Re: Configuring FreeRADIUS to use ntlm_auth
Ok, Alan: Thanks ... It works ... Now I am trying to "Configuring my FreeRadius to use ntlm_auth for MS-CHAP" to authenticate my NT users, ok ? After that I configure the radiusd.conf file with the necessary changes (about ntlm_auth), I am trying to test the authenticate with a valid user of my NT Domain (by radtest) and the FreeRadius reject it. The output of my FreeRadius´s console: [root@FreeRADIUS /usr/local/etc/raddb]# radtest copel\charles password localhost 0 testfreeradius Sending Access-Request of id 123 to 127.0.0.1 port 1812 User-Name = "copelcharles" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=123, length=20 The complete output of Radiusd -X: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:52444, id=67, length=64 User-Name = "copelcharles" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "copelcharles", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 67 to 127.0.0.1 port 52444 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 67 with timestamp 46ea9900 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 127.0.0.1:50643, id=123, length=64 User-Name = "copelcharles" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "copelcharles", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: leaving group authenticate (returns notfound) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 123 to 127.0.0.1 port 50643 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 123 with timestamp 46ea9dec Nothing to do. Sleeping until we see a request. My samba is ok , I get to authenticate this user by "ntlm_auth" command line. Any Idea ? Thanks, Charles. Alan DeKok <aland@deployingradius.com> Enviado Por: freeradius-users-bounces@lists.freeradius.org 14/09/2007 10:32 Favor responder a FreeRadius users mailing list Para: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc: cco: Charles Alcantara Borba/COPEL Assunto: Re: Configuring FreeRADIUS to use ntlm_auth charles@copel.com wrote:
After I configure the users file with "user Auth-Type := ntlm_auth" (for testing purposes only), my FreeRadius don´t start and show the followings errors:
/usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type
You also have to list "ntlm_auth" in the "authenticate" section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
charles@copel.com wrote:
Now I am trying to "Configuring my FreeRadius to use ntlm_auth for MS-CHAP" to authenticate my NT users, ok ?
The page does document that.
After that I configure the radiusd.conf file with the necessary changes (about ntlm_auth), I am trying to test the authenticate with a valid user of my NT Domain (by radtest) and the FreeRadius reject it.
radtest doesn't do MS-CHAP. The page tries to make this clear.
The output of my FreeRadius´s console: ... rad_check_password: Found Auth-Type System
You've done rather a lot more than just add "ntlm_auth" to the "authenticate" section. This means that the config that previously worked... now doesn't work. Go back to using the working configuration, and use a client that does MS-CHAP. This usually means trying a real login, without using "radtest" or "radclient". Alan DeKok.
Radtest doesn't do MSCHAP. Use different client: http://jradius.org/wiki/index.php/JRadiusSimulator Ivan Kalik Kalik Informatika ISP Dana 14/9/2007, "charles@copel.com" <charles@copel.com> piše:
Ok, Alan:
Thanks ... It works ...
Now I am trying to "Configuring my FreeRadius to use ntlm_auth for MS-CHAP" to authenticate my NT users, ok ?
After that I configure the radiusd.conf file with the necessary changes (about ntlm_auth), I am trying to test the authenticate with a valid user of my NT Domain (by radtest) and the FreeRadius reject it.
The output of my FreeRadius´s console:
[root@FreeRADIUS /usr/local/etc/raddb]# radtest copel\charles password localhost 0 testfreeradius Sending Access-Request of id 123 to 127.0.0.1 port 1812 User-Name = "copelcharles" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=123, length=20
The complete output of Radiusd -X:
Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:52444, id=67, length=64 User-Name = "copelcharles" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "copelcharles", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 67 to 127.0.0.1 port 52444 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 67 with timestamp 46ea9900 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 127.0.0.1:50643, id=123, length=64 User-Name = "copelcharles" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "copelcharles", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: leaving group authenticate (returns notfound) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 123 to 127.0.0.1 port 50643 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 123 with timestamp 46ea9dec Nothing to do. Sleeping until we see a request.
My samba is ok , I get to authenticate this user by "ntlm_auth" command line.
Any Idea ? Thanks, Charles.
