need help configuring ntlm_auth w/ freeradius 1.0.1
Alan DeKok
aland at ox.org
Tue Jul 12 18:33:05 CEST 2005
"Ken George" <Ken.George at mi-services.com> wrote:
> Also, my final goal is to authenticate clients to a Cisco Aironet 1200
> via our Windows 2003 Active Directory usernames and passwords is
> ntlm_auth the correct method to use?
Yes.
> Below are the ntlm_auth section of radiusd.conf and the radtest string
> used and the debug output from the other window.
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
That looks fine.
> radtest "test ops" xxxxxx localhost 0 testing123
That doesn't use MSCHAPv2, so the MSCHAP module won't run, and the
ntlm_auth program won't run.
If you want to pass *clear-text* passwords to ntlm_auth, you've got
to do something different. The command-line example you posted works,
because you're giving it a clear-text password. The mschap
configuration you posted uses mschap, and doesn't send a clear-text
password.
So... the mschap configuration you posted won't work with clear-text
passwords. The debug output you posted shows this. You use "radtest"
to send a clear-text password, and the mschap module doesn't run.
This shouldn't be a surprise.
What you need to do is to configure a *different* ntlm_auth, only
for clear-text passwords. The simplest way to do this is to use the
"exec" module:
  modules {
    ...
    exec win_domain {
      wait = yes
      input_pairs = request
      output_pairs = reply
      program = "ntlm_auth --username=\"%{User-Name}\" --password=\"%{User-Password}\" --domain=usmisgne"
    }
    ...
  }
Now list "win_domain" in the "authenticate" section, and add the
following entry to the "users" file:
DEFAULT Auth-Type = win_domain
This will use "win_domain" for authentication UNLESS the mschap
module has previously found MSCHAP in the request.
Alan DeKok.
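The following is an added example (mine, not part of Alan's reply and not FreeRADIUS or Samba code) that models the dispatch the reply describes: the mschap module only claims a request that carries MS-CHAP attributes, and everything else (such as the radtest packet with a User-Password) falls through to the "win_domain" exec path. The request dicts are constructed stand-ins for RADIUS packets, the dict keys "MS-CHAP-Challenge" and "NT-Response" are assumed to already hold the hex values that %{mschap:Challenge} and %{mschap:NT-Response} would expand to, and nothing here actually runs ntlm_auth.

```python
"""Model of which ntlm_auth invocation a request ends up with (added example,
not FreeRADIUS code). Request dicts are constructed stand-ins for packets."""
import shlex

NTLM_AUTH = "/usr/bin/ntlm_auth"
DOMAIN = "usmisgne"   # the --domain value from the exec win_domain block in the post


def has_mschap(request):
    """True when the request carries the attributes rlm_mschap looks for."""
    return "MS-CHAP-Challenge" in request and (
        "MS-CHAP-Response" in request or "MS-CHAP2-Response" in request)


def select_auth_type(request):
    """Mirror 'DEFAULT Auth-Type = win_domain': win_domain unless mschap already
    found MS-CHAP in the request."""
    return "MS-CHAP" if has_mschap(request) else "win_domain"


def ntlm_auth_argv(request):
    """Build the ntlm_auth argument vector for the path the request takes.

    Returned as a list so a space in User-Name (radtest "test ops") stays a
    single argument. Assumption of this model: "MS-CHAP-Challenge" and
    "NT-Response" already hold the hex strings the %{mschap:...} expansions
    would produce in the real server."""
    user = request.get("Stripped-User-Name") or request.get("User-Name", "None")
    if select_auth_type(request) == "MS-CHAP":
        # Challenge/response path from the mschap config: no password leaves
        # the RADIUS server, ntlm_auth gets the challenge and NT-Response.
        return [NTLM_AUTH, "--request-nt-key",
                f"--username={user}",
                f"--domain={request.get('NT-Domain', DOMAIN)}",
                f"--challenge={request.get('MS-CHAP-Challenge', '00')}",
                f"--nt-response={request.get('NT-Response', '00')}"]
    if "User-Password" not in request:
        raise ValueError("clear-text path needs User-Password in the request")
    # Clear-text path from the exec win_domain block.
    return [NTLM_AUTH, f"--username={user}",
            f"--password={request['User-Password']}", f"--domain={DOMAIN}"]


def program_line(request):
    """Render the argv as one shell-quoted line, for eyeballing in the debug log."""
    return shlex.join(ntlm_auth_argv(request))


if __name__ == "__main__":
    # Constructed: what 'radtest "test ops" xxxxxx localhost 0 testing123' sends.
    radtest = {"User-Name": "test ops", "User-Password": "xxxxxx"}
    # Constructed: what an MS-CHAPv2 supplicant behind the Aironet would send,
    # with the NT-Response already extracted (hex values are dummies).
    mschap = {"User-Name": "test ops",
              "MS-CHAP-Challenge": "0102030405060708",
              "MS-CHAP2-Response": "00" * 50,
              "NT-Response": "ab" * 24}
    for req in (radtest, mschap):
        print(select_auth_type(req), program_line(req))
```

Running it prints "win_domain" with a --password argument for the radtest packet and "MS-CHAP" with --challenge/--nt-response for the MS-CHAPv2 one, which is exactly why the radtest run in the thread never reached the mschap ntlm_auth line. One thing to weigh before relying on the clear-text path in production: it puts User-Password on the ntlm_auth command line, where the process list can expose it to other local users for as long as ntlm_auth runs, whereas the MS-CHAPv2 path only ever hands ntlm_auth a challenge and response.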