RE: ntlm_auth and clear-text passwords
Our Cisco specialist told me that SSH can only be enabled on a crypto IOS image, but this is more expensive. If you want, I can tell you the exact version of the IOS we currently use. But I will show him your question.

Robert

----- Original Message -----
From: "King, Michael" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: 04.07.2006 05:23
Subject: RE: ntlm_auth and clear-text passwords

> -----Original Message-----
> On Behalf Of [EMAIL PROTECTED]
> > Users telnet the switch, therefore a clear-text password will be sent.
>
> Just a completely left-field question. Any particular reason you have
> chosen not to enable SSH on that switch? It's in the IOS (assuming you
> have the correct IOS version on there; there are only 3 of them for that
> switch: Base, Base with WebConfig, and Base without Crypto). It only
> takes 3 commands to enable it.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
ntlm_auth and clear-text passwords
Dear all,

For AAA authentication on a Cisco Catalyst 3750 switch, I try to use ntlm_auth to authenticate users against our Active Directory (domain name: SOUTH). Users telnet to the switch, therefore a clear-text password will be sent.

According to an earlier posting
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045377.html
I did this:

> What you need to do is to configure a *different* ntlm_auth, only
> for clear-text passwords. The simplest way to do this is to use the
> "exec" module:
>
> modules {
>   ...
>   exec win_domain {
>     wait = yes
>     input_pairs = request
>     output_pairs = reply
>     program = "ntlm_auth --username=\"%{User-Name}\"
>                --password=\"%{User-Password}\" --domain=usmisgne"
>   }
>   ...
> }
>
> Now list "win_domain" in the "authenticate" section, and add the
> following entry to the "users" file:
>
> DEFAULT Auth-Type = win_domain

But the authentication still fails. My ntlm_auth shell command works:

~# /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH
NT_STATUS_OK: Success (0x0)

but authentication via freeradius fails.
Here are my config files and the complete freeradius -X output:

my radiusd.conf file:
-
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
}
modules {
  pap {
    encryption_scheme = crypt
  }
  chap {
    authtype = CHAP
  }
  pam {
    pam_auth = radiusd
  }
  unix {
    cache = no
    cache_reload = 600
    shadow = /etc/shadow
    radwtmp = ${logdir}/radwtmp
  }
  $INCLUDE ${confdir}/eap.conf
  mschap {
    authtype = MS-CHAP
    use_mppe = no
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
  }
  ldap {
    server = "10.187.64.3"
    identity = "CN=Hans Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de"
    password = Gerti1000
    basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de"
    filter = "sAMAccountname=%{User-Name}"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    edir_account_policy_check = no
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }
  realm IPASS {
    format = prefix
    delimiter = "/"
    ignore_default = no
    ignore_null = no
  }
  realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
  realm realmpercent {
    format = suffix
    delimiter = "%"
    ignore_default = no
    ignore_null = no
  }
  realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_default = no
    ignore_null = no
  }
  checkval {
    item-name = Calling-Station-Id
    check-name = Calling-Station-Id
    data-type = string
  }
  preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with
Re: Multiple AD-Domains with rlm_ldap
> ntlm_auth should work. I'm less sure how to configure multiple AD
> domains in ldap.
>
> Alan DeKok.

Okay, according to an earlier posting
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045377.html
I did this:

> What you need to do is to configure a *different* ntlm_auth, only
> for clear-text passwords. The simplest way to do this is to use the
> "exec" module:
>
> modules {
>   ...
>   exec win_domain {
>     wait = yes
>     input_pairs = request
>     output_pairs = reply
>     program = "ntlm_auth --username=\"%{User-Name}\"
>                --password=\"%{User-Password}\" --domain=usmisgne"
>   }
>   ...
> }
>
> Now list "win_domain" in the "authenticate" section, and add the
> following entry to the "users" file:
>
> DEFAULT Auth-Type = win_domain

But the authentication still fails. Did I make some mistakes in my config? Maybe here?

Auth-Type win_domain {
  win_domain
}

Robert

My ntlm_auth shell command works:

~# /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH
NT_STATUS_OK: Success (0x0)

but radtest fails:

~# radtest john.smith smith1000 localhost 1645 testing123

Abbreviated freeradius -X output:

auth: type "win_domain"
  Processing the authenticate section of radiusd.conf
modcall: entering group win_domain for request 0
radius_xlat:  '/usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH'
Exec-Program: /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
rlm_exec (win_domain): External script failed

Here are my config files and the complete freeradius -X output:

radiusd.conf
-
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
}
modules {
  pap {
    encryption_scheme = crypt
  }
  chap {
    authtype = CHAP
  }
  pam {
    pam_auth = radiusd
  }
  unix {
    cache = no
    cache_reload = 600
    shadow = /etc/shadow
    radwtmp = ${logdir}/radwtmp
  }
  $INCLUDE ${confdir}/eap.conf
  mschap {
    authtype = MS-CHAP
    use_mppe = no
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
  }
  ldap {
    server = "10.187.64.3"
    identity = "CN=Hans Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de"
    password = Gerti1000
    basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de"
    filter = "sAMAccountname=%{User-Name}"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    edir_account_policy_check = no
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }
  realm IPASS {
    format = prefix
    delimiter = "/"
    ignore_default = no
    ignore_null = no
  }
  realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
  realm realmpercent {
    format = suffix
    delimiter = "%"
    ignore_default = no
    ignore_null = no
  }
  realm ntdomain {
    format =
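The exec-module approach above hands ntlm_auth the clear-text password on its command line, and the `radius_xlat` debug line shows that expanded command, password included. Two things a practitioner would want to see at this point: the call built as an argument vector (no shell, so a login name containing quotes or `;` is just a string), and the AD domain taken from a `DOMAIN\user` login name instead of being hard-coded, which is what a multi-domain setup like NORTH/SOUTH/EAST/WEST needs. The block below is an added example, not code from the thread or from FreeRADIUS or Samba; it assumes only the `--username`, `--password` and `--domain` flags and the `NT_STATUS_*` output line that appear on this page. The real binary is only invoked when installed; the `runner` parameter lets a constructed result stand in for it.

```python
"""Build and evaluate an ntlm_auth clear-text check the way an exec module
would, choosing --domain from the login name rather than hard-coding it.

Added example (not from the thread, FreeRADIUS or Samba). Assumes ntlm_auth
accepts --username/--password/--domain and prints an NT_STATUS_* line.
"""
import shutil
import subprocess
from typing import Callable, List, Tuple

NTLM_AUTH = "/usr/bin/ntlm_auth"   # path as used in the thread


def split_ntdomain(user_name: str, default_domain: str) -> Tuple[str, str]:
    """'SOUTH\\john.smith' -> ('SOUTH', 'john.smith'); bare names get the default.
    Same split as 'realm ntdomain { format = prefix, delimiter = "\\\\" }'."""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return default_domain, user_name
    return domain, user


def ntlm_auth_argv(user_name: str, password: str, default_domain: str) -> List[str]:
    """Argument vector for the check. No shell is involved, so metacharacters
    in the login name cannot become commands. Caveat that remains: the
    password is visible in the process list (e.g. ps) while ntlm_auth runs."""
    domain, user = split_ntdomain(user_name, default_domain)
    return [NTLM_AUTH, f"--username={user}", f"--password={password}", f"--domain={domain}"]


def parse_nt_status(output: str) -> Tuple[bool, str]:
    """'NT_STATUS_OK: Success (0x0)' -> (True, 'NT_STATUS_OK')."""
    status = output.strip().split(":", 1)[0]
    return status == "NT_STATUS_OK", status


def run_ntlm_auth(argv: List[str]) -> Tuple[int, str]:
    """Real runner: direct exec, no shell. Returns (exit code, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def check_password(user_name: str, password: str, default_domain: str = "SOUTH",
                   runner: Callable[[List[str]], Tuple[int, str]] = run_ntlm_auth) -> Tuple[bool, str]:
    """Returns (accepted, nt_status). rlm_exec rejects on a non-zero exit; the
    NT_STATUS_OK line is required as well, so a wrapper that exits 0 on a
    failed check cannot accidentally let a user in."""
    argv = ntlm_auth_argv(user_name, password, default_domain)
    code, out = runner(argv)
    ok, status = parse_nt_status(out)
    return (code == 0 and ok), status


if __name__ == "__main__":
    if shutil.which(NTLM_AUTH):
        print(check_password("SOUTH\\john.smith", "smith1000"))
    else:
        print("ntlm_auth not installed; pass a constructed runner to check_password()")
```

Wiring this into the server still means the password passes through a child process's argument list; keeping the RADIUS server on a host where only administrators can list processes is the minimum, and for the switch login itself the SSH suggestion earlier in this thread removes the clear-text password from the wire altogether.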
Multiple AD-Domains with rlm_ldap
Dear all,

For AAA authentication on a Cisco Catalyst 3750 switch, I use the rlm_ldap module to authenticate users against our single Active Directory (domain name: SOUTH). Users telnet to the switch, therefore a clear-text password will be sent. This works properly.

But now we have four AD domains (NORTH, SOUTH, EAST, WEST) and sometimes the same username in different AD domains, e.g.

NORTH\nicole.smith
SOUTH\john.smith
NORTH\john.smith
WEST\john.smith

What would be the best way to authenticate users? In my case, access should be granted for user SOUTH\john.smith and NORTH\nicole.smith. Is ntlm_auth the right way, or multiple ldap instances to differentiate the AD domains, or what else?

Thanks in advance for any suggestions...
Robert

My current config follows below:

users
-
john.smith
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=15"

nicole.smith
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=7"

radiusd.conf
--
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
}
modules {
  pap {
    encryption_scheme = crypt
  }
  chap {
    authtype = CHAP
  }
  pam {
    pam_auth = radiusd
  }
  unix {
    cache = no
    cache_reload = 600
    shadow = /etc/shadow
    radwtmp = ${logdir}/radwtmp
  }
  $INCLUDE ${confdir}/eap.conf
  mschap {
    authtype = MS-CHAP
    use_mppe = no
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
  }
  ldap {
    server = "10.187.64.3"
    identity = "CN=Hans Dampf,CN=Computers,DC=SOUTH,DC=rsnhm,DC=com,DC=de"
    password = laber
    basedn = "DC=SOUTH,DC=rsnhm,DC=com,DC=de"
    filter = "sAMAccountname=%{User-Name}"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    edir_account_policy_check = no
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }
  realm IPASS {
    format = prefix
    delimiter = "/"
    ignore_default = no
    ignore_null = no
  }
  realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
  realm realmpercent {
    format = suffix
    delimiter = "%"
    ignore_default = no
    ignore_null = no
  }
  realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_default = no
    ignore_null = no
  }
  checkval {
    item-name = Calling-Station-Id
    check-name = Calling-Station-Id
    data-type = string
  }
  preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
  }
  files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/preproxy_users
    compat = no
  }
  detail {
    detailfile = ${rada
ldap and MD5-Challenge
Dear all,

My supplicant is a WinXP client, the EAP type is MD5-Challenge. My authenticator is a Cisco Catalyst 3750. I try to do an 802.1X authentication for a user listed in an LDAP database. When I do an MD5-Challenge it does not work. Do I have a problem with MD5-encrypted passwords? My configuration files follow below...

Thanks in advance

The LDAP authentication seems to work; here is the freeradius -X output after radtest:

Debian# radtest schlapp Gerti1000 localhost 1645 testing123
rad_recv: Access-Request packet from host 127.0.0.1:32852, id=247, length=59
        User-Name = "schlapp"
        User-Password = "Gerti1000"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry schlapp at line 87
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat:  '(&(sAMAccountname=schlapp)(objectClass=person))'
radius_xlat:  'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0
rlm_ldap: bind as CN=Robert Huber,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user schlapp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "schlapp" with password "Gerti1000"
rlm_ldap: user DN: CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 1
rlm_ldap: bind as CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user schlapp authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Login OK: [schlapp/Gerti1000] (from client localhost port 1645)
Sending Access-Accept of id 247 to 127.0.0.1 port 32852
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "50"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

But when I try to use my WinXP client, EAP says:

rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select

Here is the entire freeradius -X output:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=174, length=129
        User-Name = "schlapp"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        EAP-Message = 0x0202000c017363686c617070
        Message-Authenticator = 0x7a4a5ff5030a44b2fcee7b79d3aac47c
        NAS-Port = 60003
        NAS-Port-Type = Virtual
        NAS-IP-Address = 10.187.0.15
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry schlapp at line 83
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization
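The "User-Password is required for EAP-MD5 authentication" line is the whole story: an LDAP bind proves the password to the directory, but EAP-MD5 needs the server to hash the clear-text password itself, so a bind-only backend can never answer an MD5-Challenge. The block below is an added example, not code from the thread or from FreeRADIUS; it implements the EAP-MD5 response computation (RFC 3748 type 4, the CHAP hash from RFC 1994) on both sides so the dependency on the clear-text password is visible, and includes the offline-guessing caveat that comes with the method. Identifiers, passwords and the challenge are constructed.

```python
"""EAP-MD5 (RFC 3748 type 4; the hash is the CHAP one from RFC 1994) as the
server has to evaluate it, and why that needs the clear-text password.

Added example, not code from the thread or from FreeRADIUS. Identifiers,
passwords and the challenge are constructed for illustration.
"""
import hashlib
import hmac
import os

EAP_RESPONSE = 2
EAP_TYPE_MD5 = 4


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Value = MD5(Identifier || password || challenge). The password bytes
    themselves are hashed, so the verifier must hold them in clear text; a
    crypt()/NT hash or an LDAP bind cannot stand in for them."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(identifier: int, password: bytes, challenge: bytes,
                       name: bytes = b"") -> bytes:
    """EAP Response/MD5-Challenge: Code=2, Id, Length, Type=4, Value-Size, Value, Name."""
    value = md5_response(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    length = 4 + len(body)
    return bytes([EAP_RESPONSE, identifier]) + length.to_bytes(2, "big") + body


def parse_md5_response(pkt: bytes):
    """Returns (identifier, value, name); raises ValueError on a malformed packet."""
    if len(pkt) < 6 or pkt[0] != EAP_RESPONSE:
        raise ValueError("not an EAP Response")
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("bad length or not an MD5-Challenge response")
    size = pkt[5]
    if size != 16 or 6 + size > len(pkt):
        raise ValueError("bad Value-Size")
    return pkt[1], pkt[6:6 + size], pkt[6 + size:]


def verify_md5_response(pkt: bytes, challenge: bytes, clear_password) -> bool:
    """Server side. With no clear-text password there is nothing to recompute,
    which is the situation behind 'User-Password is required for EAP-MD5
    authentication' when the only credential store is an LDAP bind."""
    if clear_password is None:
        return False
    identifier, value, _name = parse_md5_response(pkt)
    return hmac.compare_digest(value, md5_response(identifier, clear_password, challenge))


def dictionary_attack(pkt: bytes, challenge: bytes, candidates):
    """Caveat: EAP-MD5 is unprotected on the wire and has no mutual
    authentication, so anyone who captured challenge and response can test
    guesses offline exactly as the server does. Returns the matching guess."""
    identifier, value, _name = parse_md5_response(pkt)
    for guess in candidates:
        if md5_response(identifier, guess, challenge) == value:
            return guess
    return None


def demo():
    challenge = os.urandom(16)                       # constructed challenge
    pkt = build_md5_response(7, b"hugo01", challenge, b"hugo")
    return (verify_md5_response(pkt, challenge, b"hugo01"),
            verify_md5_response(pkt, challenge, None))


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the setup in this thread: either the server must be able to read the password from the directory (which Active Directory does not expose), or the supplicant must use a method that works from what the server does have, which is why the later threads on this page move to MS-CHAP via ntlm_auth.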
Re: VLAN-mapping by DEFAULT Entry fails
----- Original Message -----
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list
Date: 23.05.2006 09:46
Subject: Re: VLAN-mapping by DEFAULT Entry fails

> Hi,
>
> > I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco
> > Catalyst Switch 3750 as authenticator and I want that user hugo will be
> > mapped in VLAN 50 on the switch. This works properly.
> >
> > Every other user should be mapped in VLAN 999, my guest VLAN. I try this
> > with a DEFAULT entry, but this does not work, the switch does not accept any
> > other user, in my case user nobody is unauthorized for my authenticator.
>
> those who don't have a dot1x supplicant wouldn't be able to be put onto this
> VLAN

I agree, we try to solve this problem with the new Cisco feature mac authentication bypass, e.g. for printers without a dot1x supplicant.

> though as there would be no dot1x exchange...surely?

Hm, but I have a dot1x supplicant and try an authentication with a username and password not listed in the users file. In my case user nobody, password abc. I ask myself how to deal with DEFAULT entries and tell the switch the right Tunnel-Private-Group-Id. I wonder why the DEFAULT entry says in the debug output that everything is okay and accepted

--snip--
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "999"
--snap--

but my switch ignores it

robert

> surely using the built in guest VLAN facility of the switch itself
> is the best way to achieve this aim?
>
> eg in the interface configuration
>
> dot1x guest-vlan 999
>
> ?

yes, I agree. This works fine if there is no xsupplicant sending a dot1x answer

> alan
VLAN-mapping by DEFAULT Entry fails
Dear all,

I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco Catalyst Switch 3750 as authenticator and I want that user hugo will be mapped in VLAN 50 on the switch. This works properly.

Every other user should be mapped in VLAN 999, my guest VLAN. I try this with a DEFAULT entry, but this does not work, the switch does not accept any other user, in my case user nobody is unauthorized for my authenticator.

My other configuration files are seen at the end of this text.

Thanks in advance...
Robert

My entire users file:
==
hugo    User-Password == "hugo01"           # line 54
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

DEFAULT Auth-Type := Accept                 # line 69
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 999

My radiusd output for user nobody (my authenticator does not accept this):
==
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=218, length=127
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "nobody"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0203000b016e6f626f6479
        Message-Authenticator = 0x48b3cb8e3c0c39e55e33121529f28c7d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 3 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 69
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "999"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 218 with timestamp 4472b042
Nothing to do.  Sleeping until we see a request.

My radiusd output for user hugo (this works, accepted by the authenticator):
==
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=215, length=123
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "hugo"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0209016875676f
        Message-Authenticator = 0xc8b883765bb2789fe6eac6542635ab5c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "hugo", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry hugo at line 54
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 215 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "50"
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x0
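The two debug traces above differ in one detail that decides the outcome: both requests carry an EAP-Message (an EAP Identity response), but for hugo the eap module runs and the conversation continues with an Access-Challenge, whereas `DEFAULT Auth-Type := Accept` for nobody short-circuits the eap module and the Access-Accept goes out with Tunnel-* attributes and no EAP-Message at all. An 802.1X authenticator only authorizes the port after relaying an EAP Success that it takes from the Access-Accept (compare the `EAP-Message = 0x03010004` in the hugo accept shown later on this page), so an accept without one cannot finish the exchange. The block below is an added example, not code from the thread or from FreeRADIUS; it decodes the EAP-Message hex strings printed above, encodes the three tunnel attributes the switch expects (attribute numbers 64, 65 and 81 per RFC 2868, EAP-Message 79 per RFC 3579), and checks a reply for the missing EAP Success. The reply attribute sets are constructed.

```python
"""Decode the EAP-Message attributes printed in the debug output and check
whether an Access-Accept can finish an 802.1X conversation.

Added example, not code from the thread or from FreeRADIUS. The hex strings
come from the debug output on this page; the reply attribute sets are
constructed. Attribute numbers: Tunnel-Type 64, Tunnel-Medium-Type 65,
EAP-Message 79, Tunnel-Private-Group-ID 81 (RFC 2868 / RFC 3579).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 64, 65
ATTR_EAP_MESSAGE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 79, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def parse_eap(hexstr: str) -> dict:
    """'0x0203000b016e6f626f6479' -> Response, id 3, length 11, Identity 'nobody'."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) > 4:
        out["type"] = raw[4]
        if raw[4] == 1:                          # EAP Identity
            out["identity"] = raw[5:].decode("utf-8")
    return out


def avp(attr: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including the two header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr, 2 + len(value)]) + value


def tunnel_avps(vlan: str, tag: int = 0) -> bytes:
    """The three attributes the switch needs for VLAN assignment, each with
    the RFC 2868 tag octet in front (shown as ':0' in the FreeRADIUS output)."""
    return (avp(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))


def eap_success_avp(ident: int) -> bytes:
    """EAP-Message carrying EAP Success (Code 3, Id, Length 4), e.g. 0x03010004."""
    return avp(ATTR_EAP_MESSAGE, bytes([3, ident, 0, 4]))


def parse_avps(blob: bytes) -> list:
    """Split a run of attributes into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((attr, blob[i + 2:i + length]))
        i += length
    return out


def accept_completes_eap(request_eap_hex: str, reply_avps: bytes) -> bool:
    """A request that carried EAP-Message is an EAP conversation; the
    authenticator only authorizes the port after relaying an EAP Success
    taken from the Access-Accept. 'Auth-Type := Accept' bypasses the eap
    module, so the reply for 'nobody' has the Tunnel-* attributes but no
    EAP-Message at all, and the switch cannot complete 802.1X with it."""
    parse_eap(request_eap_hex)                   # raises if this was not EAP
    eap = b"".join(v for a, v in parse_avps(reply_avps) if a == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        return False
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    return code == 3 and length == 4


if __name__ == "__main__":
    req = "0x0203000b016e6f626f6479"
    print(parse_eap(req))
    print(accept_completes_eap(req, tunnel_avps("999")))
    print(accept_completes_eap(req, tunnel_avps("999") + eap_success_avp(1)))
```

The check is deliberately one-sided: it tells you when a reply cannot work, not that it will. A genuine EAP Success only comes out of an EAP method that actually ran, which is why an unknown user on this switch belongs in the guest VLAN via the switch's own `dot1x guest-vlan` handling rather than in a RADIUS `Accept` that skips authentication.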
Re: VLAN Mapping with MS-CHAP
> [EMAIL PROTECTED] wrote:
> >
> > robiwan: Okay, here is the complete output from my radiusd, when user roka
> > does a request:
> > sorry, it's huge
> >
> > rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
> >         NAS-IP-Address = 10.187.0.15
> >         NAS-Port = 50103
> >         NAS-Port-Type = Ethernet
> >         User-Name = "WINLAB\\roka"
> >         Called-Station-Id = "00-14-69-5B-8B-03"
> >         Calling-Station-Id = "00-0B-5D-84-AE-CA"
> >         Service-Type = Framed-User
> >         Framed-MTU = 1500
> >         EAP-Message = 0x02100157494e4c41425c726f6b61
> >         Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "chap" returns noop for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> >     rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >   rlm_eap: EAP packet type response id 0 length 16
> >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >   modcall[authorize]: module "eap" returns updated for request 0
> >     users: Matched entry DEFAULT at line 185
> >   modcall[authorize]: module "files" returns ok for request 0
> > modcall: leaving group authorize (returns updated) for request 0
>
> It should be obvious what's happening here. The "files" module is only
> matching a DEFAULT entry. This is because your username is DOMAIN\user.
> DOMAIN\user != user
>
> Either do this to break the user into realm+user:
>
> authorize {
>   preprocess
>   ntdomain
>   mschap
>   eap
>   files
> }
>
> ...and this in proxy.conf:
>
> realm WINLAB {
>   type = radius
>   authhost = LOCAL
>   accthost = LOCAL
>   strip
> }
>
> OR edit your "users" to read:
>
> WINLAB\\roka <The-Stuff-Here := whatever>
>
> > peap {
> >   default_eap_type = mschapv2
> >   copy_request_to_tunnel = yes
> >   use_tunneled_reply = yes
> >   proxy_tunneled_request_as_eap = no
> > }

I edited my users file as mentioned above. That's it!!! Thanks a lot.

Robert
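The diagnosis in the reply above (`DOMAIN\user != user`) is easy to verify by modelling the two modules involved. The block below is an added example, not code from the thread or from FreeRADIUS; it reproduces just the matching behaviour of the `ntdomain` realm (prefix format, `\` delimiter, with and without `strip`) and of the `files` module (key on Stripped-User-Name when present, DEFAULT entries, Fall-Through), then runs the users file from this thread against the `WINLAB\roka` request from the debug output. The users entries and the request are reduced to the attributes shown on this page.

```python
"""Why a users entry named 'roka' never matches a login of 'WINLAB\\roka', and
the two fixes given above: split the NT domain off as a realm and strip it,
or key the entry on the full name.

Added example, not code from the thread or from FreeRADIUS; it models just
the matching behaviour of rlm_realm and rlm_files. The users entries and the
request are constructed from the attributes shown on this page.
"""


def ntdomain_realm(request: dict, realms: dict) -> dict:
    """rlm_realm 'ntdomain' (format = prefix, delimiter = '\\\\'): on a
    DOMAIN\\user name whose DOMAIN is a configured realm it sets Realm, and
    Stripped-User-Name when that realm is configured with 'strip'."""
    name = request["User-Name"]
    domain, sep, user = name.partition("\\")
    if not sep or domain not in realms:
        return dict(request)                     # noop: files sees the raw name
    out = dict(request, Realm=domain)
    if realms[domain].get("strip", False):
        out["Stripped-User-Name"] = user
    return out


def files_lookup(request: dict, users: list) -> dict:
    """rlm_files: the key is Stripped-User-Name if present, else User-Name.
    users is a list of (name, check_items, reply_items); DEFAULT matches any
    name; every check item must equal the request attribute; the first match
    ends the search unless it sets Fall-Through."""
    key = request.get("Stripped-User-Name", request["User-Name"])
    reply = {}
    for name, check, items in users:
        if name not in ("DEFAULT", key):
            continue
        if any(request.get(attr) != value for attr, value in check.items()):
            continue
        reply.update({k: v for k, v in items.items() if k != "Fall-Through"})
        if not items.get("Fall-Through"):
            break
    return reply


VLAN40 = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
          "Tunnel-Private-Group-ID": "40"}

# The users file from the thread, reduced to the entries that matter.
USERS_AS_POSTED = [
    ("roka", {}, VLAN40),
    ("DEFAULT", {"Service-Type": "Framed-User"},
     {"Framed-MTU": "576", "Framed-IP-Address": "255.255.255.254", "Fall-Through": True}),
]
# Fix 2: key the entry on the full name the switch sends.
USERS_FULL_NAME = [("WINLAB\\roka", {}, VLAN40)] + USERS_AS_POSTED[1:]

# The request as seen in the debug output (attributes that matter here).
REQUEST = {"User-Name": "WINLAB\\roka", "Service-Type": "Framed-User"}


def authorize(request: dict, users: list, realms: dict) -> dict:
    """authorize { ... ntdomain ... files }: realm split first, then the users file."""
    return files_lookup(ntdomain_realm(request, realms), users)


if __name__ == "__main__":
    print(authorize(REQUEST, USERS_AS_POSTED, {}))                            # DEFAULT only: no VLAN
    print(authorize(REQUEST, USERS_AS_POSTED, {"WINLAB": {"strip": True}}))   # fix 1: realm + strip
    print(authorize(REQUEST, USERS_FULL_NAME, {}))                             # fix 2: full name
```

The first run reproduces the Access-Accept from the thread, with Framed-MTU and Framed-IP-Address from the DEFAULT entry and no Tunnel attributes, which the switch turns into VLAN 1. Note that a realm without `strip` still leaves the lookup key as `WINLAB\roka`. With PEAP the users file is consulted inside the TLS tunnel, and the `use_tunneled_reply = yes` shown in the quoted peap block is what copies the inner reply's Tunnel-* attributes into the outer Access-Accept the switch actually reads.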
Re: VLAN Mapping with MS-CHAP
> Dear all,
> I try to put my Windows XP clients in different VLANs on my Cisco Catalyst
> 3750 switch, depending on their account.
> And I use two different authentication methods: MD5-Challenge and MS-CHAP.
>
> User hugo should be mapped in VLAN 50 and authenticated via MD5-Challenge
> User roka at domain WINLAB should be mapped in VLAN 40 and authenticated via
> MS-CHAP
>
> Now both authentications work (thanks to all again) but I have difficulties
> mapping user roka in his right VLAN.
>
> Here is my users file:
> ---snip---
>
> hugo    User-Password == "hugo01"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 50
>
> roka    Auth-Type := MS-CHAP
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 40
> ---snap---

Do NOT set Auth-Type. If your server is properly configured, it is not needed and can cause problems. In this case, it should not be causing the problem.

Just to check - that's the ENTIRE users file, yes?

robiwan: Now, here is my complete users:

---start users---
hugo    User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

roka
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
---end users---

> Here is the output of my radiusd with user hugo
> The Cisco switch maps user hugo in VLAN 50:
>
> Login OK: [hugo/] (from client M4DEMRCO015 port 50103 cli 00-0B-5D-84-AE-CA)
> Sending Access-Accept of id 210 to 10.187.0.15 port 1645
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "50"
>         EAP-Message = 0x03010004
>         Message-Authenticator = 0x
>         User-Name = "hugo"
> Finished request 1
> Going to the next request
>
> Here is the output with user roka
> The Cisco switch maps user roka in VLAN 1, and NOT in VLAN 40; I miss the
> Tunnel information:
>
> Login OK: [WINLAB\\roka/] (from client M4DEMRCO015 port 50103 cli 00-0B-AA-84-AE-CA)
> Sending Access-Accept of id 220 to 10.187.0.15 port 1645
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         MS-MPPE-Recv-Key = 0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
>         MS-MPPE-Send-Key = 0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x
>         User-Name = "WINLAB\\roka"
> Finished request 9
> Going to the next request

This is not helpful. Send the full debugging output prior to this, so we can see what modules matched. If you're going to trim, start from the point the radius server is idling, not the very last packet.

robiwan: Okay, here is the complete output from my radiusd, when user roka does a request:
sorry, it's huge

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02100157494e4c41425c726f6b61
        Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet t
VLAN Mapping with MS-CHAP
Dear all,

I try to put my Windows XP clients in different VLANs on my Cisco Catalyst 3750 switch, depending on their account. And I use two different authentication methods: MD5-Challenge and MS-CHAP.

User hugo should be mapped into VLAN 50 and authenticated via MD5-Challenge.
User roka at domain WINLAB should be mapped into VLAN 40 and authenticated via MS-CHAP.

Now both authentications work (thanks to all again), but I have difficulties mapping user roka into his right VLAN.

Here is my users file:

---snip---
hugo    User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40
---snap---

Here is the output of my radiusd with user hugo. The Cisco switch maps user hugo into VLAN 50:

Login OK: [hugo/] (from client M4DEMRCO015 port 50103 cli 00-0B-5D-84-AE-CA)
Sending Access-Accept of id 210 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "50"
        EAP-Message = 0x03010004
        Message-Authenticator = 0x
        User-Name = "hugo"
Finished request 1
Going to the next request

Here is the output with user roka. The Cisco switch maps user roka into VLAN 1, and NOT into VLAN 40; I miss the Tunnel information:

Login OK: [WINLAB\\roka/] (from client M4DEMRCO015 port 50103 cli 00-0B-AA-84-AE-CA)
Sending Access-Accept of id 220 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-MPPE-Recv-Key = 0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
        MS-MPPE-Send-Key = 0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = "WINLAB\\roka"
Finished request 9
Going to the next request

So, any ideas what to do so that for user roka my radiusd also tells my switch the Tunnel things:

        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "40"

Thanks in advance
Robert

A lot or a little? Fast or slow? Unlimited surfing + calling with no time or volume limit? THE TOP OFFER NOW at Arcor: cheap and fast with DSL - the all-inclusive package for clever double-savers, only 44.85 incl. DSL and ISDN basic fee! http://www.arcor.de/rd/emf-dsl-2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
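An added check, not code from the thread, that reads a users file and a radiusd debug excerpt like the two dumps above and reports every Access-Accept that carries no Tunnel-Private-Group-Id, the case in which the Catalyst leaves the port in its default VLAN; the users file and log excerpt embedded in it are constructed from this post, and the DOMAIN\user stripping assumes the with_ntdomain_hack naming used in the thread.

```python
# Added example (not from the thread): the users file and radiusd excerpt are
# constructed from the two dumps in the post above.
import re
# Constructed users file as posted: hugo -> VLAN 50, roka -> VLAN 40.
USERS_FILE = '''hugo    User-Password == "hugo01"
        Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 50
roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 40
'''
# Constructed radiusd excerpt: first accept has the VLAN, second (PEAP user) has none.
RADIUSD_LOG = r'''Sending Access-Accept of id 210 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "50"
        User-Name = "hugo"
Finished request 1
Sending Access-Accept of id 220 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        User-Name = "WINLAB\\roka"
Finished request 9
'''
# attribute[:tag] = value, quoted or not, as printed by radiusd and in users
ATTR_RE = re.compile(r'^\s*([\w-]+)(?::\d+)?\s*=\s*"?([^",]*)"?\s*,?\s*$')
GROUP_ID = 'tunnel-private-group-id'

def expected_vlans(users_text):
    """Map each users-file entry name to its Tunnel-Private-Group-ID reply item."""
    expected, current = {}, None
    for line in users_text.splitlines():
        if line.strip() and not line[0].isspace():   # unindented: name + checks
            current = line.split()[0]
        elif current:                                 # indented: reply items
            for m in filter(None, map(ATTR_RE.match, line.split(','))):
                if m.group(1).lower() == GROUP_ID:
                    expected[current] = m.group(2)
    return expected

def accepted_vlans(log_text):
    """Return (User-Name, VLAN or None) for every Access-Accept in the log."""
    results, attrs = [], None
    for line in log_text.splitlines():
        if line.startswith('Sending Access-Accept'):
            attrs = {}
        elif line.startswith('Finished request') and attrs is not None:
            results.append((attrs.get('user-name'), attrs.get(GROUP_ID)))
            attrs = None
        elif attrs is not None and (m := ATTR_RE.match(line)):
            attrs[m.group(1).lower()] = m.group(2)
    return results

def audit(users_text, log_text):
    """Flag accepts without a group ID: the Catalyst then keeps the default VLAN."""
    expected, report = expected_vlans(users_text), []
    for user, vlan in accepted_vlans(log_text):
        want = expected.get(user.split('\\')[-1])    # DOMAIN\user -> user
        status = 'no-tunnel-attrs' if vlan is None else 'ok' if vlan == want else 'mismatch'
        report.append((user, want, vlan, status))
    return report
```

Run `audit(USERS_FILE, RADIUSD_LOG)` against a real `radiusd -X` capture to list which users were accepted without a VLAN.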
Re: ntlm_auth is not used by mschap
- Original Message -
From: Stefan Winter <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: 04.05.2006 13:20
Subject: Re: ntlm_auth is not used by mschap

> Hi,
>
> you didn't state what problem you have right now. The logs send an Accept at
> the end, so everything looks very fine.
> Was your mail just to let the world know that things work now, or do you have
> a question?

Hi,

Oh sorry, my question is that the authenticator, a Cisco Catalyst 3750, does not map my XP client into VLAN 40 as I defined it in the users file:

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

When the XP client is authenticated via MS-CHAP, the Cisco Catalyst maps my client into VLAN 1, the default VLAN, and NOT into VLAN 40.

When I authenticate with Auth-Type := Local

roka    Auth-Type := Local, User-Password = "Gerti1000"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

it works, as you can see in the output from radtest:

Debian:~# radtest roka Gerti1000 localhost 1645 testing123
Sending Access-Request of id 0 to 127.0.0.1 port 1812
        User-Name = "roka"
        User-Password = "Gerti1000"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=0, length=36
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "40"

Here is the output from the radiusd:

rad_recv: Access-Request packet from host 127.0.0.1:1024, id=72, length=56
        User-Name = "roka"
        User-Password = "Gerti1000"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
  modcall[authorize]: module "preprocess" returns ok for request 13
  modcall[authorize]: module "chap" returns noop for request 13
  modcall[authorize]: module "mschap" returns noop for request 13
    rlm_realm: No '@' in User-Name = "roka", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 13
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 13
    users: Matched entry roka at line 82
  modcall[authorize]: module "files" returns ok for request 13
modcall: leaving group authorize (returns ok) for request 13
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [roka/Gerti1000] (from client localhost port 1645)
Sending Access-Accept of id 72 to 127.0.0.1 port 1024
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "40"
Finished request 13
Going to the next request

Thanks in advance...
Robert
ntlm_auth is not used by mschap
Dear All,

Now I am a step further on: my radiusd uses the ntlm_auth module AND authenticates the user correctly!!! My Username = roka, Password = Gerti1000, Domain = WINLAB

Now I use the self-compiled freeradius 1.1.1 and NOT the Debian freeradius. The Debian freeradius is unable to load EAP-Type/peap.

I activated the peap section in the file eap.cfg:

---snip---
peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
}
---snap---

Here again the mschap section in the radiusd.conf:

---snip---
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --domain=winlab --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
---snap---

And the file users:

---snip---
DEFAULT Auth-Type = MS-Chap
        Fall-Through = 1

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40
---snap---

In my Windows XP box I use as 802.1X authentication the EAP (PEAP) and as authentication method EAP-MSCHAP v2.

Here is the radiusd output:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=132, length=137
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02100157494e4c41425c726f6b61
        Message-Authenticator = 0xbd4afc42085fcbbf08d044ae750c53fd
Sending Access-Challenge of id 132 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0xeef3170dad81ebde10041bb347cd
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=133, length=145
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xeef3170dad81ebde10041bb347cd
        EAP-Message = 0x020100060319
        Message-Authenticator = 0xbc407e57ea0373c4d3c64172b16383e3
Sending Access-Challenge of id 133 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xe31f70214e83e2de5cc7759b43818b12
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=134, length=251
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xe31f70214e83e2de5cc7759b43818b12
        EAP-Message = 0x02020070198000661603010061015d03014459dd090912178089f8e3c69693534605b03bf50368573ab4d2e6b2236469142079a45d849f7096a2b2bbc38c20a1ed71682d0fd9e6debf2bc4412059da76b1df001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x5916349f8c6defda32f07b85cec1f492
TLS_accept:error in SSLv3 read client certificate A
Sending Access-Challenge of id 134 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0103040a19c006f1160301004a024603014459dda2b79409fcb6d4d89fac9548c3823e922e24a065fe40651a32332886db20eac3c696ce916da32ce4d48b6b696d0895a73a5c1ea3587a904d849d32fde49e00040016030106940b0006968d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
        EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931
ntlm_auth is not used by mschap
> You send a packet that does not contain any MS-CHAP attributes. Because of
> that, the server is not doing MS-CHAP:
>
> > modcall[authorize]: module "mschap" returns noop for request 0
>
> As this line tells you.
>
> Send a MS-CHAP request, and look what happens then.
>
> Stefan

Hi,

Now I send a mschap request (EAP/PEAP with Windows XP) and that is the output of my radiusd:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=229, length=137
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02100157494e4c41425c726f6b61
        Message-Authenticator = 0x90f61cee340a78e94ee24fe3c625baa0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 174
    users: Matched entry DEFAULT at line 198
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 229 to 10.187.0.15:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100160410be8025aedc237e79bb769d7448c5e684
        Message-Authenticator = 0x
        State = 0x01aa44a4c384c8d0b88b27a8f803a381
Finished request 0
Going to the next request

Again the

  modcall[authorize]: module "mschap" returns noop for request 0

You said this means I do not send a mschap request. What else can I do?

Many thanks in advance
Robert
Re: Re: ntlm_auth is not used by mschap
- Original Message -
From: Stefan Winter <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Date: 03.05.2006 11:59
Subject: Re: ntlm_auth is not used by mschap

> > Now i try to authenticate the user roka:
> > ---
> >
> > Debian:/tmp# radtest roka Gerti1000 localhost 1645 testing123
> > Sending Access-Request of id 116 to 127.0.0.1:1812
> >         User-Name = "roka"
> >         User-Password = "Gerti1000"
> >         NAS-IP-Address = Debian
> >         NAS-Port = 1645
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=116, length=20
>
> You send a packet that does not contain any MS-CHAP attributes. Because of
> that, the server is not doing MS-CHAP:
>
> > modcall[authorize]: module "mschap" returns noop for request 0
>
> As this line tells you.
>
> Send a MS-CHAP request, and look what happens then.
>
> Stefan
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Engineer Research & Development
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
> http://www.restena.lu          Fax: +352 422473

Hi Stefan,

You say I do not send a MS-CHAP request. Hmm ...

Finally it should work with the Windows XP supplicant: In my Windows XP 802.1X network configuration I can choose between "MD5-Challenge", or "secure EAP (PEAP)" or "Smartcard or other Certificate".

What is the right one? Or is mschap basically the wrong authentication method for my equipment?

Robert
ntlm_auth is not used by mschap
Dear all,

I try to authenticate RADIUS users against my Microsoft 2003 Server Active Directory using the mschap module with ntlm_auth. My Windows domain is "winlab", my username is "roka" and the password is "Gerti1000".

The winbindd and therefore the ntlm_auth work properly, as you can see:

Debian:~# /usr/bin/ntlm_auth --username=roka --password=Gerti1000 --domain=winlab
NT_STATUS_OK: Success (0x0)

Here is the mschap section of my /etc/freeradius/radiusd.conf:

---snip radiusd.conf---
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
}
---snap radiusd.conf---

Here is my /etc/freeradius/users:

---snip users---
hugo    Auth-Type = Local, User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

DEFAULT Auth-Type := MS-CHAP

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
---snap users---

Here is the output when I start freeradius; the ntlm_auth in the mschap section is seen:

Debian:/etc/freeradius# freeradius -sfxxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"