freeradius and ntlm_auth howto
Phil Mayers
p.mayers at imperial.ac.uk
Fri Oct 27 12:26:09 CEST 2006
Stieven.Struyf at komatsu.eu wrote:
>
> All,
> I finally got it working, but not yet as i want.
> The trick that made it work is settings auth-type := MSCHAPv2 for the
You should not do that, and should not *have* to do that.
Most likely you have not put the mschap module in the authorize section,
*or* you have put another module higher up that is setting the Auth-Type
first, e.g. LDAP.
You should have:
authorize {
        preprocess
        mschap
        # other modules, maybe files?
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
> user(s) and i also started radiusd as root(changed the rights without
> success to radiusd, but once everything is working i will try to run
> again with radiusd user)
That's probably permissions on the winbind socket - see
[pjm3 at wildfire var]$ ls -ld /var/cache/samba/winbindd_privileged/
drwxr-x--- 2 root root 4096 Jul 24 21:36 /var/cache/samba/winbindd_privileged/
...radius will need to be able to get into that directory and access the
unix socket inside.
Many distributions have the unix group "squid" set up to be able to read
it for the purposes of Squid+ntlm. If so, just add the "radiusd" user to
the "squid" group. Or, create an "ntlmauth" group and set permissions
appropriately.
If you are on an SELinux distribution, watch for that.
> If i connect my user(s) with username at realm it works,
> but if i use realm\username the realm is found but no ntlm is used (and
> authentication fails).
>
> Below you find an extract from the debug where you can see that the
An extract is no use. Please show the full debug output for a failing
session.
HOWEVER, first you may want to check your mschap module definition:
modules {
        mschap {
                ntlm_auth = "/usr/bin/ntlm_auth \
                        --request-nt-key \
                        --username=%{mschap:User-Name:-None} \
                        --domain=%{mschap:NT-Domain:-None} \
                        --challenge=%{mschap:Challenge:-00} \
                        --nt-response=%{mschap:NT-Response:-00}"
        }
}
...all on one line of course. Note the use of the "mschap:User-Name" and
"mschap:NT-Domain" values.
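An added example (not part of the thread, and not rlm_mschap or Samba code) showing what the three "%{mschap:...}" expansions in that ntlm_auth line actually produce for an MS-CHAPv2 request: the NT-Domain / User-Name split on the backslash, and the 8-byte "Challenge", which for MS-CHAPv2 is the ChallengeHash of RFC 2759 (SHA1 over peer challenge, authenticator challenge and the bare user name). The sample values are the published RFC 2759 section 9.2 test vectors, so the expected --challenge and --nt-response are known; the NT-Response is taken from the packet rather than recomputed (that would need the NT hash, i.e. MD4 and DES). The "user@realm" case is deliberately left unsplit, because that stripping is done by the realm module, not by mschap.

```python
"""What FreeRADIUS hands to ntlm_auth for an MS-CHAPv2 request.

Added example for this thread; it is not rlm_mschap code.  It models the
three %{mschap:...} expansions used in the ntlm_auth line in the mail:
  %{mschap:NT-Domain}  -> text before a backslash in User-Name (else absent)
  %{mschap:User-Name}  -> text after the backslash (else the whole User-Name)
  %{mschap:Challenge}  -> for MS-CHAPv2, the 8-octet ChallengeHash of RFC 2759
"""
import hashlib
from typing import List, Optional, Tuple


def split_nt_name(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user).  Without a backslash the
    domain is None and the name is returned untouched; a 'user@realm' name
    is NOT split here (that is the realm module's job, not mschap's)."""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, user


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                            user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2:
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    UserName is the bare account name: Windows clients hash the name
    without the domain, which is what with_ntdomain_hack accounts for."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(user_name.encode("ascii"))
    return sha.digest()[:8]


def build_ntlm_auth_argv(user_name: str, ms_chap_challenge: bytes,
                         ms_chap2_response: bytes,
                         ntlm_auth: str = "/usr/bin/ntlm_auth") -> List[str]:
    """Expand the ntlm_auth command line from the mail into an argv list.

    MS-CHAP2-Response (RFC 2548 section 2.3.3) is 50 octets:
      Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)
    FreeRADIUS execs the program directly, without a shell, so the result
    is an argument list.  ':-None' in the config means "substitute None
    when the expansion is empty"; the same default is applied here.
    """
    if len(ms_chap_challenge) != 16:
        raise ValueError("MS-CHAP-Challenge must be 16 octets for MS-CHAPv2")
    if len(ms_chap2_response) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets")
    domain, user = split_nt_name(user_name)
    peer_challenge = ms_chap2_response[2:18]
    nt_response = ms_chap2_response[26:50]
    challenge = mschapv2_challenge_hash(peer_challenge, ms_chap_challenge, user)
    return [
        ntlm_auth,
        "--request-nt-key",
        "--username=" + user,
        "--domain=" + (domain if domain else "None"),
        "--challenge=" + challenge.hex(),
        "--nt-response=" + nt_response.hex(),
    ]


# RFC 2759 section 9.2 test vectors (published values, not invented here).
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_NT_RESPONSE = bytes.fromhex(
    "82309ECD8D708B5EA08FAA4981CD78956B4B678920C1FC3C")


def sample_ms_chap2_response(peer_challenge: bytes = RFC2759_PEER_CHALLENGE,
                             nt_response: bytes = RFC2759_NT_RESPONSE,
                             ident: int = 1) -> bytes:
    """Constructed MS-CHAP2-Response value wrapped around the RFC vectors."""
    return bytes([ident, 0]) + peer_challenge + bytes(8) + nt_response


if __name__ == "__main__":
    for name in ("User", "EXAMPLE\\User", "User@example.com"):
        argv = build_ntlm_auth_argv(name, RFC2759_AUTH_CHALLENGE,
                                    sample_ms_chap2_response())
        print(name, "->", " ".join(argv))
```

Run it and the three name forms show the point of the thread: "EXAMPLE\User" yields --username=User --domain=EXAMPLE, a bare "User" yields --domain=None (so winbind falls back to its own default domain), and "User@example.com" is passed through whole unless something earlier in authorize has stripped the realm.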
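A second added example (again not from the thread, and not Samba or FreeRADIUS code) for the winbindd_privileged permission problem Phil points at: it applies the ordinary Unix owner/group/other check to a directory like the 0750 root:root one in his ls output and to the socket inside it (Samba names it "pipe"), and reports which group on the directory would grant access, which is what "add radiusd to the squid group" relies on. The demo() function builds a scratch directory with those modes instead of touching /var/cache/samba; the uid 65534 used as the "stranger" is just an arbitrary non-owner. SELinux is not modelled, so a denial from that side still has to be read from the audit log.

```python
"""Can an unprivileged daemon user reach winbindd's privileged socket?

Added example for this thread, not Samba or FreeRADIUS code.  It applies the
classic Unix permission algorithm to the directory from the mail
(/var/cache/samba/winbindd_privileged, mode 0750 root:root) and to the
socket inside it, and names the group that would grant access.
"""
import grp
import os
import pwd
import stat
import tempfile
from typing import Dict, Iterable, Set, Tuple


def unix_allows(st: os.stat_result, uid: int, gids: Iterable[int],
                want: int) -> bool:
    """Owner bits if uid owns the object, else group bits if any of the
    user's groups matches, else 'other' bits; it never falls through to a
    weaker class.  uid 0 bypasses the check, as the kernel does.
    `want` is a 3-bit mask: 4 read, 2 write, 1 execute/search."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in set(gids):
        shift = 3
    else:
        shift = 0
    return ((st.st_mode >> shift) & want) == want


def resolve_user(name: str) -> Tuple[int, Set[int]]:
    """(uid, gids) for a user name, including supplementary groups."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if name in g.gr_mem)
    return pw.pw_uid, gids


def check_winbind_access(directory: str, uid: int, gids: Iterable[int],
                         socket_name: str = "pipe") -> Dict[str, object]:
    """Report whether uid/gids can traverse `directory` and connect to the
    socket in it.  Traversal needs the search (x) bit on the directory;
    connect() on a Unix socket needs write permission on the socket file
    (Linux).  A missing socket is reported as None, not as a failure."""
    gids = set(gids)
    st = os.stat(directory)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(directory)
    try:
        group_name = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group_name = str(st.st_gid)
    report: Dict[str, object] = {
        "dir_ok": unix_allows(st, uid, gids, 1),
        "dir_group": group_name,                          # group to add radiusd to
        "group_can_traverse": bool(st.st_mode & stat.S_IXGRP),
        "socket_ok": None,
    }
    sock = os.path.join(directory, socket_name)
    if os.path.exists(sock):
        report["socket_ok"] = unix_allows(os.stat(sock), uid, gids, 2)
    return report


def demo() -> Dict[str, Dict[str, object]]:
    """Reproduce the situation from the mail on a scratch directory: a 0750
    directory with a 0660 placeholder 'pipe', checked for the current user
    (the owner) and for an arbitrary uid that is neither owner nor member
    of the directory's group (constructed data, not a real winbind socket)."""
    d = tempfile.mkdtemp(prefix="winbindd_privileged.")
    os.chmod(d, 0o750)
    pipe = os.path.join(d, "pipe")
    open(pipe, "w").close()
    os.chmod(pipe, 0o660)
    me = os.getuid()
    my_gids = set(os.getgroups()) | {os.getgid()}
    stranger = 65534 if me != 65534 else 65533
    return {
        "owner": check_winbind_access(d, me, my_gids),
        "stranger": check_winbind_access(d, stranger, set()),
    }


if __name__ == "__main__":
    for who, report in demo().items():
        print(who, report)
```

Against a real box you would call check_winbind_access("/var/cache/samba/winbindd_privileged", *resolve_user("radiusd")); dir_ok False with group_can_traverse True tells you membership in dir_group is all that is missing, dir_ok False with group_can_traverse False means the mode itself has to change (the "ntlmauth" group approach).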