ntlm_auth works on commandline but not in radiusd.conf
Please forgive me as I'm a newbie to Radius. I've been reading FAQs and archived mail list for three days and haven't seen a problem similar to mine. ntlm_auth works as expected on the command line, however it does not work in radius. In radius it ALWAYS returns a status ok and authenticates the user, even the the password is incorrect. Below are log snippets from issuing radiusd -X I'm using the latest version, FreeRadius 2.1.1, compiled from source. Very specifically, I followed the (out of date) guide by Alan DeKok called "Deploying Radius" http://deployingradius.com/documents/configuration/active_directory.html Everything works ok in the guide up to the point of the first radtest command. I can put ANY password for the user in the radtest command and it works. Again issuing ntml_auth from the command line gives predictable results. Here's the real work example demonstrating that I have ntlm_auth properly working. These are the expected results. Is there a better way to debug the exec module to see what is really happening when exec called ntlm_auth from within freeradius? [root@marauder ~]# ntlm_auth --domain=GTDEV --request-nt-key --username=ntlmtest --password=radpw NT_STATUS_OK: Success (0x0) [root@marauder ~]# ntlm_auth --domain=GTDEV --request-nt-key --username=ntlmtest --password=radpwnogood NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Radtest is issued from the command line and this is the debug output from radiusd -X [root@marauder ~]# radtest ntlmtest radpw localhost 0 testing123 Sending Access-Request of id 103 to 127.0.0.1 port 1812 User-Name = "ntlmtest" User-Password = "radpw" NAS-IP-Address = 10.10.3.5 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=103, length=20 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 60006, id=103, length=60 User-Name = "ntlmtest" User-Password = "radpw" NAS-IP-Address = 10.10.3.5 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry ntlmtest at line 96 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=ntlmtest [ntlm_auth] expand: --password=%{User-Password} -> --password=radpw ++[ntlm_auth] returns ok Login OK: [ntlmtest/radpw] (from client localhost port 0) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 103 to 127.0.0.1 port 60006 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 103 with timestamp +3 Ready to process requests. OK now here's the same radtest with a bad password. It works but it shouldnt! Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 58940, id=87, length=60 User-Name = "ntlmtest" User-Password = "radpwnogood" NAS-IP-Address = 10.10.3.5 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry ntlmtest at line 96 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=ntlmtest [ntlm_auth] expand: --password=%{User-Password} -> --password=radpwnogood ++[ntlm_auth] returns ok Login OK: [ntlmtest/radpwnogood] (from client localhost port 0) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 87 to 127.0.0.1 port 58940 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 87 with timestamp +7 Ready to process requests. And for those of you who must see the ntlm_auth config portion, here it is: (it's the same as the deployment guide) $INCLUDE ${confdir}/modules/ # # put exec ntlm_auth AFTER the exec module is defined # exec ntlm_auth { wait = no program = "/usr/bin/ntlm_auth --request-nt-key --domain=GTDEV --username=%{mschap:User-Name} --password=%{User-Password}"
radius@illiana.net wrote:
Very specifically, I followed the (out of date) guide by Alan DeKok called "Deploying Radius"
Hmm... OK. I've updated the instructions for 2.x.
exec ntlm_auth { wait = no
That's the issue. It should say "wait = yes". Sorry. I've updated the web site to fix this. Alan DeKok.
--- El mié, 1/10/08, Alan DeKok <aland@deployingradius.com> escribió: De: Alan DeKok <aland@deployingradius.com> Asunto: Re: ntlm_auth works on commandline but not in radiusd.conf Para: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Fecha: miércoles, 1 octubre, 2008 2:38 radius@illiana.net wrote:
Very specifically, I followed the (out of date) guide by Alan DeKok called "Deploying Radius"
Hmm... OK. I've updated the instructions for 2.x.
exec ntlm_auth { wait = no
That's the issue. It should say "wait = yes". Sorry. I've updated the web site to fix this. Alan DeKok. i believe that you saw the images that i sent to you to see :) well im still stuck in the config . /etc/radb/radiusd.conf exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" } ---------- /etc/radb/sites-enabled/default authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } } authenticate { ntlm_auth } radtest luis ..4wr123,,todoloco 127.0.0.1 0 testing123 Sending Access-Request of id 137 to 127.0.0.1 port 1812 User-Name = "luis" User-Password = "test" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=137, length=20 what them ??? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
luis a wrote:
i believe that you saw the images that i sent to you to see :)
As a general rule, I ignore most private email asking for free help. That's what the list is for.
radtest luis ..4wr123,,todoloco 127.0.0.1 0 testing123 Sending Access-Request of id 137 to 127.0.0.1 port 1812
<sigh> Can you explain why you're not following the instructions for posting debug output to the list? Alan DeKok.
http://hotjobs.mycasacorp.com/images there are the images step by step setting up freeradius against AD and its not working for me in the config in the command line everything work okay but in the config he does not check it there pals greetings --- El mié, 1/10/08, Alan DeKok <aland@deployingradius.com> escribió: De: Alan DeKok <aland@deployingradius.com> Asunto: Re: ntlm_auth works on commandline but not in radiusd.conf Para: luis.azunet@yahoo.es, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Fecha: miércoles, 1 octubre, 2008 4:42 luis a wrote:
i believe that you saw the images that i sent to you to see :)
As a general rule, I ignore most private email asking for free help. That's what the list is for.
radtest luis ..4wr123,,todoloco 127.0.0.1 0 testing123 Sending Access-Request of id 137 to 127.0.0.1 port 1812
<sigh> Can you explain why you're not following the instructions for posting debug output to the list? Alan DeKok.
I was under impression I answered this already, but I don't see it on the list, so here we go again: 1. Your ntlm_auth users file entry is wrong. There is no username or DEFAULT in it. 2. Instructions clearly say to put the entry at the beginning of the users file. What did you do - you put that entry at the end. Follow instructions. If you can't manage that - find someone who can. Ivan Kalik Kalik Informatika ISP Dana 1/10/2008, "luis a" <luis.azunet@yahoo.es> piše:
http://hotjobs.mycasacorp.com/images
there are the images step by step setting up freeradius against AD
and its not working for me in the config
in the command line everything work okay but in the config he does not
check it there pals
greetings --- El miĂŠ, 1/10/08, Alan DeKok <aland@deployingradius.com> escribiĂł: De: Alan DeKok <aland@deployingradius.com> Asunto: Re: ntlm_auth works on commandline but not in radiusd.conf Para: luis.azunet@yahoo.es, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Fecha: miĂŠrcoles, 1 octubre, 2008 4:42
luis a wrote:
i believe that you saw the images that i sent to you to see :)
As a general rule, I ignore most private email asking for free help. That's what the list is for.
radtest luis ..4wr123,,todoloco 127.0.0.1 0 testing123 Sending Access-Request of id 137 to 127.0.0.1 port 1812
<sigh>
Can you explain why you're not following the instructions for posting debug output to the list?
Alan DeKok.
participants (4)
-
Alan DeKok -
luis a -
radius@illiana.net -
tnt@kalik.net