I have finished all steps till "user Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html . With this command I get this error message at the end of "/usr/sbin/freeradius -X": /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/freeradius/users /etc/freeradius/modules/files[7]: Instantiation failed for module "files" /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files". /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part): authenticate { # # NTML_AUTH authentication. Auth-Type ntlm_auth { ntlm_auth } What is wrong and what can I do to solve the problem? Thanks in advance. Best regards, F. Niedernolte
Hi Frederik, 1) Put User entry on *TOP* of users file. 2) In default file, in authenticate section, add *ntlm_auth. *Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add *ntlm_auth* in Authenticate Section. I hope it will solve your problem. SYED On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de>wrote:
I have finished all steps till „*user* Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
With this command I get this error message at the end of "/usr/sbin/freeradius –X":
/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules
The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part):
authenticate {
#
# NTML_AUTH authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
What is wrong and what can I do to solve the problem?
Thanks in advance.
Best regards, F. Niedernolte
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks, now it works :) Now the last step: How can I test it? What tool/program etc. can/should I use to test it? "The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above." Mit freundlichen Grüßen / Kind regards Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de <mailto:frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554 arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Syed Anwarul Hasan Gesendet: Donnerstag, 9. Oktober 2008 11:44 An: FreeRadius users mailing list Betreff: Re: Problem with ntlm_auth Hi Frederik, 1) Put User entry on TOP of users file. 2) In default file, in authenticate section, add ntlm_auth. Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add ntlm_auth in Authenticate Section. I hope it will solve your problem. SYED On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote: I have finished all steps till "user Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html. With this command I get this error message at the end of "/usr/sbin/freeradius -X": /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/freeradius/users /etc/freeradius/modules/files[7]: Instantiation failed for module "files" /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files". /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part): authenticate { # # NTML_AUTH authentication. Auth-Type ntlm_auth { ntlm_auth } What is wrong and what can I do to solve the problem? Thanks in advance. Best regards, F. Niedernolte - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, You can use radtest tool to check with the Server.The Server will return accept-accept message. Other tool includes JRadius Simulator as IVAN told. bu I have not used it. Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you have) SYED On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de>wrote:
Thanks, now it works :)
Now the last step: How can I test it? What tool/program etc. can/should I use to test it?
"The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as above."
Mit freundlichen Grüßen / Kind regards
Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de<frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554
arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 11:44 *An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi Frederik,
1) Put User entry on *TOP* of users file. 2) In default file, in authenticate section, add *ntlm_auth. *Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add *ntlm_auth* in Authenticate Section.
I hope it will solve your problem. SYED
On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
I have finished all steps till „*user* Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
With this command I get this error message at the end of "/usr/sbin/freeradius –X":
/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules
The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part):
authenticate {
#
# NTML_AUTH authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
What is wrong and what can I do to solve the problem?
Thanks in advance.
Best regards, F. Niedernolte
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58 User-Name = "MyUser" User-Password = "MyPassword" NAS-IP-Address = IP.OF.THE.SERVER NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "MyUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> MyUser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 92 to 127.0.0.1 port 32793 Waking up in 4.9 seconds. Cleaning up request 0 ID 92 with timestamp +3710 Ready to process requests. Now what should I do? Thanks in advance. Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Syed Anwarul Hasan Gesendet: Donnerstag, 9. Oktober 2008 12:12 An: FreeRadius users mailing list Betreff: Re: Problem with ntlm_auth Hi, You can use radtest tool to check with the Server.The Server will return accept-accept message. Other tool includes JRadius Simulator as IVAN told. bu I have not used it. Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you have) SYED On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de> wrote: Thanks, now it works :) Now the last step: How can I test it? What tool/program etc. can/should I use to test it? "The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above." Mit freundlichen Grüßen / Kind regards Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de <mailto:frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554 arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte <mailto:freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] Im Auftrag von Syed Anwarul Hasan Gesendet: Donnerstag, 9. Oktober 2008 11:44 An: FreeRadius users mailing list Betreff: Re: Problem with ntlm_auth Hi Frederik, 1) Put User entry on TOP of users file. 2) In default file, in authenticate section, add ntlm_auth. Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add ntlm_auth in Authenticate Section. I hope it will solve your problem. SYED On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote: I have finished all steps till "user Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html. With this command I get this error message at the end of "/usr/sbin/freeradius -X": /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/freeradius/users /etc/freeradius/modules/files[7]: Instantiation failed for module "files" /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files". /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part): authenticate { # # NTML_AUTH authentication. Auth-Type ntlm_auth { ntlm_auth } What is wrong and what can I do to solve the problem? Thanks in advance. Best regards, F. Niedernolte - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is Bind as User. That is USer Entry is added in Users file and after using ntlm_auth, it is checked against a Active Directory or LDAP server backend using NT Lan manager Authentication Protocol. For example: Users file: User Auth-Type :- ntlm_auth In Active Directory User should be a member. So, then ntlm_auth requests will be passed from your Server to Active Directory or LDAP Server. Otherwise you will not setup ntlm_auth. SYED On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte@bertelsmann.de>wrote:
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
User-Name = "MyUser"
User-Password = "MyPassword"
NAS-IP-Address = IP.OF.THE.SERVER
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> MyUser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
Waking up in 4.9 seconds.
