PEAP and ntlm_auth

2005-09-29 Thread Dick
Hi all, I've got a small problem with FreeRadius, I'm trying to forward NTLM authentication to a NT domain by using ntlm_auth but the %{Stripped-User-Name} is empty. I've enabled ntdomain in authorize { } and preacct { }, but it doesn't seem to translate %{User-name} as NTCORP01\\USER to

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-25 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: I'm still not seeing it. If it's listed in the authorize section, it will be printed out in debugging mode. Are you willing to provide debug logs? Let's start over. What is the best way of authenticating users to an NT domain over PEAP? Am I even on

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain in the 'authorize' section to make freeradius use it? If it's listed there, you should see it printed out in

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Hand, Chris
AM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client Hand, Chris [EMAIL PROTECTED] wrote: Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain

Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I am trying to set up 802.1x on our network and I would like the users to be able to use their current Active Directory credentials. I need the AD domain to be stripped from the username so that I can feed it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003 server. Here is part

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Paul Bender
Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'. Hand, Chris wrote: I am trying to set up 802.1x on our network and I would like the users to be able to use

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I retyped the config. That is a typo. It should be '--challenge'. -Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Bender Sent: Monday, August 23, 2004 4:01 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463 Exec-Program-Wait: plaintext: Logon failure (0xc06d) Where's the username?

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
PROTECTED] On Behalf Of Alan DeKok Sent: Monday, August 23, 2004 4:36 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client Hand, Chris [EMAIL PROTECTED] wrote: Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working. Are you using the ntdomain realm, as given in radiusd.conf? Are you running it in debugging mode, to see that the

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Of Alan DeKok Sent: Monday, August 23, 2004 5:19 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client Hand, Chris [EMAIL PROTECTED] wrote: Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from

RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. (IATS)
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: Ok, but isn't the with_ntdomain_hack = yes directive in the radiusd.conf file supposed to correct this behavior? Theoretically, yes. But when you're calling ntlm_auth, the with_ntdomain_hack isn't being used. Why would it? You're

Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: To clarify things here, the --domain and --username arguments are right, but the --challenge argument is incorrect. Ah, OK. The username being used in this function still contains the DOMAIN! This is what is keeping the auth from working.

RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. (IATS)
. Brian D. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Monday, May 03, 2004 1:07 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote

Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: I patched the rlm_mschap.c file (attached). I pulled code from rlm_preprocess.c that handles the with_ntdomain_hack and modified it to work. Similar code already existed in rlm_mschap.c. The fix was 1 line. The user_name argument being

Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. (IATS)
Hello all, We are in the process of testing 802.1x authentication for future deployment on campus. Our test setup includes the following: freeradius-snapshot-20040427 running on RHEL 3.0 AS Configured for PEAP with MSCHAPv2 using SAMBA's winbind/ntlm_auth Multiple AD domains (smb.conf points to

RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. (IATS)
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: 1. Keeping in mind that user1 in domain1 can auth as long as domain1 isn't supplied why does supplying domain1 cause the auth to fail? Because the MS client does the MS-CHAP calculations using the username without the domain, but