Freeradius 2.0 with Activedirectory Integration Failed
tnt at kalik.net
Thu Nov 6 10:58:33 CET 2008
>I am implementing Freeradius 2.0 to be integrated with Microsoft
>Activedirectory and have encountered problems.
>All are being run in Virtual Environment (VMware Server 1.07)
>
>RADIUS
>OS: CentOS5.2
>Freeradius Server 2.1.1
>PAM radius 1.3.17
>
>Active Directory
>OS: Windows 2003 Server
>
>I refer to a number of URLS:
>http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>http://deployingradius.com/documents/configuration/active_directory.html
>
>I have successfully been able to join the RADIUS server to the AD, and am
>able to get output for "wbinfo -u", and NTLM works well:
>[root at RADIUS tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
>password:
>NT_STATUS_OK: Success (0x0)
>
>I used freeradius with its default settings, but modified the MSCHAP module,
>enabling ntlm_auth:
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>--username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST}
>--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
>Installed pam_radius 1.3.17, and configured sshd for pam to authenticate
>from pam_radius first:
>#%PAM-1.0
>auth sufficient /lib/security/pam_radius_auth.so
>auth include system-auth
>account required pam_nologin.so
>account include system-auth
>password include system-auth
>session optional pam_keyinit.so force revoke
>session include system-auth
>session required pam_loginuid.so
>
>I ran "radiusd -X", and opened another SSH session, using "test" account,
>that I tried with ntlm_auth previously, and got the following as in the
>debug output:
>Listening on authentication address * port 1812
>Listening on accounting address * port 1813
>Listening on proxy address * port 1814
>Ready to process requests.
>rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71,
>length=86
> User-Name = "test"
> User-Password = "password"
> NAS-IP-Address = 127.0.0.1
> NAS-Identifier = "sshd"
> NAS-Port = 26171
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
> Calling-Station-Id = "10.0.0.151"
You have to go back to the step where you force Auth-Type ntlm_auth.

DEFAULT Auth-Type = ntlm_auth

Put that in the users file (just = not :=). If you send an mschap request, mschap
in authorize will set the Auth-Type and this will have no effect; it
will set Auth-Type for pap requests.

The integration document describes how to make it work for mschap (PEAP)
requests.
Ivan Kalik
Kalik Informatika ISP
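As an added example (not code from the thread or from FreeRADIUS itself), here is a small Python model of the point in the reply: why the users-file entry must use "=" and not ":=". It assumes, as in the default site, that the mschap module runs in authorize before the files module, and that mschap sets Auth-Type only when the request carries MS-CHAP challenge/response attributes; both radiusd -X snippets below are constructed.

```python
# Constructed debug snippets in radiusd -X format: a PAP request as sent by
# pam_radius (User-Password) and an MS-CHAPv2 request as sent by PEAP.
DEBUG_PAP = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71, length=86
 User-Name = "test"
 User-Password = "password"
 NAS-Identifier = "sshd"
"""

DEBUG_MSCHAP = """\
rad_recv: Access-Request packet from host 10.0.0.5 port 1645, id=3, length=200
 User-Name = "test"
 MS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10
 MS-CHAP2-Response = 0x0000a1b2c3d4e5f60718293a4b5c6d7e8f90
"""


def parse_request(debug: str) -> dict:
    """Collect the indented 'Attr = value' lines of a debug dump into a dict."""
    attrs = {}
    for line in debug.splitlines():
        if line.startswith(" ") and " = " in line:
            name, _, value = line.strip().partition(" = ")
            attrs[name] = value.strip('"')
    return attrs


def mschap_authorize(request: dict, control: dict) -> None:
    """Model of mschap in authorize: an MS-CHAP challenge plus a response
    makes the module force Auth-Type := MS-CHAP (assumed behaviour)."""
    if "MS-CHAP-Challenge" in request and (
        "MS-CHAP-Response" in request or "MS-CHAP2-Response" in request
    ):
        control["Auth-Type"] = "MS-CHAP"


def apply_users_entry(control: dict, attr: str, op: str, value: str) -> None:
    """users-file check-item operators: '=' sets only if absent, ':=' overrides."""
    if op == "=":
        control.setdefault(attr, value)
    elif op == ":=":
        control[attr] = value
    else:
        raise ValueError(f"operator {op!r} not modeled")


def select_auth_type(debug: str, op: str = "=") -> str:
    """Run the modeled authorize steps in order and return the resulting Auth-Type."""
    request, control = parse_request(debug), {}
    mschap_authorize(request, control)
    apply_users_entry(control, "Auth-Type", op, "ntlm_auth")
    return control["Auth-Type"]
```

With "=" the PAP request from sshd gets Auth-Type ntlm_auth while a PEAP/MS-CHAP request keeps MS-CHAP; with ":=" the entry would override mschap's choice and break PEAP.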