Re: FreeRadius+AD integration

2007-05-02 Thread Jacob Jarick
The "Deploying FreeRADIUS + AD" page is an excellent guide for the ntlm_auth method.

I'm guessing it is because your ntlm_auth command is commented out in
the mschap part.

On 5/2/07, Danner, Mearl <[EMAIL PROTECTED]> wrote:
> Why not try this? Worked for us.
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
>
> Note that the first thing configured is the Samba server. It doesn't
> even mention installing the Freeradius server until after the Samba
> configuration is completed.
>
>
> Hi,
> > It must be you, so you are the right person to tell me what is
> > causing ntlm_auth to send OK.
>
>
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius+AD integration

2007-05-02 Thread Danner, Mearl
Why not try this? Worked for us.

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO


Note that the first thing configured is the Samba server. It doesn't
even mention installing the Freeradius server until after the Samba
configuration is completed.


Hi,
> It must be you, so you are the right person to tell me what is
> causing ntlm_auth to send OK.




Re: FreeRadius+AD integration

2007-05-02 Thread A . L . M . Buxey
Hi,
> It must be you, so you are the right person to tell me what is
> causing ntlm_auth to send OK.

huh?

ntlm_auth is part of the SAMBA package. Just do a 'man ntlm_auth'
or some such. Check the freeradius source code: there is no ntlm_auth.


If your SAMBA is configured in a different way, then it will be using
another authentication file. Check your /etc/smb.conf or whatever it
is on your system! Your SAMBA might be using PAM to authenticate,
and the user is a valid user!

alan


Re: FreeRadius+AD integration

2007-05-02 Thread Alan DeKok
shrikant Bhat wrote:
> It must be you, so you are the right person to tell me what is
> causing ntlm_auth to send OK.

  Umm... no.

  10 seconds of reading documentation would lead you to conclude that
ntlm_auth is part of the Samba project.  I am not part of the Samba project.

  Start reading documentation.  Stop asking questions on this list about
ntlm_auth.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-05-02 Thread shrikant Bhat
It must be you, so you are the right person to tell me what is
causing ntlm_auth to send OK.
SB

On 5/2/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> shrikant Bhat wrote:
> > Hello All,
> > Could someone please tell me why ntlm_auth is returning OK without
> > looking up the ADS?
>
>   Ask the people who wrote ntlm_auth?
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-05-02 Thread shrikant Bhat
Sorry, I forgot to attach the radiusd.conf and debug results.
***
..
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

libdir = /usr/local/lib

pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
#
max_requests = 1024
#
bind_address = *
#
port = 0
#
hostname_lookups = no
#
allow_core_dumps = no

#  Regular expressions
#
regular_expressions = yes
extended_expressions = yes

#  Log the full User-Name attribute, as it was found in the request.
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
#
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
#
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
$INCLUDE  ${confdir}/clients.conf
# SNMP CONFIGURATION
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5

max_servers = 32
#
min_spare_servers = 3
max_spare_servers = 10

#  There may be memory leaks or resource allocation problems with

max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
exec ntlm_auth {
wait = no
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.ORG --username=%{mschap:User-Name} --password=%{User-Password}"
}
#
pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

$INCLUDE ${confdir}/eap.conf
mschap {
#
authtype = MS-CHAP
#   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN.ORG} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
expr {
}
exec 

Re: FreeRadius+AD integration

2007-05-02 Thread Alan DeKok
shrikant Bhat wrote:
> Hello All,
> Could someone please tell me why ntlm_auth is returning OK without
> looking up the ADS?

  Ask the people who wrote ntlm_auth?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-05-02 Thread shrikant Bhat
Hello All,
Could someone please tell me why ntlm_auth is returning OK without
looking up the ADS?
I couldn't understand the debug.

