NTLM_auth active directory - what is wrong?
Santiago Matiz V
santimatiz at yahoo.com
Tue Oct 7 16:08:24 CEST 2008
Syed thanks for your answer, when i configure the file "users" with "ntlm_auth" appears the error :
"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users"
thanks again...
Santiago Matiz (santimatiz at yahoo.com)
Systems Engineer
Bogotá, Colombia (South America)
--- On Tue, 10/7/08, Syed Anwarul Hasan <syedanwarulhasan2007 at gmail.com> wrote:
> From: Syed Anwarul Hasan <syedanwarulhasan2007 at gmail.com>
> Subject: Re: NTLM_auth active directory - what is wrong?
> To: santimatiz at yahoo.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Tuesday, October 7, 2008, 2:20 PM
> Hi Santiago,
>
> I would suggest you to first try with radtest to see
> ntlm_auth BIND AS
> USER is working or not.
>
> Have a User entry in Users file with Auth-Type := ntlm_auth
> Add *ntlm_auth* in Authenticate section of default and
> inner-tunnel files in
> /sites-enabled directory.
>
> Then if radtest returns NT Success Ok or ntlm_auth is being
> done by Server.
> Then Try for RADIUS requests from actual NAS.
>
> I have done this way as of now to check ntlm_auth Bind.
>
> The Experts can show you more light in your problem.
>
> Regards,
> SYED
>
>
>
> On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V
> <santimatiz at yahoo.com>wrote:
>
> >
> > Hi all
> > I follow the instructions of Alan :
> >
> >
> <http://deployingradius.com/documents/configuration/active_directory.html>
> >
> > to authenticate ntlm_auth with radius but appers the
> following message:
> >
> > " WARNING: Unknown value specified for Auth-Type.
> Cannot perform requested
> > action.
> > auth: Failed to validate the user."
> >
> > what is wrong?
> >
> > Please help.
> > Santiago
> >
> >
> > FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu,
> built on Sep 3 2008
> > at 15:55:02
> > Copyright (C) 1999-2008 The FreeRADIUS server project
> and contributors.
> > There is NO warranty; not even for MERCHANTABILITY or
> FITNESS FOR A
> > PARTICULAR PURPOSE.
> > You may redistribute copies of FreeRADIUS under the
> terms of the
> > GNU General Public License v2.
> > Starting - reading configuration files ...
> > including configuration file
> /usr/local/etc/raddb/radiusd.conf
> > including configuration file
> /usr/local/etc/raddb/proxy.conf
> > including configuration file
> /usr/local/etc/raddb/clients.conf
> > including configuration file
> /usr/local/etc/raddb/snmp.conf
> > including configuration file
> /usr/local/etc/raddb/eap.conf
> > including dictionary file
> /usr/local/etc/raddb/dictionary
> > main {
> > prefix = "/usr/local"
> > localstatedir = "/var"
> > logdir = "/var/log/radius"
> > libdir = "/usr/local/lib"
> > radacctdir =
> "/var/log/radius/radacct"
> > hostname_lookups = no
> > max_request_time = 30
> > cleanup_delay = 5
> > max_requests = 1024
> > allow_core_dumps = no
> > pidfile =
> "/var/run/radiusd/radiusd.pid"
> > checkrad = "/usr/local/sbin/checkrad"
> > debug_level = 0
> > proxy_requests = yes
> > log_auth = yes
> > log_auth_badpass = no
> > log_auth_goodpass = no
> > log_stripped_names = no
> > }
> > client localhost {
> > ipaddr = 127.0.0.1
> > require_message_authenticator = no
> > secret = "testing123"
> > nastype = "other"
> > }
> > client 192.100.16.11 {
> > require_message_authenticator = no
> > secret = "123"
> > }
> > radiusd: #### Loading Realms and Home Servers ####
> > proxy server {
> > retry_delay = 5
> > retry_count = 3
> > default_fallback = no
> > dead_time = 120
