Authorize with SQL and/or AD with ntlm_auth
Alan DeKok
aland at deployingradius.com
Fri Apr 4 08:02:30 CEST 2008
Guillaume Chartrand wrote:
> Hi, I want to configure my freeradius to authorize my user with an sql
> database or if the user isn’t present it would check in AD.
To be clear: get the password from LDAP, or ask AD about the
*authentication*.
> authorize {
> sql
> if (notfound)
> ntlm_auth
No, this won't work. ntlm_auth *authenticates* someone. It does
*not* pull the password from AD.
...
> exec ntlm_auth {
> wait = no
That is wrong. I presume you want to wait for the authentication
result from AD?
> program = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{mschap:NT-Domain:-intranet}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
If this is being run for PAP requests, you will need to use the
"--password" command-line option. See "man ntlm_auth".
And even with all that, you don't need to use ntlm_auth for PAP
requests. You can just use LDAP to bind to AD as the user.
...
> expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
>
> rlm_mschap: No MS-CHAP-Challenge in the request.
See? It's not doing MS-CHAP.
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for gchartra with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Um... so you did NOT configure the ntlm_auth program in the mschap
module. Why? If you had, this would have worked.
> If in the radius.conf mschap section module I insert the same ntlm_auth
> line of the exec, the SQL doesn't work but AD works. If I put nothing in the
> mschap section, the SQL works but not AD. So what did I do wrong?
1) Do not create your own "ntlm_auth" module.
2) configure ntlm_auth in the mschap module
3) test that AD authentication works (ignoring SQL for now)
4) update the "authorize" section to look like this:
authorize {
	preprocess
	sql
	if (ok) {
		update control {
			MS-CHAP-Use-NTLM-Auth := No
		}
	}
...
After that, both AD and SQL should work.
Alan DeKok.
More information about the Freeradius-Users mailing list
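The layout Alan describes, written out as one FreeRADIUS 2.x configuration. This is an added example, not configuration from the original thread or from the FreeRADIUS project; the ntlm_auth path and the "intranet" default domain are taken from the quoted exec line, and the file names in the comments and the "sql" instance name are assumptions.

```unlang
# Added example (not from the original post). Assumes FreeRADIUS 2.x,
# winbind on the RADIUS host, and an "sql" module instance that returns
# Cleartext-Password for users it knows.

# modules/mschap  (or the mschap { } block in radiusd.conf)
mschap {
	# Hand the MS-CHAP challenge/response to AD through winbind.
	# Nothing is fetched from AD; AD only says yes or no.
	# There is no separate "exec ntlm_auth { }" module anywhere.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# sites-enabled/default
authorize {
	preprocess

	# SQL first. When it returns "ok" the user is local and sql has
	# supplied Cleartext-Password, from which rlm_mschap derives
	# NT-Password itself, so ntlm_auth is switched off for this request.
	# When sql returns "notfound" nothing is set and the mschap module
	# keeps using ntlm_auth, i.e. AD decides.
	sql
	if (ok) {
		update control {
			MS-CHAP-Use-NTLM-Auth := No
		}
	}

	# These set Auth-Type from the request (MS-CHAP attributes or EAP).
	mschap
	eap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

Only MS-CHAP and EAP-MSCHAPv2 go through this path. A PAP request carries no challenge or NT-Response, so ntlm_auth gets nothing useful here; for PAP against AD, follow the reply's other suggestion and let the ldap module bind to AD as the user instead.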