FreeRadius 2 -> 3.04 ntlm_auth not working

Diggins Mike diggins at mcmaster.ca
Mon Aug 7 01:41:44 CEST 2017


Some progress. With my users file (/mods-config/files/authorize) empty, authentication works according to radtest.

However, I need to return certain attributes along with specific userids that authenticate. The rest (default) can just authenticate normally. 

In FR v2 I added this to the users file.

userid       Auth-Type = ntlm_auth
                   Reply-Message = "attr1","attr2", 

DEFAULT         Auth-Type = ntlm_auth

FR 3 doesn't like this (Unknown value 'ntlm_auth' for attribute 'Auth-Type'). I don't know what it wants to fix it. None of the samples in /mods-config/files/authorize look like this?

-Mike


-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+diggins=mcmaster.ca at lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Sunday, August 6, 2017 12:36 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius 2 -> 3.04 ntlm_auth not working

On Sun, Aug 6, 2017 at 5:16 AM, Diggins Mike <diggins at mcmaster.ca> wrote:
> I built a new server using FreeRadius 3.0.4 (the one that comes with RHEL7) and attempted to port my FR v2 configuration but it's failing.
>

You should be able to easily build latest FR3 stable RPM from the source.

> The error (from radius -X) is:
>
> reading pairlist file /etc/raddb/mods-config/files/authorize
> /etc/raddb/mods-config/files/authorize[5]: Parse error (check) for entry DEFAULT: Unknown value 'ntlm_auth' for attribute 'Auth-Type'
> Failed reading /etc/raddb/mods-config/files/authorize
> /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

Did you read http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto ?

>
> My /etc/raddb/mods-config/files/authorize contains only:
>
> # Begin
> DEFAULT         Auth-Type = ntlm_auth
> # end of user file
>

That shouldn't be needed.


> I added ntlm_auth to the authenticate sections in sites-enabled/default and sites-enabled/inner-tunnel.
>
> #       Auth-Type LDAP {
> #               ldap
> #       }
>
>         #
>         #  Allow EAP authentication.
>         eap
>

I don't remember this one off the top of my head, but IIRC you simply need to have mods-enabled/eap and mods-enabled/mschap links.

>         # Allow NTLM_AUTH
>         ntlm_auth
>         #
>

Definitely don't do that.


> I've searched this error for the last hour but can't find anything that points to my problem.
>

Don't copy-paste FR2 config in FR3. Start with the default config, and follow known-good recipes.

--
Fajar