NTLM_auth active directory - what is wrong?
Hi all I follow the instructions of Alan : <http://deployingradius.com/documents/configuration/active_directory.html> to authenticate ntlm_auth with radius but appers the following message: " WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user." what is wrong? Please help. Santiago FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Sep 3 2008 at 15:55:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.100.16.11 { require_message_authenticator = no secret = "123" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm DOMAIN.LOC { authhost = LOCAL accthost = LOCAL } realm DOMAIN { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating realmslash realm realmslash { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### bind_address = * WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'. Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.100.16.11 port 1308, id=0, length=217 Message-Authenticator = 0x92d1b860b93a1c6d28f08eaa37697101 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1308 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1310, id=0, length=217 Message-Authenticator = 0xf829fc414e9407ab04ede033d5a60941 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1310 Finished request 1. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1312, id=0, length=217 Message-Authenticator = 0xef8314925f34ccf891d91ca6fa18857d Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1312 Finished request 2. Going to the next request Waking up in 4.4 seconds. Cleaning up request 0 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 1 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 2 ID 0 with timestamp +114 Ready to process requests. Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Bogotá, Colombia (South America)
Hi Santiago, I would suggest you to first try with radtest to see ntlm_auth BIND AS USER is working or not. Have a User entry in Users file with Auth-Type := ntlm_auth Add *ntlm_auth* in Authenticate section of default and inner-tunnel files in /sites-enabled directory. Then if radtest returns NT Success Ok or ntlm_auth is being done by Server. Then Try for RADIUS requests from actual NAS. I have done this way as of now to check ntlm_auth Bind. The Experts can show you more light in your problem. Regards, SYED On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V <santimatiz@yahoo.com>wrote:
Hi all I follow the instructions of Alan :
<http://deployingradius.com/documents/configuration/active_directory.html>
to authenticate ntlm_auth with radius but appers the following message:
" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user."
what is wrong?
Please help. Santiago
FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Sep 3 2008 at 15:55:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.100.16.11 { require_message_authenticator = no secret = "123" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm DOMAIN.LOC { authhost = LOCAL accthost = LOCAL } realm DOMAIN { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating realmslash realm realmslash { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### bind_address = * WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'. Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.100.16.11 port 1308, id=0, length=217 Message-Authenticator = 0x92d1b860b93a1c6d28f08eaa37697101 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1308 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1310, id=0, length=217 Message-Authenticator = 0xf829fc414e9407ab04ede033d5a60941 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1310 Finished request 1. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1312, id=0, length=217 Message-Authenticator = 0xef8314925f34ccf891d91ca6fa18857d Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1312 Finished request 2. Going to the next request Waking up in 4.4 seconds. Cleaning up request 0 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 1 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 2 ID 0 with timestamp +114 Ready to process requests.
Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Bogotá, Colombia (South America)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Syed thanks for your answer, when i configure the file "users" with "ntlm_auth" appears the error : "/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /usr/local/etc/raddb/users" thanks again... Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Bogotá, Colombia (South America) --- On Tue, 10/7/08, Syed Anwarul Hasan <syedanwarulhasan2007@gmail.com> wrote:
From: Syed Anwarul Hasan <syedanwarulhasan2007@gmail.com> Subject: Re: NTLM_auth active directory - what is wrong? To: santimatiz@yahoo.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, October 7, 2008, 2:20 PM Hi Santiago,
I would suggest you to first try with radtest to see ntlm_auth BIND AS USER is working or not.
Have a User entry in Users file with Auth-Type := ntlm_auth Add *ntlm_auth* in Authenticate section of default and inner-tunnel files in /sites-enabled directory.
Then if radtest returns NT Success Ok or ntlm_auth is being done by Server. Then Try for RADIUS requests from actual NAS.
I have done this way as of now to check ntlm_auth Bind.
The Experts can show you more light in your problem.
Regards, SYED
On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V <santimatiz@yahoo.com>wrote:
Hi all I follow the instructions of Alan :
<http://deployingradius.com/documents/configuration/active_directory.html>
to authenticate ntlm_auth with radius but appers the
following message:
" WARNING: Unknown value specified for Auth-Type.
Cannot perform requested
action. auth: Failed to validate the user."
what is wrong?
