Sorry, I forgot to attach the radiusd.conf and the debug output. *************************************************************** .......... prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct
#  NOTE(review): this paste is whitespace-collapsed (one physical line), so
#  the notes below refer to the settings as they appear in it; which lone
#  "#" markers are empty comment lines and which comment out a key cannot be
#  told apart here and should be checked against the real file.
#
#  user = radiusd / group = radiusd: the server drops to this account after
#  start-up, so anything started by rlm_exec (the ntlm_auth block in the
#  modules section further down) runs as radiusd as well. Any permission
#  problem that program hits is reported only through its exit status, which
#  an exec block only sees when it is configured with wait = yes.
#
#  log_auth = no together with log_auth_badpass = no and
#  log_auth_goodpass = no keeps passwords out of radius.log (leave those two
#  at no), but it also means accepts and rejects are not recorded at all;
#  for an audit trail of who was accepted, log_auth = yes can be enabled
#  without touching the two password settings.
#
#  security { reject_delay = 1 ... }: the one-second delay on Access-Reject
#  is what slows down password guessing against this server; do not lower
#  it just to speed up testing.
# Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd # # The logging messages for the server are appended to the # tail of this file. # log_file = ${logdir}/radius.log libdir = /usr/local/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 # max_requests = 1024 # bind_address = * # port = 0 # hostname_lookups = no # allow_core_dumps = no # Regular expressions # regular_expressions = yes extended_expressions = yes # Log the full User-Name attribute, as it was found in the request. # log_stripped_names = no # Log authentication requests to the log file. # # allowed values: {no, yes} # log_auth = no # Log passwords with the authentication requests. # log_auth_badpass - logs password if it's rejected # log_auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # log_auth_badpass = no log_auth_goodpass = no usercollide = no # lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad # security { max_attributes = 200 reject_delay = 1 status_server = no } $INCLUDE ${confdir}/clients.conf # SNMP CONFIGURATION snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 # min_spare_servers = 3 max_spare_servers = 10 # There may be memory leaks or resource allocation problems with max_requests_per_server = 0 } # MODULE CONFIGURATION # # The names and configuration of each module is located in this section. # # After the modules are defined here, they may be referred to by name, # in other sections of this configuration file. 
#  NOTE(review): this paste is whitespace-collapsed (one physical line); the
#  notes below refer to the module blocks as they appear in it.
#
#  exec ntlm_auth { wait = no ... }: with wait = no, rlm_exec starts
#  ntlm_auth and returns without waiting for it, so the program's exit
#  status is never examined and the module returns ok for every request.
#  That is exactly what the attached debug shows (module "ntlm_auth" returns
#  ok, then Access-Accept) for a user that, per the thread, does not exist
#  in Active Directory. Use wait = yes so that a non-zero exit from
#  ntlm_auth (unknown user, wrong password, or ntlm_auth failing for any
#  other reason) rejects the request instead of being discarded.
#
#  --password=%{User-Password} hands the clear-text password to ntlm_auth on
#  its command line, where it is visible to other local users for the
#  lifetime of the process (ps, /proc). Keep this host restricted to
#  trusted administrators, and prefer a password-passing method that does
#  not use argv if the ntlm_auth build in use offers one.
#
#  The users file's DEFAULT entry (line 154 according to the debug) selects
#  Auth-Type ntlm_auth, which is why the request is handled by this exec
#  block rather than by pap/chap/mschap. In this paste the mschap block's
#  own ntlm_auth = "..." line looks commented out; if MS-CHAP clients are
#  meant to be verified against AD as well, that line also has to be active.
# modules { exec ntlm_auth { wait = no program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.ORG --username=%{mschap:User-Name} --password=%{User-Password}" } # pap { encryption_scheme = crypt } chap { authtype = CHAP } $INCLUDE ${confdir}/eap.conf mschap { # authtype = MS-CHAP # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN.ORG} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no #notfound-reject = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } expr { } exec { wait = yes input_pairs = request } exec echo { # wait = yes # program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } } # Instantiation instantiate { 
expr } authorize { preprocess chap mschap suffix eap files } authenticate { ntlm_auth } preacct { preprocess acct_unique suffix files } accounting { detail } session { radutmp } post-auth { } pre-proxy { } post-proxy { } *********************************************************************** rad_recv: Access-Request packet from host 127.0.0.1:32783, id=159, length=57 User-Name = "raduser" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 154 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ntlm_auth auth: type "ntlm_auth" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 radius_xlat: Running registered xlat function of module mschap for string 'User- Name' radius_xlat: '--username=raduser' radius_xlat: '--password=test123' modcall[authenticate]: module "ntlm_auth" returns ok for request 0 modcall: leaving group authenticate (returns ok) for request 0 Sending Access-Accept of id 159 to 127.0.0.1 port 32783 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 159 with timestamp 463879cf Nothing to do. Sleeping until we see a request. 
***************************************************************************** On 5/2/07, shrikant Bhat <[EMAIL PROTECTED]> wrote: > Hello All, > Could some one please tell me why ntlm_auth resurning OK with out > looking up the ADS . > I couldnt understand the debug. > > On 5/1/07, shrikant Bhat <[EMAIL PROTECTED]> wrote: > > Alan, > > My intention is not argue, since I coudnt understand the debug I > > posted the messege. > > > > On 4/30/07, Alan DeKok <[EMAIL PROTECTED]> wrote: > > > shrikant Bhat wrote: > > > > I dont have the user in Active directory, yet free radius sends a > > > > accept packet. > > > > > > I did read the debug output, unlike you. It shows why. I told you > > > why. Stop arguing and read the debug output again, and my responses. > > > > > > It's not FreeRADIUS. You have configured FreeRADIUS to reply with an > > > Access-Accept if the ntlm_auth module returns OK. For some reason, the > > > ntlm_auth is returning OK. Go find out why that's happening, and fix it. > > > > > > Do NOT reply with "but freeradius sends an access accept". That reply > > > indicates that you're not reading the messages here. If you're not > > > going to read the answers to your questions, I suggest you stop asking > > > the questions. You're wasting your time, and ours. > > > > > > Alan DeKok. > > > -- > > > http://deployingradius.com - The web site of the book > > > http://deployingradius.com/blog/ - The blog > > > - > > > List info/subscribe/unsubscribe? See > > > http://www.freeradius.org/list/users.html > > > > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html