On 08/21/2013 05:11 AM, Chris Parker wrote:

Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, length=57
        User-Name = "wyse1"
        User-Password = "K503D"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wyse1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=wyse1
[ntlm_auth]     expand: --password=%{User-Password} -> --password=K503D
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok

You're running ntlm_auth in the "authorize" section, and then:

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

...nothing in the "authenticate" section.

You either want:

authorize {
  ...
  ntlm_auth
  if (ok) {
    update control {
      Auth-Type := Accept
    }
  }
  ...
}

...or:

authorize {
  ...
  # don't run ntlm_auth here, and right at the bottom
  if (User-Password) {
    # PAP request, tell ntlm_auth to run in authenticate
    update control {
      Auth-Type = ntlm_auth
    }
  }
}
authenticate {
  Auth-Type ntlm_auth {
    ntlm_auth
  }
}

HOWEVER - you should note that the (EXTREMELY unfortunately named) "ntlm_auth" module instance is usually not what you want for wireless. Wireless is typically 802.1x with PEAP/MSCHAP, which will entail setting up the "ntlm_auth" configuration *item* of the mschap module.

Read the extensive docs, wiki, and walkthrough on deployingradius.com for more info.

Failed to authenticate the user.
Login incorrect: [wyse1/K503D] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> wyse1
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 114 to 127.0.0.1 port 35826
Waking up in 4.9 seconds.
Cleaning up request 7 ID 114 with timestamp +843
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
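
The failure diagnosed in this message (ntlm_auth succeeding in authorize, followed by a reject for lack of Auth-Type) can be spotted mechanically in debug output, and the same output carries the cleartext password in three places. The following is an added example, not part of the original message or of FreeRADIUS; the function names, the sample log and its placeholder password are constructed for illustration.

```python
import re

# Constructed sample modelled on the debug output in this message; the password is a placeholder.
SAMPLE = """\
        User-Password = "example-pw"
+- entering group authorize {...}
++[preprocess] returns ok
[ntlm_auth]     expand: --password=%{User-Password} -> --password=example-pw
Exec-Program: returned: 0
++[ntlm_auth] returns ok
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Login incorrect: [wyse1/example-pw] (from client localhost port 1812)
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+)")
RETURN_RE = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")
EXEC_RE = re.compile(r"^Exec-Program: returned: (-?\d+)")
SECRET_RE = re.compile(
    r'(User-Password = ")[^"]*'              # attribute dump of the request
    r"|(--password=)(?!%)\S+"                # expanded exec argument, not the template
    r"|(Login incorrect: \[[^/\]]*/)[^\]]*"  # bad-password log line
)

def redact(log):
    """Mask cleartext passwords so the debug output can be shared."""
    return SECRET_RE.sub(lambda m: next(g for g in m.groups() if g) + "<redacted>", log)

def diagnose(log):
    """Find exec modules that succeeded in authorize on a request rejected for lack of Auth-Type."""
    group, pending_exit, verified, missing = None, None, [], False
    for raw in log.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            group = m.group(1)               # current processing section
        elif m := EXEC_RE.match(line):
            pending_exit = int(m.group(1))   # exit status belongs to the next module return
        elif m := RETURN_RE.match(line):
            if group == "authorize" and pending_exit == 0 and m.group(2) == "ok":
                verified.append(m.group(1))
            pending_exit = None
        elif "No authenticate method (Auth-Type) found" in line:
            missing = True
    return {"verified_in_authorize": verified, "missing_auth_type": missing}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
    print(redact(SAMPLE))
```

A non-empty `verified_in_authorize` together with `missing_auth_type` set to true is the situation described in this message: the credentials were checked, but nothing told the server which Auth-Type to use.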

