fix as most of this HowTo is related to setting other components that FR ;-)
Can I help get those changes made, perhaps by testing the howto? The section on the Dictionary would seem to be unnnecessary for most packaged distributions.
I moved from a rather ancient Gentoo server that I believe was using an 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null "realm". Curiously, it later displays the username as DOMAIN/name.
I can't help here, because I'm not using realm for PopTop authentication.
I wasn't intending to either, I was following your PopTop doc exactly.
However I would check you modules/realm file and the ntdomain realm definition. Then I would double check that the ntodimain instance is enabled in your pre-acct and authorize section.
Searching for where to enable this now. I wonder if there is any different handling for the "\\" vs "\". Since I don't have a working config yet, I would be happy to strip it back to defaults and test your howto.
I was able to get ntlm-auth working with AD integration. But unfortunately this stops the existing users in the users' file from being check. Whenever I have the "ntlm_auth =" line configured in modules/mschap, my users file is not check. If I comment out "ntlm_auth" the users file works again. Is there any possibility to getting both the files and the ntlm_auth methods functional inside MSCHAP? -Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Jonathan Hutchins Sent: Tuesday, April 20, 2010 11:42 AM To: Thibault Le Meur Cc: FreeRadius users mailing list Subject: Re: PopTop
On Tuesday 20 April 2010 03:27:19 am Thibault Le Meur wrote:
Yes it is true, but this part seems easy once you've understood how to migrate from FR1 to FR2 which is required anyway to do a proper migration.
Is there a doc that specifically addresses migration?
In fact this would be only a 3 lines changes in the article, so this is easy to fix as most of this HowTo is related to setting other components that FR ;-)
Can I help get those changes made, perhaps by testing the howto? The section on the Dictionary would seem to be unnnecessary for most packaged distributions.
I moved from a rather ancient Gentoo server that I believe was using an 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null "realm". Curiously, it later displays the username as DOMAIN/name.
I can't help here, because I'm not using realm for PopTop authentication.
I wasn't intending to either, I was following your PopTop doc exactly.
However I would check you modules/realm file and the ntdomain realm definition. Then I would double check that the ntodimain instance is enabled in your pre-acct and authorize section.
Searching for where to enable this now. I wonder if there is any different handling for the "\\" vs "\".
Since I don't have a working config yet, I would be happy to strip it back to defaults and test your howto. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yeah, there's a way. I had / have similar requirements. I *think* with some unlang and maybe a "fall-through" here or there... I haven't quite figured this out, but I'm pretty sure it can be done. From what I've gathered so far FR allows one to do pretty much anything, it's usually the other hardware / software / protocols that are the limiting factors. G PS: LMK the answer when you figure this out! ;) -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Tuesday, April 20, 2010 3:25 PM To: 'FreeRadius users mailing list' Subject: Users File co-existing with NTLM-Auth I was able to get ntlm-auth working with AD integration. But unfortunately this stops the existing users in the users' file from being check. Whenever I have the "ntlm_auth =" line configured in modules/mschap, my users file is not check. If I comment out "ntlm_auth" the users file works again. Is there any possibility to getting both the files and the ntlm_auth methods functional inside MSCHAP? -Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Jonathan Hutchins Sent: Tuesday, April 20, 2010 11:42 AM To: Thibault Le Meur Cc: FreeRadius users mailing list Subject: Re: PopTop
On Tuesday 20 April 2010 03:27:19 am Thibault Le Meur wrote:
Yes it is true, but this part seems easy once you've understood how to migrate from FR1 to FR2 which is required anyway to do a proper migration.
Is there a doc that specifically addresses migration?
In fact this would be only a 3 lines changes in the article, so this is easy to fix as most of this HowTo is related to setting other components that FR ;-)
Can I help get those changes made, perhaps by testing the howto? The section on the Dictionary would seem to be unnnecessary for most packaged distributions.
I moved from a rather ancient Gentoo server that I believe was using an 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null "realm". Curiously, it later displays the username as DOMAIN/name.
I can't help here, because I'm not using realm for PopTop authentication.
I wasn't intending to either, I was following your PopTop doc exactly.
