Title: Message
Dear All,
 
I successfully installed freeradius-1.0.2 under Suse Linux 9.1, and one of the features of freeradius is to enable authentication using Windows 2003 via ntlm_auth and winbindd. smbd, nmbd and winbindd are running successfully locally. All our Windows domain users can now log in successfully to the Linux Suse server. Samba integration using winbindd can authenticate to the Linux Suse server.
 
In radiusd.conf there's a line for ntlm_auth. I modified the entry and tried to change it to: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-User-Name} --domain=%{nschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" to make it look to the Windows 2003 domain. I tried to use my users in Windows 2003 to dial in, but so far it has failed. Using a local user, however, I can log in successfully. Any idea what is wrong in my configuration? And what other areas should I check? Please help me get this authentication working. Attached are the debug logs from running "radiusd -X" and from authentication attempts using users from the Windows 2003 user list.
 
RADIUS DEBUG LOGS:-
papillon:/usr/local/src/freeradius-1.0.2 # /usr/local/freeradius/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius/etc/raddb/eap.conf
Config:   including file: /usr/local/freeradius/etc/raddb/sql.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/usr/local/freeradius/var"
 main: logdir = "/usr/local/freeradius/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
 main: hostname_lookups = yes
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-User-Name} --domain=%{nschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/freeradius/etc/raddb/users"
 files: acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/freeradius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Using user under Windows 2003:-
rad_recv: Access-Request packet from host 10.76.16.2:1645, id=255, length=76
        NAS-IP-Address = 10.76.16.2
        NAS-Port = 6
        NAS-Port-Type = Async
        User-Name = "jungab"
        User-Password = "[EMAIL PROTECTED]@rl1k@"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "jungab", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 183
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [jungab]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 255 to 10.76.16.2:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 255 with timestamp 421c04c2
Nothing to do.  Sleeping until we see a request.
Using user under Suse Linux:-
rad_recv: Accounting-Request packet from host 10.76.16.2:1646, id=1, length=87
        NAS-IP-Address = 10.76.16.2
        NAS-Port = 6
        NAS-Port-Type = Async
        User-Name = "jsungab"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "00000444"
        Framed-Protocol = PPP
        Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
  modcall[preacct]: module "preprocess" returns noop for request 2
rlm_acct_unique: Hashing 'NAS-Port = 6,Client-IP-Address = jd3-accs1-rt.dairy-farm.com.ph,NAS-IP-Address = 10.76.16.2,Acct-Session-Id = "00000444",User-Name = "jsungab"'
rlm_acct_unique: Acct-Unique-Session-ID = "7461be81d4b43e14".
  modcall[preacct]: module "acct_unique" returns ok for request 2
    rlm_realm: No '@' in User-Name = "jsungab", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 2
  modcall[preacct]: module "files" returns noop for request 2
modcall: group preacct returns ok for request 2
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/jd3-accs1-rt.dairy-farm.com.ph/detail-20050223'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/jd3-accs1-rt.dairy-farm.com.ph/detail-20050223
  modcall[accounting]: module "detail" returns ok for request 2
  modcall[accounting]: module "unix" returns ok for request 2
radius_xlat:  '/usr/local/freeradius/var/log/radius/radutmp'
radius_xlat:  'jsungab'
  modcall[accounting]: module "radutmp" returns ok for request 2
modcall: group accounting returns ok for request 2
Sending Accounting-Response of id 1 to 10.76.16.2:1646
Finished request 2
 
 
Regards,
Jay
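
An added example, not part of the original post: a small Python triage of the "radiusd -X" output above. It reports, for each Access-Request, whether it carried a PAP User-Password or MS-CHAP attributes and which modules ran in the authenticate section, and it lists %{name:arg} prefixes in the ntlm_auth line that match no instantiated module. The function names, the redacted password and the prefix heuristic are assumptions of this example; the sample lines are abridged from the log in the post.

```python
import re

# Constructed sample: lines abridged from the debug log in the post (password redacted).
SAMPLE = '''\
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-User-Name} --domain=%{nschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Instantiated unix (unix)
rad_recv: Access-Request packet from host 10.76.16.2:1645, id=255, length=76
        User-Name = "jungab"
        User-Password = "<redacted>"
  modcall[authorize]: module "mschap" returns noop for request 0
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns reject for request 0
'''

def unknown_xlat_modules(log):
    """Prefixes used as %{name:arg} in ntlm_auth with no matching 'Instantiated' line.
    Heuristic (assumption of this example); %{Attr:-default} forms are skipped."""
    instances = set(re.findall(r"^Module: Instantiated \S+ \((\S+)\)", log, re.M))
    cmd = re.search(r'^\s*mschap: ntlm_auth = "(.*)"\s*$', log, re.M)
    if not cmd:
        return []
    prefixes = re.findall(r"%\{([\w-]+):(?!-)", cmd.group(1))
    return sorted(set(prefixes) - instances)

def access_requests(log):
    """One summary dict per Access-Request found in the debug output."""
    out = []
    for chunk in re.split(r"^(?=rad_recv: )", log, flags=re.M):
        if not chunk.startswith("rad_recv: Access-Request"):
            continue
        user = re.search(r'User-Name = "([^"]*)"', chunk)
        auth_type = re.search(r"Found Auth-Type (\S+)", chunk)
        out.append({
            "user": user.group(1) if user else None,
            "pap": "User-Password = " in chunk,  # cleartext-style PAP request
            "mschap_attrs": bool(re.search(r"^\s+MS-CHAP2?-\w+ = ", chunk, re.M)),
            "auth_type": auth_type.group(1) if auth_type else None,
            "authenticate": re.findall(
                r'modcall\[authenticate\]: module "([\w-]+)" returns (\w+)', chunk),
        })
    return out

if __name__ == "__main__":
    print("unknown xlat prefixes:", unknown_xlat_modules(SAMPLE))
    for req in access_requests(SAMPLE):
        print(req)
```

On the sample, the request arrives with User-Password and no MS-CHAP attributes, is assigned Auth-Type System, and only the unix module runs in authenticate, so the mschap module's ntlm_auth command is not exercised for that login.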
