ntlm and mysql
Paolo Barbato
paolo.barbato at igi.cnr.it
Fri May 11 12:40:07 CEST 2012
On a test deployment I have both mysql and ntlm (AD) configured.
If I use EAP there is no problem authenticating users on both backends.
But, in the process of using a Cisco WLC captive portal, I've verified that only sql works.
If I add DEFAULT Auth-Type = ntlm_auth in users, then AD users are also authenticated, but not mysql ones.
radiusd -X reports in this case:
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = ntlm_auth
Instead, in the absence of DEFAULT Auth-Type = ntlm_auth in users, it logs:
====
rad_recv: Access-Request packet from host 150.178.3.53 port 55249, id=114, length=77
User-Name = "barbato"
User-Password = "xxxxxxxxxxx"
NAS-IP-Address = 150.178.33.105
NAS-Port = 1
Message-Authenticator = 0x122864a655b86ac6d24c76e360fac328
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "barbato", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "barbato"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> barbato
[sql] sql_set_user escaped user --> 'barbato'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'barbato' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'barbato' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User barbato not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [barbato] (from client rfxnet1 port 1)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> barbato
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
===
radtest behaves the same.
So it seems I'm missing something somewhere... any suggestion from the list?
Regards,
Paolo.
------------------------------------------------------------------------------------------------
Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
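One way to send only the users that SQL does not know to ntlm_auth, while SQL users keep the normal PAP path, as an added example that is not part of this message or of the FreeRADIUS stock configuration. It assumes FreeRADIUS 2.x unlang, the sites-enabled/default file shown in the debug output, an exec module named ntlm_auth in raddb/modules/ntlm_auth, and placeholder values for the ntlm_auth binary path and the AD domain.

```unlang
# Added example (not from the original message): set Auth-Type per request
# instead of a global "DEFAULT Auth-Type = ntlm_auth" entry in users.

# raddb/modules/ntlm_auth -- binary path and domain are placeholders
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default
authorize {
	preprocess
	chap
	mschap
	suffix
	eap {
		ok = return
	}
	files
	sql
	# sql returns "ok" when the user has radcheck/radusergroup rows and
	# "notfound" otherwise. Only unknown users are handed to AD; users
	# found in SQL keep their Cleartext-Password, so pap below sets
	# Auth-Type = PAP for them and the two backends no longer collide.
	if (notfound) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type ntlm_auth {
		ntlm_auth
	}
	eap
}
```

With this in place the DEFAULT Auth-Type = ntlm_auth line in users must be removed, otherwise it still forces every request, SQL users included, onto ntlm_auth (the "Auth-Type already set" warning above).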