Hello I want to authenticate users against Active Directory for EAP-MSCHAPv2 and PAP. PAP is for a wireless web authentication redirection service that authenticates using PAP and its PAP I'm trying to debug not MSCHAP at present. I've been following http://deployingradius.com/documents/configuration/active_directory.html All goes well until I get towards the end. Once I remove DEFAULT Auth-Type = ntlm_auth from users PAP stops working where do I add the configuration to allow PAP to continue with ntlm_auth rather than just failing? with the setting I get success Info: +- entering group authorize {...} Info: ++[preprocess] returns ok Info: ++[chap] returns noop Info: ++[mschap] returns noop Info: [suffix] No '@' in User-Name = "np", looking up realm NULL Info: [suffix] No such realm "NULL" Info: ++[suffix] returns noop Info: [eap] No EAP-Message, not doing EAP Info: ++[eap] returns noop Info: ++[unix] returns notfound Info: [files] users: Matched entry DEFAULT at line 1 Info: ++[files] returns ok Info: ++[expiration] returns noop Info: ++[logintime] returns noop Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Info: ++[pap] returns noop Info: Found Auth-Type = ntlm_auth Info: +- entering group authenticate {...} Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=ID Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=SECRET Debug: Exec-Program output: NT_STATUS_OK: Success (0x0) Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Debug: Exec-Program: returned: 0 Info: ++[ntlm_auth] returns ok Info: +- entering group post-auth {...} Info: ++[exec] returns noop Sending Access-Accept of id 243 to 158.143.207.212 port 42687 without it no ntlm is attempted Info: +- entering group authorize {...} Info: ++[preprocess] returns ok Info: ++[chap] returns noop Info: ++[mschap] returns noop Info: [suffix] No '@' in User-Name = "np", looking up realm NULL Info: [suffix] No such realm "NULL" Info: ++[suffix] returns noop Info: [eap] No EAP-Message, not doing EAP Info: ++[eap] returns noop Info: ++[unix] returns notfound Info: ++[files] returns noop Info: ++[expiration] returns noop Info: ++[logintime] returns noop Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Info: ++[pap] returns noop Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Info: Failed to authenticate the user. Info: Using Post-Auth-Type Reject Info: +- entering group REJECT {...} Info: [attr_filter.access_reject] expand: %{User-Name} -> ID Debug: attr_filter: Matched entry DEFAULT at line 11 Info: ++[attr_filter.access_reject] returns updated Info: Delaying reject of request 0 for 1 seconds Debug: Going to the next request Debug: Waking up in 0.9 seconds. Info: Sending delayed reject for request 0 Sending Access-Reject of id 7 to 158.143.207.212 port 53676 TIA, Neil Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComplian...
Neil Prockter wrote:w
I want to authenticate users against Active Directory for EAP-MSCHAPv2 and PAP. PAP is for a wireless web authentication redirection service that authenticates using PAP and its PAP I'm trying to debug not MSCHAP at present.
For that, you can configure Active Directory as an LDAP server. It will be faster and more stable than using ntlm_auth.
I've been following http://deployingradius.com/documents/configuration/active_directory.html
All goes well until I get towards the end.
Once I remove DEFAULT Auth-Type = ntlm_auth from users PAP stops working
If you *want* PAP to use ntlm_auth, then you need to leave that line in. We recommend deleting it because most people want PAP to use *another* way of authenticating. Alan DeKok.
On 15/06/10 07:51, Alan DeKok wrote:
Neil Prockter wrote:w
I want to authenticate users against Active Directory for EAP-MSCHAPv2 and PAP. PAP is for a wireless web authentication redirection service that authenticates using PAP and its PAP I'm trying to debug not MSCHAP at present.
For that, you can configure Active Directory as an LDAP server. It will be faster and more stable than using ntlm_auth. I've done that and PAP/LDAP has tested well. EAP-MSCHAPv2/ntlm_auth is not happy but I'll have more of a look before mailing about that.
Thanks Neil
I've been following http://deployingradius.com/documents/configuration/active_directory.html
All goes well until I get towards the end.
Once I remove DEFAULT Auth-Type = ntlm_auth from users PAP stops working
If you *want* PAP to use ntlm_auth, then you need to leave that line in. We recommend deleting it because most people want PAP to use *another* way of authenticating.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComplian...
participants (2)
-
Alan DeKok -
Neil Prockter