However I would check you modules/realm file and the ntdomain realm definition. Then I would double check that the ntodimain instance is enabled in your pre-acct and authorize section.
Searching for where to enable this now. I wonder if there is any different handling for the "\\" vs "\".
Since I don't have a working config yet, I would be happy to strip it back to defaults and test your howto. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Crap. Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Tuesday, April 20, 2010 5:11 PM To: 'FreeRadius users mailing list' Subject: RE: Users File co-existing with NTLM-Auth
Yeah, there's a way. I had / have similar requirements. I *think* with some unlang and maybe a "fall-through" here or there... I haven't quite figured this out, but I'm pretty sure it can be done. From what I've gathered so far FR allows one to do pretty much anything, it's usually the other hardware / software / protocols that are the limiting factors.
G
PS: LMK the answer when you figure this out! ;)
-----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users- bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Tuesday, April 20, 2010 3:25 PM To: 'FreeRadius users mailing list' Subject: Users File co-existing with NTLM-Auth
I was able to get ntlm-auth working with AD integration. But unfortunately this stops the existing users in the users' file from being check. Whenever I have the "ntlm_auth =" line configured in modules/mschap, my users file is not check. If I comment out "ntlm_auth" the users file works again.
Is there any possibility to getting both the files and the ntlm_auth methods functional inside MSCHAP?
-Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Jonathan Hutchins Sent: Tuesday, April 20, 2010 11:42 AM To: Thibault Le Meur Cc: FreeRadius users mailing list Subject: Re: PopTop
On Tuesday 20 April 2010 03:27:19 am Thibault Le Meur wrote:
Yes it is true, but this part seems easy once you've understood how to migrate from FR1 to FR2 which is required anyway to do a proper migration.
Is there a doc that specifically addresses migration?
In fact this would be only a 3 lines changes in the article, so this is easy to fix as most of this HowTo is related to setting other components that FR ;-)
Can I help get those changes made, perhaps by testing the howto? The section on the Dictionary would seem to be unnnecessary for most packaged distributions.
I moved from a rather ancient Gentoo server that I believe was using an 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null "realm". Curiously, it later displays the username as DOMAIN/name.
I can't help here, because I'm not using realm for PopTop authentication.
I wasn't intending to either, I was following your PopTop doc exactly.
However I would check you modules/realm file and the ntdomain realm definition. Then I would double check that the ntodimain instance is enabled in your pre-acct and authorize section.
Searching for where to enable this now. I wonder if there is any different handling for the "\\" vs "\".
Since I don't have a working config yet, I would be happy to strip it back to defaults and test your howto. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can someone maybe describe exactly what's happening internally? From my understanding it should be checking "files" as per the setup in "inner-tunnel" which is what mschap uses. I made sure that "files" appeared before mschap in "inner-tunnel" but it has no effect; ntlm_auths still work and "files" aren't. Past that I'm not sure what I can do. Since files work without ntlm_auth, I have no reason to believe I have to insert "files" anyplace new, and I'm not certain what it is I should disable. It should just check files before ntlm_auth. If I implemented anything using unlang it would be checking files before ntlm_auth. Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Wednesday, April 21, 2010 9:22 AM To: 'FreeRadius users mailing list' Subject: RE: Users File co-existing with NTLM-Auth
Crap.
Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Tuesday, April 20, 2010 5:11 PM To: 'FreeRadius users mailing list' Subject: RE: Users File co-existing with NTLM-Auth
Yeah, there's a way. I had / have similar requirements. I *think* with some unlang and maybe a "fall-through" here or there... I haven't quite figured this out, but I'm pretty sure it can be done. From what I've gathered so far FR allows one to do pretty much anything, it's usually the other hardware / software / protocols that are the limiting factors.
G
PS: LMK the answer when you figure this out! ;)
-----Original Message----- From: freeradius-users- bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users- bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Tuesday, April 20, 2010 3:25 PM To: 'FreeRadius users mailing list' Subject: Users File co-existing with NTLM-Auth
I was able to get ntlm-auth working with AD integration. But unfortunately this stops the existing users in the users' file from being check. Whenever I have the "ntlm_auth =" line configured in modules/mschap, my users file is not check. If I comment out "ntlm_auth" the users file works again.
