FreeRADIUS and Active Directory

Tomas tomas.radius at googlemail.com
Thu Feb 19 12:33:43 CET 2009


On Thu, 2009-02-19 at 11:33 +0100, tnt at kalik.net wrote:

> I have news for you - you haven't done any of this:
> 
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_radiusd.conf
> 
> > Module: Instantiating mschap
> >  mschap {
> >	use_mppe = yes
> >	require_encryption = no
> >	require_strong = no
> *>	with_ntdomain_hack = no*
> >  }
> 
> Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:
> 
> >[mschapv2] +- entering group MS-CHAP {...}
> >[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
> 
> Server asks about the hack.
> 
> >[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
> >[mschap] FAILED: MS-CHAP2-Response is incorrect
> >++[mschap] returns reject
> 
> And it isn't using ntlm_auth.
> 
> You have an updated manual (relevant to freeradius 2.x) at:
> 
> http://deployingradius.com/documents/configuration/active_directory.html
> 
Ivan,
thanks for pointing this out. I did not understand where I needed to
configure mschap, so I had just appended the ntlm_auth and nt hack strings to
the end of radiusd.conf. I've removed that now and updated the
modules/mschap file; when radius starts I can clearly see it now picks
it up:
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }

and it works! I authenticate.

My question now is, how do I log in to AD using a new user that has never
logged on to the box before? I'm getting an error saying domain AD is
unavailable, but if I use a username that I used to log in with before 802.1x
enforcement, all is looking good...

Thanks all for your help!
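As an added illustration (not code from this thread or from FreeRADIUS), a small Python check over the "Module: Instantiating mschap" block of radiusd -X output, flagging the two problems Ivan points out: no ntlm_auth configured, and a DOMAIN\user login while with_ntdomain_hack is off. The two sample blocks are constructed inline from the ones quoted in the thread.

```python
import re

# Constructed samples: the mschap block before the fix (quoted by Ivan)
# and after the fix (from Tomas's reply).
BEFORE = """Module: Instantiating mschap
 mschap {
\tuse_mppe = yes
\trequire_encryption = no
\trequire_strong = no
\twith_ntdomain_hack = no
 }
"""

AFTER = """Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
"""

def parse_mschap(debug_output):
    """Return the key/value settings of the 'mschap { ... }' block in radiusd -X output."""
    m = re.search(r"mschap \{(.*?)\n\s*\}", debug_output, re.S)
    if not m:
        return {}
    settings = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings

def check_ad_auth(debug_output, user_name):
    """List the problems the thread identifies for a given User-Name."""
    cfg = parse_mschap(debug_output)
    problems = []
    if not cfg.get("ntlm_auth"):
        # Without ntlm_auth, mschap falls back to a local NT-Password (the "Told to do
        # MS-CHAPv2 for AD\tomas with NT-Password" line) and the AD check never happens.
        problems.append("ntlm_auth not set in modules/mschap")
    if "\\" in user_name and cfg.get("with_ntdomain_hack") != "yes":
        problems.append("NT domain delimiter in User-Name but with_ntdomain_hack != yes")
    return problems

def strip_ntdomain(user_name):
    """Assumed reading of with_ntdomain_hack: the 'DOMAIN\\' prefix is dropped from the name."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name
```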
