RE: ntlm_auth and clear-text passwords

2006-07-05 Thread robiwan
Our Cisco specialist told me SSH can only be enabled on crypto-IOS. But this 
is more expensive. If you want, I can tell you the exact version of the IOS we 
currently use.
But I will show him your question.

Robert


- Original Message -
From: "King, Michael" <[EMAIL PROTECTED]>
To:  FreeRadius users mailing list 
Date:   04.07.2006 05:23
Subject: RE: ntlm_auth and clear-text passwords

>  
> 
> -Original Message-
> On Behalf Of [EMAIL PROTECTED]
> Users telnet the switch, therefore a clear-text password will be sent. 
> 
> 
> Just a completely left field question.  Any particular reason you have
> chosen not to enable SSH on that switch?  It's in the IOS (Assuming you
> have the correct IOS version on there, there are only 3 of them for that
> switch.  Base, Base with WebConfig, and Base without Crypto) It only
> takes 3 commands to enable it.
> 
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 




ntlm_auth and clear-text passwords

2006-07-03 Thread robiwan
Dear all,

For AAA-Authenticating on a Cisco Catalyst Switch 3750, I try to use 
ntlm_auth to authenticate users against our Active Directory (domain-name: 
SOUTH). Users telnet the switch, therefore a clear-text password will be sent. 

According to an earlier posting 
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045377.html

I did this:

> What you need to do is to configure a *different* ntlm_auth, only
> for clear-text passwords.  The simplest way to do this is to use the
> "exec" module:
>
> modules {
>   ...
>   exec win_domain {
>wait = yes
>input_pairs = request
>output_pairs = reply
>program = "ntlm_auth --username=\"%{User-Name}\" 
> --password=\"%{User-Password}\" --domain=usmisgne"
>   }
>   ...
> } 
>
>  Now list "win_domain" in the "authenticate" section, and add the
> following entry to the "users" file:
>
> DEFAULT Auth-Type = win_domain
>

But the authentication still fails.

My ntlm_auth shell-command works:

~# /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH
NT_STATUS_OK: Success (0x0)

but authentication via freeradius fails.

Here are my config files and the complete freeradius -X output:

my radiusd.conf file:
-
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
ldap {
server = "10.187.64.3"
identity = "CN=Hans 
Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de"
password = Gerti1000
basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de"
filter = "sAMAccountname=%{User-Name}"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with

Re: Multiple AD-Domains with rlm_ldap

2006-06-30 Thread robiwan
 >   ntlm_auth should work.  I'm less sure how to configure multiple AD
> domains in ldap.
> 
>   Alan DeKok.
> 

Okay, according to an earlier posting 
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045377.html

I did this:

> What you need to do is to configure a *different* ntlm_auth, only
> for clear-text passwords.  The simplest way to do this is to use the
> "exec" module:
>
> modules {
>   ...
>   exec win_domain {
>wait = yes
>input_pairs = request
>output_pairs = reply
>program = "ntlm_auth --username=\"%{User-Name}\" 
> --password=\"%{User-Password}\" --domain=usmisgne"
>   }
>   ...
> } 
>
>  Now list "win_domain" in the "authenticate" section, and add the
> following entry to the "users" file:
>
> DEFAULT Auth-Type = win_domain
>

But the authentication still fails.
Did I make some mistakes in my config?
Maybe here?

Auth-Type win_domain {
  win_domain
}


Robert


My ntlm_auth shell-command works:
~# /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' --domain=SOUTH
NT_STATUS_OK: Success (0x0)

but radtest fails:
~# radtest john.smith smith1000 localhost 1645 testing123

abbreviated freeradius -X output:

auth: type "win_domain"
  Processing the authenticate section of radiusd.conf
modcall: entering group win_domain for request 0
radius_xlat:  '/usr/bin/ntlm_auth --username="john.smith" 
--password='smith1000' --domain=SOUTH'
Exec-Program: /usr/bin/ntlm_auth --username="john.smith" --password='smith1000' 
--domain=SOUTH
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
rlm_exec (win_domain): External script failed

Here are my config files and the complete freeradius -X output:

radiusd.conf
-
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
ldap {
server = "10.187.64.3"
identity = "CN=Hans 
Dampf,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de"
password = Gerti1000
basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de"
filter = "sAMAccountname=%{User-Name}"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format =

Multiple AD-Domains with rlm_ldap

2006-06-29 Thread robiwan
Dear all,

For AAA-Authenticating on a Cisco Catalyst Switch 3750, I use the rlm_ldap 
module to authenticate users against our single Active Directory (domain-name: 
SOUTH). Users telnet the switch, therefore a clear-text password will be sent. 
This works properly.

But now, we have four AD-Domains (NORTH, SOUTH, EAST, WEST) and sometimes the 
same username in different AD-Domains e.g.
NORTH\nicole.smith
SOUTH\john.smith
NORTH\john.smith
WEST\john.smith

What would be the best way to authenticate users? In my case, access should be 
granted for user SOUTH\john.smith and NORTH\nicole.smith?

Is ntlm_auth the right way, or multiple ldap instances to distinguish the AD-Domains, 
or what else?


Thanks in advance for any suggestions...

Robert


My current config follows below:

users
-
john.smith
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=15"

nicole.smith
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=7"

radiusd.conf
--
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
ldap {
server = "10.187.64.3"
identity = "CN=Hans 
Dampf,CN=Computers,DC=SOUTH,DC=rsnhm,DC=com,DC=de"
password = laber
basedn = "DC=SOUTH,DC=rsnhm,DC=com,DC=de"
filter = "sAMAccountname=%{User-Name}"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${rada

ldap and MD5-Challenge

2006-06-07 Thread robiwan
Dear all,

My Supplicant is a WinXP-Client, EAP-Type is MD5-Challenge.
My Authenticator is a Cisco Catalyst 3750

I try to do an 802.1X Authentication for a user listed in an LDAP-database.
When I do a MD5-Challenge it does not work. Do I have a problem with 
MD5-encrypted passwords?

My configuration files follow below...

Thanks in advance



The LDAP-Authentication seems to work, here is the freeradius -X output after 
radtest:

Debian# radtest schlapp Gerti1000 localhost 1645 testing123

rad_recv: Access-Request packet from host 127.0.0.1:32852, id=247, length=59
User-Name = "schlapp"
User-Password = "Gerti1000"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry schlapp at line 87
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat:  '(&(sAMAccountname=schlapp)(objectClass=person))'
radius_xlat:  'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0
rlm_ldap: bind as CN=Robert 
Huber,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 
10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter 
(&(sAMAccountname=schlapp)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user schlapp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "schlapp" with password "Gerti1000"
rlm_ldap: user DN: CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 1
rlm_ldap: bind as CN=schlapp 
hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user schlapp authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Login OK: [schlapp/Gerti1000] (from client localhost port 1645)
Sending Access-Accept of id 247 to 127.0.0.1 port 32852
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...



But when I try to use my WinXP-Client, EAP says:

rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select


Here is the entire freeradius -X output:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=174, length=129
User-Name = "schlapp"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
EAP-Message = 0x0202000c017363686c617070
Message-Authenticator = 0x7a4a5ff5030a44b2fcee7b79d3aac47c
NAS-Port = 60003
NAS-Port-Type = Virtual
NAS-IP-Address = 10.187.0.15
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry schlapp at line 83
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization

Re: VLAN-mapping by DEFAULT Entry fails

2006-05-23 Thread robiwan
 


- Original Message -
From: [EMAIL PROTECTED]
To:  FreeRadius users mailing list 
Date:   23.05.2006 09:46
Subject: Re: VLAN-mapping by DEFAULT Entry fails

> Hi,
> 
> > I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco
> Catalyst Switch 3750 as authenticator and i want that user hugo will be
> mapped in VLAN 50 on the switch. This works properly.
> > 
> > Every other user should be mapped in VLAN 999, my guest-vlan. I try this
> with a DEFAULT-entry, but this does not work, the switch does not accept any
> other user, in my case user nobody is unauthorized for my authenticator.
> 
> those who dont have dot1x supplicant wouldnt be able to be put onto this
> VLAN

I agree, we try to solve this problem with the new Cisco feature mac 
authentication bypass, e.g. for printers without dot1x supplicant.

> though as there would be no do1x exchange...surely?
> 

Hm, but I have a dot1x supplicant and try an authentication with username and 
password not listed in the users file. In my case user nobody, password abc. 
I ask myself how to deal with Default-entries and tell the switch the right 
Tunnel-Private-Group-Id.
 
I wonder why the Default-entry says in the debug-output that everything is okay 
and accepted

-snip
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "999"
--snap--
but my switch ignores it
 
Robert 

> surely using the built in guest VLAN facility of the switch itself
> is the best way to achieve this aim? 
> 
> eg in the interface configuration
> 
> dot1x guest-vlan 999
> 
> ?
> 

Yes, I agree. This works fine if there is no xsupplicant sending a dot1x answer.
 
> alan
> 




VLAN-mapping by DEFAULT Entry fails

2006-05-23 Thread robiwan
Dear all,

I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco Catalyst 
Switch 3750 as authenticator, and I want user hugo to be mapped in VLAN 
50 on the switch. This works properly.

Every other user should be mapped in VLAN 999, my guest-vlan. I try this with a 
DEFAULT-entry, but this does not work: the switch does not accept any other 
user; in my case user nobody is unauthorized for my authenticator.

My other configuration files are seen at the end of this text.


Thanks in advance...
Robert


My entire users file:
==

hugo    User-Password == "hugo01"   # line 54
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

DEFAULT Auth-Type := Accept # line 69
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 999



My radiusd output for user nobody (my authenticator does not accept this):
==

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=218, length=127
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "nobody"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0203000b016e6f626f6479
Message-Authenticator = 0x48b3cb8e3c0c39e55e33121529f28c7d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 3 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 69
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "999"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 218 with timestamp 4472b042
Nothing to do.  Sleeping until we see a request.


My radiusd output for user hugo (this works, accepted by the authenticator):
==

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=215, length=123
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "hugo"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0209016875676f
Message-Authenticator = 0xc8b883765bb2789fe6eac6542635ab5c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "hugo", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry hugo at line 54
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 215 to 10.187.0.15 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x010100061920
Message-Authenticator = 0x0

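As an added example (not part of the thread), a small Python decoder for the EAP-Message values printed in the debug output above, together with the check an 802.1X authenticator effectively makes: per RFC 3579 the Access-Accept must carry an EAP-Message holding EAP-Success, which the DEFAULT Auth-Type := Accept reply for "nobody" lacks while the accept for hugo in the later "VLAN Mapping with MS-CHAP" thread carries 0x03010004. The hex values are copied from this page's debug output; the two attribute lists are constructed from it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure: they carry no Type byte
    data: bytes

    def describe(self) -> str:
        """Human-readable one-liner, e.g. "Response id=3 Identity 'nobody'"."""
        name = EAP_CODES.get(self.code, f"code {self.code}")
        if self.eap_type is None:
            return f"{name} id={self.identifier}"
        tname = EAP_TYPES.get(self.eap_type, f"type {self.eap_type}")
        ident = f" '{self.data.decode('ascii', 'replace')}'" if self.eap_type == 1 else ""
        return f"{name} id={self.identifier} {tname}{ident}"


def parse_eap_message(hexstr: str) -> EapPacket:
    """Parse one EAP-Message value as radiusd -X prints it (0x-prefixed hex):
    Code(1) Identifier(1) Length(2) [Type(1) Type-Data]. A value whose Length
    field disagrees with the bytes present (the archive mangled some of them)
    is rejected rather than guessed at."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes present")
    if code in (3, 4):
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("EAP Request/Response needs a Type byte")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def is_wellformed(hexstr: str) -> bool:
    try:
        parse_eap_message(hexstr)
        return True
    except ValueError:
        return False


def accept_completes_eap(attrs: List[Tuple[str, str]]) -> bool:
    """An Access-Accept that ends an EAP conversation must carry an EAP-Message
    holding EAP-Success (code 3), see RFC 3579. Tunnel-* VLAN attributes alone
    give the switch nothing to hand to the supplicant, whatever the server logged."""
    return any(name == "EAP-Message" and parse_eap_message(value).code == 3
               for name, value in attrs)


# Attribute lists constructed from the Access-Accepts in this page's debug output:
# the DEFAULT Auth-Type := Accept reply for "nobody" (above) and the reply for
# "hugo" in the "VLAN Mapping with MS-CHAP" thread further down.
NOBODY_ACCEPT = [("Tunnel-Type:0", "VLAN"), ("Tunnel-Medium-Type:0", "IEEE-802"),
                 ("Tunnel-Private-Group-Id:0", '"999"')]
HUGO_ACCEPT = [("Tunnel-Type:0", "VLAN"), ("Tunnel-Medium-Type:0", "IEEE-802"),
               ("Tunnel-Private-Group-Id:0", '"50"'), ("EAP-Message", "0x03010004")]

if __name__ == "__main__":
    for value in ("0x0203000b016e6f626f6479",   # nobody's Identity response
                  "0x0202000c017363686c617070",  # schlapp's Identity response
                  "0x010100061920",              # server's first challenge to hugo
                  "0x03010004"):                 # EAP-Success in hugo's accept
        print(value, "->", parse_eap_message(value).describe())
    print("nobody accept completes EAP:", accept_completes_eap(NOBODY_ACCEPT))
    print("hugo accept completes EAP:", accept_completes_eap(HUGO_ACCEPT))
```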
Re: VLAN Mapping with MS-CHAP

2006-05-09 Thread robiwan
> [EMAIL PROTECTED] wrote:
> > 
> > robiwan: Okay, here is the complete output from my radiusd, when user roka
> do a request:
> > sorry, it's huge
> > 
> > rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231,
> length=137
> > NAS-IP-Address = 10.187.0.15
> > NAS-Port = 50103
> > NAS-Port-Type = Ethernet
> > User-Name = "WINLAB\\roka"
> > Called-Station-Id = "00-14-69-5B-8B-03"
> > Calling-Station-Id = "00-0B-5D-84-AE-CA"
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > EAP-Message = 0x02100157494e4c41425c726f6b61
> > Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "chap" returns noop for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> > rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >   rlm_eap: EAP packet type response id 0 length 16
> >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >   modcall[authorize]: module "eap" returns updated for request 0
> > users: Matched entry DEFAULT at line 185
> >   modcall[authorize]: module "files" returns ok for request 0
> > modcall: leaving group authorize (returns updated) for request 0
> 
> It should be obvious what's happening here. The "files" module is only 
> matching a DEFAULT entry. This is because your username is DOMAIN\user. 
> DOMAIN\user != user
> 
> Either do this to break the user into realm+user:
> 
> authorize {
>preprocess
>ntdomain
>mschap
>eap
>files
> }
> 
> ...and this in proxy.conf:
> 
> realm WINLAB {
>type = radius
>authhost = LOCAL
>accthost = LOCAL
>strip
> }
> 
> OR edit your "users" to read:
> 
> WINLAB\\roka The-Stuff-Here := whatever>
> 
> > peap {
> > default_eap_type = mschapv2
> > copy_request_to_tunnel = yes
> > use_tunneled_reply = yes
> > proxy_tunneled_request_as_eap = no
> > }
> > 
I edited my users file as mentioned above.
That's it!!!

Thanks a lot.

Robert





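As an added example (not code from the thread or from FreeRADIUS), a Python model of what Alan's reply describes: the ntdomain realm module as configured in the radiusd.conf posted above (format = prefix, delimiter = "\\") splits WINLAB\roka into realm WINLAB and user roka, and a realm with "strip" lets the files module match the entry "roka"; without it the only match is DEFAULT, unless the users file itself names WINLAB\\roka (backslashes are escaped in that file). The WINLAB realm definition and the users file text are assumed, built from Alan's suggestion and the users file posted in this thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Request:
    user_name: str
    stripped_user_name: Optional[str] = None
    realm: Optional[str] = None

# realm module instances exactly as they appear in the radiusd.conf posted above
REALM_MODULES: Dict[str, Tuple[str, str]] = {
    "IPASS":        ("prefix", "/"),
    "suffix":       ("suffix", "@"),
    "realmpercent": ("suffix", "%"),
    "ntdomain":     ("prefix", "\\"),
}

# proxy.conf realms: WINLAB as local and stripped, per Alan's suggestion (assumed)
PROXY_REALMS = {"WINLAB": {"local": True, "strip": True}}


def run_realm_module(req: Request, module: str) -> str:
    """Mimic rlm_realm: prefix format takes the text before the delimiter as the
    realm, suffix format the text after it; unknown realms leave the request alone."""
    fmt, delim = REALM_MODULES[module]
    if delim not in req.user_name:
        return "noop"                       # "No '@' in User-Name ..." in the debug output
    if fmt == "prefix":
        realm, _, user = req.user_name.partition(delim)
    else:
        user, _, realm = req.user_name.rpartition(delim)
    cfg = PROXY_REALMS.get(realm)
    if cfg is None:
        return "noop"                       # rlm_realm: No such realm
    req.realm = realm
    if cfg["strip"]:
        req.stripped_user_name = user       # this is what rlm_files matches on
    return "ok" if cfg["local"] else "updated"


def parse_users(text: str) -> List[Tuple[str, str, List[str]]]:
    """Minimal users-file reader: the first token of an entry is the name (with
    users-file escaping, so WINLAB\\\\roka in the file means WINLAB\\roka), the
    rest of that line are check items, indented lines are reply items.
    Check items are kept but not evaluated in this model."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        head = lines[0].split(None, 1)
        name = head[0].replace("\\\\", "\\")
        check = head[1].strip() if len(head) > 1 else ""
        replies = [ln.strip().rstrip(",") for ln in lines[1:]]
        entries.append((name, check, replies))
    return entries


def lookup(entries, req: Request) -> Tuple[Optional[str], List[str]]:
    """rlm_files matches Stripped-User-Name when present, else User-Name;
    DEFAULT matches any name. First match wins (Fall-Through ignored here)."""
    name = req.stripped_user_name or req.user_name
    for key, _check, replies in entries:
        if key == name or key == "DEFAULT":
            return key, replies
    return None, []


# users file as posted in this thread (constructed copy, spaces for tabs)
USERS = """
hugo    User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

roka
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
"""


def authorize(user_name: str, realm_modules: List[str], users_text: str = USERS):
    """Run the listed realm modules in authorize order, then the files module."""
    req = Request(user_name)
    for module in realm_modules:
        run_realm_module(req, module)
    return lookup(parse_users(users_text), req)


if __name__ == "__main__":
    print("suffix only      :", authorize("WINLAB\\roka", ["suffix"]))
    print("suffix + ntdomain:", authorize("WINLAB\\roka", ["suffix", "ntdomain"]))
    escaped = USERS.replace("\nroka\n", "\nWINLAB\\\\roka\n", 1)
    print("escaped entry    :", authorize("WINLAB\\roka", ["suffix"], escaped))
```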

Re: VLAN Mapping with MS-CHAP

2006-05-07 Thread robiwan
> Dear all,
> I try to put my Windows-XP-Clients in different VLANs on my Cisco Catalyst 
> 3750 Switch, depending on their Account.
> And I use two different authentication methods: MD5-Challenge and MS-CHAP.
> 
> User hugo should be mapped in VLAN 50 and authenticated via MD5-Challenge
> User roka at Domain WINLAB should be mapped in VLAN 40 and authenticated via 
> MS-CHAP
> 
> Now both authentications work (thanks to all again) but I have difficulties 
> to map user roka in his right VLAN.
> 
> Here is my users file:
> ---snip
> 
> hugo    User-Password == "hugo01"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 50
> 
> roka    Auth-Type := MS-CHAP
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 40
> -snap--
Do NOT set Auth-Type. If your server is properly configured, it is not 
needed and can cause problems. In this case, it should not be causing 
the problem.

Just to check - that's the ENTIRE users file, yes?

robiwan: Now, here is my complete users:

-start users ---
hugo    User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

roka
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
--end users---

> 

> 
> Here is the output of my radiusd with user hugo.
> The Cisco-Switch maps user hugo in VLAN 50:
> 
> Login OK: [hugo/] (from client M4DEMRCO015 
> port 50103 cli 00-0B-5D-84-AE-CA)
> Sending Access-Accept of id 210 to 10.187.0.15 port 1645
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "50"
> EAP-Message = 0x03010004
> Message-Authenticator = 0x
> User-Name = "hugo"
> Finished request 1
> Going to the next request
> 
> 
> Here is the output with user roka.
> The Cisco-Switch maps user roka in VLAN 1, and NOT in VLAN 40; I miss the 
> Tunnel information:
> 
> Login OK: [WINLAB\\roka/] (from client 
> M4DEMRCO015 port 50103 cli 00-0B-AA-84-AE-CA)
> Sending Access-Accept of id 220 to 10.187.0.15 port 1645
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> MS-MPPE-Recv-Key = 
> 0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
> MS-MPPE-Send-Key = 
> 0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
> EAP-Message = 0x03090004
> Message-Authenticator = 0x
> User-Name = "WINLAB\\roka"
> Finished request 9
> Going to the next request

This is not helpful. Send the full debugging output prior to this, so we 
can see what modules matched. If you're going to trim, start from the 
point the radius server is idling, not the very last packet.

robiwan: Okay, here is the complete output from my radiusd when user roka does a 
request:
sorry, it's huge

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02100157494e4c41425c726f6b61
Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet t

VLAN Mapping with MS-CHAP

2006-05-04 Thread robiwan
Dear all,
I try to put my Windows-XP-Clients in different VLANs on my Cisco Catalyst 3750 
Switch, depending on their Account.
And I use two different authentication methods: MD5-Challenge and MS-CHAP.

User hugo should be mapped in VLAN 50 and authenticated via MD5-Challenge
User roka at Domain WINLAB should be mapped in VLAN 40 and authenticated via 
MS-CHAP

Now both authentications work (thanks to all again) but I have difficulties to 
map user roka in his right VLAN.

Here is my users file:
---snip

hugo    User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

-snap--

Here is the output of my radiusd with user hugo.
The Cisco switch maps user hugo into VLAN 50:

Login OK: [hugo/] (from client M4DEMRCO015 port 
50103 cli 00-0B-5D-84-AE-CA)
Sending Access-Accept of id 210 to 10.187.0.15 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x03010004
Message-Authenticator = 0x
User-Name = "hugo"
Finished request 1
Going to the next request


Here is the output with user roka.
The Cisco switch maps user roka into VLAN 1 and NOT into VLAN 40; I am missing the 
Tunnel information:

Login OK: [WINLAB\\roka/] (from client 
M4DEMRCO015 port 50103 cli 00-0B-AA-84-AE-CA)
Sending Access-Accept of id 220 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
MS-MPPE-Recv-Key = 
0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
MS-MPPE-Send-Key = 
0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = "WINLAB\\roka"
Finished request 9
Going to the next request


So, any ideas what to do so that for user roka my radiusd also says the Tunnel 
things to my switch:

Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "40"


Thanks in advance

Robert


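The two Access-Accepts in the post above differ in exactly the attributes a switch needs for VLAN assignment (RFC 3580: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id, all carrying the same tag); without the complete trio the port stays in the default VLAN, which is what Robert sees for roka. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the "Sending Access-Accept" blocks of FreeRADIUS 1.x debug output, works out which VLAN each reply actually assigns, and compares that with the VLAN the policy expects. The function names and the policy table are mine; the sample log is constructed from the two replies quoted above, with the MPPE keys shortened and the zeroed Message-Authenticator written out. One check worth making first when the user came in through PEAP, as roka does: reply items from the users file are added in the inner tunnel, and FreeRADIUS only copies the inner reply into the outer Access-Accept when the peap section has use_tunneled_reply = yes (the eap.cfg quoted later in this thread has it set to no).

```python
import re

# Reply header as FreeRADIUS 1.x prints it in debug mode.
ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
# One "Attribute[:tag] = value" line of the reply; the ":0" suffix is the RFC 2868 tag.
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w\-]*)(?::(\d+))?\s*=\s*(.*?)\s*$")

VLAN_TRIO = ("tunnel-type", "tunnel-medium-type", "tunnel-private-group-id")

# Constructed sample: the two Access-Accepts quoted in the post above, with the MPPE
# keys shortened and the zeroed Message-Authenticator written out in full.
SAMPLE_LOG = r"""
Login OK: [hugo/] (from client M4DEMRCO015 port 50103 cli 00-0B-5D-84-AE-CA)
Sending Access-Accept of id 210 to 10.187.0.15 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "hugo"
Finished request 1
Going to the next request
Login OK: [WINLAB\\roka/] (from client M4DEMRCO015 port 50103 cli 00-0B-AA-84-AE-CA)
Sending Access-Accept of id 220 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
MS-MPPE-Recv-Key = 0x70235fcdc1bc2085
MS-MPPE-Send-Key = 0x6208fd4f8c1d2cd0
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "WINLAB\\roka"
Finished request 9
Going to the next request
"""

# What the users file in the post intends (hypothetical policy table, mine).
EXPECTED_VLANS = {"hugo": "50", "WINLAB\\roka": "40"}


def _unquote(value):
    """Strip the quotes FreeRADIUS puts around strings and undo its backslash escaping."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace("\\\\", "\\")
    return value


def parse_access_accepts(log_text):
    """Return [(packet_id, [(name, tag, value), ...]), ...] for every Access-Accept in the log."""
    accepts = []
    current = None
    for line in log_text.splitlines():
        header = ACCEPT_RE.match(line)
        if header:
            current = (int(header.group(1)), [])
            accepts.append(current)
            continue
        if current is None:
            continue
        attr = ATTR_RE.match(line)
        if attr is None:
            current = None          # any non-attribute line ends the reply dump
            continue
        name, tag, value = attr.group(1), attr.group(2), _unquote(attr.group(3))
        current[1].append((name, int(tag) if tag is not None else None, value))
    return accepts


def assigned_vlan(attrs):
    """VLAN the switch will apply per RFC 3580: Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802
    and Tunnel-Private-Group-Id sharing one tag. None when the trio is incomplete."""
    by_tag = {}
    for name, tag, value in attrs:
        key = name.lower()
        if key in VLAN_TRIO:
            by_tag.setdefault(tag, {})[key] = value
    for group in by_tag.values():
        if (group.get("tunnel-type") == "VLAN"
                and group.get("tunnel-medium-type") == "IEEE-802"
                and "tunnel-private-group-id" in group):
            return group["tunnel-private-group-id"]
    return None


def audit_vlan_assignment(log_text, expected):
    """Map each accepted user to (VLAN actually sent, VLAN the policy expects)."""
    report = {}
    for _packet_id, attrs in parse_access_accepts(log_text):
        user = next((v for n, _t, v in attrs if n.lower() == "user-name"), None)
        if user is not None:
            report[user] = (assigned_vlan(attrs), expected.get(user))
    return report


def mismatches(report):
    """Users whose Access-Accept lacks the expected VLAN (they land in the switch's default VLAN)."""
    return sorted(user for user, (got, want) in report.items() if got != want)


if __name__ == "__main__":
    result = audit_vlan_assignment(SAMPLE_LOG, EXPECTED_VLANS)
    for user, (got, want) in result.items():
        print(f"{user}: sent VLAN {got}, expected {want}")
    print("mismatches:", mismatches(result))
```

Run against a full debug capture (radiusd -X) the audit lists every user whose accept is missing the trio, which is a quicker way to spot a broken VLAN policy than reading the packets by hand; note that it keys on the outer User-Name, so for PEAP users the domain-qualified identity must appear in the policy table.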


Re: ntlm_auth is not used by mschap

2006-05-04 Thread robiwan
- Original Message -
From: Stefan Winter <[EMAIL PROTECTED]>
To:  FreeRadius users mailing list 
Date:   04.05.2006 13:20
Subject: Re: ntlm_auth is not used by mschap

> Hi,
> 
> you didn't state what problem you have right now. The logs send an Accept at
> 
> the end, so everything looks very fine.
> Was your mail just to let the world know that things work now, or do you
> have 
> a question?
>
Hi, 

Oh sorry, my question is that the authenticator, a Cisco Catalyst 3750, does not 
map my XP client into VLAN 40 as I defined it in the users file:

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

When the XP client is authenticated via MS-CHAP, the Cisco Catalyst maps my 
client into VLAN 1, the default VLAN, and NOT into VLAN 40.

When I authenticate with Auth-Type := Local

roka    Auth-Type := Local, User-Password = "Gerti1000"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

it works, as you can see from the output of radtest:

Debian:~# radtest roka Gerti1000 localhost 1645 testing123
Sending Access-Request of id 0 to 127.0.0.1 port 1812
User-Name = "roka"
User-Password = "Gerti1000"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=0, length=36
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "40"

Here is the output from the radiusd:

rad_recv: Access-Request packet from host 127.0.0.1:1024, id=72, length=56
User-Name = "roka"
User-Password = "Gerti1000"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
  modcall[authorize]: module "preprocess" returns ok for request 13
  modcall[authorize]: module "chap" returns noop for request 13
  modcall[authorize]: module "mschap" returns noop for request 13
rlm_realm: No '@' in User-Name = "roka", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 13
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 13
users: Matched entry roka at line 82
  modcall[authorize]: module "files" returns ok for request 13
modcall: leaving group authorize (returns ok) for request 13
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [roka/Gerti1000] (from client localhost port 1645)
Sending Access-Accept of id 72 to 127.0.0.1 port 1024
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "40"
Finished request 13
Going to the next request


Thanks in advance...

Robert



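On the wire, the three reply attributes shown in the radtest output above are RFC 2868 tagged attributes: Tunnel-Type (64) and Tunnel-Medium-Type (65) carry one tag octet followed by a 3-octet integer, and Tunnel-Private-Group-Id (81) carries one tag octet followed by the VLAN id as a string; the ":0" FreeRADIUS prints is that tag, and the NAS only honours the trio when all three tags agree. The following is an added example, not code from the thread or from FreeRADIUS, that encodes and decodes that trio, including the one decoding quirk of RFC 2868: a first octet above 0x1F in a tagged string attribute is not a tag but part of the string. The constants are the RFC values; the function names are mine.

```python
import struct

# RADIUS attribute numbers from RFC 2868 and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}
ENUMS = {TUNNEL_TYPE: {TUNNEL_TYPE_VLAN: "VLAN"},
         TUNNEL_MEDIUM_TYPE: {TUNNEL_MEDIUM_IEEE_802: "IEEE-802"}}


def encode_tagged_int(attr, tag, value):
    """Tagged integer AVP: Type, Length (always 6), Tag (0x00-0x1F), 3-octet big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 3 octets")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, tag, text):
    """Tagged string AVP: Type, Length, Tag, then the string (the VLAN id travels as text)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    data = text.encode("ascii")
    length = 3 + len(data)
    if length > 255:
        raise ValueError("string too long for one AVP")
    return struct.pack("!BBB", attr, length, tag) + data


def vlan_assignment_avps(vlan_id, tag=0):
    """The RFC 3580 trio a NAS needs to put a port into VLAN `vlan_id`, all sharing one tag."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_avps(blob):
    """Walk a run of AVPs and return [(attr, tag, value)], rejecting inconsistent lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated AVP header")
        attr, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError(f"bad length {length} at offset {i}")
        tag, body = blob[i + 2], blob[i + 3:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("tagged integer AVP must be 6 octets")
            value = int.from_bytes(body, "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if tag > 0x1F:                      # RFC 2868: not a tag, but the first string octet
                tag, body = 0, blob[i + 2:i + length]
            value = body.decode("ascii")
        else:
            value = body                        # unknown attribute: hand back the raw octets
        out.append((attr, tag, value))
        i += length
    return out


def is_well_formed(blob):
    """True when every AVP in `blob` decodes cleanly."""
    try:
        decode_avps(blob)
        return True
    except ValueError:
        return False


def describe(avps):
    """Render decoded AVPs the way the FreeRADIUS debug output in this thread shows them."""
    lines = []
    for attr, tag, value in avps:
        name = NAMES.get(attr, f"Attr-{attr}")
        shown = ENUMS.get(attr, {}).get(value, f'"{value}"' if isinstance(value, str) else str(value))
        lines.append(f"{name}:{tag} = {shown}")
    return lines


if __name__ == "__main__":
    for line in describe(decode_avps(vlan_assignment_avps(40))):
        print(line)
```

The strict length checks in decode_avps are the part a defender cares about: a NAS or server that trusts the Length octet without comparing it to the remaining buffer reads past the packet, so every parser of this format should refuse an AVP whose declared length does not fit.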


ntlm_auth is not used by mschap

2006-05-04 Thread robiwan
Dear All,

Now I am a step further on: my radiusd uses the ntlm_auth module AND 
authenticates the user correctly!!!
My username = roka, password = Gerti1000, domain = WINLAB

Now I use the self-compiled freeradius 1.1.1 and NOT the Debian freeradius. The 
Debian freeradius is unable to load EAP-Type/peap.

I activated the peap section in the file eap.cfg:
---snip---
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
}
---snap

Here again is the mschap section in radiusd.conf:
---snip---
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --domain=winlab --request-nt-key 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge} 
--nt-response=%{mschap:NT-Response}"
}
---snap

And the file users:
---snip---
DEFAULT Auth-Type = MS-Chap
        Fall-Through = 1

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40
---snap


On my Windows XP box I use EAP (PEAP) as the 802.1X authentication and 
EAP-MSCHAP v2 as the authentication method.


Here is the radiusd output:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=132, length=137
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02100157494e4c41425c726f6b61
Message-Authenticator = 0xbd4afc42085fcbbf08d044ae750c53fd
Sending Access-Challenge of id 132 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0xeef3170dad81ebde10041bb347cd
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=133, length=145
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xeef3170dad81ebde10041bb347cd
EAP-Message = 0x020100060319
Message-Authenticator = 0xbc407e57ea0373c4d3c64172b16383e3
Sending Access-Challenge of id 133 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xe31f70214e83e2de5cc7759b43818b12
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=134, length=251
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xe31f70214e83e2de5cc7759b43818b12
EAP-Message = 
0x02020070198000661603010061015d03014459dd090912178089f8e3c69693534605b03bf50368573ab4d2e6b2236469142079a45d849f7096a2b2bbc38c20a1ed71682d0fd9e6debf2bc4412059da76b1df001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x5916349f8c6defda32f07b85cec1f492
TLS_accept:error in SSLv3 read client certificate A
Sending Access-Challenge of id 134 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 
0x0103040a19c006f1160301004a024603014459dda2b79409fcb6d4d89fac9548c3823e922e24a065fe40651a32332886db20eac3c696ce916da32ce4d48b6b696d0895a73a5c1ea3587a904d849d32fde49e00040016030106940b0006968d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
EAP-Message = 
0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931

ntlm_auth is not used by mschap

2006-05-03 Thread robiwan
> You send a packet that does not contain any MS-CHAP attributes. Because of 
> that, the server is not doing MS-CHAP:
> 
> >   modcall[authorize]: module "mschap" returns noop for request 0
> 
> As this line tells you.
> 
> Send a MS-CHAP request, and look what happens then.
> 
> Stefan

Hi,

Now I send an MS-CHAP request (EAP/PEAP with Windows XP) and this is the output of 
my radiusd:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=229, length=137
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02100157494e4c41425c726f6b61
Message-Authenticator = 0x90f61cee340a78e94ee24fe3c625baa0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 174
users: Matched entry DEFAULT at line 198
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 229 to 10.187.0.15:1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010100160410be8025aedc237e79bb769d7448c5e684
Message-Authenticator = 0x
State = 0x01aa44a4c384c8d0b88b27a8f803a381
Finished request 0
Going to the next request
 

Again the
  modcall[authorize]: module "mschap" returns noop for request 0
You said this means I do not send an MS-CHAP request.

What else can I do?

Many thanks in Advance
Robert




Aw: Re: ntlm_auth is not used by mschap

2006-05-03 Thread robiwan
 


- Original Message -
From: Stefan Winter <[EMAIL PROTECTED]>
To:  FreeRadius users mailing list 
Date:   03.05.2006 11:59
Subject: Re: ntlm_auth is not used by mschap

> > Now i try to authenticate the user roka:
> > ---
> >
> > Debian:/tmp# radtest roka Gerti1000 localhost 1645 testing123
> > Sending Access-Request of id 116 to 127.0.0.1:1812
> > User-Name = "roka"
> > User-Password = "Gerti1000"
> > NAS-IP-Address = Debian
> > NAS-Port = 1645
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=116,
> length=20
> 
> You send a packet that does not contain any MS-CHAP attributes. Because of 
> that, the server is not doing MS-CHAP:
> 
> >   modcall[authorize]: module "mschap" returns noop for request 0
> 
> As this line tells you.
> 
> Send a MS-CHAP request, and look what happens then.
> 
> Stefan
> 
> -- 
> Stefan WINTER
> 
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
> la Recherche
> Ingenieur Forschung & Entwicklung
> 
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
> http://www.restena.lu    Fax:  +352 422473
> 
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 

Hi Stefan,
You say I do not send an MS-CHAP request. Hmm ...

Finally it should work with the Windows XP supplicant:
In my Windows XP 802.1X network configuration I can choose between 
"MD5-Challenge", "secure EAP (PEAP)" or "Smartcard or other Certificate".
What is the right one?

Or is mschap basically the wrong authentication method for my equipment?


Robert



ntlm_auth is not used by mschap

2006-05-03 Thread robiwan
Dear all,

I try to authenticate RADIUS users against my Microsoft 2003 Server 
Active Directory using the mschap module with ntlm_auth.
My Windows domain is "winlab", my username is "roka" and the password is 
"Gerti1000".


winbindd, and therefore ntlm_auth, works properly, as you can see:

Debian:~# /usr/bin/ntlm_auth --username=roka --password=Gerti1000 
--domain=winlab
NT_STATUS_OK: Success (0x0)

Here is the mschap section of my /etc/freeradius/radiusd.conf:

--snip radiusd.conf
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge} 
--nt-response=%{mschap:NT-Response}"
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap

--snap radiusd.conf

Here is my /etc/freeradius/users:

snip users-

hugo    Auth-Type = Local, User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

roka    Auth-Type := MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

DEFAULT Auth-Type := MS-CHAP

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

snap users.


Here is the output when I start freeradius;
the ntlm_auth in the mschap section is seen:

Debian:/etc/freeradius# freeradius -sfxxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge} 
--nt-response=%{mschap:NT-Response}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"