Is there any possibility to getting both the files and the ntlm_auth methods functional inside MSCHAP?
-Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Jonathan Hutchins Sent: Tuesday, April 20, 2010 11:42 AM To: Thibault Le Meur Cc: FreeRadius users mailing list Subject: Re: PopTop
On Tuesday 20 April 2010 03:27:19 am Thibault Le Meur wrote:
Yes it is true, but this part seems easy once you've understood how to migrate from FR1 to FR2 which is required anyway to do a proper migration.
Is there a doc that specifically addresses migration?
In fact this would be only a 3 lines changes in the article, so this is easy to fix as most of this HowTo is related to setting other components that FR ;-)
Can I help get those changes made, perhaps by testing the howto? The section on the Dictionary would seem to be unnnecessary for most packaged distributions.
I moved from a rather ancient Gentoo server that I believe was using an 1.x version to Debian Lenny 2.0.4, then upgraded to the 2.1.8 backport, and I can't get it to parse DOMAIN//user properly - it ignores the separator and comes up with a null "realm". Curiously, it later displays the username as DOMAIN/name.
I can't help here, because I'm not using realm for PopTop authentication.
I wasn't intending to either, I was following your PopTop doc exactly.
However I would check you modules/realm file and the ntdomain realm definition. Then I would double check that the ntodimain instance is enabled in your pre-acct and authorize section.
Searching for where to enable this now. I wonder if there is any different handling for the "\\" vs "\".
Since I don't have a working config yet, I would be happy to strip it back to defaults and test your howto. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nathan,
From what little understanding I've gained during this ordeal, it should be possible to use two different authentication methods, and in fact to have one fail through to the next using the "Fall-Through" = Yes parameter.
I'm having trouble locating it again this morning, but there was a page, possibly at http://deployingradius.com that discussed using two auth methods for two different NT domains, having one auth to the local Samba server and the other auth to a proxy on an AD server. If you can seperate your users by some characteristic - IP range, Domain/realm, then you can use that to direct to different look-ups. Otherwise I think I would try to use "files" with a fall-through to "NTLM".
Nathan McDavit-Van Fleet wrote:
Can someone maybe describe exactly what's happening internally?
The debug output shows exactly what it is doing, and often also shows why.
From my understanding it should be checking "files" as per the setup in "inner-tunnel" which is what mschap uses. I made sure that "files" appeared before mschap in "inner-tunnel" but it has no effect; ntlm_auths still work and "files" aren't.
See the FAQ for "it doesn't work". You've also confused authorization with authentication. They're different.
Past that I'm not sure what I can do. Since files work without ntlm_auth, I have no reason to believe I have to insert "files" anyplace new, and I'm not certain what it is I should disable. It should just check files before ntlm_auth.
You've confused two independent things. The "files" module does things like "set the 'known good' password". Any "ntlm_auth" module involves checking the password in the packet against Active Directory. They are *completely* different operations. For Active Directory instructions, see: http://deployingradius.com/documents/configuration/active_directory.html
If I implemented anything using unlang it would be checking files before ntlm_auth.
It already does that in the default configuration. You are stuck because you are focussed on a particular implementation: "files before ntlm_auth". The statement (and question behind it) are wrong. Instead, state what you want to do. The rest should be relatively simple. Alan DeKok.
I have a users file with name and password. I would like Freeradius to check if there is a good username/password in the users file before failing using ntlm_auth. As I said I currently have a good working copy of Freeradius with ntlm_auth configuration. However, when I have ntlm_auth in inner-tunnel->"authenticate" section, the username/password in the users file no longer works. So if I disable the entry "ntlm_auth" from the authenticate the users file works again. I know that the username is unique to my users file (it doesn't exist on AD). I just need it so when ntlm_auth fails, it checks the known password from the users file. So is this a case of me having to see if there is a known good password before trying ntlm_auth? Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, April 21, 2010 11:46 AM To: FreeRadius users mailing list Subject: Re: Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet wrote:
Can someone maybe describe exactly what's happening internally?
