Problem with ntlm_auth
Syed Anwarul Hasan
syedanwarulhasan2007 at gmail.com
Thu Oct 9 13:33:52 CEST 2008
That was an example; to check with different users, DEFAULT should be used, as
rightly said by Ivan.
On Thu, Oct 9, 2008 at 1:22 PM, <Frederik.Niedernolte at bertelsmann.de> wrote:
> So to understand you right:
>
> Every user that should be authenticated has to be an entry in the users
> file?
>
> Isn't it possible to add a forwarding for every user so that all requests
> are just forwarded and checked?
>
> If not I must add all users from the AD to the users file, mustn't I?
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de at lists.freeradius.org *On behalf of* Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 13:16
>
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
> And also don't remove ntlm_auth from authenticate section of both default
> and inner-tunnel files.
>
> On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <
> syedanwarulhasan2007 at gmail.com> wrote:
>
> Ok, where are the USER CREDENTIALS stored? The one described in the manual is
> Bind as User. That is, a user entry is added in the users file and, after using
> ntlm_auth, it is checked against an Active Directory or LDAP server backend
> using the NT LAN Manager authentication protocol.
>
> For example:
> Users file:
> User Auth-Type := ntlm_auth
>
> In Active Directory
> User should be a member.
>
> So, then ntlm_auth requests will be passed from your Server to Active
> Directory or LDAP Server.
>
> Otherwise you will not set up ntlm_auth.
>
> SYED
>
> On Thu, Oct 9, 2008 at 12:58 PM, <Frederik.Niedernolte at bertelsmann.de>
> wrote:
>
> OK, I have tested it with "radtest MyUser MyPassword localhost 0
> testing123" and this is what the server gave back:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
> User-Name = "MyUser"
> User-Password = "MyPassword"
> NAS-IP-Address = IP.OF.THE.SERVER
> NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 92 with timestamp +3710
> Ready to process requests.
>
> Now what should I do?
> Thanks in advance.
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de at lists.freeradius.org *On behalf of* Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 12:12
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
> Hi,
> You can use the radtest tool to check with the server. The server will return
> an Access-Accept message.
> Another tool is the JRadius Simulator, as IVAN said, but I have not used it.
> Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
> requests to use ntlm_auth with an Active Directory or LDAP server backend (if
> you have one).
>
> SYED
>
> On Thu, Oct 9, 2008 at 11:54 AM, <Frederik.Niedernolte at bertelsmann.de>
> wrote:
>
> Thanks, now it works :)
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult. If everything goes
> well, you should see the server returning an Access-Accept
> <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above."
>
> Kind regards
>
> Frederik Niedernolte
> -------------------------------------------------------
> arvato services
> An der Autobahn
> 33310 Gütersloh
> Germany
> http://www.arvato-services.de
> frederik.niedernolte at bertelsmann.de
> Tel.: +49 (0)5241 80-40554
>
> arvato services GmbH: Registered office Gütersloh | Gütersloh District Court HRB 3826 |
> Managing Directors Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
> Südmersen
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de at lists.freeradius.org *On behalf of* Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 11:44
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
> Hi Frederik,
>
> 1) Put the user entry at the *TOP* of the users file.
> 2) In the default file, in the authenticate section, add *ntlm_auth*. Don't set
> it using Auth-Type.
> 3) Also in sites-enabled/inner-tunnel, which is the virtual server Inner Tunnel,
> add *ntlm_auth* in the authenticate section.
>
> I hope it will solve your problem.
> SYED
>
> On Thu, Oct 9, 2008 at 11:17 AM, <Frederik.Niedernolte at bertelsmann.de>
> wrote:
>
> I have finished all steps up to "*user* Auth-Type := ntlm_auth" from
> http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of
> "/usr/sbin/freeradius -X":
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /etc/freeradius/users
> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
> }
> }
> Errors initializing modules
>
> The authenticate section in the /etc/freeradius/sites-enabled/default looks
> like this (only important part):
>
> authenticate {
>         #
>         # NTLM_AUTH authentication.
>         Auth-Type ntlm_auth {
>                 ntlm_auth
>         }
>
> What is wrong and what can I do to solve the problem?
>
> Thanks in advance.
>
> Best regards, F. Niedernolte
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
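The thread ends with three pieces that have to agree: an "Auth-Type ntlm_auth { ntlm_auth }" block in the authenticate section of sites-enabled/default, the same block in sites-enabled/inner-tunnel, and a users-file entry (a named user or DEFAULT) setting "Auth-Type := ntlm_auth". The script below is an added check written for this summary, not code from the thread or from FreeRADIUS; it assumes a 2.x raddb tree laid out like the poster's (/etc/freeradius with sites-enabled/ and users) and reports which of the three pieces is missing.

```shell
#!/bin/sh
# Added example, not from the thread: check a FreeRADIUS 2.x raddb tree
# ($1, /etc/freeradius on the poster's system) for the three pieces the
# thread converges on.

# Does the virtual-server file $1 define "Auth-Type ntlm_auth {" inside its
# authenticate section? Comments are stripped first, so a commented-out
# block does not count. Returns 0 (yes) or 1 (no).
has_ntlm_auth_type() {
    awk '
        { sub(/#.*/, "") }
        /^[[:space:]]*authenticate[[:space:]]*[{]/ { in_auth = 1; depth = 0 }
        in_auth {
            depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
            if ($0 ~ /^[[:space:]]*Auth-Type[[:space:]]+ntlm_auth[[:space:]]*[{]/) found = 1
            if (depth <= 0) in_auth = 0
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Does the users file $1 have an entry (named user or DEFAULT) whose check
# items set "Auth-Type := ntlm_auth"? Returns 0 (yes) or 1 (no).
users_file_sets_ntlm_auth() {
    grep -Eq '^[^#[:space:]]+[[:space:]]+Auth-Type[[:space:]]*:=[[:space:]]*ntlm_auth' "$1"
}

# Report each missing piece; return 0 only when default, inner-tunnel and
# the users file all agree. A value defined in default but not in
# inner-tunnel is the mismatch the poster's trace shows: the users file was
# parsed on behalf of inner-tunnel, where the value was still unknown.
check_ntlm_auth_config() {
    rc=0
    for vs in default inner-tunnel; do
        if has_ntlm_auth_type "$1/sites-enabled/$vs"; then
            echo "ok: sites-enabled/$vs defines Auth-Type ntlm_auth"
        else
            echo "MISSING: sites-enabled/$vs has no 'Auth-Type ntlm_auth { ntlm_auth }' in authenticate"
            rc=1
        fi
    done
    if users_file_sets_ntlm_auth "$1/users"; then
        echo "ok: users file sets Auth-Type := ntlm_auth"
    else
        echo "MISSING: no users entry with 'Auth-Type := ntlm_auth'"
        rc=1
    fi
    return $rc
}

if [ -n "${1:-}" ]; then check_ntlm_auth_config "$1"; fi
```

Run it as "sh check.sh /etc/freeradius" before starting "freeradius -X"; a non-zero exit names the file that still lacks the entry.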