need help configuring ntlm_auth w/ freeradius 1.0.1

Guy Davies Guy.Davies at telindus.co.uk
Tue Jul 12 18:11:55 CEST 2005


Hi Ken,

[..snip..]

> 
> Below are the ntlm_auth section of radiusd.conf and the 
> radtest string used and the debug output from the other window.
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>         }
> 
> radtest "test ops" xxxxxx localhost 0 testing123
> 
> radiusd -xxyz -l stdout
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> Config:   including file: /etc/raddb/snmp.conf
> Config:   including file: /etc/raddb/eap.conf
> Config:   including file: /etc/raddb/sql.conf
> 
> [NORMAL OUTPUT SUPPRESSED]
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232, length=60
> --- Walking the entire request list ---
> Waking up in 31 seconds...
> Thread 1 got semaphore
> Thread 1 handling request 0, (1 handled so far)
> Threads: total/active/spare threads = 5/0/5
>         User-Name = "test ops"
>         User-Password = "m1sg0ps"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0

It looks like there's no NT Domain in the RADIUS request.  It's
certainly not in the output above.

> rad_lowerpair:  User-Name now 'test ops'
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "test ops", looking up realm NULL
>     rlm_realm: No such realm "NULL"

Yep, there you go: there is no REALM associated with this username, so
the REALM NULL is assumed, but nothing has been configured for that REALM.
I would expect the username to be sent as <REALM>\<username> by a
standard M$ supplicant.  Are you just telling it to use your Windows
credentials?

Rgds,

Guy

>   modcall[authorize]: module "suffix" returns noop for request 0
>     rlm_realm: No '\' in User-Name = "test ops", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "ntdomain" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>   modcall[authorize]: module "files" returns notfound for request 0
> modcall: group authorize returns ok for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [test ops] (from client localhost port 0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> Thread 1 waiting to be assigned a request
> rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232, length=60
> Sending Access-Reject of id 232 to 127.0.0.1:32784
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 232 with timestamp 42d3e0ec
> Nothing to do.  Sleeping until we see a request.
> 
> Ken George
> Systems and Network Engineering
> Mi Services Group, Inc.   
> +1 610-230-2500 x129
> 
> 
> 

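An added example, not code from this thread or from FreeRADIUS itself: a small Python emulation of how the two rlm_realm instances seen in the debug output (suffix with "@", ntdomain with "\") split User-Name, and how the ntlm_auth line quoted above expands for "test ops" versus "CORP\test ops" versus "test ops@corp.example". The module behaviour is reconstructed from the 1.0.x sources and the debug lines above and is an assumption, as is the set of configured realms; proxying, the daemon's own argument splitting, and the MS-CHAP verification itself are not modelled.

```python
"""Emulation (added example, not FreeRADIUS code) of FreeRADIUS 1.0.x
realm splitting and of the ntlm_auth command-line expansion.  Module
behaviour is an assumption reconstructed from the 1.0 sources; compare
with your own radiusd -X output."""

# The ntlm_auth line from the thread, as one argv element per argument.
# Each element is expanded on its own, so a space in a username stays
# inside its argument (how the real daemon splits is not modelled here).
NTLM_AUTH_ARGV = [
    "/usr/bin/ntlm_auth",
    "--request-nt-key",
    "--username=%{Stripped-User-Name:-%{User-Name:-None}}",
    "--domain=%{mschap:NT-Domain}",
    "--challenge=%{mschap:Challenge:-00}",
    "--nt-response=%{mschap:NT-Response:-00}",
]


def mschap_xlat(name, attrs):
    """%{mschap:...} lookups.  NT-Domain is the text before the first
    backslash in User-Name and is empty when there is none, which is the
    situation the thread's debug output shows."""
    user_name = attrs.get("User-Name", "")
    if name == "NT-Domain":
        return user_name.split("\\", 1)[0] if "\\" in user_name else ""
    if name == "Challenge":
        return attrs.get("MS-CHAP-Challenge", "")
    if name == "NT-Response":
        return attrs.get("MS-CHAP2-Response", attrs.get("MS-CHAP-Response", ""))
    return ""


def xlat(template, attrs):
    """Expand %{Attr}, %{Attr:-default} and %{mschap:Name}; the default
    part may itself nest, e.g. %{Stripped-User-Name:-%{User-Name:-None}}."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            depth, j = 0, i
            while j < len(template):          # locate the matching '}'
                if template.startswith("%{", j):
                    depth += 1
                    j += 2
                    continue
                if template[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            body = template[i + 2:j]
            ref, sep, default = body.partition(":-")
            if ref.startswith("mschap:"):
                value = mschap_xlat(ref[len("mschap:"):], attrs)
            else:
                value = attrs.get(ref, "")
            if value == "" and sep:
                value = xlat(default, attrs)
            out.append(value)
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def rlm_realm(attrs, fmt, delimiter, local_realms):
    """One rlm_realm instance.  suffix: fmt="suffix", delimiter="@";
    ntdomain: fmt="prefix", delimiter="\\".  Without a delimiter the realm
    literally named "NULL" is looked up (the 'No such realm "NULL"' lines
    above).  Every configured realm is treated as LOCAL, so a hit only
    adds Stripped-User-Name and Realm; proxying is not modelled."""
    user_name = attrs.get("User-Name", "")
    if delimiter not in user_name:
        return "ok" if "NULL" in local_realms else "noop"
    if fmt == "prefix":
        realm, _, stripped = user_name.partition(delimiter)
    else:
        stripped, _, realm = user_name.rpartition(delimiter)
    if realm not in local_realms:
        return "noop"
    attrs["Stripped-User-Name"] = stripped
    attrs["Realm"] = realm
    return "ok"


def authorize(user_name, local_realms, mschap=None):
    """Run suffix then ntdomain, in the order the thread's authorize
    section shows, then expand the ntlm_auth argv.  mschap may carry
    MS-CHAP-Challenge / MS-CHAP2-Response hex strings (constructed)."""
    attrs = {"User-Name": user_name}
    attrs.update(mschap or {})
    rc_suffix = rlm_realm(attrs, "suffix", "@", local_realms)
    rc_ntdomain = rlm_realm(attrs, "prefix", "\\", local_realms)
    return {
        "suffix": rc_suffix,
        "ntdomain": rc_ntdomain,
        "Stripped-User-Name": attrs.get("Stripped-User-Name"),
        "argv": [xlat(a, attrs) for a in NTLM_AUTH_ARGV],
    }


if __name__ == "__main__":
    realms = {"CORP", "corp.example"}          # constructed realm set
    for name in ("test ops", "CORP\\test ops", "test ops@corp.example"):
        print(name, "->", authorize(name, realms))
```

Running it shows that the plain "test ops" request expands to `--username=test ops --domain=` (no Stripped-User-Name, empty NT-Domain), that only the `DOMAIN\user` form gives both a stripped name and a `--domain` value, and that the `user@realm` form strips the realm but still leaves `--domain=` empty because the NT-Domain expansion only looks for a backslash.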