The debug output shows exactly what it is doing, and often also shows why.
From my understanding it should be checking "files" as per the setup in "inner-tunnel" which is what mschap uses. I made sure that "files" appeared before mschap in "inner-tunnel" but it has no effect; ntlm_auths still work and "files" aren't.
See the FAQ for "it doesn't work".
You've also confused authorization with authentication. They're different.
Past that I'm not sure what I can do. Since files work without ntlm_auth, I have no reason to believe I have to insert "files" anyplace new, and I'm not certain what it is I should disable. It should just check files before ntlm_auth.
You've confused two independent things. The "files" module does things like "set the 'known good' password". Any "ntlm_auth" module involves checking the password in the packet against Active Directory.
They are *completely* different operations.
For Active Directory instructions, see:
http://deployingradius.com/documents/configuration/active_directory.htm l
If I implemented anything using unlang it would be checking files before ntlm_auth.
It already does that in the default configuration.
You are stuck because you are focussed on a particular implementation: "files before ntlm_auth". The statement (and question behind it) are wrong. Instead, state what you want to do. The rest should be relatively simple.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nathan McDavit-Van Fleet wrote:
I have a users file with name and password. I would like Freeradius to check if there is a good username/password in the users file before failing using ntlm_auth.
That's not quite it... the "users" file *sets* the "known good" password in the "authorize" stage of the server. The "pap" or "chap" module *checks* the password.
As I said I currently have a good working copy of Freeradius with ntlm_auth configuration. However, when I have ntlm_auth in inner-tunnel->"authenticate" section, the username/password in the users file no longer works. So if I disable the entry "ntlm_auth" from the authenticate the users file works again.
Again... that is confusing authentication with authorization.
I know that the username is unique to my users file (it doesn't exist on AD).
I just need it so when ntlm_auth fails, it checks the known password from the users file.
So is this a case of me having to see if there is a known good password before trying ntlm_auth?
Possibly. However, I have *no idea* what you've configured. The default configuration doesn't have an "ntlm_auth" entry in sites-available/inner-tunnel, and none of the "howtos" I've written would result in this behavior. Please post a sample of your configuration. How does it know to run ntlm_auth in the authenticate method? Odds are you've configured it to *force* ntlm_auth authentication, even when there's an entry in the "users" file. The simple answer is "don't do that". Alan DeKok.
Hi Alan, I followed the configuration off of deployingfreeradius.com http://deployingradius.com/documents/configuration/active_directory.html I diff'ed my configuration with the original files. And the only changes I've made is adding ntlm_auth to authenticate of both "default" and "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap. Other than minor configurations to do with LDAP, which I protect with an "if" statement, it's a regular FR install. Can you tell me what configs you want to know? Attached are mschap and inner-tunnel since I think those would be most relevant. Note that ntlm->AD works, and so do files. It's just that files don't work while ntlm_auth is enabled. Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, April 21, 2010 1:25 PM To: FreeRadius users mailing list Subject: Re: Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet wrote:
I have a users file with name and password. I would like Freeradius to check if there is a good username/password in the users file before failing using ntlm_auth.
That's not quite it... the "users" file *sets* the "known good" password in the "authorize" stage of the server. The "pap" or "chap" module *checks* the password.
As I said I currently have a good working copy of Freeradius with ntlm_auth configuration. However, when I have ntlm_auth in inner-tunnel->"authenticate" section, the username/password in the users file no longer works. So if I disable the entry "ntlm_auth" from the authenticate the users file works again.
Again... that is confusing authentication with authorization.
I know that the username is unique to my users file (it doesn't exist on AD).
I just need it so when ntlm_auth fails, it checks the known password from the users file.
So is this a case of me having to see if there is a known good password before trying ntlm_auth?
Possibly. However, I have *no idea* what you've configured. The default configuration doesn't have an "ntlm_auth" entry in sites-available/inner-tunnel, and none of the "howtos" I've written would result in this behavior.
Please post a sample of your configuration. How does it know to run ntlm_auth in the authenticate method? Odds are you've configured it to *force* ntlm_auth authentication, even when there's an entry in the "users" file.
