freeradius 3.0.4 CentOS 7.2 AD
Hubert Kupper
kupper at uni-landau.de
Mon Apr 11 07:29:28 CEST 2016
On 08.04.2016 at 13:00 Alan DeKok wrote:
> On Apr 8, 2016, at 4:15 AM, Hubert Kupper <kupper at uni-landau.de> wrote:
>> we have freeradius 3.0.4 on a centos 7.2 machine with ldap authentication against edirectory running for a long time. Now we want to authenticate against AD. We followed the instructions on http://deployingradius.com/documents/configuration/active_directory.html
>>
>> ntlm_auth returns: NT_STATUS_OK: Success (0x0). Radiusd -X returns the following error:
>>
>> /etc/raddb/mods-config/files/authorize[1]: Parse error (check) for entry DEFAULT: Unknown value 'ntlm_auth' for attribute 'Auth-Type'
>>
>> What is the reason?
> It means you're not following the guide.
>
> The error message is pretty clear. The DEFAULT entry you added at the start of the "authorize" file doesn't work.
>
> Why? Because you didn't add an ntlm_auth entry in the "authenticate" section, as documented in the guide.
>
> Follow the guide. Every step. Don't skip steps.
>
> Alan DeKok.
Hello,
I had followed the guide and set an ntlm_auth entry in the "authenticate"
section of "default" and "inner-tunnel".
default:

authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap
    }

    #
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #
    #  If you have a Cisco SIP server authenticating against
    #  FreeRADIUS, uncomment the following line, and the 'digest'
    #  line in the 'authorize' section.
    digest

    #
    #  Pluggable Authentication Modules.
    #  pam

    #
    ntlm_auth

    #  Uncomment it if you want to use ldap for authentication
    #
    #  Note that this means "check plain-text password against
    #  the ldap database", which means that EAP won't work,
    #  as it does not supply a plain-text password.
    #
    #  We do NOT recommend using this.  LDAP servers are databases.
    #  They are NOT authentication servers.  FreeRADIUS is an
    #  authentication server, and knows what to do with authentication.
    #  LDAP servers do not.
    #
    Auth-Type LDAP {
        ldap
    }

    #
    #  Allow EAP authentication.
    eap

    #
    #  The older configurations sent a number of attributes in
    #  Access-Challenge packets, which wasn't strictly correct.
    #  If you want to filter out these attributes, uncomment
    #  the following lines.
    #
    #  Auth-Type eap {
    #      eap {
    #          handled = 1
    #      }
    #      if (handled && (Response-Packet-Type == Access-Challenge)) {
    #          attr_filter.access_challenge.post-auth
    #          handled  # override the "updated" code from attr_filter
    #      }
    #  }
}

inner-tunnel:

authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #
    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap
    }

    #
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #
    #  Pluggable Authentication Modules.
    #  pam

    #
    ntlm_auth

    #  Uncomment it if you want to use ldap for authentication
    #
    #  Note that this means "check plain-text password against
    #  the ldap database", which means that EAP won't work,
    #  as it does not supply a plain-text password.
    #
    #  We do NOT recommend using this.  LDAP servers are databases.
    #  They are NOT authentication servers.  FreeRADIUS is an
    #  authentication server, and knows what to do with authentication.
    #  LDAP servers do not.
    #
    Auth-Type LDAP {
        ldap
    }

    #
    #  Allow EAP authentication.
    eap
}
I had also tested it with

Auth-Type {
    ntlm_auth
}
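A quick consistency check for the failure discussed in this thread, added here as an example and not taken from the list post or from the FreeRADIUS project: it reads a users-file snippet and an authenticate{} section and lists every Auth-Type value the users file sets that the section does not register, which is what radiusd -X rejects with "Unknown value ... for attribute 'Auth-Type'". The sample configurations are constructed, and the checker assumes Auth-Types are registered only by `Auth-Type NAME { ... }` subsections and by bare module instances listed directly in authenticate{} (the form the guide uses); it is a first-pass sanity check, not a reimplementation of the server's parser.

```python
import re

# Constructed sample: the DEFAULT entry placed in mods-config/files/authorize.
USERS_FILE = """\
DEFAULT Auth-Type := ntlm_auth
"""

# Constructed sample: an authenticate{} section in which ntlm_auth is still
# commented out, which is the situation the parse error in the thread describes.
AUTHENTICATE_MISSING = """\
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # ntlm_auth
    eap
}
"""
# Same section with the ntlm_auth entry enabled.
AUTHENTICATE_FIXED = AUTHENTICATE_MISSING.replace("# ntlm_auth", "ntlm_auth")


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def registered_auth_types(section_text):
    """Auth-Type names the authenticate{} section registers (lower-cased):
    every 'Auth-Type NAME {' subsection and every bare module instance that
    sits directly inside the section. Modules nested inside a subsection
    (e.g. 'pap' under 'Auth-Type PAP') register nothing on their own."""
    names, depth = set(), 0
    for raw in section_text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = re.match(r"Auth-Type\s+(\S+)\s*\{", line, re.I)
        if m and depth == 1:
            names.add(m.group(1).lower())
        elif depth == 1 and re.fullmatch(r"[\w.-]+", line):
            names.add(line.lower())
        depth += line.count("{") - line.count("}")  # track brace nesting
    return names


def referenced_auth_types(users_text):
    """Auth-Type values that users-file entries set with the check or reply operators."""
    pattern = r'Auth-Type\s*[:=!+-]?=\s*("?[\w.-]+"?)'
    return {m.group(1).strip('"').lower() for m in re.finditer(pattern, users_text, re.I)}


def undefined_auth_types(users_text, section_text):
    """Values the users file asks for that the authenticate{} section never registers."""
    return sorted(referenced_auth_types(users_text) - registered_auth_types(section_text))
```

Running `undefined_auth_types(USERS_FILE, AUTHENTICATE_MISSING)` on the constructed input names `ntlm_auth`, and the same call on `AUTHENTICATE_FIXED` returns an empty list.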