Freeradius 2.0 with Activedirectory Integration Failed

Andy Ng nding at hotmail.com
Fri Nov 7 09:11:42 CET 2008


Hi Ivan,
Firstly, thanks for taking the time to look at the problems I am facing.

I have followed your instructions, and set the following in the users file:
DEFAULT   Auth-Type = ntlm_auth

After doing that, I ran radiusd -X
The configuration was fine at the beginning, but it then reaches an abrupt
stop with the following errors in the debug:
/usr/local/etc/raddb/users[1]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files"
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
 }
}
Errors initializing modules

It seems like it requires an external ntlm_auth to execute, rather than one
that is embedded in the MSCHAP module.

I pick and match certain items from the URLs that I have previously
attached. I just want to make it work at the minimum first, before I proceed
to expand it.

Thanks!

Regards,
Andy


tnt-4 wrote:
> 
>>I am implementing Freeradius 2.0 to be integrated with Microsoft
>>Active Directory and have encountered problems.
>>All are being run in a virtual environment (VMware Server 1.07)
>>RADIUS
>>OS: CentOS5.2
>>Freeradius Server 2.1.1
>>PAM radius 1.3.17
>>
>>Active Directory
>>OS: Windows 2003 Server
>>
>>I refer to a number of URLs:
>>http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>>http://deployingradius.com/documents/configuration/active_directory.html
>>
>>I have successfully been able to join the RADIUS server to the AD, and am
>>able to have output for "wbinfo -u", and NTLM works well:
>>[root@RADIUS tmp]# ntlm_auth --request-nt-key --domain=TEST --username=test
>>password:
>>NT_STATUS_OK: Success (0x0)
>>
>>I used freeradius with its default settings, but modifying MSCHAP module,
>>enabling ntlm_auth:
>>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-TEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>>
>>Installed pam_radius 1.3.17, and configured sshd for pam to authenticate
>>from pam_radius first:
>>#%PAM-1.0
>>auth       sufficient   /lib/security/pam_radius_auth.so
>>auth       include      system-auth
>>account    required     pam_nologin.so
>>account    include      system-auth
>>password   include      system-auth
>>session    optional     pam_keyinit.so force revoke
>>session    include      system-auth
>>session    required     pam_loginuid.so
>>
>>I ran "radiusd -X", and opened another SSH session, using "test" account,
>>that I tried with ntlm_auth previously, and got the following as in the
>>debug output:
>>Listening on authentication address * port 1812
>>Listening on accounting address * port 1813
>>Listening on proxy address * port 1814
>>Ready to process requests.
>>rad_recv: Access-Request packet from host 127.0.0.1 port 27196, id=71, length=86
>>        User-Name = "test"
>>        User-Password = "password"
>>        NAS-IP-Address = 127.0.0.1
>>        NAS-Identifier = "sshd"
>>        NAS-Port = 26171
>>        NAS-Port-Type = Virtual
>>        Service-Type = Authenticate-Only
>>        Calling-Station-Id = "10.0.0.151"
> 
> You have to go back to the step where you force Auth-Type ntlm_auth.
> 
> DEFAULT   Auth-Type = ntlm_auth
> 
> Put that in users file (just = not :=). If you send an mschap request, mschap
> in authorize will set the Auth-Type and this will have no effect; it
> will set Auth-Type for pap requests.
> 
> The integration document describes how to make it work for mschap (PEAP)
> requests.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20376253.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
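
The "Unknown value ntlm_auth for attribute Auth-Type" error quoted in this message appears when the users file names an Auth-Type that no authenticate section defines. The fragment below is an added example, not part of the original thread, following the exec-module approach of the deployingradius.com document linked in the message. The raddb prefix, the ntlm_auth path and the TEST domain are taken from the message; the module file name modules/ntlm_auth is an assumption.

```conf
# /usr/local/etc/raddb/modules/ntlm_auth   (new file; the file name is an assumption)
# An exec module instance named "ntlm_auth", so that the name can be
# referenced from the authenticate section and from the users file.
exec ntlm_auth {
	# Wait for the program to finish so its exit status decides accept/reject.
	wait = yes
	# PAP case: the cleartext User-Password is handed to ntlm_auth.
	# The password is on the command line, so it is visible in the process
	# list to local users of the RADIUS host while ntlm_auth runs.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
}

# /usr/local/etc/raddb/sites-enabled/default
# /usr/local/etc/raddb/sites-enabled/inner-tunnel
authenticate {
	# ... existing entries (pap, chap, mschap, eap, ...) stay unchanged ...

	# Listing the module here makes "ntlm_auth" a known Auth-Type value,
	# which is what the users file parser could not find.
	ntlm_auth
}

# /usr/local/etc/raddb/users   (first entry, as given in the thread)
# "=" only applies when nothing else has set Auth-Type, so MSCHAP/PEAP
# requests handled by the mschap module are left alone.
DEFAULT   Auth-Type = ntlm_auth
```

After these changes, running radiusd -X again should get past the users file, and a PAP request such as the pam_radius one in the quoted debug output should be handed to the ntlm_auth instance.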