The simple answer is "don't do that".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nathan McDavit-Van Fleet wrote:
I followed the configuration off of deployingfreeradius.com
http://deployingradius.com/documents/configuration/active_directory.html
That's a good start. :)
I diff'ed my configuration with the original files. And the only changes I've made is adding ntlm_auth to authenticate of both "default" and "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.
OK... that should use ntlm_auth for MS-CHAP, and only for MS-CHAP. So are you using MS-CHAP, or PEAP?
Other than minor configurations to do with LDAP, which I protect with an "if" statement, it's a regular FR install. Can you tell me what configs you want to know?
Attached are mschap and inner-tunnel since I think those would be most relevant. Note that ntlm->AD works, and so do files. It's just that files don't work while ntlm_auth is enabled.
I'm not sure what you mean by "when ntlm_auth is enabled". There are a few places where it could be enabled... which ones? My *guess* is that you're using PEAP, and enabling ntlm_auth in modules/mschap. If so, then change the "authorize" section by adding this at the end: if (control:Cleartext-Password) { update control { MS-CHAP-Use-NTLM-Auth = No } } The "MS-CHAP-Use-NTLM-Auth" attribute is documented in the comments in the modules/mschap file. Alan DeKok.
You sir, are awesome Alan DeKok. Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, April 21, 2010 2:04 PM To: FreeRadius users mailing list Subject: Re: Users File co-existing with NTLM-Auth
Nathan McDavit-Van Fleet wrote:
I followed the configuration off of deployingfreeradius.com
http://deployingradius.com/documents/configuration/active_directory.htm l
That's a good start. :)
I diff'ed my configuration with the original files. And the only changes I've made is adding ntlm_auth to authenticate of both "default" and "inner-tunnel" as well as the "ntlm_auth =" line in modules/mschap.
OK... that should use ntlm_auth for MS-CHAP, and only for MS-CHAP. So are you using MS-CHAP, or PEAP?
Other than minor configurations to do with LDAP, which I protect with an "if" statement, it's a regular FR install. Can you tell me what configs you want to know?
Attached are mschap and inner-tunnel since I think those would be most relevant. Note that ntlm->AD works, and so do files. It's just that files don't work while ntlm_auth is enabled.
I'm not sure what you mean by "when ntlm_auth is enabled". There are a few places where it could be enabled... which ones?
My *guess* is that you're using PEAP, and enabling ntlm_auth in modules/mschap. If so, then change the "authorize" section by adding this at the end:
if (control:Cleartext-Password) { update control { MS-CHAP-Use-NTLM-Auth = No } }
The "MS-CHAP-Use-NTLM-Auth" attribute is documented in the comments in the modules/mschap file.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In your configuration, to the remote XP users have a domain configured? Do you have nt_domainhack enabled?
Ok, I've completely removed and reinstalled everything for a clean start. Following http://wiki.freeradius.org/PopTop, I get the following output. I believe my next step, according to what Josip Rodin has been kind enough to point out, is to enable the ntdomain parsing section, which is configured but commented out in /etc/freeradius/sites-denabled/default. (It occurrs twice, if I understand correctly the second one is for accounting, which I don't use, but I'll start by enabling both.) FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 3 2010 at 15:51:52 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.10.1 { require_message_authenticator = no secret = "pearietnogide" shortname = "firewall" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = no require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.1 port 3120, id=66, length=145 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "AABENSON\\jonathan" MS-CHAP-Challenge = 0xaf27e179d42da51c05b1495e156a280b MS-CHAP2-Response = 0x01006e8af1f500f19facf729b630de8fae4b0000000000000000bb9bdef764599784aee9bff5c9a704864b64ec3dfff32c14 NAS-IP-Address = 24.123.100.82 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "AABENSON\jonathan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Told to do MS-CHAPv2 for AABENSON\jonathan with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> AABENSON\jonathan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 66 to 192.168.10.1 port 3120 Waking up in 4.9 seconds. Cleaning up request 0 ID 66 with timestamp +8 Ready to process requests.
