NTLM_Auth will not work from within FreeRadius

Neal Bullins nbullins at gborocollege.edu
Tue Nov 21 21:40:07 CET 2006


Nice catch on the hyphen, but that did not fix the problem (it was probably left 
out after changing the line several times while testing different 
configurations).  I realize the problem is in the creation of the 
response for the user/password/challenge combination; the question is 
why.  I have tried both with_ntdomain_hack = yes and 
with_ntdomain_hack = no, but neither works -- it seems to 
ignore that value.

It may possibly be helpful if someone could give me a valid user, pass, 
challenge, and response so that I can test ntlm with known good values.

My radiusd.conf follows:

Thanks,

Neal




___________________________________________________
radiusd.conf
___________________________________________________
# Path layout. Later values build on earlier ones via ${...}, so the order
# of these assignments matters.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
# NOTE(review): with both of these commented out the daemon presumably never
# drops privileges and keeps the identity it was started with; the helpers it
# spawns (ntlm_auth, exec programs) inherit that identity. Confirm this is
# intended.
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface; the RADIUS-level restriction on who may send
# requests is the client list in clients.conf (included further down).
bind_address = *
# NOTE(review): port 0 presumably means "use the radius entry from
# /etc/services"; confirm against the version in use.
port = 0
hostname_lookups = no
# Core files could contain shared secrets and password material; keep off.
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
# Authentication attempts are logged, but neither good nor bad passwords are
# written to the log.
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
# All user-name/password normalisation is disabled.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no

security {
    # Upper bound on attributes accepted per packet (limits the work an
    # oversized or malformed request can cause).
    max_attributes = 200
    # Delay, in seconds, before an Access-Reject is sent; slows down
    # password guessing against this server.
    reject_delay = 1
    status_server = no
}

# Proxying is disabled, but proxy.conf is still read and must parse.
proxy_requests  = no
$INCLUDE  ${confdir}/proxy.conf
# clients.conf holds the NAS list and per-client shared secrets; it is what
# limits who may talk to the "*" bind address above.
$INCLUDE  ${confdir}/clients.conf

# SNMP support is off; snmp.conf is still included and must parse.
snmp    = no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
    # Worker-thread sizing: start with 5, keep 3-10 idle, never exceed 32.
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    # NOTE(review): 0 presumably means a worker is never recycled after a
    # fixed number of requests; confirm for this version.
    max_requests_per_server = 0
}

modules {
    # Module definitions. Only modules named in the processing sections
    # further down (authorize, authenticate, ...) are actually run; several
    # of the modules defined here are not referenced anywhere below.
    pap {
        # Not referenced below (the Auth-Type PAP block is commented out).
        encryption_scheme = crypt
    }
    chap {
        # Not referenced below (chap is commented out in authorize/authenticate).
        authtype = CHAP
    }
    pam {
        # Not referenced below.
        pam_auth = radiusd
    }
    unix {
        # Used only in the accounting section (radwtmp).
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
# EAP settings (and any PEAP/TTLS tunnel configuration) live in eap.conf,
# which is not shown here.
$INCLUDE ${confdir}/eap.conf
    mschap {
        # All three MPPE-related settings are commented out, so the module's
        # built-in defaults apply. NOTE(review): check what those defaults
        # are for this version rather than assuming they are "off".
        #use_mppe = yes
        #require_encryption = yes
        #require_strong = yes
        # Tells the module that Windows clients send DOMAIN\user as the
        # User-Name but compute the response from the bare user portion.
        # The mail above reports that toggling this made no difference.
        with_ntdomain_hack = yes
        # The quoted value below is shown on three lines here; presumably
        # mail wrapping. In the real file it must be one line, or the string
        # will not parse as written. The ":-00" suffixes are xlat defaults
        # used when the attribute is missing.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
    ldap {
        # Looks like the shipped example values (placeholder server and
        # basedn). ldap is commented out in every section below, so this
        # module is inert. If it is ever enabled: start_tls is off and no
        # identity/password appear here, so binds would be unencrypted and
        # anonymous.
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
    }

    # Whole block commented out. NOTE(review): the format value appears on a
    # separate, uncommented line here -- presumably mail wrapping; in the
    # file it must remain on the commented "format =" line.
    #passwd etc_smbpasswd {
    #    filename = /etc/smbpasswd
    #    format = 
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
    #    authtype = MS-CHAP
    #    hashsize = 100
    #    ignorenislike = no
    #    allowmultiplekeys = no
    #}

    #passwd etc_group {
    #    filename = /etc/group
    #    format = "=Group-Name:::*,User-Name"
    #    hashsize = 50
    #    ignorenislike = yes
    #    allowmultiplekeys = yes
    #    delimiter = ":"
    #}

    # Realm splitters. None of the four is enabled in authorize or preacct
    # below (all are commented out), so no realm stripping happens.
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }

