Freeradius + AD authentication passing Domain+User

Alan DeKok aland at deployingradius.com
Thu Jun 22 16:09:44 CEST 2017


On Jun 21, 2017, at 2:12 PM, Alejandro Cabrera Obed <aco1967 at gmail.com> wrote:
> 
> 1) Configuring Freeradius to use ntlm_auth, in
> /etc/freeradius/modules/ntlm_auth:
> 
> exec ntlm_auth {
>                wait = yes
>                program = "/usr/bin/ntlm_auth --request-nt-key
> --domain=DOMAIN.COM --username=%{mschap:User-Name}
> --password=%{User-Password}"
>        }
> 
> But in /etc/freeradius/sites-enabled/default and inner-tunnel, I have not
> the following authenticate sections at all:
> 
> authenticate {
>        ...
>        ntlm_auth
>        ...
> }
> 
> If I have to put them, what do I have to add in the "..." lines you don't
> specify???

  The "..." is a place-holder.  It indicates other things in that section.  It doesn't mean insert a literal "...".

  
> 2) After that, you recommend to use the testing command:
> 
> $ radtest user password localhost 0 testing123
> 
> Does this user correspond to my domain "DOMAIN.COM", or is it a local user in order
> to test the config?

  If you're testing a user in AD, you should run radtest with a user in AD.

> 3) Configuring Freeradius to use ntlm_auth for MSCHAP
> 
> In /etc/freeradius/modules/mschap file I put:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-DOMAIN.COM} --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> After that I start the Freeradius service in debug mode, and I use radtest
> command to send a MSCHAP authentication request. I have Freeradius 2.2.5,
> so I execute:
> 
> $ radtest -t mschap bob hello localhost 0 testing123
> 
> Is bob/hello a username/password from DOMAIN.COM?
> 
> If I execute this in this way:
> 
> Sending Access-Request of id 220 to 127.0.0.1 port 1812
>        User-Name = "alejandro at domain.com"

  Is the account in AD called "alejandro at domain.com"?  Or is it just alejandro ?

  Again... if you're testing a user in AD, you just need to test with the username that's in AD.  There is simply no reason to do anything else.

>        NAS-IP-Address = 192.168.1.250
>        NAS-Port = 0
>        Message-Authenticator = 0x00000000000000000000000000000000
>        MS-CHAP-Challenge = 0xdb6688ffc58b6208
>        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007cf9df3af3b49e1fa7eb2697b78da21f1e9dde3f44a6493a
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=38
>        MS-CHAP-Error = "\000E=691 R=1"

  And all of the FAQ, web pages, "man" pages and EVERYTHING ELSE says to look at / post the debug output of the server.  NOT the output of "radtest".

  Alan DeKok.
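The reject quoted above carries an MS-CHAP-Error of "\000E=691 R=1". The script below is an added example, not part of this thread or of FreeRADIUS itself: it decodes that attribute string the way RFC 2548 (section 2.1.6, the leading Ident octet) and RFC 2759 (section 6, the "E=... R=... C=... V=... M=..." failure message) define it, so a reader can tell from the radtest side that 691 is ERROR_AUTHENTICATION_FAILURE and that R=1 means a retry is permitted, before going to the server debug output Alan asks for. The sample radtest output is constructed to match the thread; the function and variable names are this example's own.

```python
import re

# Failure codes from RFC 2759 section 6 (MS-CHAP-V2 Failure packet).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_radius_string(s: str) -> str:
    """Undo the \\ooo octal escapes radtest/radclient print for
    non-printable octets inside a quoted string value."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)


def parse_mschap_error(value: str) -> dict:
    """Parse the String field of an MS-CHAP-Error attribute (RFC 2548 2.1.6).

    The first octet is the Ident that ties the error to the MS-CHAP-Response
    it answers; the rest is the RFC 2759 failure message
    'E=eeeeeeeeee R=r C=cccc... V=vvvvvvvvvv M=<message>'. Only E= is
    mandatory in practice, so every other field is treated as optional.
    """
    text = unescape_radius_string(value)
    if not text:
        raise ValueError("empty MS-CHAP-Error string")
    ident, body = ord(text[0]), text[1:]

    # M= is last and may contain spaces, so split it off before tokenising.
    message = None
    if " M=" in body:
        body, message = body.split(" M=", 1)
    elif body.startswith("M="):
        body, message = "", body[2:]

    fields = {}
    for token in body.split():
        if "=" not in token:
            raise ValueError(f"malformed token {token!r} in MS-CHAP-Error")
        key, _, val = token.partition("=")
        fields[key] = val

    if "E" not in fields or not fields["E"].isdigit():
        raise ValueError("MS-CHAP-Error has no numeric E= code")
    code = int(fields["E"])

    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        # R=1: the peer may retry with the same credentials; R=0: it may not.
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": int(fields["V"]) if fields.get("V", "").isdigit() else None,
        "message": message,
    }


_REJECT_LINE = re.compile(r'MS-CHAP-Error\s*=\s*"((?:[^"\\]|\\.)*)"')


def explain_rejects(radtest_output: str) -> list:
    """Scan captured radtest output for MS-CHAP-Error attributes and return
    one parsed record per occurrence, in order of appearance."""
    return [parse_mschap_error(m.group(1))
            for m in _REJECT_LINE.finditer(radtest_output)]


# Constructed sample, modelled on the reject shown in the thread above.
SAMPLE_RADTEST_OUTPUT = r'''
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=38
        MS-CHAP-Error = "\000E=691 R=1"
'''

if __name__ == "__main__":
    for rec in explain_rejects(SAMPLE_RADTEST_OUTPUT):
        print(f"ident={rec['ident']} code={rec['code']} ({rec['name']}) "
              f"retry_allowed={rec['retry_allowed']}")
```

The decoder only tells you which failure class the server chose to report; a 691 from ntlm_auth can come from a wrong password, a wrong domain, or winbind not trusting the request, and those are distinguishable only in the server's debug output, which is why the advice to post that rather than the radtest output stands.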