The log messages are pretty clear and informative: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. [mschap] No Cleartext-Password configured. Cannot create LM-Password. You have to either have a Cleartext password for the user or an ntlm hash if you're going to use ntlm_auth, apparently you don't have either defined for the user "jonathan" -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On Tuesday 20 April 2010 01:00:42 pm John Dennis wrote:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. [mschap] No Cleartext-Password configured. Cannot create LM-Password.
You have to either have a Cleartext password for the user or an ntlm hash if you're going to use ntlm_auth, apparently you don't have either defined for the user "jonathan"
According to http://wiki.freeradius.org/PopTop though, I shouldn't need to define a user. The 1.x configuration does not appear to have required this either. Did it default to using local /etc/passwd or PAM? Did the old mschap module know to use samba? Thibault, how does your configuration actually authorize the user? Is it against /etc/passwd or against a local Samba server?
Jonathan Hutchins a écrit :
On Tuesday 20 April 2010 01:00:42 pm John Dennis wrote:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. [mschap] No Cleartext-Password configured. Cannot create LM-Password.
You have to either have a Cleartext password for the user or an ntlm hash if you're going to use ntlm_auth, apparently you don't have either defined for the user "jonathan"
According to http://wiki.freeradius.org/PopTop though, I shouldn't need to define a user. The 1.x configuration does not appear to have required this either. Did it default to using local /etc/passwd or PAM? Did the old mschap module know to use samba?
Oh, of course the PopTop howto supposes that you have a working FR setup, and that you're able to authenticate your user using MSCHAP ! Where ado you plan to manage your users account ? Thibault
On Tuesday 20 April 2010 02:44:33 pm you wrote:
Oh, of course the PopTop howto supposes that you have a working FR setup, and that you're able to authenticate your user using MSCHAP !
Ok, maybe a mention of that in the howto.
Where do you plan to manage your users account ?
I'd like to keep this as simple as possible, while still being able to authenticate to the Samba/NT domain. If I recall my NT stuff correctly, the XP client should authenticate to the Samba server when a service is requested, so it shouldn't matter whether I authorize to the Samba domain or to the unix user account (users and passwords _should_ be synced). Digging for evidence in the old 1.x files it looks like the auth may have been "system", the following from the old proxy.conf: DEFAULT Auth-Type = System Fall-Through = Yes In fact, let me post the old configuration, maybe someone can help me figure out what I'm missing.
Old radiusd.conf (stripped): prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd Auth-Type } eap { md5 { } } mschap { passwd = /etc/samba/private/smbpasswd authtype = MS-CHAP use_mppe = yes } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no tls_mode = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } passwd etc_smbpasswd { filename = /etc/samba/private/smbpasswd format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } realm suffix { format = suffix delimiter = "@" } realm realmslash { format = prefix delimiter = "/" } realm realmpercent { format = suffix delimiter = "%" } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } radutmp { filename = ${logdir}/radutmp perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter { filename = ${raddbdir}/db.counter key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } } instantiate { expr } authorize { preprocess suffix mschap files } authenticate { authtype PAP { pap pam } authtype MS-CHAP { mschap } pap pam } preacct { preprocess suffix files } accounting { acct_unique detail radutmp } session { radutmp } post-auth { } Old users file: DEFAULT Auth-Type = System Fall-Through = Yes DEFAULT Service-Type == Framed-User, Huntgroup-Name == "mainoffice" Framed-IP-Address = 192.168.10.40+, Fall-Through = Yes DEFAULT Service-Type == Framed-User, Huntgroup-Name == "vpnoffice" Framed-IP-Address = 192.168.10.50+, Fall-Through = Yes DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP Those appear to be the only files that were changed. Trying to figure out where radiusd is being started from, it's not in init.d. If I figure it out I'll post a log.
Jonathan Hutchins wrote:
According to http://wiki.freeradius.org/PopTop though, I shouldn't need to define a user.
No. It defines how to configure PPTP. It doesn't define how to configure users. By the same "logic", you could say "BUT my poptop users can't access the network! The document doesn't say I need network access! I should be able to reach google after following the guide! You mean I need to buy *network* access? What a rip-off!" A *large* part of the problems you're having is your insistence on not understanding what's going on.