Please help. Santiago
FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Sep 3 2008 at 15:55:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.100.16.11 { require_message_authenticator = no secret = "123" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm DOMAIN.LOC { authhost = LOCAL accthost = LOCAL } realm DOMAIN { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
} Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating realmslash realm realmslash { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to
load
Module: Checking post-proxy {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### bind_address = * WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'. Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.100.16.11 port 1308, id=0, length=217 Message-Authenticator = 0x92d1b860b93a1c6d28f08eaa37697101 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1308 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1310, id=0, length=217 Message-Authenticator = 0xf829fc414e9407ab04ede033d5a60941 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1310 Finished request 1. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1312, id=0, length=217 Message-Authenticator = 0xef8314925f34ccf891d91ca6fa18857d Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1312 Finished request 2. Going to the next request Waking up in 4.4 seconds. Cleaning up request 0 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 1 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 2 ID 0 with timestamp +114 Ready to process requests.
Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Bogotá, Colombia (South America)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Santiago Matiz V wrote:
Syed thanks for your answer, when i configure the file "users" with "ntlm_auth" appears the error :
"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /usr/local/etc/raddb/users"
If it does that, it's because you haven't followed the guide. Among other things, the guide says to add the entry at the TOP of the "users" file. And you obviously haven't done that. Which files have you edited, and why? Alan DeKok.
Hi Alan, thank for your help I configured my users file with your direction : user Auth-Type := ntlm_auth DEFAULT Auth-Type = MSCHAP Fall-Through = 1, Reply-Message = "MsChap user" but when i run radiusd -X appears : "/usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type" Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Pontificia Universidad Javeriana http://www.javeriana.edu.co Bogotá, Colombia (South America) --- On Tue, 10/7/08, Alan DeKok <aland@deployingradius.com> wrote:
From: Alan DeKok <aland@deployingradius.com> Subject: Re: NTLM_auth active directory - what is wrong? To: santimatiz@yahoo.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, October 7, 2008, 3:24 PM Santiago Matiz V wrote:
Syed thanks for your answer, when i configure the file "users" with "ntlm_auth" appears the error :
"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /usr/local/etc/raddb/users"
If it does that, it's because you haven't followed the guide. Among other things, the guide says to add the entry at the TOP of the "users" file. And you obviously haven't done that.
Which files have you edited, and why?
Alan DeKok.
Santiago Matiz V wrote:
Hi Alan, thank for your help
I configured my users file with your direction :
Hmm... no.
user Auth-Type := ntlm_auth
That's supposed to be at the TOP of the "users" file. You didn't do that.
DEFAULT Auth-Type = MSCHAP Fall-Through = 1, Reply-Message = "MsChap user"
I have no idea why you added that. The documentation doesn't say to add that.
but when i run radiusd -X appears :
Which you've already said many times. Stop repeating that information on the list. It's useless. Instead, follow the directions. Edit the "authenticate" section as described in the documentation. Really, it's not hard. The guide says WHICH files to edit, WHERE in the files the edits should take place, and WHAT to change. There are a series of steps to follow, with examples. You are not following the directions. Why? If you don't follow the directions, there's no reason for anyone to keep answering your questions on this list. I've already written the documentation that you need to follow. Duplicating it here is useless. Especially if you make it clear that you have no intention of reading the documentation on the web site, or of following the instructions on the web site. Alan DeKok.
For some reason some systems process inner-tunnel virtual server before default. Since that server knows nothing about ntlm_auth this error occurs. Best solution is probably to add ntlm_auth to instatiate section of radiusd.conf as well. Just in case. And add that step to configuration instructions in the HOWTO. Ivan Kalik Kalik Informatika ISP Dana 7/10/2008, "Santiago Matiz V" <santimatiz@yahoo.com> piše:
Hi Alan, thank for your help
I configured my users file with your direction :
user Auth-Type := ntlm_auth
DEFAULT Auth-Type = MSCHAP Fall-Through = 1, Reply-Message = "MsChap user"
but when i run radiusd -X appears :
"/usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type"
Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Pontificia Universidad Javeriana http://www.javeriana.edu.co Bogotá, Colombia (South America)
--- On Tue, 10/7/08, Alan DeKok <aland@deployingradius.com> wrote:
From: Alan DeKok <aland@deployingradius.com> Subject: Re: NTLM_auth active directory - what is wrong? To: santimatiz@yahoo.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, October 7, 2008, 3:24 PM Santiago Matiz V wrote:
Syed thanks for your answer, when i configure the file "users" with "ntlm_auth" appears the error :
"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /usr/local/etc/raddb/users"
If it does that, it's because you haven't followed the guide. Among other things, the guide says to add the entry at the TOP of the "users" file. And you obviously haven't done that.