On 5/1/07, shrikant Bhat <[EMAIL PROTECTED]> wrote:
> Alan,
> My intention is not to argue; since I couldn't understand the debug I
> posted the message.
>
> On 4/30/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > shrikant Bhat wrote:
> > > I don't have the user in Active Directory, yet FreeRADIUS sends an
> > > accept packet.
> >
> >   I did read the debug output, unlike you.  It shows why.  I told you
> > why.  Stop arguing and read the debug output again, and my responses.
> >
> >   It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
> > Access-Accept if the ntlm_auth module returns OK.  For some reason, the
> > ntlm_auth is returning OK.  Go find out why that's happening, and fix it.
> >
> >   Do NOT reply with "but freeradius sends an access accept".  That reply
> > indicates that you're not reading the messages here.  If you're not
> > going to read the answers to your questions, I suggest you stop asking
> > the questions.  You're wasting your time, and ours.
> >
> >   Alan DeKok.
> > --
> >   http://deployingradius.com   - The web site of the book
> >   http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread shrikant Bhat
Alan,
My intention is not to argue; since I couldn't understand the debug I
posted the message.

On 4/30/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> shrikant Bhat wrote:
> > I don't have the user in Active Directory, yet FreeRADIUS sends an
> > accept packet.
>
>   I did read the debug output, unlike you.  It shows why.  I told you
> why.  Stop arguing and read the debug output again, and my responses.
>
>   It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
> Access-Accept if the ntlm_auth module returns OK.  For some reason, the
> ntlm_auth is returning OK.  Go find out why that's happening, and fix it.
>
>   Do NOT reply with "but freeradius sends an access accept".  That reply
> indicates that you're not reading the messages here.  If you're not
> going to read the answers to your questions, I suggest you stop asking
> the questions.  You're wasting your time, and ours.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread Alan DeKok
shrikant Bhat wrote:
> I don't have the user in Active Directory, yet FreeRADIUS sends an
> accept packet.

  I did read the debug output, unlike you.  It shows why.  I told you
why.  Stop arguing and read the debug output again, and my responses.

  It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
Access-Accept if the ntlm_auth module returns OK.  For some reason, the
ntlm_auth is returning OK.  Go find out why that's happening, and fix it.

  Do NOT reply with "but freeradius sends an access accept".  That reply
indicates that you're not reading the messages here.  If you're not
going to read the answers to your questions, I suggest you stop asking
the questions.  You're wasting your time, and ours.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread shrikant Bhat
I don't have the user in Active Directory, yet FreeRADIUS sends an
accept packet.
Thanks


On 4/30/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> shrikant Bhat wrote:
> ...
>  Yes I figured that. Thanks for that. But the issue is the user I am
>  trying to authenticate is not listed in the users file or in AD, so I don't
>  understand how it is authenticating this user.
>  I have attached the debug.
>
>   Have you read the debug output?
> ...
>  radius_xlat: Running registered xlat function of module mschap for
>  string 'User-Name'
>  radius_xlat:  '--username=raduser'
>  radius_xlat:  '--password=radpass'
>   modcall[authenticate]: module "ntlm_auth" returns ok for request 3
>
>   What part of that is unclear?
>
>   You think the user isn't in Active Directory.  Yet ntlm_auth is
> returning that the user is in AD.  Either the user is in AD, or
> ntlm_auth is doing something magical.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread Alan DeKok
shrikant Bhat wrote:
...
 Yes I figured that. Thanks for that. But the issue is the user I am
 trying to authenticate is not listed in the users file or in AD, so I don't
 understand how it is authenticating this user.
 I have attached the debug.

  Have you read the debug output?
...
 radius_xlat: Running registered xlat function of module mschap for
 string 'User-Name'
 radius_xlat:  '--username=raduser'
 radius_xlat:  '--password=radpass'
  modcall[authenticate]: module "ntlm_auth" returns ok for request 3

  What part of that is unclear?