The 1.x configuration does not appear to have required this either. Did it default to using local /etc/passwd or PAM? Did the old mschap module know to use samba?
Maybe 1.x was magic. Or, maybe you don't understand how it worked. Alan DeKok.
Hi,
According to http://wiki.freeradius.org/PopTop though, I shouldn't need to define a user. The 1.x configuration does not appear to have required this either. Did it default to using local /etc/passwd or PAM? Did the old mschap module know to use samba?
Thibault, how does your configuration actually authorize the user? Is it against /etc/passwd or against a local Samba server?
of course you need a user....but its up to you where they are. see your logs, it says ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ie, it couldnt find a user in the system (/etc/passwd) and it hit the DEFAULT entry in your users file (line 172) read the modules/mschap file to see how to use smbpasswd you should be able to use smbpasswd in the authenticate section of the default virtual server alan
I really appreciate the help and patience: On Tuesday 20 April 2010 03:38:53 pm Alan Buxey wrote:
see your logs, it says
++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172
That worries me a bit, but I think at that point it's treating <username> as <DOMAIN>/<user>, and _that's_ what it's not finding in the unix system. That or the password is hashed incorrectly for unix.
read the modules/mschap file to see how to use smbpasswd you should be able to use smbpasswd in the authenticate section of the default virtual server
Will do.
On Tue, Apr 20, 2010 at 03:49:59PM -0500, Jonathan Hutchins wrote:
I really appreciate the help and patience:
On Tuesday 20 April 2010 03:38:53 pm Alan Buxey wrote:
see your logs, it says
++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172
That worries me a bit, but I think at that point it's treating <username> as <DOMAIN>/<user>, and _that's_ what it's not finding in the unix system. That or the password is hashed incorrectly for unix.
Yes. You still didn't invoke the 'ntdomain' instance of the realm module, so the DOMAIN\ part didn't get split off before the user name got into the unix module instance. Just have a look at a few lines above unix: [suffix] No '@' in User-Name = "AABENSON\jonathan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 That means you still had the 'suffix' instance running, rather than ntdomain. Right at the place where you now have suffix enabled, enable ntdomain, and you'll get your username without the domain, and you'll probably move forward in trying to authenticate the user 'jonathan', whether he be local (module unix) or somehow remote (samba, ldap, ...). -- 2. That which causes joy or happiness.
I think I see that I do not have an authentication backend configured. /etc/freeradius/modules/smbpasswd exists, but it isn't called by anything. I found a commented authorisation method "smb_passwd" in /etc/freeradius/sites-enabled/default and uncommented it. This fails, the module is actually "smbpasswd", changed that, still fails. It appears to be using username DOMAIN/user, which of course doesn't exist in the smbpasswd file, so I tried configuring the client to do just username, as the old server seemed to be failing to parse the domain and using NULL. Different error: FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 3 2010 at 15:51:52 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.10.1 { require_message_authenticator = no secret = "pearietnogide" shortname = "firewall" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = no require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_passwd Module: Instantiating smbpasswd passwd smbpasswd { filename = "/etc/smbpasswd" format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" delimiter = ":" ignorenislike = no ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.1 port 3128, id=91, length=136 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "jonathan" MS-CHAP-Challenge = 0x0e7576fbc39001c8e564cf956cddc78d MS-CHAP2-Response = 0x0100db3ad4f3d5eccbe9e324541a9df22e1e00000000000000006534b37dd90c5059b61afebe996c671fe8072c1595847708 NAS-IP-Address = 24.123.100.82 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "jonathan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "jonathan", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry DEFAULT at line 170 [files] users: Matched entry DEFAULT at line 185 ++[files] returns ok [smbpasswd] Added LM-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to config_items [smbpasswd] Added NT-Password: '9BEE78C36DF95176A4D1975E05BAC7E1' to config_items [smbpasswd] Added SMB-Account-CTRL-TEXT: '[U ]' to config_items ++[smbpasswd] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing LM-Password from base64 encoding [pap] Normalizing NT-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Invalid LM-Password [mschap] Found NT-Password [mschap] Told to do MS-CHAPv2 for jonathan with NT-Password ++[mschap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 91 to 192.168.10.1 port 3128 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP MS-CHAP2-Success = 0x01533d33424144444635303544383143384131363542433844363442304534333134334530313534364541 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 91 with timestamp +6 Ready to process requests. This _looks_ like it succeeds, but the connection is not established because it didn't actually do CHAP: pppd[31503]: MPPE required, but keys are not available. Possible plugin problem? Apr 20 16:22:18 firewall pppd[31503]: CHAP peer authentication succeeded for jonathan Apr 20 16:22:18 firewall pppd[31503]: Connection terminated.
