infamous AD integration
Matthew Newton
mcn4 at leicester.ac.uk
Thu Jun 16 16:54:10 CEST 2016
On Thu, Jun 16, 2016 at 03:25:12PM +0100, lejeczek via Freeradius-Users wrote:
> Now I have
> $ radtest -t mschap ...
> working, but I don't quite grasp why one has to test with "-t".
> When I now test without "-t" it still fails with:

Well, "-t mschap" sends an MSCHAP auth request, which is what
you've configured.

Without -t you're sending a PAP request, which you haven't
configured (see mods-available/ntlm_auth if you need to do this;
most people likely don't).

So the first works and the second doesn't.

Matthew

> (3) } # filter_username filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix : Checking for suffix after "@"
> (3) suffix : Looking up realm "my.domain.local" for User-Name =
> "pe243 at my.domain.local"
> (3) suffix : Found realm "my.domain.local"
> (3) suffix : Adding Stripped-User-Name = "pe243"
> (3) suffix : Adding Realm = "my.domain.local"
> (3) suffix : Authentication realm is LOCAL
> (3) [suffix] = ok
> (3) eap : No EAP-Message, not doing EAP
> (3) [eap] = noop
> (3) [unix] = notfound
> (3) [files] = noop
> (3) [expiration] = noop
> (3) [logintime] = noop
> (3) WARNING: pap : No "known good" password found for the user. Not setting
> Auth-Type
> (3) WARNING: pap : Authentication will fail unless a "known good" password
> is available
> (3) [pap] = noop
> (3) } # authorize = ok
> (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (3) Failed to authenticate the user
> (3) Using Post-Auth-Type Reject
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3) Post-Auth-Type REJECT {
> (3) attr_filter.access_reject : EXPAND %{User-Name}
> (3) attr_filter.access_reject : --> pe243 at my.domain.local
> (3) attr_filter.access_reject : Matched entry DEFAULT at line 11
> (3) [attr_filter.access_reject] = updated
> (3) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
> (3) [eap] = noop
> (3) remove_reply_message_if_eap remove_reply_message_if_eap {
> (3) if (&reply:EAP-Message && &reply:Reply-Message)
> (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (3) else else {
> (3) [noop] = noop
> (3) } # else else = noop
> (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (3) } # Post-Auth-Type REJECT = updated
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
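
The diagnosis in the reply above can be read straight off the debug output. As an added example (not part of the original message and not FreeRADIUS code), this Python helper scans debug lines in the format quoted above and reports requests rejected because no module in authorize set an Auth-Type; the sample lines are constructed from the quoted log, and the function and pattern names are hypothetical.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the message above.
SAMPLE = """\
(3) [chap] = noop
(3) [mschap] = noop
(3) eap : No EAP-Message, not doing EAP
(3) [eap] = noop
(3) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(3) [pap] = noop
(3) } # authorize = ok
(3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

# Patterns for the three line kinds we care about; group 1 is the request id.
MODULE_RC = re.compile(r"^\((\d+)\)\s+\[([\w.]+)\]\s+=\s+(\w+)$")
PAP_NO_PW = re.compile(r'^\((\d+)\)\s+WARNING: pap\s*: No "known good" password')
NO_AUTH_TYPE = re.compile(r"^\((\d+)\)\s+ERROR: No Auth-Type found")

def triage(debug_text):
    """Return {request_id: diagnosis} for requests rejected with no Auth-Type."""
    rcodes = {}         # request id -> {module: first return code seen}
    pap_warned = set()  # requests where pap found no known-good password
    rejected = []       # requests rejected for lack of an Auth-Type
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted ("> ") logs
        if m := MODULE_RC.match(line):
            rcodes.setdefault(m[1], {}).setdefault(m[2], m[3])
        elif m := PAP_NO_PW.match(line):
            pap_warned.add(m[1])
        elif m := NO_AUTH_TYPE.match(line):
            rejected.append(m[1])
    report = {}
    for rid in rejected:
        seen = rcodes.get(rid, {})
        unclaimed = [p for p in ("chap", "mschap", "eap") if seen.get(p) == "noop"]
        if rid in pap_warned and len(unclaimed) == 3:
            report[rid] = ("PAP request: chap/mschap/eap did not match and "
                           "pap has no known-good password")
        else:
            report[rid] = "no Auth-Type set; module results: " + repr(seen)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```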