Exec and ntlm_auth
freeradius at corwyn.net
Wed Nov 25 22:50:07 CET 2009
At 10:45 AM 11/25/2009, Alan DeKok wrote:
> What part of the instructions is not working for you?
Well, for me at least, I have authentication working.
radtest account password localhost 0 m3H1hc4Z1OtpNC2ZLX3A
works fine.
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=164, length=20
However, when I try the same thing from the Cisco client, I get
Authorization failed
back from the Cisco. Better, because I originally got back
Authentication Failed, so I figure I'm one step farther.
If I disable Authorization on the Cisco, or change it back over to my
old TACACS+ server, I can log in successfully, so my problem
is somewhere in the authorization process, which isn't really (to
me) in that document.
Yet the results from the log show freeradius sending back
Sending Access-Accept of id 121 to 10.100.0.8 port 1812
rad_recv: Access-Request packet from host 10.100.0.8 port 1812, id=121, length=79
NAS-IP-Address = 10.100.0.8
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "username"
Calling-Station-Id = "10.20.31.17"
User-Password = "password"
server server_cisco {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "username", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=username
[ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsteeves] (from client Cisco port 1 cli 10.20.31.17)
+- entering group post-auth {...}
++[exec] returns noop
} # server server_cisco
Sending Access-Accept of id 121 to 10.100.0.8 port 1812
Rick