  You think the user isn't in Active Directory.  Yet ntlm_auth is
returning that the user is in AD.  Either the user is in AD, or
ntlm_auth is doing something magical.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread shrikant Bhat
Hi,
Anyone who can help me with this?
Thanks in advance
SB

On 4/27/07, shrikant Bhat <[EMAIL PROTECTED]> wrote:
> On Line 154 I have default Auth-Type = ntlm_auth. If I comment this
> out I get the Access-reject packet.
> thanks,
> SB
>
> On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Well, it matched something in the users file:
> >
> > users: Matched entry DEFAULT at line 154
> >
> >
> > Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
> >
> > >Yes I figured that. Thanks for that. But the issue is the user I am
> > >trying to authenticate is not listed in the users file or in AD, so I don't
> > >understand how it is authenticating this user.
> > >I have attached the debug.
> > >thanks for the help.
> > >
> > >*
> > >rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, 
> > >length=59
> > >User-Name = "raduser"
> > >User-Password = "radpass"
> > >NAS-IP-Address = 255.255.255.255
> > >NAS-Port = 0
> > >  Processing the authorize section of radiusd.conf
> > >modcall: entering group authorize for request 3
> > >  modcall[authorize]: module "preprocess" returns ok for request 3
> > >  modcall[authorize]: module "chap" returns noop for request 3
> > >  modcall[authorize]: module "mschap" returns noop for request 3
> > >rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
> > >rlm_realm: No such realm "NULL"
> > >  modcall[authorize]: module "suffix" returns noop for request 3
> > >  rlm_eap: No EAP-Message, not doing EAP
> > >  modcall[authorize]: module "eap" returns noop for request 3
> > >users: Matched entry DEFAULT at line 154
> > >  modcall[authorize]: module "files" returns ok for request 3
> > >modcall: leaving group authorize (returns ok) for request 3
> > >  rad_check_password:  Found Auth-Type ntlm_auth
> > >auth: type "ntlm_auth"
> > >  Processing the authenticate section of radiusd.conf
> > >modcall: entering group authenticate for request 3
> > >radius_xlat: Running registered xlat function of module mschap for
> > >string 'User-Name'
> > >radius_xlat:  '--username=raduser'
> > >radius_xlat:  '--password=radpass'
> > >  modcall[authenticate]: module "ntlm_auth" returns ok for request 3
> > >modcall: leaving group authenticate (returns ok) for request 3
> > >Sending Access-Accept of id 100 to 127.0.0.1 port 32779
> > >Finished request 3
> > >Going to the next request
> > >--- Walking the entire request list ---
> > >Waking up in 6 seconds...
> > >--- Walking the entire request list ---
> > >Cleaning up request 3 ID 100 with timestamp 4631d1f0
> > >Nothing to do.  Sleeping until we see a request.
> > >
> > >
> > >On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > >> The error seems to be because the shared secret is testing123, not testing 123.
> > >> But you need to paste the output of radiusd -X after the Access-Request. Open two
> > >> ssh sessions and do radtest from one and radiusd -X from the other.
> > >>
> > >> Ivan Kalik
> > >> Kalik Informatika ISP
> > >>
> > >>
> > >> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
> > >>
> > >> >I get this error
> > >> >[EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
> > >> >Sending Access-Request of id 47 to 127.0.0.1 port 1812
> > >> >User-Name = "raduser"
> > >> >User-Password = "radpass"
> > >> >NAS-IP-Address = 255.255.255.255
> > >> >NAS-Port = 0
> > >> >Framed-Protocol = PPP
> > >> >rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, 
> > >> >length=20
> > >> >rad_verify: Received Access-Accept packet from client 127.0.0.1 port
> > >> >1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
> > >> >
> > >> >On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > >> >> And what happens when you get Access-Request?
> > >> >>
> > >> >>
> > >> >> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
> > >> >>
> > >> >> >Hello Alan,
> > >> >> >I have built and installed version 1.1.6 of FreeRADIUS. When I test
> > >> >> >using radtest it authenticates any user with any password; what I mean
> > >> >> >by this is it doesn't seem to contact the ADS to look up the user
> > >> >> >information and authenticate. I have attached the debug.
> > >> >> >*
> > >> >> >[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> > >> >> >Starting - reading configuration files ...
> > >> >> >reread_config:  reading radiusd.conf
> > >> >> >Config:   including file: /etc/raddb/clients.conf
> > >> >> >Config:   including file: /etc/raddb/snmp.conf
> > >> >> >Config:   including file: /etc/raddb/eap.conf
> > >> >> >Config:   including file: /etc/raddb/sql.conf
> > >> >> > main: prefix = "/usr"
> >

