--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:
> I'm running freeradius-2.0.5 on Linux.
>
> My setup is as follows:
>
> Windows Vista native client - Linksys AP - FreeRadius Linux
> server (PEAP/mschapv2) - Active Directory Windows server
>
> Everything works smoothly with the following ntlm_auth
> parameters in the mschap module:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> However, user authentication is rejected when I add the
> --domain parameter:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> (from the Windows Vista client I obviously set the DOMAIN
> field; besides, if I run the freeradius daemon with debug
> enabled I see that it "correctly" receives
> 'DOMAIN\username')
>
> For starters, I don't understand why authentication
> fails if I add --domain. How can I find out why?
>
> Then, adding --require-membership-of with or without
> --domain also fails.
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --require-membership-of='DOMAIN\\WIFI'
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> Finally, running ntlm_auth from the command line yields:
>
> # ntlm_auth --request-nt-key --domain=DOMAIN
> --username=myuser
> --require-membership-of='DOMAIN\\WIFI'
> password:
> NT_STATUS_OK: Success (0x0)
I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the '' in the ntlm_auth string like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN
--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

and now it works.
So this leads me to ask how I can specify group names with spaces such as 'WIFI 1'.
Also, I had to specify the domain explicitly either via --domain=DOMAIN or
--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication
succeeds only if the client does NOT specify a domain in the domain or user
field.
So I'm attaching some debug outputs with the hope that someone can shed some
light on this aspect which I obviously don't grasp.
Thanks,
Vieri
radiusd.log.tar.gz
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
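To see what each of the ntlm_auth strings in this thread turns into once the %{...} references have been expanded for a given request, here is a small stand-alone Python emulation of that expansion. It is an added example, not FreeRADIUS or Samba code: the %{Attr:-default} syntax with nested defaults is taken from the strings above, but the rule that %{mschap:NT-Domain} is the text before the backslash in User-Name is an assumption about the mschap module, and the user names and hex challenge/response values are constructed. The emulation does not model how radiusd splits the expanded string into separate arguments (so it says nothing about the quoting question), and its output is meant to be compared with the command line the daemon prints in its debug output.

```python
#!/usr/bin/env python3
"""Emulate the %{...} expansion of the ntlm_auth strings from the mail.

Added example, not FreeRADIUS code. Supported syntax (all of it appears in
the ntlm_auth strings in the thread):
  %{Attr}             value of the request attribute, or "" when it is absent
  %{Attr:-default}    value, or the default, which may itself contain %{...}
  %{mschap:NT-Domain} ASSUMPTION: the text before the backslash in User-Name,
                      treated as absent when User-Name has no backslash
Challenge and NT-Response are simply read from the request dictionary.
"""

def find_closing_brace(s, open_idx):
    """Index of the '}' matching the '{' at open_idx, honouring nesting."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced %{ in template: " + s)

def lookup(name, request):
    """Resolve one xlat name; None means 'attribute not present'."""
    if name == "mschap:NT-Domain":   # assumption about the module, see docstring
        user = request.get("User-Name", "")
        return user.split("\\", 1)[0] if "\\" in user else None
    return request.get(name)

def expand_xlat(body, request):
    """body is the text between '%{' and '}'; the first ':-' starts the default."""
    name, sep, default = body.partition(":-")
    value = lookup(name, request)
    if value in (None, ""):
        return expand(default, request) if sep else ""
    return value

def expand(template, request):
    """Replace every %{...} in template using the attributes in request."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = find_closing_brace(template, i + 1)
            out.append(expand_xlat(template[i + 2:end], request))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# The ntlm_auth strings from the thread, each joined onto one line. The radiusd
# config writes the backslash in the group name as \\ inside its double quotes;
# here it is the single backslash that string denotes.
PROG = "/usr/bin/ntlm_auth --request-nt-key"
USERNAME = "--username=%{Stripped-User-Name:-%{User-Name:-None}}"
TAIL = "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
TEMPLATES = {
    "no-domain":         " ".join([PROG, USERNAME, TAIL]),
    "nt-domain":         " ".join([PROG, "--domain=%{mschap:NT-Domain}", USERNAME, TAIL]),
    "nt-domain-default": " ".join([PROG, "--domain=%{mschap:NT-Domain:-DOMAIN}", USERNAME, TAIL]),
    "working":           " ".join([PROG, USERNAME, "--domain=DOMAIN",
                                   r"--require-membership-of=DOMAIN\WIFI", TAIL]),
}

def ntlm_auth_command(variant, request):
    """The command line radiusd would hand to ntlm_auth for this request."""
    return expand(TEMPLATES[variant], request)

# Constructed sample requests; the hex values are made up, not from the attached logs.
CHALLENGE = {"mschap:Challenge": "0102030405060708", "mschap:NT-Response": "ab" * 24}
REQUESTS = {
    "client sends 'alice'":                 {"User-Name": "alice", **CHALLENGE},
    "client sends 'DOMAIN\\alice'":         {"User-Name": "DOMAIN\\alice", **CHALLENGE},
    "'DOMAIN\\alice' plus realm stripping": {"User-Name": "DOMAIN\\alice",
                                             "Stripped-User-Name": "alice", **CHALLENGE},
}

if __name__ == "__main__":
    for variant in TEMPLATES:
        print("==", variant)
        for label, req in REQUESTS.items():
            print("  %-38s %s" % (label, ntlm_auth_command(variant, req)))
```

Running it shows two things worth checking against the debug output: with --domain=%{mschap:NT-Domain} and a client that sends a bare user name, the domain argument expands to an empty --domain=; and with --domain=%{mschap:NT-Domain:-DOMAIN} and a client that sends DOMAIN\alice, the --username argument still carries the DOMAIN\ prefix unless something (here, a Stripped-User-Name attribute) has removed it.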

