Hello, I have problem that looks strange to me and probably is obvious but I can't find the solution. I try to authenticate freeradius against AD using ntlm auth : [root@localhost] /usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain WEBANGEL --username=test --password=abcd123! NT_STATUS_OK: Success (0x0) debug log : [root@localhost raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) exec: wait = yes exec: program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain WEBANGEL --username=%{mschap:User-Name} --password=%{User-Password} " exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (ntlm_auth) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:58984, id=180, length=56 User-Name = "test" User-Password = "abcd123!" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 64 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ntlm_auth auth: type "ntlm_auth" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain WEBANGEL --username=test --password=abcd123! ' Exec-Program: /usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain WEBANGEL --username=test --password=abcd123! Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 rlm_exec (ntlm_auth): External script failed modcall[authenticate]: module "ntlm_auth" returns fail for request 0 modcall: leaving group authenticate (returns fail) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 180 to 127.0.0.1 port 58984 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 180 with timestamp 4ae8c52e Nothing to do. Sleeping until we see a request. So I am puzzled a little bit because even if I copy the ntlm_auth line from debug output it returns access granted and it gives wrong password from within radius Any help would be appreciated. Thank You. Paul Ryszka
Hello, Sorry for that the problem was simple I just forgot to put " on the end of the line. I guess I spent too much time going over it yesterday. Anyway I am also looking at implementing MSSQL authentication back-end and I was looking at this guide http://it.reinhardt.edu/dave/radius-mssql-howto.html however I remember reading that I shoudl not use Auth-Type unless absolutely necessary, would somebody be able to tell me how to replace that one ? I am new to freeradius so probably there are some obvious things that I just cannot grasp. On Wed, 2009-10-28 at 22:29 +0000, Paul Ryszka wrote:
Hello,
I have problem that looks strange to me and probably is obvious but I can't find the solution. I try to authenticate freeradius against AD using ntlm auth :
Paul Ryszka wrote:
Hello,
Sorry for that the problem was simple I just forgot to put " on the end of the line. I guess I spent too much time going over it yesterday. Anyway I am also looking at implementing MSSQL authentication back-end
Ugh, do you *have* to use MSSQL. Can't you use PostgrSQL (preferably) or MySQL?
and I was looking at this guide http://it.reinhardt.edu/dave/radius-mssql-howto.html
Seriously outdated.
however I remember reading that I shoudl not use Auth-Type unless absolutely necessary, would somebody be able to tell me how to replace that one ?
Don't use Auth-Type in radgroupcheck at all. Replace Password and == with Cleartext-Password and := and things will work. Ivan Kalik Kalik Informatika ISP
Database is not my choice either and I had to learn quite a lot about MSSQL in last two days and didn't like a bit about it :) is there any better guide that I should be following ? I read the SQL from wiki but it does not mention MSSQL so I tried to find something else ... On Thu, 2009-10-29 at 13:19 +0000, Ivan Kalik wrote:
Paul Ryszka wrote:
Hello,
Sorry for that the problem was simple I just forgot to put " on the end of the line. I guess I spent too much time going over it yesterday. Anyway I am also looking at implementing MSSQL authentication back-end
Ugh, do you *have* to use MSSQL. Can't you use PostgrSQL (preferably) or MySQL?
and I was looking at this guide http://it.reinhardt.edu/dave/radius-mssql-howto.html
Seriously outdated.
however I remember reading that I shoudl not use Auth-Type unless absolutely necessary, would somebody be able to tell me how to replace that one ?
Don't use Auth-Type in radgroupcheck at all. Replace Password and == with Cleartext-Password and := and things will work.
Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Paul Ryszka wrote:
Database is not my choice either and I had to learn quite a lot about MSSQL in last two days and didn't like a bit about it :) is there any better guide that I should be following ? I read the SQL from wiki but it does not mention MSSQL so I tried to find something else ...
There is no difference in using any sql server. All that is different is what you put as database in sql.conf. Everything else is the same whichever database server you use. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
Paul Ryszka