Re: FreeRadius+AD integration

2007-04-27 Thread tnt
Well, it matched something in the users file:

users: Matched entry DEFAULT at line 154


Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:

>Yes I figured that. Thanks for that. But the issue is the user I am
>trying to authenticate is not listed in the users file or in AD, so I don't
>understand how it is authenticating this user.
>I have attached the debug.
>Thanks for the help.
>
>*
>rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
>User-Name = "raduser"
>User-Password = "radpass"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 0
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 3
>  modcall[authorize]: module "preprocess" returns ok for request 3
>  modcall[authorize]: module "chap" returns noop for request 3
>  modcall[authorize]: module "mschap" returns noop for request 3
>rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
>rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 3
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 3
>users: Matched entry DEFAULT at line 154
>  modcall[authorize]: module "files" returns ok for request 3
>modcall: leaving group authorize (returns ok) for request 3
>  rad_check_password:  Found Auth-Type ntlm_auth
>auth: type "ntlm_auth"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 3
>radius_xlat: Running registered xlat function of module mschap for
>string 'User-Name'
>radius_xlat:  '--username=raduser'
>radius_xlat:  '--password=radpass'
>  modcall[authenticate]: module "ntlm_auth" returns ok for request 3
>modcall: leaving group authenticate (returns ok) for request 3
>Sending Access-Accept of id 100 to 127.0.0.1 port 32779
>Finished request 3
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>Cleaning up request 3 ID 100 with timestamp 4631d1f0
>Nothing to do.  Sleeping until we see a request.
>
>
>On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> The error seems to be because the shared secret is testing123, not testing 123.
>> But you need to paste the output of radiusd -X after the Access-Request. Open two
>> ssh sessions and do radtest from one and radiusd -X from the other.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
>>
>> >I get this error
>> >[EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
>> >Sending Access-Request of id 47 to 127.0.0.1 port 1812
>> >User-Name = "raduser"
>> >User-Password = "radpass"
>> >NAS-IP-Address = 255.255.255.255
>> >NAS-Port = 0
>> >Framed-Protocol = PPP
>> >rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
>> >rad_verify: Received Access-Accept packet from client 127.0.0.1 port
>> >1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
>> >
>> >On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> >> And what happens when you get Access-Request?
>> >>
>> >>
>> >> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
>> >>
>> >> >Hello Alan,
>> >> >I have built and installed version 1.1.6 of FreeRADIUS. When I test
>> >> >using radtest it authenticates any user with any password; what I mean
>> >> >by this is it doesn't seem to contact the ADS to look up the user
>> >> >information and authenticate. I have attached the debug.
>> >> >*
>> >> >[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
>> >> >Starting - reading configuration files ...
>> >> >reread_config:  reading radiusd.conf
>> >> >Config:   including file: /etc/raddb/clients.conf
>> >> >Config:   including file: /etc/raddb/snmp.conf
>> >> >Config:   including file: /etc/raddb/eap.conf
>> >> >Config:   including file: /etc/raddb/sql.conf
>> >> > main: prefix = "/usr"
>> >> > main: localstatedir = "/var"
>> >> > main: logdir = "/var/log/radius"
>> >> > main: libdir = "/usr/lib"
>> >> > main: radacctdir = "/var/log/radius/radacct"
>> >> > main: hostname_lookups = no
>> >> > main: max_request_time = 30
>> >> > main: cleanup_delay = 5
>> >> > main: max_requests = 1024
>> >> > main: delete_blocked_requests = 0
>> >> > main: port = 0
>> >> > main: allow_core_dumps = no
>> >> > main: log_stripped_names = no
>> >> > main: log_file = "/var/log/radius/radius.log"
>> >> > main: log_auth = no
>> >> > main: log_auth_badpass = no
>> >> > main: log_auth_goodpass = no
>> >> > main: pidfile = "/var/run/radiusd/radiusd.pid"
>> >> > main: user = "radiusd"
>> >> > ma

