FreeRadius 2 -> 3.04 ntlm_auth not working
Diggins Mike
diggins at mcmaster.ca
Wed Aug 9 02:10:45 CEST 2017
I updated my RHEL FreeRadius package to what it calls version 3.0.13-8.el7_4 and now my original users file works again (thank you). However, I have a new problem. When I use radtest to test authentication, the policy filter_username is now failing. If I comment it out of 'default', authentication works correctly. My username looks okay according to the output. I tried commenting out the if statement that produces the 'Rejected: User-Name contains multiple ..s' but then another if statement fails later on.
Ready to process requests
(0) Received Access-Request Id 199 from 127.0.0.1:39414 to 127.0.0.1:1812 length 134
(0) User-Name = "guest002"
(0) NAS-IP-Address = 192.168.199.163
(0) NAS-Port = 0
(0) Message-Authenticator = 0xfc43cddab6726d2fa73c3eb0bec5de4c
(0) MS-CHAP-Challenge = 0x0945f6b315705436
(0) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000b2a5f6c47982e677afdfc2761d9e8c0aec2e32a9ff91600d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> TRUE
(0) if (&User-Name =~ /\.\./ ) {
(0) update request {
(0) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(0) } # update request = noop
(0) [reject] = reject
(0) } # if (&User-Name =~ /\.\./ ) = reject
(0) } # if (&User-Name) = reject
(0) } # policy filter_username = reject
(0) } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> guest002
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 199 from 127.0.0.1:1812 to 127.0.0.1:39414 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 199 with timestamp +215
Ready to process requests
-Mike
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+diggins=mcmaster.ca at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, August 7, 2017 3:21 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius 2 -> 3.04 ntlm_auth not working
On Aug 7, 2017, at 1:41 AM, Diggins Mike <diggins at mcmaster.ca> wrote:
>
> Some progress. With my users file (/mods-config/files/authorize) empty, authentication works according to radtest.
>
> However, I need to return certain attributes along with specific userids that authenticate. The rest (default) can just authenticate normally.
>
> In FR v2 I added this to the users file.
>
> userid Auth-Type = ntlm_auth
> Reply-Message = "attr1","attr2",
>
> DEFAULT Auth-Type = ntlm_auth
>
> FR 3 doesn't like this (Unknown value 'ntlm_auth' for attribute 'Auth-Type'). I don't know what it wants to fix it. None of the samples in /mods-config/files/authorize look like this?
Use 3.0.15. This issue has been fixed.
Alan DeKok.
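
Added example, not part of the original thread and not FreeRADIUS code: a Python sketch that replays the User-Name regex conditions from the debug output above against the logged User-Name and reports any check whose logged result differs from an independent evaluation. It assumes Python's re module agrees with the server's regex engine for these simple patterns; the names replay, ATTR and COND are hypothetical.

```python
import re

# Debug lines copied from the radiusd debug output quoted in the thread.
DEBUG_LOG = r'''
(0) User-Name = "guest002"
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) -> TRUE
'''

# The request attribute line that carries the value under test.
ATTR = re.compile(r'^\(\d+\)\s+User-Name = "(?P<value>[^"]*)"\s*$')
# An evaluated condition line: "if (&User-Name =~ /regex/) -> TRUE|FALSE".
COND = re.compile(
    r'^\(\d+\)\s+if \(&User-Name =~ /(?P<pattern>.*)/\s*\)\s+'
    r'-> (?P<result>TRUE|FALSE)\s*$'
)

def replay(log):
    """Re-evaluate each logged User-Name regex check.

    Returns a list of (pattern, logged_result, expected_result) for every
    check where the server's logged result disagrees with Python's re.
    """
    user_name = None
    mismatches = []
    for line in log.splitlines():
        m = ATTR.match(line)
        if m:
            user_name = m.group("value")
            continue
        m = COND.match(line)
        if m and user_name is not None:
            logged = m.group("result") == "TRUE"
            expected = re.search(m.group("pattern"), user_name) is not None
            if logged != expected:
                mismatches.append((m.group("pattern"), logged, expected))
    return mismatches

if __name__ == "__main__":
    for pattern, logged, expected in replay(DEBUG_LOG):
        print(f"/{pattern}/ logged {logged}, "
              f"independent evaluation gives {expected}")
```

A mismatch means the policy text and the regex the server actually evaluated do not agree for that input, which points at how the installed build parses or escapes the pattern rather than at the username itself.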