Beating a dead horse, or freeradius 2.1.1 and active directory

Ben Little BLittle at
Thu Dec 4 20:05:46 CET 2008

Well I'll be a son of a gun :-)

It worked!  Awesome, thanks a ton, ok now to see if I can make my silly switch work with this authentication! Alan, if you're reading this you should add the inner-tunnel addition to the how to.

Now I just have to figure out the authorization piece of the puzzle and I'll be golden.


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host port 53912, id=223, length=57
	User-Name = "rtest"
	User-Password = "SEKRAT"
	NAS-IP-Address =
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry rtest at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=rtest
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=SEKRAT
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
++[ntlm_auth] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 223 to port 53912
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 223 with timestamp +19
Ready to process requests.

> -----Original Message-----
> From: 
> at lists.freeradius
> .org 
> [ at
>] On Behalf Of tnt at
> Sent: Thursday, December 04, 2008 10:35 AM
> To: FreeRadius users mailing list
> Subject: RE: Beating a dead horse, or freeradius 2.1.1 and 
> active directory
> >Here is the first line in the users file
> >
> >(quotes removed)
> >rtest   Auth-Type := ntlm_auth
> >
> >And here is the error that generates:
> >
> >/etc/raddb/users[1]: Parse error (check) for entry rtest: 
> Unknown value 
> >ntlm_auth for attribute Auth-Type Errors reading /etc/raddb/users
> >/etc/raddb/modules/files[7]: Instantiation failed for module "files"
> >/etc/raddb/sites-enabled/inner-tunnel[110]: Failed to find 
> module "files".
> >/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing 
> authorize section.
> > }
> >}
> >Errors initializing modules
> >
> OK. Howto needs updating. Freeradius in default configuration 
> has default and inner-tunnel virtual servers. You should add 
> ntlm_auth to authenticate section of both (not just default 
> as in howto). This issue is probably going to be resolved 
> with virtual server specific users file but at present if 
> Auth-Type is listed in users file it has to exist in all 
> enabled virtual servers.
> So, add ntlm_auth to authenticate section of inner-tunnel 
> virtual server and leave user entry without quotes.
> Ivan Kalik
> Kalik Informatika ISP
> Ivan Kalik
> Kalik Informatika ISP
> -
> List info/subscribe/unsubscribe? See 

More information about the Freeradius-Users mailing list