Re: FreeRadius+AD integration

2007-04-27 Thread shrikant Bhat
On line 154 I have DEFAULT Auth-Type = ntlm_auth. If I comment this
out I get the Access-Reject packet.
Thanks,
SB

On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Well, it matched something in the users file:
>
> users: Matched entry DEFAULT at line 154
>
>
> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
>
> >Yes I figured that. Thanks for that. But the issue is the user I am
> >trying to authenticate is not listed in the users file or in AD, so I don't
> >understand how it is authenticating this user.
> >I have attached the debug.
> >Thanks for the help.
> >
> >*
> >rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
> >User-Name = "raduser"
> >User-Password = "radpass"
> >NAS-IP-Address = 255.255.255.255
> >NAS-Port = 0
> >  Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 3
> >  modcall[authorize]: module "preprocess" returns ok for request 3
> >  modcall[authorize]: module "chap" returns noop for request 3
> >  modcall[authorize]: module "mschap" returns noop for request 3
> >rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
> >rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop for request 3
> >  rlm_eap: No EAP-Message, not doing EAP
> >  modcall[authorize]: module "eap" returns noop for request 3
> >users: Matched entry DEFAULT at line 154
> >  modcall[authorize]: module "files" returns ok for request 3
> >modcall: leaving group authorize (returns ok) for request 3
> >  rad_check_password:  Found Auth-Type ntlm_auth
> >auth: type "ntlm_auth"
> >  Processing the authenticate section of radiusd.conf
> >modcall: entering group authenticate for request 3
> >radius_xlat: Running registered xlat function of module mschap for
> >string 'User-Name'
> >radius_xlat:  '--username=raduser'
> >radius_xlat:  '--password=radpass'
> >  modcall[authenticate]: module "ntlm_auth" returns ok for request 3
> >modcall: leaving group authenticate (returns ok) for request 3
> >Sending Access-Accept of id 100 to 127.0.0.1 port 32779
> >Finished request 3
> >Going to the next request
> >--- Walking the entire request list ---
> >Waking up in 6 seconds...
> >--- Walking the entire request list ---
> >Cleaning up request 3 ID 100 with timestamp 4631d1f0
> >Nothing to do.  Sleeping until we see a request.
> >
> >
> >On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >> The error seems to be because the shared secret is testing123, not testing 123.
> >> But you need to paste the output of radiusd -X after the Access-Request. Open two
> >> ssh sessions and do radtest from one and radiusd -X from the other.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
> >>
> >> >I get this error
> >> >[EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
> >> >Sending Access-Request of id 47 to 127.0.0.1 port 1812
> >> >User-Name = "raduser"
> >> >User-Password = "radpass"
> >> >NAS-IP-Address = 255.255.255.255
> >> >NAS-Port = 0
> >> >Framed-Protocol = PPP
> >> >rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
> >> >rad_verify: Received Access-Accept packet from client 127.0.0.1 port
> >> >1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
> >> >
> >> >On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >> >> And what happens when you get Access-Request?
> >> >>
> >> >>
> >> >> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
> >> >>
> >> >> >Hello Alan,
> >> >> >I have built and installed version 1.1.6 of FreeRADIUS. When I test
> >> >> >using radtest it authenticates any user with any password; what I mean
> >> >> >by this is it doesn't seem to contact the ADS to look up the user
> >> >> >information and authenticate. I have attached the debug.
> >> >> >*
> >> >> >[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> >> >> >Starting - reading configuration files ...
> >> >> >reread_config:  reading radiusd.conf
> >> >> >Config:   including file: /etc/raddb/clients.conf
> >> >> >Config:   including file: /etc/raddb/snmp.conf
> >> >> >Config:   including file: /etc/raddb/eap.conf
> >> >> >Config:   including file: /etc/raddb/sql.conf
> >> >> > main: prefix = "/usr"
> >> >> > main: localstatedir = "/var"
> >> >> > main: logdir = "/var/log/radius"
> >> >> > main: libdir = "/usr/lib"
> >> >> > main: radacctdir = "/var/log/radius/radacct"
> >> >> > main: hostname_lookups = no
> >> >> > main: max_request_time = 30
> >> >> > main: cleanup_delay = 5
> >> >> > main: max_requests = 1024
> >> >> > main:

