infamous AD integration

lejeczek peljasz at yahoo.co.uk
Thu Jun 16 17:05:49 CEST 2016



On 16/06/16 15:54, Matthew Newton wrote:
> On Thu, Jun 16, 2016 at 03:25:12PM +0100, lejeczek via Freeradius-Users wrote:
>> Now I have
>> $ radtest -t mschap ...
>> working, but I don't quite grasp why one has to test with "-t".
>> When I now test without "-t" it still fails with:
> Well, "-t mschap" sends an MSCHAP auth request, which is what
> you've configured.
>
> Without -t you're sending a PAP request, which you haven't
> configured (see mods-available/ntlm_auth if you need to do this;
> most people likely don't).
>
> So the first works and the second doesn't.
>
> Matthew
What I don't get is - this is radtest, but how does it matter to a radius client, say a net switch? Do all the clients have to specify an auth method?
I thought we configure these different "backends" so the radius server will traverse them all in search of a user account, of which the client has to know none.
One more thing - having mschap/ntlm, I do not need to configure the radius server to look up AD's ldap at the same time, do I? Would there be a case when one would have both ntlm & ldap go to the same AD?

>
>
>> (3)   } # filter_username filter_username = notfound
>> (3)   [preprocess] = ok
>> (3)   [chap] = noop
>> (3)   [mschap] = noop
>> (3)   [digest] = noop
>> (3)  suffix : Checking for suffix after "@"
>> (3)  suffix : Looking up realm "my.domain.local" for User-Name =
>> "pe243 at my.domain.local"
>> (3)  suffix : Found realm "my.domain.local"
>> (3)  suffix : Adding Stripped-User-Name = "pe243"
>> (3)  suffix : Adding Realm = "my.domain.local"
>> (3)  suffix : Authentication realm is LOCAL
>> (3)   [suffix] = ok
>> (3)  eap : No EAP-Message, not doing EAP
>> (3)   [eap] = noop
>> (3)   [unix] = notfound
>> (3)   [files] = noop
>> (3)   [expiration] = noop
>> (3)   [logintime] = noop
>> (3)  WARNING: pap : No "known good" password found for the user. Not setting
>> Auth-Type
>> (3)  WARNING: pap : Authentication will fail unless a "known good" password
>> is available
>> (3)   [pap] = noop
>> (3)  } #  authorize = ok
>> (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
>> Reject
>> (3) Failed to authenticate the user
>> (3) Using Post-Auth-Type Reject
>> (3) # Executing group from file /etc/raddb/sites-enabled/default
>> (3)  Post-Auth-Type REJECT {
>> (3)  attr_filter.access_reject : EXPAND %{User-Name}
>> (3)  attr_filter.access_reject :    --> pe243 at my.domain.local
>> (3)  attr_filter.access_reject : Matched entry DEFAULT at line 11
>> (3)   [attr_filter.access_reject] = updated
>> (3)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
>> (3)   [eap] = noop
>> (3)   remove_reply_message_if_eap remove_reply_message_if_eap {
>> (3)     if (&reply:EAP-Message && &reply:Reply-Message)
>> (3)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>> (3)    else else {
>> (3)     [noop] = noop
>> (3)    } # else else = noop
>> (3)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
>> (3)  } # Post-Auth-Type REJECT = updated
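The point in Matthew's reply, that the client (radtest, a switch) chooses PAP or MS-CHAP by which attributes it puts in the Access-Request, as an added Python example that is not part of this thread or of FreeRADIUS. It builds both kinds of request from raw RFC 2865 attributes and classifies a packet by what it carries; the MS-CHAP challenge/response bytes and the shared secret are constructed placeholders, not a real MS-CHAPv2 computation.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 1, 2, 26
MICROSOFT, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 311, 11, 25  # vendor id + sub-types

def attr(atype, value):
    # One RADIUS attribute: type, length (header included), value.
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vsa(vendor, vtype, value):
    # Vendor-Specific attribute wrapping a single vendor sub-attribute.
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + attr(vtype, value))

def hide_password(password, secret, authenticator):
    # RFC 2865 section 5.2 User-Password hiding: MD5 keystream XOR, not encryption.
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def access_request(user, secret, password=None, mschap=None, ident=1):
    # The client picks the method purely by which attributes it includes.
    authenticator = os.urandom(16)
    attrs = [attr(USER_NAME, user)]
    if password is not None:  # PAP: what radtest sends without "-t"
        attrs.append(attr(USER_PASSWORD, hide_password(password, secret, authenticator)))
    if mschap is not None:  # MSCHAPv2: what "radtest -t mschap" sends (placeholder bytes here)
        for vtype, val in zip((MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE), mschap):
            attrs.append(vsa(MICROSOFT, vtype, val))
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def auth_method(packet):
    # Classify a request by the attributes present, roughly as the server's modules do.
    seen, pos = set(), 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == MICROSOFT:
            seen.add(("ms", value[4]))  # vendor sub-type
        seen.add(atype)
        pos += alen
    if ("ms", MS_CHAP2_RESPONSE) in seen:
        return "mschap"
    return "pap" if USER_PASSWORD in seen else "unknown"
```

A PAP request only carries User-Password, so a server with no "known good" password source for the user (the situation in the debug output above) has nothing to compare it against, while an MS-CHAP request carries the challenge/response pair that the mschap module can hand to ntlm_auth.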
