PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.

Gary Gatten Ggatten at waddell.com
Thu Oct 15 17:47:46 CEST 2009


Working, uses DEFAULT Auth-Type = ntlm_auth in users file:

rad_recv: Access-Request packet from host 10.1.x.y port 1645, id=217, length=85
        User-Name = "myname"
        User-Password = "myt0p$3cr3tP@$$W0rd"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.x.y"
        NAS-IP-Address = 10.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{User-Name} -> --username=myname
[ntlm_auth] expand: --password=%{Password} -> --password=myt0p$3cr3tP@$$W0rd
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [myname] (from client Ci$coSwitch port 1 cli 192.168.x.y)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 217 to 10.x.y.z port 1645
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.
NOT WORKING:

rad_recv: Access-Request packet from host 10.x.y.z port 1645, id=218, length=85
        User-Name = "myname"
        User-Password = "myt0p$3cr3tP@$$W0rd"
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.x.y"
        NAS-IP-Address = 10.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "myt0p$3cr3tP@$$W0rd"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
### I have a local unix account with a pw different from my AD password ###
### If I use the local PW it auths me correctly ###
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [myname] (from client Ci$coSwitch port 1 cli 192.168.x.y)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> myname
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 38 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 38
Sending Access-Reject of id 218 to 10.x.y.z port 1645
Waking up in 4.9 seconds.
Cleaning up request 38 ID 218 with timestamp +3237
Ready to process requests.
-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Thursday, October 15, 2009 10:30 AM
To: FreeRadius users mailing list
Subject: Re: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.

> I've been jacking around trying to fix this for several hours - but no
> go.  I've RTFM several times, and read several docs such as:
>
> http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28ntlm_auth%29_with_accounts_stored_elsewhere
>
> When I say "fix" - it's always been "broken" - it's never worked without
> the DEFAULT entry in users.  Most all my accounts are in AD so the
> DEFAULT works for me, but I'm using this issue as a learning
> opportunity, but instead it's just a frustration opportunity.
>
> I'll post all my confs (2.1.6) and -X output if needed, but just looking
> for some hints to help determine why when the process fails through to
> PAP, it won't use ntlm_auth - it will only use "files"

Post the debug.

Ivan Kalik
Kalik Informatika ISP

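Added diagnostic, not code from the post or from the FreeRADIUS project: a short Python script that reads radiusd -X output like the two traces above and reports which module settled Auth-Type and whether rlm_pap ended up checking the local crypt hash that rlm_unix supplied (the "Using CRYPT encryption" path in the failing trace). The embedded traces are abridged copies constructed from the post.

```python
import re

# Abridged copies of the two radiusd -X traces from the post (constructed sample input).
WORKING = """\
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = ntlm_auth
++[ntlm_auth] returns ok
Sending Access-Accept of id 217 to 10.x.y.z port 1645
"""
BROKEN = """\
++[unix] returns updated
++[files] returns noop
++[pap] returns updated
Found Auth-Type = PAP
[pap] Using CRYPT encryption.
++[pap] returns reject
Sending Access-Reject of id 218 to 10.x.y.z port 1645
"""

RC_RE = re.compile(r"^\+\+\[(\S+)\] returns (\w+)$")
AUTH_RE = re.compile(r"^Found Auth-Type = (\S+)$")
FILES_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)$")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id")

def analyse(trace):
    # Which module settled Auth-Type, and did rlm_pap end up checking the local crypt hash?
    rcs, auth_type, files_match, outcome, crypt = {}, None, None, None, False
    for line in trace.splitlines():
        if auth_type is None and (m := RC_RE.match(line)):
            rcs[m.group(1)] = m.group(2)  # return codes from the authorize section only
        elif m := AUTH_RE.match(line):
            auth_type = m.group(1)
        elif m := FILES_RE.match(line):
            files_match = f"{m.group(1)} at line {m.group(2)}"
        elif m := SEND_RE.match(line):
            outcome = m.group(1)
        elif line == "[pap] Using CRYPT encryption.":
            crypt = True
    # files set Auth-Type when it matched an entry; rlm_pap 'updated' means it found none and set PAP.
    set_by = (f"files ({files_match})" if files_match and rcs.get("files") == "ok"
              else "pap" if rcs.get("pap") == "updated" else "unknown")
    return {"auth_type": auth_type, "set_by": set_by, "outcome": outcome,
            # rlm_unix 'updated' means it supplied a Crypt-Password, which rlm_pap then compared against
            "crypt_fallback": crypt and rcs.get("unix") == "updated"}
```

Call `analyse()` on a full -X capture; the failing case reports `set_by: pap` with `crypt_fallback: True`, i.e. nothing in authorize set Auth-Type before rlm_pap claimed the request.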