Alan DeKok <aland@deployingradius.com> Enviado Por: freeradius-users-bounces@lists.freeradius.org 14/09/2007 10:32 Favor responder a FreeRadius users mailing list
Para: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc: cco: Charles Alcantara Borba/COPEL Assunto: Re: Configuring FreeRADIUS to use ntlm_auth
charles@copel.com wrote:
After I configure the users file with "user Auth-Type := ntlm_auth" (for testing purposes only), my FreeRadius don´t start and show the followings errors:
/usr/local/etc/raddb/users[1]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type
You also have to list "ntlm_auth" in the "authenticate" section.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I configure freeradius on basic autentication mode (using file /etc/freeradius/users) paperino Auth-Type := Local, User-Password == "paperino" topolino Auth-Type := EAP, User-Password == "topolino" in local mode and in wired network freerarius test (with user local paperino) is ok in WI mode test failed (i not insert any directive in /etc/freeradius/EAP) using paperino and topolino ( freeradius debug mode) ….. auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [paperino/<no User-Password attribute>] (from client dlink port 1 cli 00-15-E9-2B-D2-10) rlm_eap: No such EAP type peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: leaving group authenticate (returns invalid) for request 1 auth: Failed to validate the user. Login incorrect: [topolino/<no User-Password attribute>] (from client dlink port 1 cli 00-15-E9-2B-D2-10)This This is the AP configuration I want use autentication without certificate HOW TO configuration WIFI (cliente xp) and freeradius using EAP/PEAP ??? grazie
riky.none wrote:
I configure freeradius on basic autentication mode (using file /etc/freeradius/users)
paperino Auth-Type := Local, User-Password == "paperino"
topolino Auth-Type := EAP, User-Password == "topolino"
(1) DO NOT SET AUTH-TYPE (2) Use Cleartext-Password := ... NOT User-Password ==
rlm_eap: No such EAP type peap
Read eap.conf.
I want use autentication without certificate
If you're using PEAP, you need a server certificate.
HOW TO configuration WIFI (cliente xp) and freeradius using EAP/PEAP ???
See the Wiki. This is covered there. Alan DeKok.
Alan DeKok ha scritto:
riky.none wrote:
I configure freeradius on basic autentication mode (using file /etc/freeradius/users)
paperino Auth-Type := Local, User-Password == "paperino"
topolino Auth-Type := EAP, User-Password == "topolino"
(1) DO NOT SET AUTH-TYPE (2) Use Cleartext-Password := ... NOT User-Password ==
rlm_eap: No such EAP type peap
Read eap.conf.
I want use autentication without certificate
If you're using PEAP, you need a server certificate.
HOW TO configuration WIFI (cliente xp) and freeradius using EAP/PEAP ???
See the Wiki. This is covered there.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
.
not hangry Alan I feel really stupid now... i insert in users file: myuser Cleartext-Password := "somepass" run freeradius -X /etc/freeradius/users[219]: Parse error (check) for entry myuser: Unknown attribute "Cleartext-Password" eap config is not easy to read (for newbie) There is one basic howto to configure freeradius using TTLS??? in wiki i not find one basic howto EAP-TTSL
Hi,
I feel really stupid now...
i insert in users file:
myuser Cleartext-Password := "somepass"
run freeradius -X
/etc/freeradius/users[219]: Parse error (check) for entry myuser: Unknown attribute "Cleartext-Password"
sounds like you are running an ol dversion. you will not get full support from most folk unless you are running a recent release - eg 1.1.6/1.1.7 or 2.0pre2 alan
riky.none wrote:
run freeradius -X /etc/freeradius/users[219]: Parse error (check) for entry myuser: Unknown attribute "Cleartext-Password"
You aren't using the latest version. Why not?
eap config is not easy to read (for newbie)
Do you have a question about something?
There is one basic howto to configure freeradius using TTLS???
1) Configure EAP-TLS 2) uncomment the "ttls" section in eap.conf.
in wiki i not find one basic howto EAP-TTSL
There is very little effort needed to get EAP-TTLS to work. In 2.0-pre2, all you have to do is start the server as root. PEAP will work, EAP-TLS will work, and EAP-TTLS will work. Alan DeKok.
Alan DeKok ha scritto:
riky.none wrote:
run freeradius -X /etc/freeradius/users[219]: Parse error (check) for entry myuser: Unknown attribute "Cleartext-Password"
eap config is not easy to read (for newbie)
Do you have a question about something?
There is one basic howto to configure freeradius using TTLS???
1) Configure EAP-TLS 2) uncomment the "ttls" section in eap.conf.
in wiki i not find one basic howto EAP-TTSL
There is very little effort needed to get EAP-TTLS to work.
In 2.0-pre2, all you have to do is start the server as root. PEAP will work, EAP-TLS will work, and EAP-TTLS will work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
.
ubuntu freeradius deb: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 30 2007 at 22:44:3 i will install the 2.0 pre for testing....(i m play with freeradius ) grazie p.s. you are very patient with newbie
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
charles@copel.com -
riky.none -
tnt@kalik.co.yu