need help authenticating against AD

Michael Phillips mdphilip at hotmail.com
Fri Nov 20 17:23:21 CET 2009


I followed the directions in that link prior to emailing the group. For some reason, it still isn't working as expected.

If I put this line at the top of the users file, VPN users and Cisco exec users are able to authenticate with their AD account. 

DEFAULT     Auth-Type = ntlm_auth

This is the debug output from a successful auth:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=33, length=86
        User-Name = "mphillips"
        User-Password = "xxxx"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "w.x.y.z"
        NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = ntlm_auth
+- entering group ntlm_auth {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=mphillips
[ntlm_auth]     expand: --password=%{User-Password} -> --password=xxxx
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [mphillips] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to w.x.y.z port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 33 with timestamp +16
Ready to process requests.


Technically, this is all I need; this seems like a hacked way of doing things, though, and I want to understand the operations of the server better. I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default, and I also removed the DEFAULT line from the top of the users file. Now I get this debug output:


rad_recv: Access-Request packet from host w.x.y.z port 1645, id=34, length=86
        User-Name = "mphillips"
        User-Password = "xxxx"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "w.x.y.z"
        NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [mphillips/xxxx] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mphillips
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 34 to 10.200.1.4 port 1645
Waking up in 4.6 seconds.
Cleaning up request 0 ID 34 with timestamp +12
Ready to process requests.

Thanks for any assistance.

-Mike

> Date: Thu, 19 Nov 2009 22:30:50 +0000
> Subject: Re: need help authenticating against AD
> From: tnt at kalik.net
> To: freeradius-users at lists.freeradius.org
> 
> > I need some help authenticating against AD. I have followed directions
> > online as best as I can, but things still aren't working as expected.
> 
> These:
> 
> http://deployingradius.com/documents/configuration/active_directory.html
> 
> > I'm
> > ultimately hoping to have our VPN users and admins logging into Cisco
> > network equipment authenticate against AD through our FreeRADIUS 2
> > installation. Today, I have been testing authentication from one of Cisco
> > switches, and I continually receive this basic output:
> 
> You are not authenticating against AD. You are authenticating against
> local system file:
> ...
> > Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
> ...
> > Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx"
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
> 
> ... and the password isn't correct.
> 
> > I can't tell from this output if the RADIUS server is ever even attempting
> > to reach AD.
> 
> It isn't.
> 
> > Obviously, if I enter the correct password for my username on
> > the RADIUS server itself, authentication will succeed, but this is not the
> > desired behavior at this time.
> 
> Comment out unix in authorize then. If you follow the guide this will work
> with Auth-Type := ntlm_auth in users file.
> 
> Ivan Kalik
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
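The two debug traces above differ only in whether something set Auth-Type before the authorize section finished: the users-file DEFAULT entry did in the first run, nothing did in the second, so radiusd rejected the request before ever calling ntlm_auth. The fragment below is an added example (not from the poster, the list reply, or the linked guide verbatim) of a FreeRADIUS 2 configuration that sets Auth-Type from unlang in the server section instead of from a catch-all users entry. The ntlm_auth path, the domain name MYDOMAIN and the raddb file names are assumptions; the program line follows the form the debug output shows expanding (--username=%{mschap:User-Name} --password=%{User-Password}).

```text
# raddb/modules/ntlm_auth   (assumed file name; FreeRADIUS 2 raddb layout)
# Runs Samba's ntlm_auth helper on the host that winbind has joined to AD.
# The "mschap:" xlat strips a DOMAIN\ prefix from User-Name before it is
# handed to the helper, which is why the debug output shows
# "--username=%{mschap:User-Name}".  wait = yes makes the helper's exit
# code decide the result, as the "Exec-Program: returned: 0" line shows.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        files
        expiration
        logintime

        # Replaces "DEFAULT  Auth-Type := ntlm_auth" at the top of the users
        # file.  Only requests that carry a clear-text password and that no
        # earlier module has already claimed (eap sets Auth-Type for EAP)
        # are sent to AD; everything else keeps its normal path.
        if (User-Password && !control:Auth-Type) {
                update control {
                        Auth-Type := ntlm_auth
                }
        }

        # unix and pap are deliberately not listed here: with unix present,
        # a matching /etc/passwd entry adds Crypt-Password, pap then sets
        # Auth-Type = PAP, and the request is checked locally, never against
        # AD (the "[pap] Using CRYPT encryption" trace quoted below).
}

authenticate {
        # The Auth-Type chosen in authorize selects this sub-section by name.
        Auth-Type ntlm_auth {
                ntlm_auth
        }
        eap
}
```

Before touching radiusd, run the helper by hand as the user radiusd runs as, e.g. ntlm_auth --request-nt-key --domain=MYDOMAIN --username=mphillips --password='...' ; it should print NT_STATUS_OK: Success (0x0), the same string the successful trace above records. Two caveats a practitioner should keep in mind: the password travels to the helper on its command line and is printed in clear text by radiusd -X (see "--password=xxxx" and "Login incorrect: [mphillips/xxxx]" above), so debug logs from a live server must be treated as credential material; and --request-nt-key needs access to winbind's privileged socket, which is the usual cause of the helper working for root but failing under the radiusd account.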