Re: FreeRadius+AD integration

2007-04-27 Thread shrikant Bhat
Yes I figured that. Thanks for that. But the issue is the user I am
trying to authenticate is not listed in the users file or in AD, so I don't
understand how it is authenticating this user.
I have attached the debug.
Thanks for the help.

*
rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
User-Name = "raduser"
User-Password = "radpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 3
users: Matched entry DEFAULT at line 154
  modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type ntlm_auth
auth: type "ntlm_auth"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat:  '--username=raduser'
radius_xlat:  '--password=radpass'
  modcall[authenticate]: module "ntlm_auth" returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Sending Access-Accept of id 100 to 127.0.0.1 port 32779
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 100 with timestamp 4631d1f0
Nothing to do.  Sleeping until we see a request.


On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The error seems to be because the shared secret is testing123, not testing 123.
> But you need to paste the output of radiusd -X after the Access-Request. Open two
> ssh sessions and do radtest from one and radiusd -X from the other.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
>
> >I get this error
> >[EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
> >Sending Access-Request of id 47 to 127.0.0.1 port 1812
> >User-Name = "raduser"
> >User-Password = "radpass"
> >NAS-IP-Address = 255.255.255.255
> >NAS-Port = 0
> >Framed-Protocol = PPP
> >rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
> >rad_verify: Received Access-Accept packet from client 127.0.0.1 port
> >1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
> >
> >On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >> And what happens when you get Access-Request?
> >>
> >>
> >> Dana 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> piše:
> >>
> >> >Hello Alan,
> >> >I have built and installed version 1.1.6 of FreeRADIUS. When I test
> >> >using radtest it authenticates any user with any password; what I mean
> >> >by this is it doesn't seem to contact the ADS to look up the user
> >> >information and authenticate. I have attached the debug.
> >> >*
> >> >[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> >> >Starting - reading configuration files ...
> >> >reread_config:  reading radiusd.conf
> >> >Config:   including file: /etc/raddb/clients.conf
> >> >Config:   including file: /etc/raddb/snmp.conf
> >> >Config:   including file: /etc/raddb/eap.conf
> >> >Config:   including file: /etc/raddb/sql.conf
> >> > main: prefix = "/usr"
> >> > main: localstatedir = "/var"
> >> > main: logdir = "/var/log/radius"
> >> > main: libdir = "/usr/lib"
> >> > main: radacctdir = "/var/log/radius/radacct"
> >> > main: hostname_lookups = no
> >> > main: max_request_time = 30
> >> > main: cleanup_delay = 5
> >> > main: max_requests = 1024
> >> > main: delete_blocked_requests = 0
> >> > main: port = 0
> >> > main: allow_core_dumps = no
> >> > main: log_stripped_names = no
> >> > main: log_file = "/var/log/radius/radius.log"
> >> > main: log_auth = no
> >> > main: log_auth_badpass = no
> >> > main: log_auth_goodpass = no
> >> > main: pidfile = "/var/run/radiusd/radiusd.pid"
> >> > main: user = "radiusd"
> >> > main: group = "radiusd"
> >> > main: usercollide = no
> >> > main: lower_user = "no"
> >> > main: lower_pass = "no"
> >> > main: nospace_user = "no"
> >> > main: nospace_pass = "no"
> >> > main: checkrad = "/usr/sbin/checkrad"
> >> > main: proxy_requests = y

Re: FreeRadius+AD integration

2007-04-27 Thread tnt
The error seems to be because the shared secret is testing123, not testing 123.
But you need to paste the output of radiusd -X after the Access-Request. Open two
ssh sessions and do radtest from one and radiusd -X from the other.

