Freeradius Active Directory Authentication using ntlm_auth
Shyju Kanaprath
shyjuk at live.com
Sat Nov 15 15:07:48 CET 2014
Hi All,
I'm trying to configure Freeradius Active Directory Authentication using ntlm_auth. When I run it from the shell, I get a positive response.
ntlm_auth --username shyju --password
Password:
NT_STATUS_OK: Success (0x0)
But when I test with radtest, authentication does not work. Please find the logs below.
Client-Side
radtest shyju password localhost 0 testing123
Sending Access-Request of id 125 to 127.0.0.1 port 1812
    User-Name = "shyju"
    User-Password = "password"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=125, length=20
Server-Side
rad_recv: Access-Request packet from host 127.0.0.1 port 60581, id=253, length=131
    User-Name = "shyju"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x0156cd3b06a063bf8c9dee41dca40c37
    MS-CHAP-Challenge = 0x3b41e041947f5126
    MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003d43a50a42ac1c73b4beeab62bfba628013e7764d8651047
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "shyju", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> shyju
[mschap] expand: %{%{User-Name}:-None} -> shyju
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=shyju
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL} -> --domain=DOMAIN.LOCAL
[mschap] mschap1: 3b
[mschap] expand: %{mschap:Challenge} -> 3b41e041947f5126
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=3b41e041947f5126
[mschap] expand: %{mschap:NT-Response} -> 3d43a50a42ac1c73b4beeab62bfba628013e7764d8651047
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3d43a50a42ac1c73b4beeab62bfba628013e7764d8651047
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> shyju
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 253 to 127.0.0.1 port 60581
    MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 2 ID 253 with timestamp +73
Ready to process requests.
_______
Regards,
Shyju
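
Added example, not part of the original post: a Python triage of the mschap/ntlm_auth lines in the debug output above, separating a reject caused by the helper failing to reach winbindd from a reject caused by a wrong password, since both reach the client as the same MS-CHAP-Error. The function name `triage`, the verdict labels, and the "Logon failure" helper output in the contrast sample are assumptions; the log lines are constructed in the format quoted in the post.

```python
import re

# Constructed sample, in the format of the server-side debug output quoted above.
POST_LOG = """\
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=shyju
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL} -> --domain=DOMAIN.LOCAL
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
"""
# Constructed contrast case: helper output assumed for a genuinely wrong password.
BAD_PW_LOG = POST_LOG.replace("Reading winbind reply failed! (0xc0000001)",
                              "Logon failure (0xc000006d)")

EXPAND = re.compile(r"^\[mschap\]\s+expand: (--[\w-]+)=.* -> \1=(.*)$")
OUTPUT = re.compile(r"^Exec-Program output: (.*)$")
RETURNED = re.compile(r"^Exec-Program: returned: (\d+)$")
NT_STATUS = re.compile(r"\((0x[0-9a-fA-F]{8})\)")
LOGON_FAILURE = "0xc000006d"  # NT_STATUS_LOGON_FAILURE

def triage(log_text):
    """Summarise one mschap/ntlm_auth attempt from debug output."""
    res = {"args": {}, "output": None, "exit_code": None, "nt_status": None}
    for line in log_text.splitlines():
        line = line.strip()
        if m := EXPAND.match(line):
            res["args"][m.group(1)] = m.group(2)  # expanded helper argument
        elif m := OUTPUT.match(line):
            res["output"] = m.group(1)
            if s := NT_STATUS.search(m.group(1)):
                res["nt_status"] = s.group(1).lower()
        elif m := RETURNED.match(line):
            res["exit_code"] = int(m.group(1))
    out = (res["output"] or "").lower()
    if res["exit_code"] == 0:
        res["verdict"] = "accepted"
    elif "winbind" in out:
        # The helper could not read a reply from winbindd, so the reject
        # is not a verdict on the password.
        res["verdict"] = "backend_failure"
    elif res["nt_status"] == LOGON_FAILURE:
        res["verdict"] = "bad_credentials"
    else:
        res["verdict"] = "unknown"
    return res

if __name__ == "__main__":
    for name, log in (("post", POST_LOG), ("bad password", BAD_PW_LOG)):
        print(name, triage(log)["verdict"])
```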