Unknown value ntlm_auth for attribute Auth-Type
Charles Jones
linuxchuck at gmail.com
Thu Apr 3 15:06:20 CEST 2008
Hello again,
First off, thanks go to all who provided the excellent documentation
available on the FR wiki, and affiliated sites. Because of that
documentation, I have FR 2.0.3 installed on CentOS 5.1, and it is
working rather nicely for Cisco port-based 802.1x authentication via
Active Directory (2k3 server).
I have now configured LDAP-based Group authorization for Cisco
privileged access to the routers/switches in our network. I have the
authorization side working great, but I've run into a problem trying
to get AD authorization to work:
Passwords are not checked at all. Authentication is not happening
through FR for these logins. As long as a valid user account from AD
is supplied, and as long as that user is in the proper group,
("Network Managers" or "Switch Access") instant shell access is
granted regardless of the password supplied, and they are immediately
dropped into the designated privilege level for that group.
I presume the immediate cause of this problem is the "Auth-Type :=
Accept" in my users file.
My first instinct (after reading *tons* of mailing lists and forum
posts) was to simply remove the Auth-Type attribute, and see if FR
would find a way. Unfortunately, I receive an error stating "No
authenticate method (Auth-Type) configuration found for the request",
and the request is rejected.
Next, I decided to try a different Auth-Type. However, anytime I try
to provide an alternative Auth-Type, FR refuses to start with "Unknown
value for <insert Auth-Type of choice here> for attribute Auth-Type".
I have specifically tried to use ntlm_auth because that would be my
preferred method of authentication between FR and AD. When I
attempted to use ntlm_auth as the Auth-Type, I received the "Unknown
Value" message. I also tried adding an entry for it in the
sites_available/default file under the "authorize" section to see if
that helped. I received the same error. Next, I tried adding it to
the "instantiate" section just out of curiosity, and received a new
error stating "Cannot find a configuration entry for module
ntlm_auth".
Am I even moving in the right direction with this? I know there are
people out there who must be using a configuration similar to this
setup.
I have attached all of the relevant configuration files, cisco
configs, and debug logs from my test lab for your review.
*edit* The files take me 12K over the 100K size limit for a posting,
so I will send the debug logs in a reply to this post.
I will gladly accept any assistance, advice, known working configs, or
suggestions you may have regarding this issue. And if I've just
royally screwed something up, I'd like to know that too. Heck, if you
see *anything* that doesn't make sense in my configuration setup,
please feel free to bring it to my attention.
Thanks in advance,
Charles Jones
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiusd.conf
Type: application/octet-stream
Size: 61657 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080403/6955b703/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: users
Type: application/octet-stream
Size: 7478 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080403/6955b703/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cisco.log
Type: application/octet-stream
Size: 2080 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080403/6955b703/attachment-0002.obj>
More information about the Freeradius-Users
mailing list