Exec and ntlm_auth

tnt at kalik.net
Wed Nov 25 23:12:50 CET 2009


> At 10:45 AM 11/25/2009, Alan DeKok wrote:
>>   What part of the instructions is not working for you?
>
> well for me at least, I have authentication working.
> radtest account password localhost 0 m3H1hc4Z1OtpNC2ZLX3A
> works fine.
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=164,
> length=20
>
> However, when I try the same thing from the Cisco client, I get
> Authorization failed
> back from the cisco.  Better, because I originally got back
> Authentication Failed, so I figure I'm one step farther.
>
> If I disable Authorization on the Cisco, or change it back over to my
> old tacacs+ server, I can log in successfully, so my problem
> is  somewhere in the authorization process, which isn't really (to
> me) in that document.

It isn't. Because you couldn't possibly include all the authorization
scenarios for all possible NAS devices. Authorization is NAS and service
specific and you should read NAS documentation in order to find out how
that should work.

> Yet the results from the log show freeradius sending back
> Sending Access-Accept of id 121 to 10.100.0.8 port 1812
>
> Sending Access-Accept of id 121 to 10.100.0.8 port 1812

Which is empty. You most likely need to include at least Service-Type.
That looked like a telnet request so most likely NAS-Prompt-User. You have a
Cisco document on the wiki with some examples:

http://wiki.freeradius.org/Cisco#Shell_Access

Ivan Kalik
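
The radtest reply quoted above has length=20, which is exactly the RADIUS header with no reply attributes. As an added example (not part of the original post), this Python code parses a RADIUS reply per RFC 2865 and reports whether Service-Type is present; the sample packets are constructed, with a zeroed placeholder authenticator.

```python
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
SERVICE_TYPE = 6    # RFC 2865 attribute type
HEADER_LEN = 20     # code(1) + id(1) + length(2) + authenticator(16)
# Value names as used in the FreeRADIUS dictionary
SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: [raw_value, ...]} for one RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the data")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def check_accept(packet: bytes) -> str:
    """Describe what authorization data an Access-Accept carries."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        return "not an Access-Accept"
    if not attrs:
        return "empty Access-Accept: no reply attributes"
    values = attrs.get(SERVICE_TYPE)
    if not values or len(values[0]) != 4:
        return "Access-Accept without a valid Service-Type"
    value = struct.unpack("!I", values[0])[0]
    return "Service-Type = " + SERVICE_TYPE_NAMES.get(value, str(value))


def build_accept(ident: int, attrs: bytes = b"") -> bytes:
    """Constructed sample packet; the zeroed authenticator is a placeholder."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs


EMPTY = build_accept(164)                                     # length=20, as in the radtest reply
WITH_PROMPT = build_accept(121, struct.pack("!BBI", SERVICE_TYPE, 6, 7))
```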