Cleaning up request 0 ID 92 with timestamp +3710
Ready to process requests.
Now what should I do? Thanks in advance.
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 12:12
*An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi, You can use radtest tool to check with the Server.The Server will return accept-accept message. Other tool includes JRadius Simulator as IVAN told. bu I have not used it. Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you have)
SYED
On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
Thanks, now it works :)
Now the last step: How can I test it? What tool/program etc. can/should I use to test it?
"The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as above."
Mit freundlichen Grüßen / Kind regards
Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de<frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554
arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 11:44 *An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi Frederik,
1) Put User entry on *TOP* of users file. 2) In default file, in authenticate section, add *ntlm_auth. *Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add *ntlm_auth* in Authenticate Section.
I hope it will solve your problem. SYED
On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
I have finished all steps till „*user* Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
With this command I get this error message at the end of "/usr/sbin/freeradius –X":
/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules
The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part):
authenticate {
#
# NTML_AUTH authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
What is wrong and what can I do to solve the problem?
Thanks in advance.
Best regards, F. Niedernolte
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And also don't remove ntlm_auth from authenticate section of both default and inner-tunnel files. On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan < syedanwarulhasan2007@gmail.com> wrote:
Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is Bind as User. That is USer Entry is added in Users file and after using ntlm_auth, it is checked against a Active Directory or LDAP server backend using NT Lan manager Authentication Protocol.
For example: Users file: User Auth-Type :- ntlm_auth
In Active Directory User should be a member.
So, then ntlm_auth requests will be passed from your Server to Active Directory or LDAP Server.
Otherwise you will not setup ntlm_auth.
SYED
On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte@bertelsmann.de>wrote:
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
User-Name = "MyUser"
User-Password = "MyPassword"
NAS-IP-Address = IP.OF.THE.SERVER
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> MyUser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
Waking up in 4.9 seconds.
Cleaning up request 0 ID 92 with timestamp +3710
Ready to process requests.
Now what should I do? Thanks in advance.
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto: freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 12:12
*An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi, You can use radtest tool to check with the Server.The Server will return accept-accept message. Other tool includes JRadius Simulator as IVAN told. bu I have not used it. Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you have)
SYED
On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
Thanks, now it works :)
Now the last step: How can I test it? What tool/program etc. can/should I use to test it?
"The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as above."
Mit freundlichen Grüßen / Kind regards
Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de<frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554
arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto: freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 11:44 *An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi Frederik,
1) Put User entry on *TOP* of users file. 2) In default file, in authenticate section, add *ntlm_auth. *Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add *ntlm_auth* in Authenticate Section.
I hope it will solve your problem. SYED
On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
I have finished all steps till „*user* Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
With this command I get this error message at the end of "/usr/sbin/freeradius –X":
/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules
The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part):
authenticate {
#
# NTML_AUTH authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
What is wrong and what can I do to solve the problem?
Thanks in advance.
