Problem with ntlm_auth

Syed Anwarul Hasan syedanwarulhasan2007 at gmail.com
Thu Oct 9 13:12:04 CEST 2008


OK, where are the USER CREDENTIALS stored? The one described in the manual is
Bind as User. That is, a user entry is added in the users file and, after using
ntlm_auth, it is checked against an Active Directory or LDAP server backend
using the NT LAN Manager authentication protocol.

For example:
Users file:
User      Auth-Type := ntlm_auth

In Active Directory
User should be a member.

So, then ntlm_auth requests will be passed from your Server to Active
Directory or LDAP Server.

Otherwise you will not set up ntlm_auth.

SYED

On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte at bertelsmann.de> wrote:

> OK, I have tested it with "radtest MyUser MyPassword localhost 0
> testing123" and this is what the server gave back:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
>         User-Name = "MyUser"
>         User-Password = "MyPassword"
>         NAS-IP-Address = IP.OF.THE.SERVER
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> MyUser
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 92 with timestamp +3710
> Ready to process requests.
>
>
>
> Now what should I do?
> Thanks in advance.
>
>
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
> *On behalf of* Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 12:12
>
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
>
>
> Hi,
> You can use the radtest tool to check with the Server. The Server will return
> accept-accept message.
> Another tool is JRadius Simulator, as IVAN said, but I have not used it.
> Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
> requests to use ntlm_auth with an Active Directory or LDAP server backend (if
> you have one).
>
> SYED
>
>  On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte at bertelsmann.de>
> wrote:
>
> Thanks, now it works :)
>
>
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult. If everything goes
> well, you should see the server returning an Access-Accept
> <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above."
>
>
>
> Kind regards
>
> Frederik Niedernolte
> -------------------------------------------------------
> arvato services
> An der Autobahn
> 33310 Gütersloh
> Germany
> http://www.arvato-services.de
> frederik.niedernolte at bertelsmann.de
> Tel.:      +49 (0)5241 80-40554
>
> arvato services GmbH: Registered office Gütersloh | District Court (Amtsgericht)
> Gütersloh HRB 3826 | Managing Directors Ralf Bierfischer, Bodo Krönfeld,
> Markus Schmedtmann, Eckhard Südmersen
>
>
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org
> *On behalf of* Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 11:44
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
>
>
> Hi Frederik,
>
> 1) Put User entry on *TOP* of users file.
> 2) In the default file, in the authenticate section, add *ntlm_auth*. Don't set
> using Auth-Type.
> 3) Also in sites-enabled/inner-tunnel, which is the Virtual Server Inner Tunnel,
> add *ntlm_auth* in the Authenticate Section.
>
> I hope it will solve your problem.
> SYED
>
>  On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte at bertelsmann.de>
> wrote:
>
> I have finished all steps up to "*user*     Auth-Type := ntlm_auth" from
> http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of
> "/usr/sbin/freeradius -X":
>
>
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /etc/freeradius/users
> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
>  }
> }
> Errors initializing modules
>
>
>
> The authenticate section in the /etc/freeradius/sites-enabled/default looks
> like this (only important part):
>
>
>
> authenticate {
> #
> #  NTLM_AUTH authentication.
> Auth-Type ntlm_auth {
>        ntlm_auth
> }
>
>
>
> What is wrong and what can I do to solve the problem?
>
> Thanks in advance.
>
> Best regards, F. Niedernolte
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
>
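
The reject in the debug trace quoted above can be read off mechanically. The following is an added example, not part of any poster's message or of FreeRADIUS: a small parser for `freeradius -X` style output that records each module's return code per group and explains the reject. The names `parse_debug` and `diagnose` are hypothetical, the sample is condensed from the quoted trace, and reading `noop` from `files` as "no users entry matched" is an assumption about rlm_files behaviour.

```python
import re

# Constructed sample: condensed from the freeradius -X output quoted in this thread.
SAMPLE = """\
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[unix] returns notfound
> ++[files] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request:
> +- entering group REJECT {...}
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
"""

GROUP = re.compile(r"^\+- entering group (\S+)")
RCODE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
SENT = re.compile(r"^Sending (Access-\w+) of id \d+")

def parse_debug(text):
    """Collect per-group module return codes, warning flags and the final reply."""
    out = {"groups": {}, "flags": set(), "reply": None}
    group = None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # tolerate mail quoting
        if m := GROUP.match(line):
            group = m.group(1)
            out["groups"].setdefault(group, {})
        elif (m := RCODE.match(line)) and group:
            out["groups"][group][m.group(1)] = m.group(2)
        elif "No authenticate method (Auth-Type)" in line:
            out["flags"].add("no_auth_type")
        elif 'No "known good" password' in line:
            out["flags"].add("no_known_good_password")
        elif m := SENT.match(line):
            out["reply"] = m.group(1)
    return out

def diagnose(parsed):
    """Turn the parsed trace into findings about why the request was rejected."""
    findings = []
    authz = parsed["groups"].get("authorize", {})
    if "no_auth_type" in parsed["flags"]:
        findings.append("authorize finished without any module setting Auth-Type")
        if authz.get("files") == "noop":  # assumption: noop means no entry matched
            findings.append("files returned noop: no users entry matched this User-Name")
    if "no_known_good_password" in parsed["flags"]:
        findings.append("pap found no known-good password to compare locally")
    return findings
```

Calling `diagnose(parse_debug(SAMPLE))` returns three findings for this trace, the second of which points at the users file lookup.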