Add ntlm_auth to the inner-tunnel virtual server as well. Or add it to the instantiate section of radiusd.conf.
Ivan Kalik
Kalik Informatika ISP

On 7/10/2008, "Santiago Matiz V" <[EMAIL PROTECTED]> wrote:

>
>Syed, thanks for your answer. When I configure the file "users" with
>"ntlm_auth", this error appears:
>
>"/usr/local/etc/raddb/users[230]: Parse error (check) for entry DEFAULT:
>Unknown value ntlm_auth for attribute Auth-Type
>Errors reading /usr/local/etc/raddb/users"
>
>thanks again...
>
>Santiago Matiz ([EMAIL PROTECTED])
>Systems Engineer
>Bogotá, Colombia (South America)
>
>
>--- On Tue, 10/7/08, Syed Anwarul Hasan <[EMAIL PROTECTED]> wrote:
>
>> From: Syed Anwarul Hasan <[EMAIL PROTECTED]>
>> Subject: Re: NTLM_auth active directory - what is wrong?
>> To: [EMAIL PROTECTED], "FreeRadius users mailing list"
>> <[email protected]>
>> Date: Tuesday, October 7, 2008, 2:20 PM
>>
>> Hi Santiago,
>>
>> I would suggest you first try with radtest to see whether
>> ntlm_auth BIND AS USER is working or not.
>>
>> Have a User entry in the Users file with Auth-Type := ntlm_auth.
>> Add *ntlm_auth* in the Authenticate section of the default and
>> inner-tunnel files in the /sites-enabled directory.
>>
>> Then, if radtest returns NT Success Ok, ntlm_auth is being
>> done by the server. Then try RADIUS requests from the actual NAS.
>>
>> I have done it this way so far to check the ntlm_auth bind.
>>
>> The experts can shed more light on your problem.
>>
>> Regards,
>> SYED
>>
>>
>>
>> On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V
>> <[EMAIL PROTECTED]> wrote:
>>
>> >
>> > Hi all
>> > I followed the instructions of Alan:
>> >
>> > <http://deployingradius.com/documents/configuration/active_directory.html>
>> >
>> > to authenticate ntlm_auth with radius, but the following message appears:
>> >
>> > " WARNING: Unknown value specified for Auth-Type. Cannot perform requested
>> > action.
>> > auth: Failed to validate the user."
>> >
>> > What is wrong?
>> >
>> > Please help.
>> > Santiago
>> >
>> >
>> > FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Sep 3 2008 at 15:55:02
>> > Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>> > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>> > You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
>> > Starting - reading configuration files ...
>> > including configuration file /usr/local/etc/raddb/radiusd.conf
>> > including configuration file /usr/local/etc/raddb/proxy.conf
>> > including configuration file /usr/local/etc/raddb/clients.conf
>> > including configuration file /usr/local/etc/raddb/snmp.conf
>> > including configuration file /usr/local/etc/raddb/eap.conf
>> > including dictionary file /usr/local/etc/raddb/dictionary
>> > main {
>> >  prefix = "/usr/local"
>> >  localstatedir = "/var"
>> >  logdir = "/var/log/radius"
>> >  libdir = "/usr/local/lib"
>> >  radacctdir = "/var/log/radius/radacct"
>> >  hostname_lookups = no
>> >  max_request_time = 30
>> >  cleanup_delay = 5
>> >  max_requests = 1024
>> >  allow_core_dumps = no
>> >  pidfile = "/var/run/radiusd/radiusd.pid"
>> >  checkrad = "/usr/local/sbin/checkrad"
>> >  debug_level = 0
>> >  proxy_requests = yes
>> >  log_auth = yes
>> >  log_auth_badpass = no
>> >  log_auth_goodpass = no
>> >  log_stripped_names = no
>> > }
>> > client localhost {
>> >  ipaddr = 127.0.0.1
>> >  require_message_authenticator = no
>> >  secret = "testing123"
>> >  nastype = "other"
>> > }
>> > client 192.100.16.11 {
>> >  require_message_authenticator = no
>> >  secret = "123"
>> > }
>> > radiusd: #### Loading Realms and Home Servers ####
>> >  proxy server {
>> >   retry_delay = 5
>> >   retry_count = 3
>> >   default_fallback = no
>> >   dead_time = 120
>> >   wake_all_if_all_dead = no
>> >  }
>> >  home_server localhost {
>> >   ipaddr = 127.0.0.1
>> >   port = 1812
>> >   type = "auth"
>> >   secret = "testing123"
>> >   response_window = 20
>> >   max_outstanding = 65536
>> >   zombie_period = 40
>> >   status_check = "status-server"
>> >   ping_check = "none"
>> >   ping_interval = 30
>> >   check_interval = 30
>> >   num_answers_to_alive = 3
>> >   num_pings_to_alive = 3
>> >   revive_interval = 120
>> >   status_check_timeout = 4
>> >  }
>> >  home_server_pool my_auth_failover {
>> >   type = fail-over
>> >   home_server = localhost
>> >  }
>> >  realm example.com {
>> >   auth_pool = my_auth_failover
>> >  }
>> >  realm LOCAL {
>> >  }
>> >  realm DOMAIN.LOC {
>> >   authhost = LOCAL
>> >   accthost = LOCAL
>> >  }
>> >  realm DOMAIN {
>> >   authhost = LOCAL
>> >   accthost = LOCAL
>> >  }
>> > radiusd: #### Instantiating modules ####
>> >  instantiate {
>> >  Module: Linked to module rlm_expr
>> >  Module: Instantiating expr
>> >  }
>> > radiusd: #### Loading Virtual Servers ####
>> > server {
>> >  modules {
>> >  Module: Checking authenticate {...} for more modules to load
>> >  Module: Linked to module rlm_mschap
>> >  Module: Instantiating mschap
>> >   mschap {
>> >    use_mppe = yes
>> >    require_encryption = no
>> >    require_strong = no
>> >    with_ntdomain_hack = yes
>> >    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>> >   }
>> >  Module: Checking authorize {...} for more modules to load
>> >  Module: Linked to module rlm_preprocess
>> >  Module: Instantiating preprocess
>> >   preprocess {
>> >    huntgroups = "/usr/local/etc/raddb/huntgroups"
>> >    hints = "/usr/local/etc/raddb/hints"
>> >    with_ascend_hack = no
>> >    ascend_channels_per_line = 23
>> >    with_ntdomain_hack = no
>> >    with_specialix_jetstream_hack = no
>> >    with_cisco_vsa_hack = no
>> >    with_alvarion_vsa_hack = no
>> >   }
>> >  Module: Linked to module rlm_realm
>> >  Module: Instantiating realmslash
>> >   realm realmslash {
>> >    format = "prefix"
>> >    delimiter = "\"
>> >    ignore_default = no
>> >    ignore_null = no
>> >   }
>> >  Module: Instantiating suffix
>> >   realm suffix {
>> >    format = "suffix"
>> >    delimiter = "@"
>> >    ignore_default = no
>> >    ignore_null = no
>> >   }
>> >  Module: Linked to module rlm_eap
>> >  Module: Instantiating eap
>> >   eap {
>> >    default_eap_type = "peap"
>> >    timer_expire = 60
>> >    ignore_unknown_eap_types = no
>> >    cisco_accounting_username_bug = no
>> >   }
>> >  Module: Linked to sub-module rlm_eap_md5
>> >  Module: Instantiating eap-md5
>> >  Module: Linked to sub-module rlm_eap_leap
>> >  Module: Instantiating eap-leap
>> >  Module: Linked to sub-module rlm_eap_gtc
>> >  Module: Instantiating eap-gtc
>> >   gtc {
>> >    challenge = "Password: "
>> >    auth_type = "PAP"
>> >   }
>> >  Module: Linked to sub-module rlm_eap_tls
>> >  Module: Instantiating eap-tls
>> >   tls {
>> >    rsa_key_exchange = no
>> >    dh_key_exchange = yes
>> >    rsa_key_length = 512
>> >    dh_key_length = 512
>> >    verify_depth = 0
>> >    pem_file_type = yes
>> >    private_key_file = "/usr/local/etc/raddb/certs/server.pem"
>> >    certificate_file = "/usr/local/etc/raddb/certs/server.pem"
>> >    CA_file = "/usr/local/etc/raddb/certs/ca.pem"
>> >    private_key_password = "whatever"
>> >    dh_file = "/usr/local/etc/raddb/certs/dh"
>> >    random_file = "/usr/local/etc/raddb/certs/random"
>> >    fragment_size = 1024
>> >    include_length = yes
>> >    check_crl = no
>> >    cipher_list = "DEFAULT"
>> >    make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
>> >   }
>> >  Module: Linked to sub-module rlm_eap_ttls
>> >  Module: Instantiating eap-ttls
>> >   ttls {
>> >    default_eap_type = "md5"
>> >    copy_request_to_tunnel = no
>> >    use_tunneled_reply = no
>> >    virtual_server = "inner-tunnel"
>> >   }
>> >  Module: Linked to sub-module rlm_eap_peap
>> >  Module: Instantiating eap-peap
>> >   peap {
>> >    default_eap_type = "mschapv2"
>> >    copy_request_to_tunnel = no
>> >    use_tunneled_reply = no
>> >    proxy_tunneled_request_as_eap = yes
>> >    virtual_server = "inner-tunnel"
>> >   }
>> >  Module: Linked to module rlm_files
>> >  Module: Instantiating files
>> >   files {
>> >    usersfile = "/usr/local/etc/raddb/users"
>> >    acctusersfile = "/usr/local/etc/raddb/acct_users"
>> >    compat = "no"
>> >   }
>> >  Module: Checking preacct {...} for more modules to load
>> >  Module: Checking accounting {...} for more modules to load
>> >  Module: Linked to module rlm_acct_unique
>> >  Module: Instantiating acct_unique
>> >   acct_unique {
>> >    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
>> >   }
>> >  Module: Linked to module rlm_detail
>> >  Module: Instantiating detail
>> >   detail {
>> >    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> >    header = "%t"
>> >    detailperm = 384
>> >    dirperm = 493
>> >    locking = no
>> >    log_packet_header = no
>> >   }
>> >  Module: Linked to module rlm_radutmp
>> >  Module: Instantiating radutmp
>> >   radutmp {
>> >    filename = "/var/log/radius/radutmp"
>> >    username = "%{User-Name}"
>> >    case_sensitive = yes
>> >    check_with_nas = yes
>> >    perm = 384
>> >    callerid = yes
>> >   }
>> >  Module: Checking session {...} for more modules to load
>> >  Module: Checking post-proxy {...} for more modules to load
>> >  }
>> > }
>> > radiusd: #### Opening IP addresses and Ports ####
>> >  bind_address = *
>> > WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.
>> > Listening on authentication address * port 1812
>> > Listening on accounting address * port 1813
>> > Listening on proxy address * port 1814
>> > Ready to process requests.
>> > rad_recv: Access-Request packet from host 192.100.16.11 port 1308, id=0, length=217
>> >  Message-Authenticator = 0x92d1b860b93a1c6d28f08eaa37697101
>> >  Service-Type = Framed-User
>> >  User-Name = "DOMAIN\\user\000"
>> >  Framed-MTU = 1488
>> >  Called-Station-Id = "00-16-E0-04-FE-44:pcountry"
>> >  Calling-Station-Id = "00-1B-77-4D-1A-74"
>> >  NAS-Identifier = "PISO 7 UG SISTEMAS"
>> >  NAS-Port-Type = Wireless-802.11
>> >  Connect-Info = "CONNECT 54Mbps 802.11g"
>> >  EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a
>> >  NAS-IP-Address = 192.100.16.11
>> >  NAS-Port = 1
>> >  NAS-Port-Id = "STA port # 1"
>> > +- entering group authorize
>> > ++[preprocess] returns ok
>> > ++[mschap] returns noop
>> >  rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user"
>> >  rlm_realm: Found realm "DOMAIN"
>> >  rlm_realm: Adding Stripped-User-Name = "user"
>> >  rlm_realm: Adding Realm = "DOMAIN"
>> >  rlm_realm: Authentication realm is LOCAL.
>> > ++[realmslash] returns ok
>> >  rlm_realm: Request already proxied. Ignoring.
>> > ++[suffix] returns ok
>> >  rlm_eap: EAP packet type response id 0 length 22
>> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> > ++[eap] returns updated
>> >  users: Matched entry user at line 178
>> > ++[files] returns ok
>> > rad_check_password: Found Auth-Type EAP
>> > auth: type "EAP"
>> > WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
>> > auth: Failed to validate the user.
>> > Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74)
>> > Sending Access-Reject of id 0 to 192.100.16.11 port 1308
>> > Finished request 0.
>> > Going to the next request
>> > Waking up in 4.9 seconds.
>> > rad_recv: Access-Request packet from host 192.100.16.11 port 1310, id=0, length=217
>> >  Message-Authenticator = 0xf829fc414e9407ab04ede033d5a60941
>> >  Service-Type = Framed-User
>> >  User-Name = "DOMAIN\\user\000"
>> >  Framed-MTU = 1488
>> >  Called-Station-Id = "00-16-E0-04-FE-44:pcountry"
>> >  Calling-Station-Id = "00-1B-77-4D-1A-74"
>> >  NAS-Identifier = "PISO 7 UG SISTEMAS"
>> >  NAS-Port-Type = Wireless-802.11
>> >  Connect-Info = "CONNECT 54Mbps 802.11g"
>> >  EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a
>> >  NAS-IP-Address = 192.100.16.11
>> >  NAS-Port = 1
>> >  NAS-Port-Id = "STA port # 1"
>> > +- entering group authorize
>> > ++[preprocess] returns ok
>> > ++[mschap] returns noop
>> >  rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user"
>> >  rlm_realm: Found realm "DOMAIN"
>> >  rlm_realm: Adding Stripped-User-Name = "user"
>> >  rlm_realm: Adding Realm = "DOMAIN"
>> >  rlm_realm: Authentication realm is LOCAL.
>> > ++[realmslash] returns ok
>> >  rlm_realm: Request already proxied. Ignoring.
>> > ++[suffix] returns ok
>> >  rlm_eap: EAP packet type response id 0 length 22
>> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> > ++[eap] returns updated
>> >  users: Matched entry user at line 178
>> > ++[files] returns ok
>> > rad_check_password: Found Auth-Type EAP
>> > auth: type "EAP"
>> > WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
>> > auth: Failed to validate the user.
>> > Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74)
>> > Sending Access-Reject of id 0 to 192.100.16.11 port 1310
>> > Finished request 1.
>> > Going to the next request
>> > Waking up in 4.7 seconds.
>> > rad_recv: Access-Request packet from host 192.100.16.11 port 1312, id=0, length=217
>> >  Message-Authenticator = 0xef8314925f34ccf891d91ca6fa18857d
>> >  Service-Type = Framed-User
>> >  User-Name = "DOMAIN\\user\000"
>> >  Framed-MTU = 1488
>> >  Called-Station-Id = "00-16-E0-04-FE-44:pcountry"
>> >  Calling-Station-Id = "00-1B-77-4D-1A-74"
>> >  NAS-Identifier = "PISO 7 UG SISTEMAS"
>> >  NAS-Port-Type = Wireless-802.11
>> >  Connect-Info = "CONNECT 54Mbps 802.11g"
>> >  EAP-Message = 0x0200001601434c49434f554e5452595c736d6174697a
>> >  NAS-IP-Address = 192.100.16.11
>> >  NAS-Port = 1
>> >  NAS-Port-Id = "STA port # 1"
>> > +- entering group authorize
>> > ++[preprocess] returns ok
>> > ++[mschap] returns noop
>> >  rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\user"
>> >  rlm_realm: Found realm "DOMAIN"
>> >  rlm_realm: Adding Stripped-User-Name = "user"
>> >  rlm_realm: Adding Realm = "DOMAIN"
>> >  rlm_realm: Authentication realm is LOCAL.
>> > ++[realmslash] returns ok
>> >  rlm_realm: Request already proxied. Ignoring.
>> > ++[suffix] returns ok
>> >  rlm_eap: EAP packet type response id 0 length 22
>> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> > ++[eap] returns updated
>> >  users: Matched entry user at line 178
>> > ++[files] returns ok
>> > rad_check_password: Found Auth-Type EAP
>> > auth: type "EAP"
>> > WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
>> > auth: Failed to validate the user.
>> > Login incorrect: [DOMAIN\\user\000] (from client 192.100.16.11 port 1 cli 00-1B-77-4D-1A-74)
>> > Sending Access-Reject of id 0 to 192.100.16.11 port 1312
>> > Finished request 2.
>> > Going to the next request
>> > Waking up in 4.4 seconds.
>> > Cleaning up request 0 ID 0 with timestamp +113
>> > Waking up in 0.2 seconds.
>> > Cleaning up request 1 ID 0 with timestamp +113
>> > Waking up in 0.2 seconds.
>> > Cleaning up request 2 ID 0 with timestamp +114
>> > Ready to process requests.
>> >
>> > Santiago Matiz ([EMAIL PROTECTED])
>> > Systems Engineer
>> > Bogotá, Colombia (South America)
>> >
>> >
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>> >
>
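The configuration Ivan and Syed describe, written out as an added example (not from the thread, and not the files the FreeRADIUS project ships): the ntlm_auth exec module defined once, forced to load in instantiate so that the Auth-Type value exists before the users file is parsed, listed in the authenticate section of both the default and inner-tunnel virtual servers, and referenced from users. EXAMPLEDOM and the ntlm_auth path are placeholders; the users file position assumes a FreeRADIUS 2.x layout.

```conf
# raddb/modules/ntlm_auth: the module name is what becomes the
# Auth-Type value "ntlm_auth". Placeholder domain and binary path.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOM --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/radiusd.conf: listing the module here instantiates it at
# startup, so "Unknown value ntlm_auth for attribute Auth-Type" cannot
# be raised when the users file is read (the thread's second fix).
instantiate {
	exec
	expr
	ntlm_auth
}

# raddb/sites-enabled/default AND raddb/sites-enabled/inner-tunnel:
# the same entry must appear in the authenticate section of both
# virtual servers (the thread's first fix); the rest of the section
# is left as shipped.
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
	ntlm_auth
}

# raddb/users: hand any user not matched by an earlier entry to
# ntlm_auth. Entries above this one can still override Auth-Type.
DEFAULT	Auth-Type := ntlm_auth
```

When `radiusd -X` starts, "Module: Instantiating ntlm_auth" should now appear in the instantiate block before the users file is parsed; a `radtest` with a cleartext password, as Syed suggests, then exercises this path end to end.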

