freeradius 3.0.4 CentOS 7.2 AD
Hello, we have freeradius 3.0.4 on a centos 7.2 machine with ldap authentication against edirectory running for a long time. Now we want to authenticate against AD. We followed the intructions on http://deployingradius.com/documents/configuration/active_directory.html ntlm_auth returns: NT_STATUS_OK: Success (0x0). Radiusd -X returns the following error: /etc/raddb/mods-config/files/authorize[1]: Parse error (check) for entry DEFAULT: Unknown value 'ntlm_auth' for attribute 'Auth-Type' What is the reason? Regards, Hubert
On Apr 8, 2016, at 4:15 AM, Hubert Kupper <kupper@uni-landau.de> wrote:
we have freeradius 3.0.4 on a centos 7.2 machine with ldap authentication against edirectory running for a long time. Now we want to authenticate against AD. We followed the intructions on http://deployingradius.com/documents/configuration/active_directory.html
ntlm_auth returns: NT_STATUS_OK: Success (0x0). Radiusd -X returns the following error:
/etc/raddb/mods-config/files/authorize[1]: Parse error (check) for entry DEFAULT: Unknown value 'ntlm_auth' for attribute 'Auth-Type'
What is the reason?
It means you're not following the guide. The error message is pretty clear. The DEFAULT entry you added at the start of the "authorize" file doesn't work. Why? Because you didn't add an ntlm_auth entry in the "authenticate" section, as documented in the guide. Follow the guide. Every step. Don't skip steps. Alan DeKok.
Am 08.04.2016 um 13:00 schrieb Alan DeKok:
On Apr 8, 2016, at 4:15 AM, Hubert Kupper <kupper@uni-landau.de> wrote:
we have freeradius 3.0.4 on a centos 7.2 machine with ldap authentication against edirectory running for a long time. Now we want to authenticate against AD. We followed the intructions on http://deployingradius.com/documents/configuration/active_directory.html
ntlm_auth returns: NT_STATUS_OK: Success (0x0). Radiusd -X returns the following error:
/etc/raddb/mods-config/files/authorize[1]: Parse error (check) for entry DEFAULT: Unknown value 'ntlm_auth' for attribute 'Auth-Type'
What is the reason? It means you're not following the guide.
The error message is pretty clear. The DEFAULT entry you added at the start of the "authorize" file doesn't work.
Why? Because you didn't add an ntlm_auth entry in the "authenticate" section, as documented in the guide.
Follow the guide. Every step. Don't skip steps.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Hello,
I had followed the guide and set a ntlm_auth entry in the "authenticate" section of "default" and "inner-tunnel". default: authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest # # Pluggable Authentication Modules. # pam # ntlm_auth # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # # We do NOT recommend using this. LDAP servers are databases. # They are NOT authentication servers. FreeRADIUS is an # authentication server, and knows what to do with authentication. # LDAP servers do not. # Auth-Type LDAP { ldap } # # Allow EAP authentication. eap # # The older configurations sent a number of attributes in # Access-Challenge packets, which wasn't strictly correct. # If you want to filter out these attributes, uncomment # the following lines. # # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } inner-tunnel: authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # Pluggable Authentication Modules. # pam # ntlm_auth # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # # We do NOT recommend using this. LDAP servers are databases. # They are NOT authentication servers. FreeRADIUS is an # authentication server, and knows what to do with authentication. # LDAP servers do not. # Auth-Type LDAP { ldap } # # Allow EAP authentication. eap } I hat tested it with Auth-Type { ntlm_auth } also.
Hi, what clients/method are you planning to use? I've never done that 'ntlm_auth' step - and just done the part thats in the docs as "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" alan
Am 11.04.2016 um 09:31 schrieb A.L.M.Buxey@lboro.ac.uk:
Hi,
what clients/method are you planning to use? I've never done that 'ntlm_auth' step - and just done the part thats in the docs as "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP"
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Hi Alan,
I did the "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" steps and now it works. Thanks. Best regards, Hubert
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Hubert Kupper