Talking to Windows 2003 AD
Firstly I am new to FreeRadius and am configuring my first radius server to talk to our Windows 2003 AD. I have intalled and configured FreeRadius 2.1.8 to talk to the AD as documented in various tutorials on the internet. Initially I had configured the connection between the Freeradius server and our Windows 2003 Active directory using ntlm_auth. Using the command line ntlm_auth --request-nt-key --domain=<your domain> --username= <your username> comes back with NT_STATUS_OK : Success (0x0) Which is what i would expect as a valid username and password. Now when I go to the next step and enable this in /etc/raddb/modules/mschap ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username==%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-OURDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Our active directory server does comes back with an error. When I look at the server log on our AD it shows Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 680 Date: 17/03/2010 Time: 13:35:51 User: NT AUTHORITY\SYSTEM Computer: DCB Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: =<radius_user> Source Workstation: \\<radius_server> Error Code: 0xC0000064 When I google the windows error code I get Error code: 0xC0000064 - This error code can occur if a server is configured to Require NTLMv2 Session Security and the client either is configured to not use it or is unable to negotiate it (e.g., Altiris DOS network boot stuff). I know our server is configured for NTLMv2 and not V1. Any ideas on how I can resolve this issue ? I cannot understand why running the command works and using the line in MSCHAP fails ? ______________________________________________________ SCRI, Invergowrie, Dundee, DD2 5DA. The Scottish Crop Research Institute is a charitable company limited by guarantee. Registered in Scotland No: SC 29367. Recognised by the Inland Revenue as a Scottish Charity No: SC 006662. DISCLAIMER: This email is from the Scottish Crop Research Institute, but the views expressed by the sender are not necessarily the views of SCRI and its subsidiaries. This email and any files transmitted with it are confidential to the intended recipient at the e-mail address to which it has been addressed. It may not be disclosed or used by any other than that addressee. If you are not the intended recipient you are requested to preserve this confidentiality and you must not use, disclose, copy, print or rely on this e-mail in any way. Please notify postmaster@scri.ac.uk quoting the name of the sender and delete the email from your system. Although SCRI has taken reasonable precautions to ensure no viruses are present in this email, neither the Institute nor the sender accepts any responsibility for any viruses, and it is your responsibility to scan the email and the attachments (if any). ______________________________________________________
Hi,
Now when I go to the next step and enable this in /etc/raddb/modules/mschap
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username==%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-OURDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
radiusd -X and show us at least that bit where that command is called. you have 2 == is your command. is that intentional? you are allowing usernames that havent been sanitised or are blank (none) - is that intentional? alan
participants (2)
-
Alan Buxey -
Iain Grant