freeradius against AD not working

Karthik R kartthikr at gmail.com
Fri Oct 27 01:07:37 CEST 2006


I am using FreeRADIUS v1.1.1 on a RHEL 4 box, trying to authenticate users against
Windows 2003 Active Directory. I was able to bind the Linux box to the Windows
domain successfully and to read the Active Directory users and groups
using

wbinfo -u
R1\Administrator
R1\Guest

and wbinfo -g.

Using the ntlm_auth tool I am able to successfully authenticate the users too.

-bash-3.00# ntlm_auth --request-nt-key --username=kartthikr
password:
NT_STATUS_OK: Success (0x0)

But when using the radtest tool with the same logon credentials as above, it
rejects the user. Here is the log message.

rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
        User-Name = "<removed>"
        User-Password = "<removed>"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "<removed>", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 45413139
Nothing to do.  Sleeping until we see a request.

Here is the nss config file:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

hosts:      files winbind nis dns

protocols:  files winbind # nis
services:   files winbind # nis
netgroup:   files winbind # nis
automount:  files winbind nis

Here is the radiusd.conf file:

modules {
 pap {
  encryption_scheme = crypt
 }

 chap {
  authtype = CHAP
 }

 pam {
  pam_auth = radiusd
 }

 unix {
  cache = no
  cache_reload = 600
  radwtmp = ${logdir}/radwtmp
 }

 $INCLUDE ${confdir}/eap.conf

 mschap {
  authtype = MS-CHAP
  #use_mppe = no
  require_encryption = yes
  #require_strong = yes
  with_ntdomain_hack = yes
  # the ntlm_auth command must be given on a single line
  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
 }
}

Thanks in advance.
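An added example, not part of the original post, that reduces a radiusd debug trace like the one above to the decisions that explain the reject: the DEFAULT entry in the users file set Auth-Type System, so only the unix module ran in authenticate and it returned notfound. The sample log is a constructed excerpt of the output quoted above; the regexes assume the 1.x "modcall[...]" message format shown there.

```python
import re

# Constructed excerpt of the radiusd debug output quoted in the post above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
  modcall[authorize]: module "mschap" returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 0
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
"""
MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
AUTHTYPE_RE = re.compile(r"Found Auth-Type (\S+)")
USERS_RE = re.compile(r"users: Matched entry (\S+) at line (\d+)")
REPLY_RE = re.compile(r"Sending (Access-\w+) of id (\d+)")

def parse_radius_debug(text):
    """Reduce one request's debug trace to the decisions that matter."""
    summary = {"authorize": [], "authenticate": [], "auth_type": None,
               "users_entry": None, "reply": None}
    for line in text.splitlines():
        if m := MODCALL_RE.search(line):          # per-module return codes
            section, module, rc = m.groups()
            summary.setdefault(section, []).append((module, rc))
        elif m := AUTHTYPE_RE.search(line):       # which Auth-Type was selected
            summary["auth_type"] = m.group(1)
        elif m := USERS_RE.search(line):          # which users entry selected it
            summary["users_entry"] = (m.group(1), int(m.group(2)))
        elif m := REPLY_RE.search(line):          # final Access-Accept/Reject
            summary["reply"] = m.group(1)
    return summary

def diagnose(summary):
    """Name the authenticate module that decided a reject and what selected it."""
    if summary["reply"] != "Access-Reject":
        return "no reject in trace"
    bad = [(m, rc) for m, rc in summary["authenticate"] if rc not in ("ok", "updated")]
    if not bad:
        return "rejected without an authenticate module failing (check authorize)"
    module, rc = bad[0]
    entry, lineno = summary["users_entry"] or ("?", 0)
    msg = (f"Auth-Type {summary['auth_type']} came from users entry {entry} "
           f"(line {lineno}); module {module} returned {rc}")
    if module == "unix" and rc == "notfound":
        msg += ": no local password entry to check, so a domain account cannot be verified this way"
    return msg
```

Running diagnose(parse_radius_debug(SAMPLE_LOG)) on the trace above points at the users DEFAULT entry as the reason the unix module, rather than ntlm_auth or mschap, handled the request.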