> > wake_all_if_all_dead = no
> > }
> > home_server localhost {
> > ipaddr = 127.0.0.1
> > port = 1812
> > type = "auth"
> > secret = "testing123"
> > response_window = 20
> > max_outstanding = 65536
> > zombie_period = 40
> > status_check = "status-server"
> > ping_check = "none"
> > ping_interval = 30
> > check_interval = 30
> > num_answers_to_alive = 3
> > num_pings_to_alive = 3
> > revive_interval = 120
> > status_check_timeout = 4
> > }
> > home_server_pool my_auth_failover {
> > type = fail-over
> > home_server = localhost
> > }
> > realm example.com {
> > auth_pool = my_auth_failover
> > }
> > realm LOCAL {
> > }
> > realm DOMAIN.LOC {
> > authhost = LOCAL
> > accthost = LOCAL
> > }
> > realm DOMAIN {
> > authhost = LOCAL
> > accthost = LOCAL
> > }
> > radiusd: #### Instantiating modules ####
> > instantiate {
> > Module: Linked to module rlm_expr
> > Module: Instantiating expr
> > }
> > radiusd: #### Loading Virtual Servers ####
> > server {
> > modules {
> > Module: Checking authenticate {...} for more modules
> to load
> > Module: Linked to module rlm_mschap
> > Module: Instantiating mschap
> > mschap {
> > use_mppe = yes
> > require_encryption = no
> > require_strong = no
> > with_ntdomain_hack = yes
> > ntlm_auth = "/usr/bin/ntlm_auth
> --request-nt-key
> > --domain=%{mschap:NT-Domain:-DOMAIN}
> > --username=%{mschap:User-Name}
> --challenge=%{mschap:Challenge:-00}
> >
> --nt-response=%{mschap:NT-Response:-00}"
> > }
> > Module: Checking authorize {...} for more modules to
> load
> > Module: Linked to module rlm_preprocess
> > Module: Instantiating preprocess
> > preprocess {
> > huntgroups =
> "/usr/local/etc/raddb/huntgroups"
> > hints = "/usr/local/etc/raddb/hints"
> > with_ascend_hack = no
> > ascend_channels_per_line = 23
> > with_ntdomain_hack = no
> > with_specialix_jetstream_hack = no
> > with_cisco_vsa_hack = no
> > with_alvarion_vsa_hack = no
> > }
> > Module: Linked to module rlm_realm
> > Module: Instantiating realmslash
> > realm realmslash {
> > format = "prefix"
> > delimiter = "\"
> > ignore_default = no
> > ignore_null = no
> > }
> > Module: Instantiating suffix
> > realm suffix {
> > format = "suffix"
> > delimiter = "@"
> > ignore_default = no
> > ignore_null = no
> > }
> > Module: Linked to module rlm_eap
> > Module: Instantiating eap
> > eap {
> > default_eap_type = "peap"
> > timer_expire = 60
> > ignore_unknown_eap_types = no
> > cisco_accounting_username_bug = no
> > }
> > Module: Linked to sub-module rlm_eap_md5
> > Module: Instantiating eap-md5
> > Module: Linked to sub-module rlm_eap_leap
> > Module: Instantiating eap-leap
> > Module: Linked to sub-module rlm_eap_gtc
> > Module: Instantiating eap-gtc
> > gtc {
> > challenge = "Password: "
> > auth_type = "PAP"
> > }
> > Module: Linked to sub-module rlm_eap_tls
> > Module: Instantiating eap-tls
> > tls {
> > rsa_key_exchange = no
> > dh_key_exchange = yes
> > rsa_key_length = 512
> > dh_key_length = 512
> > verify_depth = 0
> > pem_file_type = yes
> > private_key_file =
> "/usr/local/etc/raddb/certs/server.pem"
> > certificate_file =
> "/usr/local/etc/raddb/certs/server.pem"
> > CA_file =
> "/usr/local/etc/raddb/certs/ca.pem"
> > private_key_password = "whatever"
> > dh_file =
> "/usr/local/etc/raddb/certs/dh"
> > random_file =
> "/usr/local/etc/raddb/certs/random"
> > fragment_size = 1024
> > include_length = yes
> > check_crl = no
> > cipher_list = "DEFAULT"
> > make_cert_command =
> "/usr/local/etc/raddb/certs/bootstrap"
> > }
> > Module: Linked to sub-module rlm_eap_ttls
