Freeradius vs NT Domain Authentication
Hi, I know that's possible to configure Freeradius to authenticate Windows NT Domain users, but I just can't find a good/complete documentation about it... Is it possible for anyone on this forum to provide such documentation (files/links/instructions) to me? Thanks, -- Richard Bortolucci
Richard Bortolucci <richardbortolucci@gmail.com> wrote:
I know that's possible to configure Freeradius to authenticate Windows NT Domain users, but I just can't find a good/complete documentation about it... Is it possible for anyone on this forum to provide such documentation (files/links/instructions) to me?
Read radiusd.conf. Look for "windows domain" Alan DeKok.
Alan, I'm already reading the confs files, but I still can't make this work. Can you check the log bellow? Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc//raddb/proxy.conf Config: including file: /etc//raddb/clients.conf Config: including file: /etc//raddb/snmp.conf Config: including file: /etc//raddb/eap.conf Config: including file: /etc//raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded SMB smb: server = "server.domain.com" smb: backup = "server.domain.com" smb: domain = "DOMAIN" Module: Instantiated smb (smb) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc//raddb/huntgroups" preprocess: hints = "/etc//raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (ntdomain) realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc//raddb/users" files: acctusersfile = "/etc//raddb/acct_users" files: preproxy_usersfile = "/etc//raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.11:1908, id=79, length=116 Message-Authenticator = 0x56ff757650fcd24b98701dfa7c982bbc User-Name = "DOMAIN\\USER" NAS-IP-Address = 10.10.10.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-01-f4-75-32-73" EAP-Message = 0x020100120153504244415c5a534143343432 Framed-MTU = 1000 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\USER" rlm_realm: No such realm "DOMAIN" modcall[authorize]: module "ntdomain" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "DOMAIN\USER", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 79 to 10.101.10.11:1908 EAP-Message = 0x01020016041046e8a6236258580edc4320cc8c260e3d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x391b75c4909630195719ef84e0861775 Finished request 0 Going to the next request On 12/28/05, Alan DeKok <aland@ox.org> wrote:
Richard Bortolucci <richardbortolucci@gmail.com> wrote:
I know that's possible to configure Freeradius to authenticate Windows NT Domain users, but I just can't find a good/complete documentation about it... Is it possible for anyone on this forum to provide such documentation (files/links/instructions) to me?
Read radiusd.conf. Look for "windows domain"
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Richard Bortolucci
Richard Bortolucci <richardbortolucci@gmail.com> wrote:
I'm already reading the confs files, but I still can't make this work. Can you check the log bellow?
First, nothing in the debug log shows anything going wrong, or a user being rejected. Could you PLEASE explain why what you expect, and say WHY the debug log isn't doing what you expect? Saying "it doesn't work", and relying on someone else to do all of the work to figure it out is annoying.
rlm_eap: processing type md5
You won't be able to authenticate against an NT domain when using EAP-MD5. Alan DeKok.
participants (2)
-
Alan DeKok -
Richard Bortolucci