RE: freeradius and ntlm_auth howto

2006-11-06 Thread Stieven . Struyf

Michael,
The configuration works when I type in my username as '[EMAIL PROTECTED]'; when I let Windows fill it in I don't get in.
My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error (logon failure).

It works with the standard certs, so for finding a good working configuration this is OK for now. Obviously I will change this for production.

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551





"King, Michael"
<[EMAIL PROTECTED]> wrote on 11/06/2006 04:04 PM:
To: <[EMAIL PROTECTED]>, "FreeRadius users mailing list"
Subject: RE: freeradius and ntlm_auth howto

Some things I've noticed from your attached files

Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes

I've never enabled these before; I'm unaware what effect they will have.

tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"

Did you generate your OWN certs... The ones that ship with the server ARE NOT valid. You have to generate your own.

rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2

That doesn't look right.

BUT YOUR FINAL ANSWER:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your account in the domain is not correct.

Looks like it's been disabled or something.

Fix that first before you change any more config files.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 06, 2006 3:16 AM
To: King, Michael
Subject: Fw: freeradius and ntlm_auth howto

Michael,
I sent my reply already to the list, but due to the size (larger than 100k)
it had to be reviewed by the admin and after a week it was rejected.

Below you can find the mail. Thanks for helping me.


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551 
- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -

Stieven Struyf/KEISA/BE/KOMEUR wrote on 11/02/2006 08:55 AM:
To: FreeRadius users mailing list
Subject: RE: freeradius and ntlm_auth howto


I added the debug log as an attachment (as it is a little large to paste here).

This is the mschap config: 
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_strong = yes
                with_ntdomain_hack = yes
                require_encryption = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
        }


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551 

[EMAIL PROTECTED] wrote on 10/27/2006 04:36:00 PM:

> Let's see if we can get this solved... 
> 
> > -Original Message-
> > Here's the full log: 
> > Waking up in 6 seconds... 
> > rad_recv: Access-Request packet from host 10.104.254.73:1645,
> 
> This is NOT the full log.  The full log would have started with the line
> /path/to/radiusd -X
> 
> Some important stuff is printed out there, it helps us help you.  
> 
> >   rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack? 
> >   rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack? 
> 
> Did you enable Ntdomain Hack in the MSCHAP module?  (See below)
> 
> Including your radius.conf file would help.
> 
> > > HOWEVER, first you may want to check your mschap module definition:
> > > 
> > > modules {
> > >    mschap {
> > >      ntlm_auth = "/usr/bin/ntlm_auth \
> > >   --request-nt-key \
> > >   --username=%{mschap:User-Name:-None} \
> > >   --domain=%{mschap:NT-Domain:-None} \
> > >   --challenge=%{mschap:Challenge:
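The thread turns on three different ntlm_auth status codes: 0xc022 (the radiusd user cannot reach the winbind privileged socket), 0xc06d (logon failure) and 0xc234 (account locked out). As an added example, not taken from any post here, this sh script reads radiusd -X output, pulls those codes out of the Exec-Program lines (which the debug output may wrap over several lines), maps each to the fix the thread arrived at, and flags the with_ntdomain_hack warning. The hint wording is the script's own; the sample lines are trimmed from the debug output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage the ntlm_auth status codes that
# FreeRADIUS 1.x prints in "radiusd -X" output when rlm_mschap execs ntlm_auth.

# Map an NT status code to the fix reached in the thread. Hint wording is
# this script's own; the codes are the ones quoted in the posts.
ntlm_status_hint() {
    case $1 in
        0xc022) echo "winbind client not authorized: the radiusd user cannot enter /var/cache/samba/winbindd_privileged (add it to the group that owns the dir, or run radiusd as root)" ;;
        0xc06d) echo "logon failure: wrong username, password or domain; reproduce with ntlm_auth --username=... --domain=... on the command line" ;;
        0xc234) echo "account locked out: unlock the AD account before touching radiusd.conf again; each supplicant retry burns another attempt" ;;
        0x0)    echo "NT_STATUS_OK: ntlm_auth itself succeeded" ;;
        *)      echo "unrecognised NT status $1: run the Exec-Program line by hand" ;;
    esac
}

# Read radiusd -X output on stdin. The "(0x....)" code may follow on a later
# line because the debug output wraps, so keep looking once an
# "Exec-Program output:" line has been seen.
triage_radius_debug() {
    pending=0; delim=0
    while IFS= read -r line; do
        case $line in
            *"NT Domain delimeter found"*) delim=1 ;;
            *"Exec-Program output:"*) pending=1 ;;
        esac
        if [ "$pending" -eq 1 ]; then
            code=$(printf '%s\n' "$line" | sed -n 's/.*(\(0x[0-9a-fA-F]*\)).*/\1/p')
            if [ -n "$code" ]; then
                printf 'ntlm_auth %s: %s\n' "$code" "$(ntlm_status_hint "$code")"
                pending=0
            fi
        fi
    done
    if [ "$delim" -eq 1 ]; then
        printf '%s\n' 'rlm_mschap saw a DOMAIN\user name: set with_ntdomain_hack = yes in the mschap module'
    fi
    return 0
}

# Constructed sample, trimmed from the debug output quoted in this thread.
SAMPLE_LOG='Exec-Program output: winbind client not authorized to use
winbindd_pam_auth_crap.  Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly.
 (0xc022)
  rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Exec-Program output: Logon failure (0xc06d)
Exec-Program output: Account locked out (0xc234)'

triage_sample() { printf '%s\n' "$SAMPLE_LOG" | triage_radius_debug; }

# Usage: sh triage.sh radiusd-X.log   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    triage_radius_debug < "$1"
else
    triage_sample
fi
```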

RE: freeradius and ntlm_auth howto

2006-11-06 Thread King, Michael



Some things I've noticed from your attached files

Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes

I've never enabled these before; I'm unaware what effect they will have.

tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"

Did you generate your OWN certs... The ones that ship with the server ARE NOT valid. You have to generate your own.

rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2

That doesn't look right.

BUT YOUR FINAL ANSWER:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your account in the domain is not correct.

Looks like it's been disabled or something.

Fix that first before you change any more config files.

  
  

RE: freeradius and ntlm_auth howto

2006-10-27 Thread King, Michael
Let's see if we can get this solved... 

> -Original Message-
> Here's the full log: 
> Waking up in 6 seconds... 
> rad_recv: Access-Request packet from host 10.104.254.73:1645, 

This is NOT the full log.  The full log would have started with the line
/path/to/radiusd -X

Some important stuff is printed out there, it helps us help you.  


>   rlm_mschap: NT Domain delimeter found, should we have 
> enabled with_ntdomain_hack? 
>   rlm_mschap: NT Domain delimeter found, should we have 
> enabled with_ntdomain_hack? 

Did you enable Ntdomain Hack in the MSCHAP module?  (See below)


Including your radius.conf file would help.


> > HOWEVER, first you may want to check your mschap module definition:
> > 
> > modules {
> >   mschap {
> >     ntlm_auth = "/usr/bin/ntlm_auth \
> >       --request-nt-key \
> >       --username=%{mschap:User-Name:-None} \
> >       --domain=%{mschap:NT-Domain:-None} \
> >       --challenge=%{mschap:Challenge:-00} \
> >       --nt-response=%{mschap:NT-Response:-00}"
> >   }
> > }
> > 
> > ...all on one line of course. Note the use of the "mschap:User-Name" 
> > and "mschap:NT-Domain" values.

My radiusd.conf file's mschap section looks like this:
NOTE that I do NOT have the :-00 and the :-None statements, and I DO
have with_ntdomain_hack=yes


# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth \
                --request-nt-key \
                --username=%{mschap:User-Name} \
                --challenge=%{mschap:Challenge} \
                --nt-response=%{mschap:NT-Response}"
}


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf


[EMAIL PROTECTED] wrote on 10/27/2006 02:54:52 PM:

> Did you notice the response from ntlm_auth:
>  
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf
> --challenge=decc4450c3b83d2c --nt-
> response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345 
> Exec-Program output: Logon failure (0xc06d)
>  
> This indicates an invalid username or password. Try running 
> “/usr/bin/ntlm_auth --username=sstruyf” and entering the same 
> password you used in your previous test when prompted.  Is the
> username correct?  Is samba going to the correct domain by default?
> Did you enter the correct password?  If you can’t authenticate from 
> the command line, you won’t be able to do so from freeradius either.

From the command line everything is working, and the same username/realm works if I pass it as [EMAIL PROTECTED] instead of realm\username. So I am absolutely sure the user is OK.
I will check with our AD admin if he sees something in his logs.

RE: freeradius and ntlm_auth howto

2006-10-27 Thread Garber, Neal








Did you notice the response from ntlm_auth:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345 
Exec-Program output: Logon failure (0xc06d)

This indicates an invalid username or password. Try running “/usr/bin/ntlm_auth --username=sstruyf” and entering the same password you used in your previous test when prompted.  Is the username correct?  Is samba going to the correct domain by default?  Did you enter the correct password?  If you can’t authenticate from the command line, you won’t be able to do so from freeradius either.







Re: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf

Here's the full log:
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.104.254.73:1645, id=67, length=259
        User-Name = "KMT-EU.KMTG.NET\\sstruyf"
        Framed-MTU = 1400
        Called-Station-Id = "0016.469b.7cd0"
        Calling-Station-Id = "0011.851a.cc37"
        Service-Type = Login-User
        Message-Authenticator = 0xfeb711c4400f8f34b9fef7c2be7f77bc
        EAP-Message = 0x020900691900170301005e5971fff2b46b2f81e88ed248772a59c1860abf0ebe40379c9e20c0ac6edd9cb19abe8ebfe82595c54bc12a979c51182f9b58d130708870f1b6bb17c1cd8249a64ddae5750e9411d4e337bd0876f393e83f2015b4c783ee35db02041bad3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2936
        State = 0x5d8298849858ea61aec0380c81af200d
        NAS-IP-Address = 10.104.254.73
        NAS-Identifier = "WAP07KE"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
    rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
    rlm_realm: Found realm "KMT-EU.KMTG.NET"
    rlm_realm: Adding Stripped-User-Name = "sstruyf"
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 105
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched sstruyf at 98
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f13681af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
  PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
  PEAP: Adding old state with 46 61
  PEAP: Sending tunneled request
        EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f13681af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "KMT-EU.KMTG.NET\\sstruyf"
        State = 0x4661e4398678b434bf08ae113a631207
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
    rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
    rlm_realm: Found realm "KMT-EU.KMTG.NET"
    rlm_realm: Adding Stripped-User-Name = "sstruyf"
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 82
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched sstruyf at 98
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter

Re: freeradius and ntlm_auth howto

2006-10-27 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

> All,
> I finally got it working, but not yet as i want.
> The trick that made it work is settings auth-type := MSCHAPv2 for the 

You should not do that, and should not *have* to do that.

Most likely you have not put the mschap module in the authorize section, 
*or* you have put another module higher up that is setting the auth-type 
first, e.g. LDAP.

You should have:

authorize {
  preprocess
  mschap
  # other modules, maybe files?
}
authenticate {
  Auth-Type MS-CHAP {
    mschap
  }
}

> user(s) and i also started radiusd as root(changed the rights without 
> success to radiusd, but once everything is working i will try to run 
> again with radiusd user)

That's probably permissions on the winbind socket - see

[EMAIL PROTECTED] var]$ ls -ld /var/cache/samba/winbindd_privileged/
drwxr-x--- 2 root root 4096 Jul 24 21:36 /var/cache/samba/winbindd_privileged/

...radius will need to be able to get into that directory and access the 
unix socket inside.

Many distributions have the unix group "squid" setup to be able to read 
it for the purposes of Squid+ntlm. If so, just add the "radiusd" user to 
the "squid" group. Or, create an "ntlmauth" group and set permissions 
appropriately.

If you are on an SELinux distribution, watch for that.

> If i connect my user(s)s with [EMAIL PROTECTED] it works,
> but if i use realm\username the realm is found but no ntlm is used(and 
> authentication fails).
> 
> Below you find an extract from the debug where you can see that the 

An extract is no use. Please show the full debug output for a failing 
session.

HOWEVER, first you may want to check your mschap module definition:

modules {
  mschap {
    ntlm_auth = "/usr/bin/ntlm_auth \
      --request-nt-key \
      --username=%{mschap:User-Name:-None} \
      --domain=%{mschap:NT-Domain:-None} \
      --challenge=%{mschap:Challenge:-00} \
      --nt-response=%{mschap:NT-Response:-00}"
  }
}

...all on one line of course. Note the use of the "mschap:User-Name" and 
"mschap:NT-Domain" values.
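A pre-flight script for the two things Phil raises above: whether the radiusd user can get into the winbind privileged socket directory, and how rlm_mschap's ntlm_auth line comes out once a DOMAIN\user or user@realm name is split into --domain and --username (the same split with_ntdomain_hack performs). This is an added example written for this page, not code from the thread or from FreeRADIUS; the radiusd user name, the directory path, and the mode-string check are assumptions, and the check ignores ACLs, SELinux and root's bypass.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before wiring
# FreeRADIUS rlm_mschap to Samba's ntlm_auth.
# Assumptions: radiusd runs as user "radiusd"; winbind's privileged socket
# directory is /var/cache/samba/winbindd_privileged (both overridable).
WINBIND_DIR="${WINBIND_DIR:-/var/cache/samba/winbindd_privileged}"
RADIUS_USER="${RADIUS_USER:-radiusd}"

# Domain part of a User-Name, the way rlm_mschap sees it with
# with_ntdomain_hack = yes: DOMAIN\user -> DOMAIN, user@REALM -> REALM,
# bare user -> empty.
nt_domain_of() {
    case $1 in
        *\\*) printf '%s\n' "${1%%\\*}" ;;
        *@*)  printf '%s\n' "${1#*@}" ;;
        *)    printf '\n' ;;
    esac
}

# User part of a User-Name (what ends up in --username=).
nt_user_of() {
    case $1 in
        *\\*) printf '%s\n' "${1#*\\}" ;;
        *@*)  printf '%s\n' "${1%%@*}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# The ntlm_auth command rlm_mschap would build from the module's ntlm_auth
# line for this User-Name; challenge and response stay as xlats because
# they only exist inside a live MS-CHAPv2 exchange.
ntlm_auth_cmdline() {
    dom=$(nt_domain_of "$1")
    printf '/usr/bin/ntlm_auth --request-nt-key --username=%s' "$(nt_user_of "$1")"
    [ -n "$dom" ] && printf ' --domain=%s' "$dom"
    printf ' --challenge=%%{mschap:Challenge} --nt-response=%%{mschap:NT-Response}\n'
}

# Can user $1 traverse directory $2? Decided from the ls -ld mode string plus
# the user's group list (id -Gn). Ignores ACLs, SELinux and root's bypass;
# a "no" here is the 0xc022 "winbind client not authorized" case in the thread.
dir_traversable_by() {
    user=$1; dir=$2
    [ -d "$dir" ] || return 2
    set -- $(ls -ld "$dir")
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$mode" | cut -c4)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$(printf '%s' "$mode" | cut -c7)
    else
        bit=$(printf '%s' "$mode" | cut -c10)
    fi
    case $bit in x|s|t) return 0 ;; *) return 1 ;; esac
}

# Driver: sh preflight.sh 'KMT-EU.KMTG.NET\sstruyf'  (no argument: define only)
if [ $# -gt 0 ]; then
    if dir_traversable_by "$RADIUS_USER" "$WINBIND_DIR"; then
        echo "ok: $RADIUS_USER can enter $WINBIND_DIR"
    else
        echo "FIX FIRST: $RADIUS_USER cannot enter $WINBIND_DIR (ntlm_auth will report 0xc022)"
    fi
    echo "rlm_mschap would run: $(ntlm_auth_cmdline "$1")"
    # Same test Neal suggests in the thread: interactive ntlm_auth against the domain.
    if command -v ntlm_auth >/dev/null 2>&1; then
        dom=$(nt_domain_of "$1")
        ntlm_auth --request-nt-key --username="$(nt_user_of "$1")" ${dom:+--domain="$dom"}
    fi
fi
```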


Re: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf

All,
I finally got it working, but not yet as I want.
The trick that made it work is setting auth-type := MSCHAPv2 for the user(s), and I also started radiusd as root (I changed the rights without success to radiusd, but once everything is working I will try to run again with the radiusd user).

If I connect my user(s) with [EMAIL PROTECTED] it works,
but if I use realm\username the realm is found but no ntlm is used (and authentication fails).

Below you find an extract from the debug where you can see that the correct realm is found. Do I need some options?
(btw I need this to work because automatic logon to the wifi from Windows XP with Windows credentials is in this format)

modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 69
    rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
    rlm_realm: Found realm "KMT-EU.KMTG.NET"
    rlm_realm: Adding Stripped-User-Name = "sstruyf"
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
    rlm_realm: Authentication realm is LOCAL.


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED] wrote on 10/26/2006 05:05:44 PM:

> [EMAIL PROTECTED] wrote:
> > I am trying to authenticate my wifi users via our AD. I'm finding bits and 
> > pieces on the internet to configure things, but no completely usable 
> > howto.
> 
>   What's missing from any of the HOWTO's?  There's some on the Wiki,
> and one on my site.
> 
> > Exec-Program-Wait: plaintext: winbind client not authorized to use 
> > winbindd_pam_auth_crap.  Ensure permissions on 
> > /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
> 
>   You're running the server as non-root, and the programs it executes
> don't run as root, so they don't have permissions to read that
> directory.  Make the server run as root, or fix the permissions.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Re: freeradius and ntlm_auth howto

2006-10-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I am trying to authenticate my wifi users via our AD. I'm finding bits and 
> pieces on the internet to configure things, but no completely usable 
> howto.

  What's missing from any of the HOWTO's?  There's some on the Wiki,
and one on my site.

> Exec-Program-Wait: plaintext: winbind client not authorized to use 
> winbindd_pam_auth_crap.  Ensure permissions on 
> /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

  You're running the server as non-root, and the programs it executes
don't run as root, so they don't have permissions to read that
directory.  Make the server run as root, or fix the permissions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: freeradius and ntlm_auth howto

2006-10-26 Thread Jonathan De Graeve

The debugging output is saying exactly what's wrong:

Exec-Program output: winbind client not authorized to use 
winbindd_pam_auth_crap.  Ensure permissions on 
/var/cache/samba/winbindd_privileged are set correctly. 
 (0xc022)

This dir should be readable by freeradius AND winbind. I thought 750 would work

J.

--
Jonathan De Graeve
IMELDA vzw
Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98

> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On behalf of
> [EMAIL PROTECTED]
> Sent: Thursday, 26 October 2006 16:24
> To: freeradius-users@lists.freeradius.org
> Subject: freeradius and ntlm_auth howto
> 
> 
> All,
> I am trying to authenticate my wifi users via our AD. I'm finding bits and
> pieces on the internet to configure things, but no completely usable
> howto.
> Can one of the users look at the output below and point me to the
> correct solution/howto?
> 
> I setup smb.conf,krb5.conf and freeradius. I joined the server to the
> domain and tested the connection with ntlm_auth:
> [EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf
> --domain=KMT-EU.KMTG.NET
> password:
> NT_STATUS_OK: Success (0x0)
> [EMAIL PROTECTED] ~]#
> 
> rights of the winbind pipe:
> ls -l /var/cache/samba/winbindd_privileged
> total 0
> srwxrwxrwx  1 root root 0 Oct 25 14:46 pipe
> 
> below is the debug output of freeradius
> 
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   eaptls_verify returned 7
>   rlm_eap_tls: Done initial handshake
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: EAP type mschapv2
>   rlm_eap_peap: Tunneled data is valid.
>   PEAP: Got tunneled EAP-Message
> EAP-Message =
> 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c3
> 8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d4555
> 2e4b4d54472e4e45545c73737472757966
>   PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
>   PEAP: Adding old state with a4 c3
>   PEAP: Sending tunneled request
> EAP-Message =
> 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c3
> 8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d4555
> 2e4b4d54472e4e45545c73737472757966
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "KMT-EU.KMTG.NET\\sstruyf"
> State = 0xa4c337a92357e8d90a5f8c64b37d2df1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
>   modcall[authorize]: module "preprocess" returns ok for request 7
>   modcall[authorize]: module "mschap" returns noop for request 7
> rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up
> realm   NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
> rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-
> EU.KMTG.NET\sstruyf"
> rlm_realm: Found realm "KMT-EU.KMTG.NET"
> rlm_realm: Adding Stripped-User-Name = "sstruyf"
> rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
> rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
> rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "ntdomain" returns noop for request 7
>   rlm_eap: EAP packet type response id 9 length 82
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 7
> users: Matched sstruyf at 98
>   modcall[authorize]: module "files" returns ok for request 7
> modcall: group authorize returns updated for request 7
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 7
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
>   rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-
> Password
> radius_xlat: Running registered xlat function of module mschap for string
> 'Challenge'
>  mschap2: 95
>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
> radius_xlat: Running registered xlat