autentication against active directory does not work

luis a luis.azunet at yahoo.es
Mon Sep 22 22:08:55 CEST 2008


thanks 
---------------------------------

radtest luis x 127.0.0.1 0 123
Sending Access-Request of id 189 to 127.0.0.1 port 1812
        User-Name = "luis"
        User-Password = "x"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=189, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)  

Does that mean that I need to configure the NAS server?
Or do I need to configure one more line in radiusd.conf?
Or does it mean that the account does not have RAS access?

Now I'm receiving this:

rad_recv: Access-Request packet from host 127.0.0.1:44072, id=189, length=72
        User-Name = "luis"
        User-Password = "\324\322pv\373m\025\215d\005|j\230Ys,\271\323\014\344\234>^\206\270\335\305S\343\347>D"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "luis", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 189 to 127.0.0.1 port 44072
Waking up in 4 seconds...
-------------------------------

--- On Fri, 19/9/08, Kevin Smith <Kevin.Smith at emp.shentel.com> wrote:
From: Kevin Smith <Kevin.Smith at emp.shentel.com>
Subject: RE: autentication against active directory does not work
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Date: Friday, 19 September 2008 8:07

Have you verified that Samba was joined to your domain successfully
using wbinfo -t?  You should see " checking the trust secret via RPC
calls succeeded"

If that is successful try:

[root at ras ~]# ntlm_auth  --username your_user --password users_password
--domain your_ad_domain --request-nt-key

Should see: NT_STATUS_OK: Success (0x0)

If the two steps above aren't successful you will need to correct those
issues first before proceeding.

In the mschap module my ntlm_auth configuration is as follows:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

Good luck.


-----Original Message-----
From: freeradius-users-bounces+kevin.smith=emp.shentel.com at lists.freeradius.org
[mailto:freeradius-users-bounces+kevin.smith=emp.shentel.com at lists.freeradius.org] On Behalf Of tnt at kalik.net
Sent: Friday, September 19, 2008 3:40 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: autentication against active directory does not work

>I have already read the documentation at
>http://deployingradius.com/documents/configuration/active_directory.html
>

Read it again.

>My FreeRADIUS debug is pasted at
>
>http://pastebin.ca/1206001
>

1. You are using an outdated version of the server which has a default
entry in the users file setting Auth-Type System if all else fails. Upgrade
or at least comment that out since you have removed "unix" from the
configuration.

2. Read the obvious WARNING in the debug and fix that.

3. You have configured AD integration (ntlm_auth) in the mschap module. And
then sent a PAP request. No wonder it's not working. Send MS-CHAP requests.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

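An added triage helper, not from this thread or from the FreeRADIUS project, that reads the three symptoms Ivan points at out of a radiusd debug excerpt: the undecryptable User-Password (shared secret mismatch), the PAP-only request that never reaches the mschap module, and the Auth-Type forced by the DEFAULT users-file entry that no loaded module implements. The sample log is a constructed, trimmed copy of the lines quoted above; the attribute set, finding codes and message wording are my own.

```python
import re

# Constructed sample: a trimmed copy of the radtest output and the radiusd -X
# debug lines quoted in this thread (FreeRADIUS 1.x format). A raw string keeps
# the octal escapes of the undecryptable User-Password exactly as printed.
SAMPLE_DEBUG = r"""
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
rad_recv: Access-Request packet from host 127.0.0.1:44072, id=189, length=72
        User-Name = "luis"
        User-Password = "\324\322pv\373m\025\215d\005|j\230Ys,\271\323\014\344\234>^\206\270\335\305S\343\347>D"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
    users: Matched entry DEFAULT at line 152
  rad_check_password:  Found Auth-Type System
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Sending Access-Reject of id 189 to 127.0.0.1 port 44072
"""

# Attributes that mark an MS-CHAP(v2) request; their absence means PAP.
MSCHAP_ATTRS = {"MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response"}


def request_attributes(text):
    """Attribute names of the Access-Request as radiusd prints them (indented 'Name = value')."""
    return set(re.findall(r"^\s+([A-Za-z0-9-]+) = ", text, re.M))


def triage(text):
    """Return (code, explanation) pairs for the misconfigurations visible in a debug excerpt."""
    findings = []
    attrs = request_attributes(text)
    if "Shared secret is incorrect" in text or "Unprintable characters in the password" in text:
        findings.append(("shared-secret",
                         "User-Password did not decrypt to printable text: the secret given to radtest/the NAS "
                         "does not match the clients.conf entry for that client"))
    if "User-Password" in attrs and not (attrs & MSCHAP_ATTRS):
        findings.append(("pap-request",
                         "Request carries User-Password only (PAP); the mschap module and its ntlm_auth hook "
                         "never run, so Active Directory is never consulted"))
    auth = re.search(r"Found Auth-Type (\S+)", text)
    entry = re.search(r"Matched entry (\S+) at line (\d+)", text)
    if auth and "Unknown value specified for Auth-Type" in text:
        where = f" (set by users entry {entry.group(1)} at line {entry.group(2)})" if entry else ""
        findings.append(("auth-type",
                         f"Auth-Type {auth.group(1)} is forced{where} but no loaded module implements it"))
    return findings
```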