Re: Beating a dead horse, or freeradius 2.1.1 and active directory
PS. What is the error that you get when you remove quote around ntlm_auth. For users file entry as is in the howto. Ivan Kalik Kalik Informatika ISP
Here is the first line in the users file (quotes removed) rtest Auth-Type := ntlm_auth And here is the error that generates: /etc/raddb/users[1]: Parse error (check) for entry rtest: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/raddb/users /etc/raddb/modules/files[7]: Instantiation failed for module "files" /etc/raddb/sites-enabled/inner-tunnel[110]: Failed to find module "files". /etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules With a frst line of this: rtest Auth-Type := "ntlm_auth" Radiusd starts normally.
-----Original Message----- From: freeradius-users-bounces+blittle=skylight.com@lists.freeradius .org [mailto:freeradius-users-bounces+blittle=skylight.com@lists.fr eeradius.org] On Behalf Of tnt@kalik.net Sent: Thursday, December 04, 2008 2:14 AM To: freeradius-users@lists.freeradius.org Subject: Re: Beating a dead horse, or freeradius 2.1.1 and active directory
PS. What is the error that you get when you remove quote around ntlm_auth. For users file entry as is in the howto.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the first line in the users file
(quotes removed) rtest Auth-Type := ntlm_auth
And here is the error that generates:
/etc/raddb/users[1]: Parse error (check) for entry rtest: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/raddb/users /etc/raddb/modules/files[7]: Instantiation failed for module "files" /etc/raddb/sites-enabled/inner-tunnel[110]: Failed to find module "files". /etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules
OK. Howto needs updating. Freeradius in default configuration has default and inner-tunnel virtual servers. You should add ntlm_auth to authenticate section of both (not just default as in howto). This issue is probably going to be resolved with virtual server specific users file but at present if Auth-Type is listed in users file it has to exist in all enabled virtual servers. So, add ntlm_auth to authenticate section of inner-tunnel virtual server and leave user entry without quotes. Ivan Kalik Kalik Informatika ISP Ivan Kalik Kalik Informatika ISP
Well I'll be a son of a gun :-) It worked! Awesome, thanks a ton, ok now to see if I can make my silly switch work with this authentication! Alan, if you're reading this you should add the inner-tunnel addition to the how to. Now I just have to figure out the authorization piece of the puzzle and I'll be golden. Thanks Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 53912, id=223, length=57 User-Name = "rtest" User-Password = "SEKRAT" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "rtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry rtest at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rtest [ntlm_auth] expand: --password=%{User-Password} -> --password=SEKRAT Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 223 to 127.0.0.1 port 53912 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 223 with timestamp +19 Ready to process requests.
-----Original Message----- From: freeradius-users-bounces+blittle=skylight.com@lists.freeradius .org [mailto:freeradius-users-bounces+blittle=skylight.com@lists.fr eeradius.org] On Behalf Of tnt@kalik.net Sent: Thursday, December 04, 2008 10:35 AM To: FreeRadius users mailing list Subject: RE: Beating a dead horse, or freeradius 2.1.1 and active directory
Here is the first line in the users file
(quotes removed) rtest Auth-Type := ntlm_auth
And here is the error that generates:
/etc/raddb/users[1]: Parse error (check) for entry rtest: Unknown value ntlm_auth for attribute Auth-Type Errors reading /etc/raddb/users /etc/raddb/modules/files[7]: Instantiation failed for module "files" /etc/raddb/sites-enabled/inner-tunnel[110]: Failed to find module "files". /etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section. } } Errors initializing modules
OK. Howto needs updating. Freeradius in default configuration has default and inner-tunnel virtual servers. You should add ntlm_auth to authenticate section of both (not just default as in howto). This issue is probably going to be resolved with virtual server specific users file but at present if Auth-Type is listed in users file it has to exist in all enabled virtual servers.
So, add ntlm_auth to authenticate section of inner-tunnel virtual server and leave user entry without quotes.
Ivan Kalik Kalik Informatika ISP
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Now I just have to figure out the authorization piece of the puzzle and I'll be golden.
Service-Type you should use and priv level avpairs should be described in switch documentation. There is also a common Cisco configuration described on freeradius wiki: http://wiki.freeradius.org/index.php/Cisco Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ben Little -
tnt@kalik.net