Hi,
I believe my next step, according to what Josip Rodin has been kind enough to point out, is to enable the ntdomain parsing section, which is configured but commented out in /etc/freeradius/sites-denabled/default. (It occurrs twice, if I understand correctly the second one is for accounting, which I don't use, but I'll start by enabling both.)
the output you posted also gives some useful debug info - you could see it talk about the nt_domain_hack thing...then read modules/preprocess at which point you read that its not a good idea and look at realms module as it says and then see the 'ntdomain' option - but yes, enable ntdomain function in the 'default' virtual server. alan
Progress, of a sort! In additition to the instructions in the PopTop doc, I have enabled ntdomain on lines 119 and 345 of /etc/freeradius/sites-enabled/default, and I have enabled nt_domainhack on line 37 of /etc/freeradius/modules/mschap. Now we move on to the following error: [ntdomain] Looking up realm "AABENSON" for User-Name = "AABENSON\jonathan" [ntdomain] No such realm "AABENSON" It's parsing it correctly, I just need to configure either a default realm or an actual NT Domain realm. The goal is for users to be able to access samba shares on this server. I really appreciate everybody's patience. FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 3 2010 at 15:51:52 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.10.1 { require_message_authenticator = no secret = "pearietnogide" shortname = "firewall" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = no require_encryption = no require_strong = no with_ntdomain_hack = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.1 port 3120, id=69, length=145 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "AABENSON\\jonathan" MS-CHAP-Challenge = 0xd0d7d91fd9811334bca058fd65a0d52a MS-CHAP2-Response = 0x0100280b8adbdfa85f253bc4814545cc1ee100000000000000002371c2e14a185a7f504c13b6e09998a6a58e1d159b2f68c0 NAS-IP-Address = 24.123.100.82 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "AABENSON\jonathan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "AABENSON" for User-Name = "AABENSON\jonathan" [ntdomain] No such realm "AABENSON" ++[ntdomain] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for jonathan with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> AABENSON\jonathan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 69 to 192.168.10.1 port 3120 Waking up in 4.9 seconds.
On Tue, Apr 20, 2010 at 12:27:18PM -0500, Jonathan Hutchins wrote:
Progress, of a sort!
In additition to the instructions in the PopTop doc, I have enabled ntdomain on lines 119 and 345 of /etc/freeradius/sites-enabled/default, and I have enabled nt_domainhack on line 37 of /etc/freeradius/modules/mschap.
Now we move on to the following error:
[ntdomain] Looking up realm "AABENSON" for User-Name = "AABENSON\jonathan" [ntdomain] No such realm "AABENSON"
It's parsing it correctly, I just need to configure either a default realm or an actual NT Domain realm.
Yes. Notice that you don't actually have to do anything in it. This might not be explained too well in the inline examples. proxy.conf shows an example that says this implicitly: realm LOCAL { # If we do not specify a server pool, the realm is LOCAL, and # requests are not proxied to it. } There is nothing (except for comments) in such a realm definition. But it allows the modules that look up realms to proceed. Such as your ntdomain realm instance, which will then create a stripped user name that you probably want. -- 2. That which causes joy or happiness.
participants (8)
-
Alan Buxey -
Alan DeKok -
Gary Gatten -
John Dennis -
Jonathan Hutchins -
Josip Rodin -
Nathan McDavit-Van Fleet -
Thibault Le Meur