Backslash issue during AD authetication
HI I'd like to autheticate cisco vpn clients against the freeradius and AD Prompt for the vpn client should be domainame\username. In my smb.conf is as the delimiter: winbind separator = \\ ( because backslash is special character, I had to use twice ) This command works: /usr/bin/ntlm_auth --request-nt-key --username=domainame\\username --password=password NT_STATUS_OK: Success (0x0) When i test through radtest it doesn't work : neither radtest domainame\\username password localhost 0 testing123 , or radtest domainame\\\username password localhost 0 testing123, or radtest domainame\username password localhost 0 testing123 However, when i tried to autheticate through vpn cisco client , the string domainame\\username will pass. How can I force freradius to authenticate through domainame\username Thanks Pet
Jevos, Peter wrote:
When i test through radtest it doesn’t work : neither
radtest domainame\\username password localhost 0 testing123 ,
or radtest domainame\\\username password localhost 0 testing123,
or radtest domainame\username password localhost 0 testing123
And... what does debug mode say?
However, when i tried to autheticate through vpn cisco client , the string domainame\\username will pass.
Because it's not being parsed by the Unix shell.
How can I force freradius to authenticate through domainame\username
Get radtest to send the same data as sent by the Cisco client. See the server debug output in order to compare the two user names. Alan DeKok.
How can I force freradius to authenticate through domainame\username
Get radtest to send the same data as sent by the Cisco client. See the server debug output in order to compare the two user names. Alan DeKok. Hi Alan, I forced radtest to pass, with this syntax: 1. radtest domainame\\\\\\\username password localhost 0 testing123 Debug is: ++[mschap] returns noop [suffix] No '@' in User-Name = "domainname\\username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Found Auth-Type = ntlm_auth2 +- entering group authenticate {...} [ntlm_auth2] expand: --username=%{mschap:User-Name} -> --username=\username [ntlm_auth2] expand: --password=%{User-Password} -> --password=password Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth2] returns ok Login OK: [domainame\\\\username] (from client localhost port 0) 2. Debug, when I use vpn cisco client with domainname\\username is the same 3. Radtest doesn't pass with less backslahes then 7 : ) ( \\\\\\\ ) radtest domainame\\\\\\username password localhost 0 testing123 [suffix] No '@' in User-Name = "domainame\username", looking up realm NULL ........ [ntlm_auth2] expand: --username=%{mschap:User-Name} -> --username=username [ntlm_auth2] expand: --password=%{User-Password} -> --password=password Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064) Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064) Exec-Program: returned: 1 ++[ntlm_auth2] returns reject Failed to authenticate the user. Login incorrect: [domainname\\username/password] (from client localhost port 0) 4. When I use only 2 backslashes: radtest domainame\\username password localhost 0 testing123 [suffix] No '@' in User-Name = "domainnameusername", looking up realm NULL .............. [ntlm_auth2] expand: --username=%{mschap:User-Name} -> --username=domainnameusername [ntlm_auth2] expand: --password=%{User-Password} -> --password=password Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064) Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064) Exec-Program: returned: 1 ++[ntlm_auth2] returns reject Failed to authenticate the user. Login incorrect: [domainnameusername/password] (from client localhost port 0) I don’t have a problem with radtest if vpn client would authenticate with domainname\username Thank you
participants (2)
-
Alan DeKok -
Jevos, Peter