> > Module: Instantiating eap-ttls
> > ttls {
> > default_eap_type = "md5"
> > copy_request_to_tunnel = no
> > use_tunneled_reply = no
> > virtual_server = "inner-tunnel"
> > }
> > Module: Linked to sub-module rlm_eap_peap
> > Module: Instantiating eap-peap
> > peap {
> > default_eap_type = "mschapv2"
> > copy_request_to_tunnel = no
> > use_tunneled_reply = no
> > proxy_tunneled_request_as_eap = yes
> > virtual_server = "inner-tunnel"
> > }
> > Module: Linked to module rlm_files
> > Module: Instantiating files
> > files {
> > usersfile =
> "/usr/local/etc/raddb/users"
> > acctusersfile =
> "/usr/local/etc/raddb/acct_users"
> > compat = "no"
> > }
> > Module: Checking preacct {...} for more modules to
> load
> > Module: Checking accounting {...} for more modules to
> load
> > Module: Linked to module rlm_acct_unique
> > Module: Instantiating acct_unique
> > acct_unique {
> > key = "User-Name, Acct-Session-Id,
> NAS-IP-Address,
> > Client-IP-Address, NAS-Port-Id"
> > }
> > Module: Linked to module rlm_detail
> > Module: Instantiating detail
> > detail {
> > detailfile =
> >
> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> > header = "%t"
> > detailperm = 384
> > dirperm = 493
> > locking = no
> > log_packet_header = no
> > }
> > Module: Linked to module rlm_radutmp
> > Module: Instantiating radutmp
> > radutmp {
> > filename = "/var/log/radius/radutmp"
> > username = "%{User-Name}"
> > case_sensitive = yes
> > check_with_nas = yes
> > perm = 384
> > callerid = yes
> > }
> > Module: Checking session {...} for more modules to
> load
> > Module: Checking post-proxy {...} for more modules to
> load
> > }
> > }
> > radiusd: #### Opening IP addresses and Ports ####
> > bind_address = *
> > WARNING: The directive 'bind_adress' is
> deprecated, and will be removed in
> > future versions of FreeRADIUS. Please edit the
> configuration files to use
> > the directive 'listen'.
> > Listening on authentication address * port 1812
> > Listening on accounting address * port 1813
> > Listening on proxy address * port 1814
> > Ready to process requests.
> > rad_recv: Access-Request packet from host
> 192.100.16.11 port 1308, id=0,
> > length=217
> > Message-Authenticator =
> 0x92d1b860b93a1c6d28f08eaa37697101
> > Service-Type = Framed-User
> > User-Name =
> "DOMAIN\\user\000"
> > Framed-MTU = 1488
> > Called-Station-Id =
> "00-16-E0-04-FE-44:pcountry"
> > Calling-Station-Id =
> "00-1B-77-4D-1A-74"
> > NAS-Identifier = "PISO 7 UG SISTEMAS"
> > NAS-Port-Type = Wireless-802.11
> > Connect-Info = "CONNECT 54Mbps
> 802.11g"
> > EAP-Message =
> 0x0200001601434c49434f554e5452595c736d6174697a
> > NAS-IP-Address = 192.100.16.11
> > NAS-Port = 1
> > NAS-Port-Id = "STA port # 1"
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[mschap] returns noop
> > rlm_realm: Looking up realm "DOMAIN" for
> User-Name = "DOMAIN\user"
> > rlm_realm: Found realm "DOMAIN"
> > rlm_realm: Adding Stripped-User-Name =
> "user"
> > rlm_realm: Adding Realm = "DOMAIN"
> > rlm_realm: Authentication realm is LOCAL.
> > ++[realmslash] returns ok
> > rlm_realm: Request already proxied. Ignoring.
> > ++[suffix] returns ok
> > rlm_eap: EAP packet type response id 0 length 22
> > rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> > ++[eap] returns updated
> > users: Matched entry user at line 178
> > ++[files] returns ok
> > rad_check_password: Found Auth-Type EAP
> > auth: type "EAP"
> > WARNING: Unknown value specified for Auth-Type.
> Cannot perform requested
> > action.
> > auth: Failed to validate the user.
