ntlm_auth works on commandline but not in radiusd.conf
radius at illiana.net
Wed Oct 1 16:11:45 CEST 2008
Please forgive me as I'm a newbie to Radius. I've been reading FAQs and
the archived mailing list for three days and haven't seen a problem similar
to mine. ntlm_auth works as expected on the command line, however it does
not work in radius. In radius it ALWAYS returns a status ok and
authenticates the user, even if the password is incorrect. Below are log
snippets from issuing radiusd -X. I'm using the latest version, FreeRadius
2.1.1, compiled from source. Very specifically, I followed the (out of
date) guide by Alan DeKok called "Deploying Radius"
http://deployingradius.com/documents/configuration/active_directory.html
Everything works ok in the guide up to the point of the first radtest
command. I can put ANY password for the user in the radtest command and
it works. Again, issuing ntlm_auth from the command line gives predictable
results. Here's the real-world example demonstrating that I have ntlm_auth
properly working. These are the expected results.
Is there a better way to debug the exec module to see what is really
happening when exec calls ntlm_auth from within freeradius?
[root at marauder ~]# ntlm_auth --domain=GTDEV --request-nt-key
--username=ntlmtest --password=radpw
NT_STATUS_OK: Success (0x0)
[root at marauder ~]# ntlm_auth --domain=GTDEV --request-nt-key
--username=ntlmtest --password=radpwnogood
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Radtest is issued from the command line and this is the debug output from
radiusd -X
[root at marauder ~]# radtest ntlmtest radpw localhost 0 testing123
Sending Access-Request of id 103 to 127.0.0.1 port 1812
User-Name = "ntlmtest"
User-Password = "radpw"
NAS-IP-Address = 10.10.3.5
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=103,
length=20
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60006, id=103,
length=60
User-Name = "ntlmtest"
User-Password = "radpw"
NAS-IP-Address = 10.10.3.5
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry ntlmtest at line 96
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=ntlmtest
[ntlm_auth] expand: --password=%{User-Password} -> --password=radpw
++[ntlm_auth] returns ok
Login OK: [ntlmtest/radpw] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 103 to 127.0.0.1 port 60006
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 103 with timestamp +3
Ready to process requests.
OK, now here's the same radtest with a bad password. It works but it
shouldn't!
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58940, id=87,
length=60
User-Name = "ntlmtest"
User-Password = "radpwnogood"
NAS-IP-Address = 10.10.3.5
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ntlmtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry ntlmtest at line 96
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=ntlmtest
[ntlm_auth] expand: --password=%{User-Password} -> --password=radpwnogood
++[ntlm_auth] returns ok
Login OK: [ntlmtest/radpwnogood] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 87 to 127.0.0.1 port 58940
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 87 with timestamp +7
Ready to process requests.
And for those of you who must see the ntlm_auth config portion, here it
is: (it's the same as the deployment guide)
$INCLUDE ${confdir}/modules/
#
# put exec ntlm_auth AFTER the exec module is defined
#
exec ntlm_auth {
    wait = no
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=GTDEV --username=%{mschap:User-Name} --password=%{User-Password}"
}
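The module block above returns ok for any password because with wait = no rlm_exec starts ntlm_auth in the background and never reads its exit status, which is exactly the NT_STATUS_WRONG_PASSWORD signal the command-line test relies on. The following is an editor's added example, not part of the original post or of the deployingradius guide: the same module as posted, next to the one-setting change that makes the exit status count.

```conf
# Added example (not from the original post). Both blocks would go in
# radiusd.conf after the exec module definition, as the guide describes.

# As posted: wait = no means rlm_exec does not wait for ntlm_auth to exit,
# so its exit code is never seen and the module always returns "ok".
# (Shown commented out; do not load both blocks under the same name.)
#
# exec ntlm_auth {
#     wait = no
#     program = "/usr/bin/ntlm_auth --request-nt-key --domain=GTDEV --username=%{mschap:User-Name} --password=%{User-Password}"
# }

# Corrected: wait = yes makes rlm_exec block until ntlm_auth exits and use
# the exit status as the module return code, so a non-zero exit (wrong
# password) is no longer treated as "ok" and the request is rejected.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=GTDEV --username=%{mschap:User-Name} --password=%{User-Password}"
}

# Caveat: the cleartext password is expanded onto the ntlm_auth command
# line, so it appears in radiusd -X output (as in the logs above) and in
# process listings on the RADIUS host while ntlm_auth runs. Restrict who
# can read debug logs and run ps on that box.
```

With wait = yes in place, re-running the bad-password radtest should end in an Access-Reject rather than the "Login OK" line shown above, while the good-password run still produces Access-Accept.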