Best regards, F. Niedernolte
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So to understand you right: Every user that should be authenticated has to be an entry in the users file? Isn't it possible to add an forwarding for every user so that all requests are just forwarded and checked? If not I must add all users from the AD to the users file, mustn't I? Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Syed Anwarul Hasan Gesendet: Donnerstag, 9. Oktober 2008 13:16 An: FreeRadius users mailing list Betreff: Re: Problem with ntlm_auth And also don't remove ntlm_auth from authenticate section of both default and inner-tunnel files. On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <syedanwarulhasan2007@gmail.com> wrote: Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is Bind as User. That is USer Entry is added in Users file and after using ntlm_auth, it is checked against a Active Directory or LDAP server backend using NT Lan manager Authentication Protocol. For example: Users file: User Auth-Type :- ntlm_auth In Active Directory User should be a member. So, then ntlm_auth requests will be passed from your Server to Active Directory or LDAP Server. Otherwise you will not setup ntlm_auth. SYED On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte@bertelsmann.de> wrote: OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58 User-Name = "MyUser" User-Password = "MyPassword" NAS-IP-Address = IP.OF.THE.SERVER NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "MyUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> MyUser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 92 to 127.0.0.1 port 32793 Waking up in 4.9 seconds. Cleaning up request 0 ID 92 with timestamp +3710 Ready to process requests. Now what should I do? Thanks in advance. Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte <mailto:freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] Im Auftrag von Syed Anwarul Hasan Gesendet: Donnerstag, 9. Oktober 2008 12:12 An: FreeRadius users mailing list Betreff: Re: Problem with ntlm_auth Hi, You can use radtest tool to check with the Server.The Server will return accept-accept message. Other tool includes JRadius Simulator as IVAN told. bu I have not used it. Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you have) SYED On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de> wrote: Thanks, now it works :) Now the last step: How can I test it? What tool/program etc. can/should I use to test it? "The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above." Mit freundlichen Grüßen / Kind regards Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de <mailto:frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554 arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte <mailto:freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] Im Auftrag von Syed Anwarul Hasan Gesendet: Donnerstag, 9. Oktober 2008 11:44 An: FreeRadius users mailing list Betreff: Re: Problem with ntlm_auth Hi Frederik, 1) Put User entry on TOP of users file. 2) In default file, in authenticate section, add ntlm_auth. Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add ntlm_auth in Authenticate Section. I hope it will solve your problem. SYED On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote: I have finished all steps till "user Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html. With this command I get this error message at the end of "/usr/sbin/freeradius -X": /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/freeradius/users /etc/freeradius/modules/files[7]: Instantiation failed for module "files" /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files". /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part): authenticate { # # NTML_AUTH authentication. Auth-Type ntlm_auth { ntlm_auth } What is wrong and what can I do to solve the problem? Thanks in advance. Best regards, F. Niedernolte - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Every user that should be authenticated has to be an entry in the users file?
Isn't it possible to add an forwarding for every user so that all requests are just forwarded and checked?
If not I must add all users from the AD to the users file, mustn't I?
DEFAULT Auth-Type := ntlm_auth Ivan Kalik Kalik Informatika ISP
OK, thanks. Now it works. Is this the way it should look right? Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=97, length=59 User-Name = "MyUser" User-Password = "MyPassword" NAS-IP-Address = IP.ADDRESS.OF.SERVER NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "MyUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=MyUser [ntlm_auth] expand: --password=%{User-Password} -> --password=MyPassword Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 97 to 127.0.0.1 port 32793 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 97 with timestamp +16 Ready to process requests. F. Niedernolte -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von tnt@kalik.net Gesendet: Donnerstag, 9. Oktober 2008 13:28 An: FreeRadius users mailing list Betreff: Re: AW: Problem with ntlm_auth
Every user that should be authenticated has to be an entry in the users file?
Isn't it possible to add an forwarding for every user so that all requests are just forwarded and checked?
If not I must add all users from the AD to the users file, mustn't I?
DEFAULT Auth-Type := ntlm_auth Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK, thanks. Now it works. Is this the way it should look right?
Yes. that's OK. ..
[files] users: Matched entry DEFAULT at line 2 ++[files] returns ok
Entry setting Auth-Type. ..
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's because the password is not given to radius server but is checked in AD.
++[pap] returns noop Found Auth-Type = ntlm_auth
This was forced in users file.
+- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=MyUser [ntlm_auth] expand: --password=%{User-Password} -> --password=MyPassword Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok
And user is authenticated in AD. Ivan Kalik Kalik Informatika ISP
Is is possible to use only one freeRADIUS server (the just configured one) for a bunch of different domains in my active directory network? How? F. Niedernolte -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von tnt@kalik.net Gesendet: Donnerstag, 9. Oktober 2008 14:05 An: FreeRadius users mailing list Betreff: Re: AW: AW: Problem with ntlm_auth
OK, thanks. Now it works. Is this the way it should look right?
Yes. that's OK. ..
[files] users: Matched entry DEFAULT at line 2 ++[files] returns ok
Entry setting Auth-Type. ..
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
That's because the password is not given to radius server but is checked in AD.
++[pap] returns noop Found Auth-Type = ntlm_auth
This was forced in users file.
+- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=MyUser [ntlm_auth] expand: --password=%{User-Password} -> --password=MyPassword Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok
And user is authenticated in AD. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Frederik.Niedernolte@Bertelsmann.de wrote:
Is is possible to use only one freeRADIUS server (the just configured one) for a bunch of different domains in my active directory network?