Ivan Kalik
Kalik Informatika ISP


On 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> writes:

>I get this error
>[EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
>Sending Access-Request of id 47 to 127.0.0.1 port 1812
>User-Name = "raduser"
>User-Password = "radpass"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 0
>Framed-Protocol = PPP
>rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
>rad_verify: Received Access-Accept packet from client 127.0.0.1 port
>1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
>
>On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> And what happens when you get Access-Request?
>>
>>
>> On 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> writes:
>>
>> >Hello Alan,
> >> >I have built and installed version 1.1.6 of FreeRadius. When I test
> >> >using radtest it authenticates any user with any password; what I mean
> >> >by this is it doesn't seem to contact the ADS to look up the user
> >> >information and authenticate. I have attached the debug output:
>> >*
>> >[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
>> >Starting - reading configuration files ...
>> >reread_config:  reading radiusd.conf
>> >Config:   including file: /etc/raddb/clients.conf
>> >Config:   including file: /etc/raddb/snmp.conf
>> >Config:   including file: /etc/raddb/eap.conf
>> >Config:   including file: /etc/raddb/sql.conf
>> > main: prefix = "/usr"
>> > main: localstatedir = "/var"
>> > main: logdir = "/var/log/radius"
>> > main: libdir = "/usr/lib"
>> > main: radacctdir = "/var/log/radius/radacct"
>> > main: hostname_lookups = no
>> > main: max_request_time = 30
>> > main: cleanup_delay = 5
>> > main: max_requests = 1024
>> > main: delete_blocked_requests = 0
>> > main: port = 0
>> > main: allow_core_dumps = no
>> > main: log_stripped_names = no
>> > main: log_file = "/var/log/radius/radius.log"
>> > main: log_auth = no
>> > main: log_auth_badpass = no
>> > main: log_auth_goodpass = no
>> > main: pidfile = "/var/run/radiusd/radiusd.pid"
>> > main: user = "radiusd"
>> > main: group = "radiusd"
>> > main: usercollide = no
>> > main: lower_user = "no"
>> > main: lower_pass = "no"
>> > main: nospace_user = "no"
>> > main: nospace_pass = "no"
>> > main: checkrad = "/usr/sbin/checkrad"
>> > main: proxy_requests = yes
>> > security: max_attributes = 200
>> > security: reject_delay = 1
>> > security: status_server = no
>> > main: debug_level = 0
>> >read_config_files:  reading dictionary
>> >read_config_files:  reading naslist
>> >Using deprecated naslist file.  Support for this will go away soon.
>> >read_config_files:  reading clients
>> >read_config_files:  reading realms
>> >radiusd:  entering modules setup
>> >Module: Library search path is /usr/lib
>> >Module: Loaded expr
>> >Module: Instantiated expr (expr)
>> >Module: Loaded exec
>> > exec: wait = no
>> > exec: program = "/usr/bin/ntlm_auth  --request-nt-key
>> >--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
>> >--password=%{User-Password}"
>> > exec: input_pairs = "request"
>> > exec: output_pairs = "(null)"
>> > exec: packet_type = "(null)"
>> >Module: Instantiated exec (ntlm_auth)
>> >Module: Loaded CHAP
>> >Module: Instantiated chap (chap)
>> >Module: Loaded preprocess
>> > preprocess: huntgroups = "/etc/raddb/huntgroups"
>> > preprocess: hints = "/etc/raddb/hints"
>> > preprocess: with_ascend_hack = no
>> > preprocess: ascend_channels_per_line = 23
>> > preprocess: with_ntdomain_hack = no
>> > preprocess: with_specialix_jetstream_hack = no
>> > preprocess: with_cisco_vsa_hack = no
>> >Module: Instantiated preprocess (preprocess)
>> >Module: Loaded MS-CHAP
>> > mschap: use_mppe = yes
>> > mschap: require_encryption = no
>> > mschap: require_strong = no
>> > mschap: with_ntdomain_hack = yes
>> > mschap: passwd = "(null)"
>> > mschap: authtype = "MS-CHAP"
>> > mschap: ntlm_auth = "(null)"
>> >Module: Instantiated mschap (mschap)
>> >Module: Loaded realm
>> > realm: format = "suffix"
>> > realm: delimiter = "@"
>> > realm: ignore_default = no
>> > realm: ignore_null = no
>> >Module: Instantiated realm (suffix)
>> >Module: Loaded eap
>> > eap: default_eap_type = "md5"
>> > eap: timer_expire = 60
>> > eap: ignore_unknown_eap_types = no
>> > eap: cisco_accounting_username_bug = no
>> >rlm_eap: Loaded and initialized type md5
>> >rlm_eap: Loaded and initialized type leap
>> > gtc: challenge = "Password: "
>> > gtc: auth_type = "PAP"
>> >rlm_eap: Loaded and initialized type gtc
>> > mschapv2: with_ntdomain_hack = no
>> >rlm_eap: Loaded and initialized type mschapv2
>> >Module: Instantiated eap (eap)
>> >Module: Loaded files
>> > files: usersfile = "/etc

