OK, so the current problem seems to be that I cannot get ntlm_auth to work.
I read
http://freeradius.1045715.n5.nabble.com/Freeradius-with-Active-Directory-td2747221.html
but that does not seem to apply to me, as my ntlm_auth module file already
contains the `exec` keyword (see the module definition below).
Attached (if that works) is the `radiusd -X` output for the current working
configuration (basic_configuration_run.txt). We are only doing
MAC authentication now and, depending on the MAC address, the device is placed
in a certain VLAN. I unfortunately did not install the server myself but, as far
as I know, FR was originally installed from the Debian package 2.1.8 and we
recently upgraded to 2.1.10.
(Note for anyone reusing this output: `radiusd -X` prints the shared secrets in
clear. Every NAS client here uses the secret `secret`, the whole 10.1.2.0/24
range is accepted as a client with that same secret, the localhost home server
still has the stock `testing123`, and `require_message_authenticator = no` on
every client. Those should be replaced with strong, per-client secrets — and
Message-Authenticator enforced where the NAS supports it — rather than copied,
and should be rotated now that they have appeared in a public list.)
Until a year ago I never really worked with (free)radius, linux or cisco
switches and it still is just a small part of my daily work, so I probably make
a lot of beginner mistakes.
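# -*- text -*-
#
# $Id$
# NTLM module
#
# To authenticate requests using AD.
#
# NOTE(review): this file only has an effect if radiusd actually reads it.
# The attached debug output shows just "/etc/freeradius/modules/files" being
# included from the modules/ directory, so a module defined here does not
# exist when the server starts — which is exactly why Auth-Type ntlm_auth is
# reported as "Unknown" in the users file and the authenticate section
# fails to load it.  Either $INCLUDE this file (or the whole modules/
# directory) from radiusd.conf, or move the block below into the modules
# section there.  The module *type* is "exec"; a bare "ntlm_auth { ... }"
# entry makes the server look for a module named rlm_ntlm_auth, which does
# not exist.
#
# Security caveat: --password=%{User-Password} places the user's cleartext
# password on the ntlm_auth command line, where it is briefly visible to any
# local user through the process list, and it can only work for requests
# that carry a User-Password attribute at all (i.e. PAP-style requests).
# For MS-CHAP requests the usual approach is to configure ntlm_auth inside
# the mschap module (challenge/NT-response form) so the password itself is
# never handled by the RADIUS server — confirm against the FreeRADIUS docs
# for your version before relying on it.
exec ntlm_auth {
	wait = yes
	# The program string must be on ONE line in the real config file; it is
	# wrapped here only by the mail client.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=ALEO.LOCAL --username=%{mschap:User-Name} --password=%{User-Password}"
}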
If I add `Auth-Type := ntlm_auth` to the users file I get an error
/etc/freeradius/users[157]: Parse error (check) for entry DEFAULT: Unknown
value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
(Auth-Type values are only known for module instances that have actually
been loaded; the debug output below shows no ntlm_auth instance being
instantiated, and only modules/files being included from the modules/
directory, so the module definition above is never read.)
If I add ntlm_auth to the authenticate section of the default virtual server I
get an error
/etc/freeradius/sites-enabled/default[254]: Failed to load module "ntlm_auth".
/etc/freeradius/sites-enabled/default[217]: Errors parsing authenticate section.
If I add a bare `ntlm_auth { ... }` entry to the modules section of radiusd.conf
I get a 'warning'
/etc/freeradius/radiusd.conf[1840]: Failed to link to module 'rlm_ntlm_auth':
file not found
(A bare `ntlm_auth { }` block is read as a module of type ntlm_auth, so the
server tries to load rlm_ntlm_auth; the entry needs to be `exec ntlm_auth { ... }`
exactly as in the module file above.)
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010
at 21:14:10
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "secret"
nastype = "other"
}
client 10.1.1.201 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.201"
nastype = "cisco"
}
client 10.1.1.202 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.202"
nastype = "cisco"
}
client 10.1.1.203 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.203"
nastype = "cisco"
}
client 10.1.1.204 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.204"
nastype = "cisco"
}
client 10.1.1.205 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.205"
nastype = "cisco"
}
client 10.1.1.206 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.206"
nastype = "cisco"
}
client 10.1.1.207 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.207"
nastype = "cisco"
}
client 10.1.1.208 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.208"
nastype = "cisco"
}
client 10.1.1.209 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.209"
nastype = "cisco"
}
client 10.1.1.210 {
require_message_authenticator = no
secret = "secret"
shortname = "10.1.1.210"
nastype = "cisco"
}
client 10.1.1.42 {
require_message_authenticator = no
secret = "secret"
shortname = "wlc"
nastype = "cisco"
}
client 10.1.2.0/24 {
require_message_authenticator = no
secret = "secret"
shortname = "network"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/radiusd.conf
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/radiusd.conf
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/radiusd.conf
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/radiusd.conf
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/radiusd.conf
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/radiusd.conf
Module: Linked to module rlm_always
Module: Instantiating module "ok" from file /etc/freeradius/radiusd.conf
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/freeradius/radiusd.conf
detail auth_log {
detailfile =
"/var/log/freeradius/radacct/%{Calling-Station-ID}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/radiusd.conf
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/freeradius/radiusd.conf
detail {
detailfile =
"/var/log/freeradius/radacct/%{Calling-Station-ID}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/radiusd.conf
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = no
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file /etc/freeradius/radiusd.conf
detail reply_log {
detailfile =
"/var/log/freeradius/radacct/%{Calling-Station-ID}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "authorized_phones" from file
/etc/freeradius/modules/files
files authorized_phones {
usersfile = "/etc/freeradius/authorized_phones"
compat = "no"
key = "%{tolower:%{Calling-Station-ID}}"
}
Module: Instantiating module "authorized_atas" from file
/etc/freeradius/modules/files
files authorized_atas {
usersfile = "/etc/freeradius/authorized_atas"
compat = "no"
key = "%{tolower:%{Calling-Station-ID}}"
}
Module: Instantiating module "authorized_printers" from file
/etc/freeradius/modules/files
files authorized_printers {
usersfile = "/etc/freeradius/authorized_printers"
compat = "no"
key = "%{tolower:%{Calling-Station-ID}}"
}
Module: Instantiating module "authorized_test" from file
/etc/freeradius/modules/files
files authorized_test {
usersfile = "/etc/freeradius/authorized_test"
compat = "no"
key = "%{tolower:%{Calling-Station-ID}}"
}
Module: Instantiating module "authorized_macs" from file
/etc/freeradius/modules/files
files authorized_macs {
usersfile = "/etc/freeradius/authorized_macs"
compat = "no"
key = "%{tolower:%{Calling-Station-ID}}"
}
Module: Instantiating module "reject" from file /etc/freeradius/radiusd.conf
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.