Configure Samba to join all of the domains. Point FreeRADIUS at Samba, via ntlm_auth. Alan DeKok.
And how can I do that? I cannot find something like that via Google :( -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Donnerstag, 9. Oktober 2008 14:59 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: Problem with ntlm_auth Frederik.Niedernolte@Bertelsmann.de wrote:
Is is possible to use only one freeRADIUS server (the just configured one) for a bunch of different domains in my active directory network?
Configure Samba to join all of the domains. Point FreeRADIUS at Samba, via ntlm_auth. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
There are too many pages to check. Perhaps you can give me a specific link? I want to do it on my own but with no information it is impossible. F. Niedernolte -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Donnerstag, 9. Oktober 2008 16:46 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: Problem with ntlm_auth Frederik.Niedernolte@Bertelsmann.de wrote:
And how can I do that? I cannot find something like that via Google :(
See the Samba documentation? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Oh, you would like us to read the documentation for you!?! Sorry, no can do! Samba also has a support list. Ask there. Ivan Kalik Kalik Informatika ISP Dana 9/10/2008, "Frederik.Niedernolte@bertelsmann.de" <Frederik.Niedernolte@bertelsmann.de> piše:
There are too many pages to check. Perhaps you can give me a specific link? I want to do it on my own but with no information it is impossible.
F. Niedernolte
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Donnerstag, 9. Oktober 2008 16:46 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: Problem with ntlm_auth
Frederik.Niedernolte@Bertelsmann.de wrote:
And how can I do that? I cannot find something like that via Google :(
See the Samba documentation?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I didn't mean that. I thought you would know a link or site for this but if noone knows I will ask the samba people. Thanks. Frederik Niedernolte -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von tnt@kalik.net Gesendet: Donnerstag, 9. Oktober 2008 17:03 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: AW: Problem with ntlm_auth Oh, you would like us to read the documentation for you!?! Sorry, no can do! Samba also has a support list. Ask there. Ivan Kalik Kalik Informatika ISP Dana 9/10/2008, "Frederik.Niedernolte@bertelsmann.de" <Frederik.Niedernolte@bertelsmann.de> piše:
There are too many pages to check. Perhaps you can give me a specific link? I want to do it on my own but with no information it is impossible.
F. Niedernolte
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Donnerstag, 9. Oktober 2008 16:46 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: Problem with ntlm_auth
Frederik.Niedernolte@Bertelsmann.de wrote:
And how can I do that? I cannot find something like that via Google :(
See the Samba documentation?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You have misunderstood what this list is about. This is a support list for Freeradius users. You will be provided the details of basic configuration for other projects/devices (Open Source/Cisco/Microsoft etc.) wich will enable server to cooperate with them in some common applications. If you need advanced configuartion for those projects/applications don't look for answers here. Ivan Kalik Kalik Informatika ISP Dana 9/10/2008, "Frederik.Niedernolte@bertelsmann.de" <Frederik.Niedernolte@bertelsmann.de> piše:
I didn't mean that. I thought you would know a link or site for this but if noone knows I will ask the samba people. Thanks.
Frederik Niedernolte
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von tnt@kalik.net Gesendet: Donnerstag, 9. Oktober 2008 17:03 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: AW: Problem with ntlm_auth
Oh, you would like us to read the documentation for you!?! Sorry, no can do!
Samba also has a support list. Ask there.
Ivan Kalik Kalik Informatika ISP
Dana 9/10/2008, "Frederik.Niedernolte@bertelsmann.de" <Frederik.Niedernolte@bertelsmann.de> piše:
There are too many pages to check. Perhaps you can give me a specific link? I want to do it on my own but with no information it is impossible.
F. Niedernolte
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Donnerstag, 9. Oktober 2008 16:46 An: FreeRadius users mailing list Betreff: Re: AW: AW: AW: AW: Problem with ntlm_auth
Frederik.Niedernolte@Bertelsmann.de wrote:
And how can I do that? I cannot find something like that via Google :(
See the Samba documentation?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Frederik.Niedernolte@Bertelsmann.de wrote:
There are too many pages to check.
Maybe I should go read the pages, and point you to specific ones?
Perhaps you can give me a specific link?
This isn't a Samba help list. We are not Samba experts. I suggest asking on the Samba list how to configure Samba for multiple domains. Alan DeKok.
