Hi,

>    Trying to use FR to query AD as an authentication oracle and set up per
>    the docs at
>    http://deployingradius.com/documents/configuration/active_directory.html
>    and several others pertaining to setting up Kerberos and winbind.

read the output - it's clearly failing on the ntlm_auth line - which is
being called without any available username - you have configured it to use
--username=%{mschap:User-Name} - which is all well and good, but radtest
is a plain PAP method so no mschap present. if you want to use ntlm_auth in all
kinds of weather, then you need to follow the docs and guides to ensure that username
is fed a username if given any other form of 'feed'. OR, if you really know
that it's only going to ever get MSCHAP requests, then use a suitable tool to
feed it such tests - eapol_test from the wpa_supplicant package, or the rad_eap_test
stuff which is supplied with newer versions of FreeRADIUS (best to use 2.1.10 if
you have a new install work anyway)

here:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{Stripped-User-Name}:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


that sort of construct would ensure that if mschap:user-name has no value, then
it'll fall back to stripped-user-name....and then back to user-name before just
being blank


>    DEFAULT     Auth-Type = ntlm_auth

don't do that - you really don't need to do that.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
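
An added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the %{a:-b} fallback syntax, showing what arguments the ntlm_auth line above would receive for different requests. The attribute dictionaries are constructed samples and assume, as the reply describes, that a PAP test request carries no mschap values.

```python
# Simplified model of the %{a:-b} fallback syntax used in the ntlm_auth line.
# Not FreeRADIUS code; attribute values below are constructed samples.

def _split_body(s, start):
    """Scan from just after '%{' to its matching '}'.
    Returns (left, default or None, index after the closing brace)."""
    depth, split_at, i = 0, None, start
    while i < len(s):
        if s.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and split_at is None and s.startswith(":-", i):
            split_at = i  # first top-level ':-' separates value from default
        i += 1
    else:
        raise ValueError("unbalanced %{ in template")
    if split_at is None:
        return s[start:i], None, i + 1
    return s[start:split_at], s[split_at + 2:i], i + 1

def expand(s, attrs):
    """Expand every %{...} in s against attrs (missing names expand to '')."""
    out, i = [], 0
    while i < len(s):
        if not s.startswith("%{", i):
            out.append(s[i])
            i += 1
            continue
        left, default, i = _split_body(s, i + 2)
        value = expand(left, attrs) if "%{" in left else attrs.get(left, "")
        if value == "" and default is not None:
            value = expand(default, attrs)  # left side empty: use the fallback
        out.append(value)
    return "".join(out)

ORIGINAL = "--username=%{mschap:User-Name}"
FALLBACK = ("--username=%{%{mschap:User-Name}:-%{%{Stripped-User-Name}"
            ":-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00}"
            " --nt-response=%{mschap:NT-Response:-00}")
PAP = {"User-Name": "bob"}  # constructed: plain PAP test, no mschap values
MSCHAP = {"User-Name": "bob", "mschap:User-Name": "bob",  # constructed
          "mschap:Challenge": "0123456789abcdef", "mschap:NT-Response": "ab" * 24}

if __name__ == "__main__":
    for name, attrs in (("PAP", PAP), ("MSCHAP", MSCHAP), ("no attributes", {})):
        print(name, "| original:", expand(ORIGINAL, attrs))
        print(name, "| fallback:", expand(FALLBACK, attrs))
```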
