Re: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.
I've been jacking around trying to fix this for several hours - but no go. I've RTFM several times, and read several docs such as: http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28nt lm_auth%29_with_accounts_stored_elsewhere
When I say "fix" - it's always been "broken" - it's never worked without the DEFAULT entry in users. Most all my accounts are in AD so the DEFAULT works for me, but I'm using this issue as a learning opportunity, but instead it's just a frustration opportunity.
I'll post all my confs (2.1.6) and -X output if needed, but just looking for some hints to help determine why when the process fails through to PAP, it won't use ntlm_auth - it will only use "files"
Post the debug. Ivan Kalik Kalik Informatika ISP
Working, uses DEFAULT Auth-Type = ntlm_auth in users file: rad_recv: Access-Request packet from host 10.1.x.y port 1645, id=217, length=85 User-Name = "myname" User-Password = "myt0p$3cr3tP@$$W0rd" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "192.168.x.y" NAS-IP-Address = 10.x.y.z +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "myname", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry DEFAULT at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{User-Name} -> --username=myname [ntlm_auth] expand: --password=%{Password} -> --password=myt0p$3cr3tP@$$W0rd Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok Login OK: [myname] (from client Ci$coSwitch port 1 cli 192.168.x.y) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 217 to 10.x.y.z port 1645 Finished request 28. Going to the next request Waking up in 4.9 seconds. NOT WORKING: rad_recv: Access-Request packet from host 10.x.y.z port 1645, id=218, length=85 User-Name = "myname" User-Password = "myt0p$3cr3tP@$$W0rd" NAS-Port = 1 NAS-Port-Id = "tty1" NAS-Port-Type = Virtual Calling-Station-Id = "192.168.x.y" NAS-IP-Address = 10.x.y.z +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "myname", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "myt0p$3cr3tP@$$W0rd" [pap] Using CRYPT encryption. [pap] Passwords don't match ### I have local unix account with a pw different than my AD password ### ### If I use local PW it auths me correctly ### ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CRYPT password check failed): [myname] (from client Ci$coSwitch port 1 cli 192.168.x.y) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> myname attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 38 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 38 Sending Access-Reject of id 218 to 10.x.y.z port 1645 Waking up in 4.9 seconds. Cleaning up request 38 ID 218 with timestamp +3237 Ready to process requests. -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of Ivan Kalik Sent: Thursday, October 15, 2009 10:30 AM To: FreeRadius users mailing list Subject: Re: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.
I've been jacking around trying to fix this for several hours - but no go. I've RTFM several times, and read several docs such as:
http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28nt
lm_auth%29_with_accounts_stored_elsewhere
When I say "fix" - it's always been "broken" - it's never worked without the DEFAULT entry in users. Most all my accounts are in AD so the DEFAULT works for me, but I'm using this issue as a learning opportunity, but instead it's just a frustration opportunity.
I'll post all my confs (2.1.6) and -X output if needed, but just looking for some hints to help determine why when the process fails through to PAP, it won't use ntlm_auth - it will only use "files"
Post the debug. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
participants (2)
-
Gary Gatten -
Ivan Kalik