> > Login incorrect: [DOMAIN\\user\000] (from
> client 192.100.16.11 port 1 cli
> > 00-1B-77-4D-1A-74)
> > Sending Access-Reject of id 0 to 192.100.16.11 port
> 1308
> > Finished request 0.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > rad_recv: Access-Request packet from host
> 192.100.16.11 port 1310, id=0,
> > length=217
> > Message-Authenticator =
> 0xf829fc414e9407ab04ede033d5a60941
> > Service-Type = Framed-User
> > User-Name =
> "DOMAIN\\user\000"
> > Framed-MTU = 1488
> > Called-Station-Id =
> "00-16-E0-04-FE-44:pcountry"
> > Calling-Station-Id =
> "00-1B-77-4D-1A-74"
> > NAS-Identifier = "PISO 7 UG SISTEMAS"
> > NAS-Port-Type = Wireless-802.11
> > Connect-Info = "CONNECT 54Mbps
> 802.11g"
> > EAP-Message =
> 0x0200001601434c49434f554e5452595c736d6174697a
> > NAS-IP-Address = 192.100.16.11
> > NAS-Port = 1
> > NAS-Port-Id = "STA port # 1"
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[mschap] returns noop
> > rlm_realm: Looking up realm "DOMAIN" for
> User-Name = "DOMAIN\user"
> > rlm_realm: Found realm "DOMAIN"
> > rlm_realm: Adding Stripped-User-Name =
> "user"
> > rlm_realm: Adding Realm = "DOMAIN"
> > rlm_realm: Authentication realm is LOCAL.
> > ++[realmslash] returns ok
> > rlm_realm: Request already proxied. Ignoring.
> > ++[suffix] returns ok
> > rlm_eap: EAP packet type response id 0 length 22
> > rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> > ++[eap] returns updated
> > users: Matched entry user at line 178
> > ++[files] returns ok
> > rad_check_password: Found Auth-Type EAP
> > auth: type "EAP"
> > WARNING: Unknown value specified for Auth-Type.
> Cannot perform requested
> > action.
> > auth: Failed to validate the user.
> > Login incorrect: [DOMAIN\\user\000] (from
> client 192.100.16.11 port 1 cli
> > 00-1B-77-4D-1A-74)
> > Sending Access-Reject of id 0 to 192.100.16.11 port
> 1310
> > Finished request 1.
> > Going to the next request
> > Waking up in 4.7 seconds.
> > rad_recv: Access-Request packet from host
> 192.100.16.11 port 1312, id=0,
> > length=217
> > Message-Authenticator =
> 0xef8314925f34ccf891d91ca6fa18857d
> > Service-Type = Framed-User
> > User-Name =
> "DOMAIN\\user\000"
> > Framed-MTU = 1488
> > Called-Station-Id =
> "00-16-E0-04-FE-44:pcountry"
> > Calling-Station-Id =
> "00-1B-77-4D-1A-74"
> > NAS-Identifier = "PISO 7 UG SISTEMAS"
> > NAS-Port-Type = Wireless-802.11
> > Connect-Info = "CONNECT 54Mbps
> 802.11g"
> > EAP-Message =
> 0x0200001601434c49434f554e5452595c736d6174697a
> > NAS-IP-Address = 192.100.16.11
> > NAS-Port = 1
> > NAS-Port-Id = "STA port # 1"
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[mschap] returns noop
> > rlm_realm: Looking up realm "DOMAIN" for
> User-Name = "DOMAIN\user"
> > rlm_realm: Found realm "DOMAIN"
> > rlm_realm: Adding Stripped-User-Name =
> "user"
> > rlm_realm: Adding Realm = "DOMAIN"
> > rlm_realm: Authentication realm is LOCAL.
> > ++[realmslash] returns ok
> > rlm_realm: Request already proxied. Ignoring.
> > ++[suffix] returns ok
> > rlm_eap: EAP packet type response id 0 length 22
> > rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> > ++[eap] returns updated
> > users: Matched entry user at line 178
> > ++[files] returns ok
> > rad_check_password: Found Auth-Type EAP
> > auth: type "EAP"
> > WARNING: Unknown value specified for Auth-Type.
> Cannot perform requested
> > action.
> > auth: Failed to validate the user.
> > Login incorrect: [DOMAIN\\user\000] (from
> client 192.100.16.11 port 1 cli
> > 00-1B-77-4D-1A-74)
> > Sending Access-Reject of id 0 to 192.100.16.11 port
> 1312
> > Finished request 2.
> > Going to the next request
> > Waking up in 4.4 seconds.
> > Cleaning up request 0 ID 0 with timestamp +113
> > Waking up in 0.2 seconds.
> > Cleaning up request 1 ID 0 with timestamp +113
> > Waking up in 0.2 seconds.
> > Cleaning up request 2 ID 0 with timestamp +114
> > Ready to process requests.
> >
> > Santiago Matiz (santimatiz at yahoo.com)
> > Systems Engineer
> > Bogotá, Colombia (South America)
> >
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
More information about the Freeradius-Users
mailing list