PAP problem?
Phil Mayers
p.mayers at imperial.ac.uk
Thu Mar 3 13:06:04 CET 2011
On 03/03/11 11:52, Matt Langthorpe wrote:
> Hi list,
>
> I'm pretty sure this issue is straightforward but I've searched the
> list and can't come up with an answer.
>
> I'm using freeradius 2.19 on CentOS 5.5
>
> I'm trying to auth users from a NAC box (Bradford campus manager)
> against an AD domain using freeradius.
>
> All works fine when I point an AP at freeradius, but things fail
> when using our NAC to forward requests to FreeRadius. I suspect
> the problem is that the NAC is trying to use PAP, but I'm not sure how
> to really resolve the problem.
PAP requires a password or password hash from a database/ldap, or an
external "oracle" (script or service) that checks the password.
Your LDAP isn't telling FreeRadius the password:
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
...so when the "pap" module runs:
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
If you're using AD, the LDAP server will not (cannot) give you a
password or password hash. You'll therefore need to use Samba & the
"ntlm_auth" helper binary (in "plaintext" mode, not MSCHAP) to do this.
In recent versions of FreeRadius there is a file defining an "exec" module:
/etc/raddb/modules/ntlm_auth
...edit the "MYDOMAIN" in that file to the correct value, and you can
use it like this:
authorize {
    ...
    # everything else, then right at the end
    update control {
        # If Auth-Type isn't already set (i.e. "=" versus ":=") set it
        Auth-Type = ntlm_auth
    }
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}
Obviously Samba & Winbind will need to be configured, installed and the
radius server joined to the domain.
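Putting the pieces above together in one place, as an added example that is not part of Phil's post and not the FreeRADIUS project's own configuration: the "exec" module definition follows the shape of the stock modules/ntlm_auth file, and the site fragment shows where the Auth-Type fallback sits relative to ldap and pap. The binary path /usr/bin/ntlm_auth, the domain name MYDOMAIN and the guard on User-Password are assumptions; replace the first two with the output of "which ntlm_auth" and the short (NetBIOS) name of the AD domain.

```conf
# /etc/raddb/modules/ntlm_auth
# "exec" module that hands the cleartext User-Password to Samba's ntlm_auth
# helper in plaintext mode (--request-nt-key). The helper's exit status is
# the verdict; "wait = yes" is what makes FreeRADIUS wait for and check it.
# Path and MYDOMAIN below are assumptions for this example.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# /etc/raddb/sites-enabled/default (only the relevant parts shown)
authorize {
    preprocess
    # ... other authorize modules (suffix, eap, mschap, etc.) go here ...
    ldap
    pap
    # Last step: if nothing earlier chose an Auth-Type (pap only does so when
    # a "known good" password came back from LDAP, which AD never provides)
    # and the request actually carries a cleartext password, route it to
    # ntlm_auth. "=" sets the attribute only when it is still unset, so the
    # AP's MS-CHAP/EAP requests keep the Auth-Type those modules already chose.
    if (User-Password) {
        update control {
            Auth-Type = ntlm_auth
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}
```

Before touching the radius config, prove the helper works as the radiusd user, e.g. "ntlm_auth --request-nt-key --domain=MYDOMAIN --username=alice --password='...'; echo $?" (alice is a placeholder); a working domain join and running winbind answer "NT_STATUS_OK: Success (0x0)" with exit status 0, and "wbinfo -t" confirms the machine trust. Two things commonly bite here: the radiusd user needs read access to winbindd's privileged pipe directory (location varies by Samba build; the usual fix is adding radiusd to the group that owns it), and in this mode the cleartext password passes on the helper's command line and shows up in "radiusd -X" debug output, so keep debug runs off shared or logged terminals.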