HEY PAL CHEK THIS OUT thanks to everyone in the list o yes!! in user file i added users Auth-Type := ntlm_auth an also DEFAULT Auth-Type := ntlm_auth and restart freeradius and in the output istening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 33818, id=145, length=72 User-Name = "luis" User-Password = "test" NAS-IP-Address = 172.16.1.11 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "luis", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry DEFAULT at line 4 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=luis [ntlm_auth] expand: --password=%{User-Password} -> --password=test Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 145 to 127.0.0.1 port 33818 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 145 with timestamp +23 Ready to process requests. now im going to follow the next steps the modems :-) hugs and many thanks for everyone read my questions brb , now im going to find out how to connect the 16 modems to my linux server Luis --- El jue, 9/10/08, tnt@kalik.net <tnt@kalik.net> escribió: De: tnt@kalik.net <tnt@kalik.net> Asunto: Re: AW: Problem with ntlm_auth Para: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Fecha: jueves, 9 octubre, 2008 11:27
Every user that should be authenticated has to be an entry in the users file?
Isn't it possible to add an forwarding for every user so that all requests are just forwarded and checked?
If not I must add all users from the AD to the users file, mustn't I?
DEFAULT Auth-Type := ntlm_auth Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That was example,to check with different Users,DEFAULT should be used as rightly said by Ivan. On Thu, Oct 9, 2008 at 1:22 PM, <Frederik.Niedernolte@bertelsmann.de> wrote:
So to understand you right:
Every user that should be authenticated has to be an entry in the users file?
Isn't it possible to add an forwarding for every user so that all requests are just forwarded and checked?
If not I must add all users from the AD to the users file, mustn't I?
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 13:16
*An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
And also don't remove ntlm_auth from authenticate section of both default and inner-tunnel files.
On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan < syedanwarulhasan2007@gmail.com> wrote:
Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is Bind as User. That is USer Entry is added in Users file and after using ntlm_auth, it is checked against a Active Directory or LDAP server backend using NT Lan manager Authentication Protocol.
For example: Users file: User Auth-Type :- ntlm_auth
In Active Directory User should be a member.
So, then ntlm_auth requests will be passed from your Server to Active Directory or LDAP Server.
Otherwise you will not setup ntlm_auth.
SYED
On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte@bertelsmann.de> wrote:
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
User-Name = "MyUser"
User-Password = "MyPassword"
NAS-IP-Address = IP.OF.THE.SERVER
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> MyUser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
Waking up in 4.9 seconds.
Cleaning up request 0 ID 92 with timestamp +3710
Ready to process requests.
Now what should I do? Thanks in advance.
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 12:12
*An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi, You can use radtest tool to check with the Server.The Server will return accept-accept message. Other tool includes JRadius Simulator as IVAN told. bu I have not used it. Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if you have)
SYED
On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
Thanks, now it works :)
Now the last step: How can I test it? What tool/program etc. can/should I use to test it?
"The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning an Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as above."
Mit freundlichen Grüßen / Kind regards
Frederik Niedernolte ------------------------------------------------------- arvato services An der Autobahn 33310 Gütersloh Germany http://www.arvato-services.de frederik.niedernolte@bertelsmann.de<frederik.niedernolte@bertelsmann.deTel> Tel.: +49 (0)5241 80-40554
arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard Südmersen
*Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@ lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte<freeradius-users-bounces%2Bfrederik.niedernolte> =bertelsmann.de@lists.freeradius.org] *Im Auftrag von *Syed Anwarul Hasan *Gesendet:* Donnerstag, 9. Oktober 2008 11:44 *An:* FreeRadius users mailing list *Betreff:* Re: Problem with ntlm_auth
Hi Frederik,
1) Put User entry on *TOP* of users file. 2) In default file, in authenticate section, add *ntlm_auth. *Don't set using Auth-Type. 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add *ntlm_auth* in Authenticate Section.
I hope it will solve your problem. SYED
On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte@bertelsmann.de> wrote:
I have finished all steps till „*user* Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
With this command I get this error message at the end of "/usr/sbin/freeradius –X":
/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules
The authenticate section in the /etc/freeradius/sites-enabled/default looks like this (only important part):
authenticate {
#
# NTML_AUTH authentication.
Auth-Type ntlm_auth {
ntlm_auth
}
What is wrong and what can I do to solve the problem?
Thanks in advance.
Best regards, F. Niedernolte
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back:
..
++[files] returns noop
So, where is the user file entry setting Auth-Type ntlm_auth? It didn't match. Something is wrong with it. Ivan Kalik Kalik Informatika ISP
participants (6)
-
Alan DeKok -
Frederik.Niedernolte@Bertelsmann.de -
luis a -
Stephen Bowman -
Syed Anwarul Hasan -
tnt@kalik.net