Which files have you edited, and why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.net wrote:
For some reason some systems process inner-tunnel virtual server before default.
That can (and likely should) be fixed.
Since that server knows nothing about ntlm_auth this error occurs. Best solution is probably to add ntlm_auth to instatiate section of radiusd.conf as well. Just in case. And add that step to configuration instructions in the HOWTO.
I don't think that will work here. It needs to have an "auth-type" defined dynamically, and adding it to the instantiate section won't do that. The default configuration should also be updated to define an "inner" users file, and an "outer" one. That would help address this issue, too. Alan DeKok.
Add ntlm_auth to inner-tunnel virtual server as well. Or add it to instatiate section of radiusd.conf. Ivan Kalik Kalik Informatika ISP Dana 7/10/2008, "Santiago Matiz V" <santimatiz@yahoo.com> piše:
Syed thanks for your answer, when i configure the file "users" with "ntlm_auth" appears the error :
"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type Errors reading /usr/local/etc/raddb/users"
thanks again...
Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Bogotá, Colombia (South America)
--- On Tue, 10/7/08, Syed Anwarul Hasan <syedanwarulhasan2007@gmail.com> wrote:
From: Syed Anwarul Hasan <syedanwarulhasan2007@gmail.com> Subject: Re: NTLM_auth active directory - what is wrong? To: santimatiz@yahoo.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, October 7, 2008, 2:20 PM Hi Santiago,
I would suggest you to first try with radtest to see ntlm_auth BIND AS USER is working or not.
Have a User entry in Users file with Auth-Type := ntlm_auth Add *ntlm_auth* in Authenticate section of default and inner-tunnel files in /sites-enabled directory.
Then if radtest returns NT Success Ok or ntlm_auth is being done by Server. Then Try for RADIUS requests from actual NAS.
I have done this way as of now to check ntlm_auth Bind.
The Experts can show you more light in your problem.
Regards, SYED
On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V <santimatiz@yahoo.com>wrote:
Hi all I follow the instructions of Alan :
<http://deployingradius.com/documents/configuration/active_directory.html>
to authenticate ntlm_auth with radius but appers the
following message:
" WARNING: Unknown value specified for Auth-Type.
Cannot perform requested
action. auth: Failed to validate the user."
what is wrong?
Please help. Santiago
FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Sep 3 2008 at 15:55:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.100.16.11 { require_message_authenticator = no secret = "123" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm DOMAIN.LOC { authhost = LOCAL accthost = LOCAL } realm DOMAIN { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
} Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating realmslash realm realmslash { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to
load
Module: Checking post-proxy {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### bind_address = * WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'. Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.100.16.11 port 1308, id=0, length=217 Message-Authenticator = 0x92d1b860b93a1c6d28f08eaa37697101 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1308 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1310, id=0, length=217 Message-Authenticator = 0xf829fc414e9407ab04ede033d5a60941 Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1310 Finished request 1. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.100.16.11 port 1312, id=0, length=217 Message-Authenticator = 0xef8314925f34ccf891d91ca6fa18857d Service-Type = Framed-User User-Name = "DOMAIN\\user\000" Framed-MTU = 1488 Called-Station-Id = "00-16-E0-04-FE-44:pcountry" Calling-Station-Id = "00-1B-77-4D-1A-74" NAS-Identifier = "PISO 7 UG SISTEMAS" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a NAS-IP-Address = 192.100.16.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. ++[realmslash] returns ok rlm_realm: Request already proxied. Ignoring. ++[suffix] returns ok rlm_eap: EAP packet type response id 0 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry user at line 178 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74) Sending Access-Reject of id 0 to 192.100.16.11 port 1312 Finished request 2. Going to the next request Waking up in 4.4 seconds. Cleaning up request 0 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 1 ID 0 with timestamp +113 Waking up in 0.2 seconds. Cleaning up request 2 ID 0 with timestamp +114 Ready to process requests.
Santiago Matiz (santimatiz@yahoo.com) Systems Engineer Bogotá, Colombia (South America)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Santiago Matiz V -
Syed Anwarul Hasan -
tnt@kalik.net