    # Would split DOMAIN\user on the backslash; not referenced below.
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }   

    checkval {
        # Not referenced below (commented out in authorize).
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    #attr_rewrite sanecallerid {
    #    attribute = Called-Station-Id
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
    #    searchin = packet
    #    searchfor = "[+ ]"
    #    replacewith = ""
    #    ignore_case = no
    #    new_attribute = no
    #    max_matches = 10
    #    ## If set to yes then the replace string will be appended to 
the original string
    #    append = no
    #}

    preprocess {
        # Runs first in authorize and preacct.
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        # Commented out here; the mschap module above sets its own
        # with_ntdomain_hack independently.
        #with_ntdomain_hack = yes
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        # Not referenced below (files is commented out in authorize/preacct),
        # so the users file is never consulted.
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    # Detail writers. detailperm = 0600 keeps each log readable only by the
    # daemon's own user.
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
     detail auth_log {
         detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
         detailperm = 0600
     }
    detail reply_log {
         detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
         detailperm = 0600
    }
    acct_unique {
        # The key value is shown on two lines here; presumably mail wrapping.
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
    }
    # Defines the sql module used in the accounting section below.
    $INCLUDE  ${confdir}/sql.conf

    radutmp {
        # Used by accounting and session (simultaneous-use) below.
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes       
        callerid = "yes"
    }
    radutmp sradutmp {
        # Not referenced below (commented out in accounting). Note the file
        # would be world-readable (0644) if this were enabled.
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        # Not referenced below (commented out in authorize).
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        # Neither instantiated nor referenced below (both commented out).
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    # Fixed-result modules; none is referenced below.
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        # Generic exec module; instantiated below but not called from any
        # section.
        wait = yes
        input_pairs = request
    }
    exec echo {
        # Not referenced by any section below. User-Name is supplied by the
        # client, so anything expanded into a command line like this is
        # untrusted input -- fine for an echo diagnostic, but keep that in
        # mind before pointing it at a real program.
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
        #packet_type = Access-Accept
    }
    ippool main_pool {
        # Empty definition; main_pool is commented out in accounting and
        # post-auth below, so the author's question is answered: not used.
        #this section isnt used is it?
    }
}

instantiate {
    # Modules loaded at startup even though no section names them directly.
    exec
    expr
    # The counter daily module is never instantiated.
#    daily
}

authorize {
    preprocess
    # Logs every incoming Access-Request to the auth-detail file (0600).
    auth_log
#    attr_filter
#    chap
    # Here mschap only recognises MS-CHAP attributes and sets Auth-Type;
    # the actual verification happens in the authenticate section.
    mschap
#    digest
#    IPASS
    #suffix
#    ntdomain
    eap
    # files, sql, etc_smbpasswd and ldap are all commented out, so nothing
    # in this section supplies a known password; an MS-CHAP success
    # therefore rests entirely on the external ntlm_auth helper configured
    # in the mschap module.
#    files
#    sql
#    etc_smbpasswd
#    ldap
#    daily
#    checkval
}

#  Authentication.
authenticate {
    # PAP and CHAP are both disabled; only MS-CHAP and EAP can authenticate.
    #Auth-Type PAP {
        #pap
    #}
    #Auth-Type CHAP {
        #chap
    #}
    # Every MS-CHAP request is verified by the mschap module, i.e. by the
    # external ntlm_auth command defined above.
    Auth-Type MS-CHAP {
        mschap   
    }
#    digest
#    pam
    #unix
#    Auth-Type LDAP {
#        ldap
#    }
    eap
}

preacct {
    preprocess
    # Builds the Acct-Unique-Session-Id from the key set in the module.
    acct_unique
    # No realm stripping is applied to accounting requests either.
#    IPASS
#    suffix
    #ntdomain
    #files
}

accounting {
    # Accounting goes to the detail file, radwtmp/radutmp and SQL (sql.conf).
    detail
#    daily
    unix
    radutmp
#    sradutmp
#    main_pool
    sql
#    pgsql-voip
}

session {
    # Simultaneous-use checks consult radutmp only.
    radutmp
#    sql
}

post-auth {
    #  Get an address from the IP Pool.
#    main_pool
    # Logs every reply to the reply-detail file. NOTE(review): reply
    # attributes may include session key material (e.g. MPPE keys); the
    # 0600 detailperm on reply_log is what keeps that file private.
    reply_log
#    sql
#    ldap
    # No special handling for rejects.
#    Post-Auth-Type REJECT {
#        insert-module-name-here
#    }

}

# Empty; proxying is disabled anyway (proxy_requests = no).
pre-proxy {
}

# With proxy_requests = no this section is presumably never reached.
post-proxy {
    eap
}





James J J Hooper wrote:
>
> On 21 Nov 2006, at 10:34, Phil Mayers wrote:
>
>> Neal Bullins wrote:
>>
>>> /usr/bin/ntlm_auth --request-nt-key --domain=MyDom 
>>> --username=radtest And then I enter the correct password and the 
>>> result is “NT_STATUS_OK: Success (0x0)”.
>>
>> Well, that's a plaintext auth, so not really relevant to the next bit...
>>
>>> The debug output from freeradius is:
>>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MyDom 
>>> --username=radtest --challenge=3bdc9461e268b957 
>>> --ntresponse=d618ee49ab97f0ea5cc9c491904dbbbea5a56eb5c9cc0608
>>> Exec-Program output: Logon failure (0xc000006d)
>>
>> This is a challenge-response auth. The logical conclusion is that the 
>> response is not correct for that user/password/challenge combination.
> ... or you have made a typo in the command.... there should be a 
> hyphen between nt and response in --nt-response
>
> -James
>
> -- 
> James J J Hooper
> Information Services
> University of Bristol
> -- 
>
>
>
>
> -List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html


