Freeradius 2.0 with Activedirectory Integration Failed

Andy Ng nding at hotmail.com
Thu Nov 6 07:16:43 CET 2008


Hi all,

I am implementing FreeRADIUS 2.0 to be integrated with Microsoft
Active Directory and have encountered problems.
All are being run in Virtual Environment (VMware Server 1.07)

RADIUS
OS: CentOS5.2
Freeradius Server 2.1.1
PAM radius 1.3.17

Active Directory
OS: Windows 2003 Server

I refer to a number of URLS:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
http://deployingradius.com/documents/configuration/active_directory.html

I have successfully been able to join the RADIUS server to the AD; it is
able to produce output for "wbinfo -u", and ntlm_auth works well:
[root at RADIUS tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
password:
NT_STATUS_OK: Success (0x0)

I used FreeRADIUS with its default settings, but modified the MSCHAP module,
enabling ntlm_auth:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Installed pam_radius 1.3.17, and configured sshd for PAM to authenticate
via pam_radius first:
#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

I ran "radiusd -X", opened another SSH session using the "test" account
that I tried with ntlm_auth previously, and got the following debug
output:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71,
length=86
        User-Name = "test"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 26171
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "10.0.0.151"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 71 to 127.0.0.1 port 27196
Waking up in 4.9 seconds.
Cleaning up request 0 ID 71 with timestamp +13
Ready to process requests.

It doesn't seem to be calling ntlm_auth?
I am not sure how I am supposed to debug this problem further, as I have
tried a number of troubleshooting steps, but still to no avail.

Can someone enlighten me on this problem?

If there is more information required, please tell me.
I have attached my radius configuration as well: 
http://www.nabble.com/file/p20355701/radiusd.conf radiusd.conf 

Thanks in advance!

Regards,
Andy
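The debug output in the post explains why ntlm_auth is never reached: pam_radius sends a plain User-Password (PAP) request, so the mschap module, which only acts on MS-CHAP-Challenge/MS-CHAP-Response pairs, returns noop, nothing sets Auth-Type, and the server rejects the request before any authenticate method runs. The ntlm_auth line in the mschap module only ever fires for MS-CHAP requests. For PAP the usual approach, as documented on deployingradius.com, is to hand the cleartext password to ntlm_auth through the exec module and route requests to it with Auth-Type. The fragment below is an added configuration example, not part of the original post or its attached radiusd.conf; the path /usr/bin/ntlm_auth and domain TEST are taken from the post, the module name ntlm_auth and the file locations (modules/, sites-enabled/default, users under a stock FreeRADIUS 2.x raddb) are assumptions.

```conf
# raddb/modules/ntlm_auth  (added example; define an exec module that runs
# ntlm_auth with the cleartext password carried in the PAP request).
# %{mschap:User-Name} strips any DOMAIN\ prefix from the supplied name.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default, inside the existing authenticate section:
# bind Auth-Type ntlm_auth to the module above. exec with wait = yes returns
# ok when ntlm_auth exits 0 (NT_STATUS_OK) and reject otherwise.
authenticate {
        Auth-Type ntlm_auth {
                ntlm_auth
        }
        # other Auth-Type blocks (PAP, CHAP, MS-CHAP, eap) stay as shipped
}

# raddb/users: send every request that has no other Auth-Type to ntlm_auth
DEFAULT     Auth-Type = ntlm_auth
```

After restarting radiusd -X, the same sshd login should show the ntlm_auth exec module being run in the authenticate section and an Access-Accept instead of the "No authenticate method (Auth-Type) configuration found" line. Two caveats for a practitioner: with this setup the user's cleartext password appears briefly in ntlm_auth's argument list on the RADIUS host and in the radiusd -X debug output, so keep the host trusted and run debug mode only while testing; and the existing ntlm_auth setting in the mschap module is still needed for clients that use MS-CHAP, since the two paths serve different request types.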