I am trying to get exec ntlm_auth to work so I can use ms-chap authentication but I am having a problem. Trying to use the radtest tool I sent a valid username but an incorrect password but yet FreeRadius still sends back an access-accept. Why? --------------------------- Log ----------------------------------------------------- Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32770, id=205, length=56 User-Name = "9430" User-Password = "hello" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "9430", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ntlm_auth auth: type "ntlm_auth" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "ntlm_auth" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 Sending Access-Accept of id 205 to 127.0.0.1 port 32770 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 205 with timestamp 474ea5b4 Nothing to do. Sleeping until we see a request. --------------------------- Radiusd.conf ----------------------------------------- modules { exec ntlm_auth { wait = no program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --username=9430 --password=aaa" } ...... } authenticate { ntlm_auth ...... } -- View this message in context: http://www.nabble.com/exec-ntlm_auth-doesn%27t-fail-tf4896518.html#a14023756 Sent from the FreeRadius - User mailing list archive at Nabble.com.
I am trying to get exec ntlm_auth to work so I can use ms-chap authentication
Something wrong with ntlm_auth call from the mschap {} module?
but I am having a problem. Trying to use the radtest tool I sent a valid username but an incorrect password but yet FreeRadius still sends back an access-accept. Why?
You hardcoded the correct password in ntlm_auth call. Since you hardcoded the real username as well, you can use a wrong username and it will still pass.
program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --username=9430 --password=aaa"
Ivan Kalik Kalik Informatika ISP
I wasn't using the mschap module for ntlm_auth yet as I wanted to use radtest and ntlm_auth wasn't being called at all from the exec modules. I fixed that now. I hard coded the incorrect password but correct username but the auth failed still. Instead I reverted back to the old configuration files, changed the Default Auth-Type in the users file to "echo" and changed the "echo" program call and it works. Humph! tnt wrote:
I am trying to get exec ntlm_auth to work so I can use ms-chap
authentication
Something wrong with ntlm_auth call from the mschap {} module?
but I am having a problem. Trying to use the radtest tool I sent a valid username but an incorrect password but yet FreeRadius still sends back an access-accept. Why?
You hardcoded the correct password in ntlm_auth call. Since you hardcoded the real username as well, you can use a wrong username and it will still pass.
program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --username=9430 --password=aaa"
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/exec-ntlm_auth-doesn%27t-fail-tf4896518.html#a14027901 Sent from the FreeRadius - User mailing list archive at Nabble.com.
Dead6re wrote:
I hard coded the incorrect password but correct username but the auth failed still. Instead I reverted back to the old configuration files, changed the Default Auth-Type in the users file to "echo" and changed the "echo" program call and it works. Humph!
You have "wait = no". This means "fire and forget", i.e. don't bother waiting for the program to exit... and therefore don't look at it's return code. Alan DeKok.
participants (3)
-
Alan DeKok -
Dead6re -
tnt@kalik.co.yu