ntlm_auth not respected

Phil Mayers p.mayers at imperial.ac.uk
Wed Aug 21 09:25:47 CEST 2013


On 08/21/2013 05:11 AM, Chris Parker wrote:
>
> Log output:
> rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
> 	User-Name = "wyse1"
> 	User-Password = "K503D"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=wyse1
> [ntlm_auth] 	expand: --password=%{User-Password} -> --password=K503D
> Exec-Program output: NT_STATUS_OK: Success (0x0)
> Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
> Exec-Program: returned: 0
> ++[ntlm_auth] returns ok

You're running ntlm_auth in the "authorize" section, and then:

> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

...nothing in the "authenticate" section.

You either want:

authorize {
   ...
   ntlm_auth
   if (ok) {
     update control {
       Auth-Type := Accept
     }
   }
   ...
}

...or:

authorize {
   ...
   # don't run ntlm_auth here, and right at the bottom
   if (User-Password) {
     # PAP request, tell ntlm_auth to run in authenticate
     update control {
       Auth-Type = ntlm_auth
     }
   }
}
authenticate {
   Auth-Type ntlm_auth {
     ntlm_auth
   }
}

HOWEVER - you should note that the (EXTREMELY unfortunately named) 
"ntlm_auth" module instance is usually not what you want for wireless. 
Wireless is typically 802.1X with PEAP/MSCHAP, which will entail setting 
up the "ntlm_auth" configuration *item* of the mschap module.

Read the extensive docs, wiki, and walkthrough on deployingradius.com 
for more info.

> Failed to authenticate the user.
> Login incorrect: [wyse1/K503D] (from client localhost port 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
>   attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 114 to 127.0.0.1 port 35826
> Waking up in 4.9 seconds.
> Cleaning up request 7 ID 114 with timestamp +843
> Ready to process requests.

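The two things Phil distinguishes above (the "ntlm_auth" exec module instance, which only works for PAP, and the "ntlm_auth" configuration item of the mschap module, which is what PEAP/EAP-MSCHAPv2 needs) side by side, as an added example that is not part of the original thread and not FreeRADIUS's shipped configuration. File paths, the domain name "EXAMPLE" and the module/server layout are assumptions for illustration; the ntlm_auth command lines follow the shapes used in the 2.x raddb/modules/ntlm_auth and raddb/modules/mschap files.

```unlang
#  Added example (not from the list post, not FreeRADIUS's shipped config).
#  Paths, the domain "EXAMPLE" and the section layout are assumptions.

#  --- raddb/modules/ntlm_auth: the *module instance* called "ntlm_auth" ---
#  This is the "exec" wrapper the original poster is running.  It only makes
#  sense for PAP (a cleartext User-Password).  The password goes on the
#  ntlm_auth command line, so it is briefly visible to local users in "ps":
#  keep shell access to the RADIUS host restricted.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

#  --- raddb/modules/mschap: the "ntlm_auth" *configuration item* ---
#  This is what an 802.1X wireless (PEAP/EAP-MSCHAPv2) deployment needs: the
#  mschap module hands the challenge/response pair to winbind and receives
#  the NT key back, so no cleartext password is ever needed or exposed.
#  (Samba 4.5 and later ntlm_auth also needs --allow-mschapv2 on this line.)
mschap {
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

#  --- raddb/sites-enabled/default (the outer server) ---
server default {
	authorize {
		preprocess
		mschap          # sets Auth-Type := MS-CHAP when MS-CHAP attrs are present
		suffix
		eap             # sets Auth-Type := EAP when an EAP-Message is present
		files
		#  Only meaningful for a plain PAP request: route it to the exec
		#  module.  "=" (not ":=") leaves any Auth-Type already chosen
		#  above, e.g. EAP, untouched.
		if (User-Password) {
			update control {
				Auth-Type = ntlm_auth
			}
		}
	}

	authenticate {
		#  The authenticate section is what actually decides the request.
		#  Calling ntlm_auth only from authorize produces exactly the
		#  "No authenticate method (Auth-Type) found" reject in the log.
		Auth-Type ntlm_auth {
			ntlm_auth
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}

#  --- raddb/sites-enabled/inner-tunnel (inside PEAP) ---
server inner-tunnel {
	authorize {
		mschap
		suffix
		eap
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap      # uses the ntlm_auth config item above
		}
		eap             # EAP-MSCHAPv2 inside the tunnel ends up calling mschap
	}
}
```

With this layout a debug run ("radiusd -X") for a PAP test shows ntlm_auth being invoked under "Executing group from ... Auth-Type ntlm_auth", while a PEAP client never touches the exec module at all: the inner-tunnel mschap module does the work through its ntlm_auth item.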