need help authenticating against AD

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Nov 20 17:41:52 CET 2009


You broke the server and authentication fails - not a surprise. If the server cannot discover the source/type of auth, then you need to give it a hint; the users file will feed that hint. I think you don't need the unix module.

--- original message ---
From: "Michael Phillips" <mdphilip at hotmail.com>
Subject: RE: need help authenticating against AD
Date: 20th November 2009
Time: 4:25:56



I followed the directions in that link prior to emailing the group. For some reason, it still isn't working as expected.

If I put this line at the top of the users file, VPN users and Cisco exec users are able to authenticate with their AD account.

DEFAULT     Auth-Type = ntlm_auth

This is the debug output from a successful auth:

rad_recv: Access-Request packet from host w.x.y.z port 1645, id=33, length=86
        User-Name = "mphillips"
        User-Password = "xxxx"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "w.x.y.z"
        NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = ntlm_auth
+- entering group ntlm_auth {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=mphillips
[ntlm_auth]     expand: --password=%{User-Password} -> --password=xxxx
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [mphillips] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to w.x.y.z port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 33 with timestamp +16
Ready to process requests.


Technically, this is all I need; this seems like a hacked way of doing things, though and I want to understand the operations of the server better. I commented out the pap and unix modules in ../sites-enabled/inner-tunnel and default and I also removed the DEFAULT line from the top of the users file. Now I get this debug output:


rad_recv: Access-Request packet from host w.x.y.z port 1645, id=34, length=86
        User-Name = "mphillips"
        User-Password = "xxxx"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "w.x.y.z"
        NAS-IP-Address = w.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "mphillips", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [mphillips/xxxx] (from client Access-Layer-Switch1 port 1 cli w.x.y.z)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mphillips
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 34 to 10.200.1.4 port 1645
Waking up in 4.6 seconds.
Cleaning up request 0 ID 34 with timestamp +12
Ready to process requests.

Thanks for any assistance.

-Mike

> Date: Thu, 19 Nov 2009 22:30:50 +0000
> Subject: Re: need help authenticating against AD
> From: tnt at kalik.net
> To: freeradius-users at lists.freeradius.org
>
> > I need some help authenticating against AD. I have followed directions
> > online as best as I can, but things still aren't working as expected.
>
> These:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> > I'm
> > ultimately hoping to have our VPN users and admins logging into Cisco
> > network equipment authenticate against AD through our FreeRADIUS 2
> > installation. Today, I have been testing authentication from one of Cisco
> > switches, and I continually receive this basic output:
>
> You are not authenticating against AD. You are authenticating against
> local system file:
> ...
> > Thu Nov 19 16:17:34 2009 : Info: ++[unix] returns updated
> ...
> > Thu Nov 19 16:17:34 2009 : Info: [pap] login attempt with password "xxxx"
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Using CRYPT encryption.
> > Thu Nov 19 16:17:34 2009 : Info: [pap] Passwords don't match
>
> ... and the password isn't correct.
>
> > I can't tell from this output if the RADIUS server is ever even attempting
> > to reach AD.
>
> It isn't.
>
> > Obviously, if I enter the correct password for my username on
> > the RADIUS server itself, authentication will succeed, but this is not the
> > desired behavior at this time.
>
> Comment out unix in authorize then. If you follow the guide this will work
> with Auth-Type := ntlm_auth in users file.
>
> Ivan Kalik
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


