FreeRADIUS and Active Directory
Tomas
tomas.radius at googlemail.com
Thu Feb 19 12:33:43 CET 2009
On Thu, 2009-02-19 at 11:33 +0100, tnt at kalik.net wrote:
> I have news for you - you haven't done any of this:
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_radiusd.conf
>
> > Module: Instantiating mschap
> > mschap {
> > use_mppe = yes
> > require_encryption = no
> > require_strong = no
> *> with_ntdomain_hack = no*
> > }
>
> Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:
>
> >[mschapv2] +- entering group MS-CHAP {...}
> >[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
>
> Server asks about the hack.
>
> >[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
> >[mschap] FAILED: MS-CHAP2-Response is incorrect
> >++[mschap] returns reject
>
> And it isn't using ntlm_auth.
>
> You have an updated manual (relevant to freeradius 2.x) at:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
Ivan,
thanks for pointing this out. I did not understand where I needed to
configure mschap, so I had just appended the ntlm_auth and NT hack strings to
the end of radiusd.conf. I've removed that now and updated the
modules/mschap file; when radius starts I can clearly see it now picks
it up:
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
and it works! I authenticate.
My question now is, how do I log in to AD using a new user that has never
logged on to the box before? I'm getting an error saying domain AD
unavailable, but if I use a username that I used to log in before 802.1x
enforcement all is looking good...
Thanks all for your help!
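To make the two settings in this thread concrete (the nested default xlats in the ntlm_auth line, and why with_ntdomain_hack matters for a User-Name like AD\tomas), here is a small added example that models what the mschap module does before it runs ntlm_auth. This is illustrative code written for this page, not FreeRADIUS source: the xlat expander handles only %{Attr} and %{Attr:-default}, the argument splitting is plain whitespace (radiusd's exec handling also honours quoting), and the sample packet, the attribute dict and the assumption that Stripped-User-Name is populated by a realm module only when one is configured are all constructed for the example.

```python
import hashlib

# The ntlm_auth line from raddb/modules/mschap as posted in this thread.
NTLM_AUTH_TEMPLATE = (
    '/usr/bin/ntlm_auth --request-nt-key '
    '--username=%{Stripped-User-Name:-%{User-Name:-None}} '
    '--challenge=%{mschap:Challenge:-00} '
    '--nt-response=%{mschap:NT-Response:-00}'
)


def expand(template, attrs):
    """Expand %{Name} and %{Name:-default} against attrs (a dict).

    Defaults may nest, e.g. %{Stripped-User-Name:-%{User-Name:-None}}:
    Stripped-User-Name if set, else User-Name if set, else the literal None.
    A missing attribute with no default expands to ''.
    """
    out = []
    i = 0
    while i < len(template):
        if not template.startswith('%{', i):
            out.append(template[i])
            i += 1
            continue
        # Find the '}' that closes this %{ ... }, honouring nested %{ ... }.
        depth = 0
        j = i
        while j < len(template):
            if template.startswith('%{', j):
                depth += 1
                j += 2
                continue
            if template[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        else:
            raise ValueError('unterminated %{ in: ' + template)
        name, sep, default = template[i + 2:j].partition(':-')
        value = attrs.get(name)
        if value is None:
            value = expand(default, attrs) if sep else ''
        out.append(value)
        i = j + 1
    return ''.join(out)


def mschap2_challenge(auth_challenge, peer_challenge, user_name,
                      with_ntdomain_hack):
    """The 8-byte MS-CHAPv2 challenge that %{mschap:Challenge} expands to
    (RFC 2759 s.8.2): SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[:8].

    Windows computes this over the bare user name, so for a User-Name such as
    'AD\\tomas' the 'AD\\' prefix must be dropped (with_ntdomain_hack = yes);
    otherwise the challenge, and hence the NT-Response check, cannot match.
    """
    if '\\' in user_name and with_ntdomain_hack:
        user_name = user_name.split('\\', 1)[1]
    digest = hashlib.sha1(peer_challenge + auth_challenge +
                          user_name.encode('utf-8')).digest()
    return digest[:8]


def ntlm_auth_argv(request, with_ntdomain_hack=True):
    """Build the argv the mschap module would hand to ntlm_auth for one
    MS-CHAPv2 request. `request` maps attribute names to values: User-Name
    (str), optional Stripped-User-Name (str, assumed to come from a realm
    module), MS-CHAP-Challenge (16 bytes) and MS-CHAP2-Response (50 bytes:
    ident, flags, 16-byte peer challenge, 8 reserved bytes, 24-byte
    NT-Response). Arguments are split on whitespace, so user names containing
    spaces are not handled here."""
    resp = request['MS-CHAP2-Response']
    if len(resp) != 50:
        raise ValueError('MS-CHAP2-Response must be 50 bytes')
    peer_challenge = resp[2:18]
    nt_response = resp[26:50]
    attrs = {k: v for k, v in request.items() if isinstance(v, str)}
    attrs['mschap:Challenge'] = mschap2_challenge(
        request['MS-CHAP-Challenge'], peer_challenge,
        request['User-Name'], with_ntdomain_hack).hex().upper()
    attrs['mschap:NT-Response'] = nt_response.hex().upper()
    return expand(NTLM_AUTH_TEMPLATE, attrs).split()


if __name__ == '__main__':
    # Constructed sample request; not a real capture.
    peer = bytes(range(16, 32))
    sample = {
        'User-Name': 'AD\\tomas',
        'MS-CHAP-Challenge': bytes(range(16)),
        'MS-CHAP2-Response': b'\x01\x00' + peer + b'\x00' * 8 + b'\xaa' * 24,
    }
    print(' '.join(ntlm_auth_argv(sample)))
```

Note that with no realm module setting Stripped-User-Name, --username still receives the full AD\tomas; the hack only changes which name goes into the challenge hash. Run the block with with_ntdomain_hack=False on the same sample and the --challenge value changes, which is the mismatch behind the "MS-CHAP2-Response is incorrect" reject quoted above.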