FR/AD integration
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Sat Feb 19 09:39:37 CET 2011
Hi,
> Trying to use FR to query AD as an authentication oracle and set up per
> the docs at
> http://deployingradius.com/documents/configuration/active_directory.html
> and several others pertaining to setting up Kerberos and winbind.
Read the output: it's clearly failing on the ntlm_auth line, which is
being called without any available username. You have configured it to use
--username=%{mschap:User-Name}, which is all well and good, but radtest
is a plain PAP method so no mschap is present. If you want to use ntlm_auth in all
kinds of weather, then you need to follow the docs and guides to ensure that username
is fed a username if given any other form of 'feed'. OR, if you really know
that it's only ever going to get MSCHAP requests, then use a suitable tool to
feed it such tests: eapol_test from the wpa_supplicant package, or the rad_eap_test
stuff which is supplied with newer versions of FreeRADIUS (best to use 2.1.10 if
you have a new install anyway).
here:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{Stripped-User-Name}:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
That sort of construct would ensure that if mschap:User-Name has no value, then it'll fall back
to Stripped-User-Name.... and then back to User-Name before just being blank.
> DEFAULT Auth-Type = ntlm_auth
Don't do that - you really don't need to do that.
alan
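Added example, not part of Alan's reply or of FreeRADIUS itself: a small model of the `%{ref:-default}` xlat fallback the ntlm_auth line above relies on, run against a constructed radtest-style PAP request. It assumes, as the reply states, that `%{mschap:User-Name}` expands to empty when the request carries no MS-CHAP attributes, and it models attributes as a flat dict of already-expanded values.

```python
# Added example, not from the post or FreeRADIUS: a model of the %{ref:-default}
# xlat fallback that the ntlm_auth line above relies on. Assumption: %{mschap:User-Name}
# expands to "" when a request carries no MS-CHAP attributes (the radtest/PAP case).

def _match_brace(s, start):  # s[start] == "{"; return index of matching "}"
    depth = 0
    for k in range(start, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in xlat: " + s)

def _split_default(inner):  # split "ref:-default" at the first top-level ":-"
    depth = 0
    for k in range(len(inner) - 1):
        if inner[k] == "{":
            depth += 1
        elif inner[k] == "}":
            depth -= 1
        elif depth == 0 and inner[k:k + 2] == ":-":
            return inner[:k], inner[k + 2:]
    return inner, None

def expand(template, attrs):
    """Expand every %{...}; a ref may itself be an xlat, as in %{%{a}:-%{b}}."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _match_brace(template, i + 1)
            ref, default = _split_default(template[i + 2:j])
            value = expand(ref, attrs) if ref.startswith("%{") else attrs.get(ref, "")
            if value == "" and default is not None:
                value = expand(default, attrs)  # fall back; the default may nest further
            out.append(value)
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# Stock 2.x ntlm_auth line (username from mschap only) and the fallback line from the post.
STOCK = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name}"
         " --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}")
FALLBACK = ("/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-"
            "%{%{Stripped-User-Name}:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00}"
            " --nt-response=%{mschap:NT-Response:-00}")
PAP_REQUEST = {"User-Name": "bob"}  # constructed radtest request: no MS-CHAP attributes
```

With the stock line the PAP request yields an empty `--username=` argument, which is the failure the debug output shows; the fallback line yields `--username=bob`.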
More information about the Freeradius-Users mailing list