Problem with MSCHAP and Freeradius authentication

Dhiraj Gaur dhiraj.gaur at gmail.com
Sat Jan 21 17:14:57 CET 2012


Hi Fajar,
I did read the replies as well as Alan's page. Being a newbie to FR, I
actually started with that only.

On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha <list at fajar.net> wrote:

> Did you REALLY read the replies sent to this list?
> Did you REALLY read Alan's page,
> http://deployingradius.com/documents/configuration/active_directory.html
> to the end?
>
>
The version of radtest on my system doesn't support the -t option, hence
even after doing radtest -h I could not find anything. I settled for
jradius client to achieve the same effect already. Have tried upgrading the
package but it's already in the latest version.


> If yes, you'd know that:
> - radtest can send mschap request as well (see 'radtest -h')
>

The only changes I have done to default config are in the inner tunnel or
default file. Attaching the same if you may have a look. I have never
blamed Alan that his recipe is flawed.


> - Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
> contains detailed instructions on how to make FR work with AD and pap.
> If you can't get it to work, that means you're doing something wrong.
> Probably editing some entries you shouldn't, since your ntlm_auth
> result is OK (which means samba + AD part is working correctly). It's
> perfectly fine to be creative and edit the config file as you see fit,
> but ONLY if you know what you're doing. If you're given a recipe, and
> choose to stray from it, and messed up, don't blame the guy who
> created the recipe.
>

The PAP thing is already working fine as I mentioned earlier and have
followed every bit of Alan's guide. Would redo the things again if it works.


> - Also on Alan's page, there's the section 'Configuring FreeRADIUS to
> use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
> your question, but ONLY if you already got pap working properly.
>


Attaching the inner tunnel and default file, please go through the same and
point out if something is amiss.

Default File
------------------------------------------------------------------------------
authorize {
    preprocess

#    auth_log
    chap
    mschap
#    digest
#    wimax
#    IPASS
    suffix
#    ntdomain
    eap {
        ok = return
    }
#    unix
#    files
#    sql
    ntlm_auth
#    etc_smbpasswd
#    ldap
#    checkval
    expiration
    logintime
    pap
    #if(!control:Auth-Type) {
        #update control {
        #    Auth-Type = "ntlm_auth"
        #}
    #}
#    Autz-Type Status-Server {
#
#    }
}

authenticate {
    Auth-Type NTLM_AUTH {
        ntlm_auth
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
#    digest

#    pam
#    unix
#    Auth-Type LDAP {
#        ldap
#    }
    eap
#    Auth-Type eap {
#        eap {
#            handled = 1
#        }
#        if (handled && (Response-Packet-Type == Access-Challenge)) {
#            attr_filter.access_challenge.post-auth
#            handled  # override the "updated" code from attr_filter
#        }
#    }
}

INNER TUNNEL FILE
--------------------------------------------------
server inner-tunnel {

#listen {
#       ipaddr = 127.0.0.1
#       port = 18120
#       type = auth
#}

authorize {
    chap
    mschap
#    unix
#    IPASS
    suffix
#    ntdomain
    update control {
           Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    #sql
    ntlm_auth
#    etc_smbpasswd
#    ldap
#    daily
#    checkval
    expiration
    logintime
    pap
}


authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
#    pam
    ntlm_auth
#    unix
#    Auth-Type LDAP {
#        ldap
#    }
    eap
}



-- 
Regards

Dhiraj Gaur