Re: FreeRadius+AD integration

2007-04-27 Thread tnt
And what happens when you get Access-Request?


On 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> writes:

>Hello Alan,
>I have built and installed version 1.1.6 of FreeRadius. When I test
>using radtest it authenticates any user with any password; what I mean
>by this is it doesn't seem to contact the ADS to look up the user
>information and authenticate. I have attached the debug output:
>*
>[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
>Starting - reading configuration files ...
>reread_config:  reading radiusd.conf
>Config:   including file: /etc/raddb/clients.conf
>Config:   including file: /etc/raddb/snmp.conf
>Config:   including file: /etc/raddb/eap.conf
>Config:   including file: /etc/raddb/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/radius"
> main: libdir = "/usr/lib"
> main: radacctdir = "/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "radiusd"
> main: group = "radiusd"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = yes
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
>read_config_files:  reading dictionary
>read_config_files:  reading naslist
>Using deprecated naslist file.  Support for this will go away soon.
>read_config_files:  reading clients
>read_config_files:  reading realms
>radiusd:  entering modules setup
>Module: Library search path is /usr/lib
>Module: Loaded expr
>Module: Instantiated expr (expr)
>Module: Loaded exec
> exec: wait = no
> exec: program = "/usr/bin/ntlm_auth  --request-nt-key
>--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
>--password=%{User-Password}"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
>Module: Instantiated exec (ntlm_auth)
>Module: Loaded CHAP
>Module: Instantiated chap (chap)
>Module: Loaded preprocess
> preprocess: huntgroups = "/etc/raddb/huntgroups"
> preprocess: hints = "/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
>Module: Instantiated preprocess (preprocess)
>Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = yes
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
>Module: Instantiated mschap (mschap)
>Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
>Module: Instantiated realm (suffix)
>Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
>rlm_eap: Loaded and initialized type md5
>rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
>rlm_eap: Loaded and initialized type gtc
> mschapv2: with_ntdomain_hack = no
>rlm_eap: Loaded and initialized type mschapv2
>Module: Instantiated eap (eap)
>Module: Loaded files
> files: usersfile = "/etc/raddb/users"
> files: acctusersfile = "/etc/raddb/acct_users"
> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> files: compat = "cistron"
>[/etc/raddb/users]:1 Cistron compatibility checks for entry raduser ...
>[/etc/raddb/users]:153 Cistron compatibility checks for entry DEFAULT ...
>?Changing 'Auth-Type =' to 'Auth-Type +='
>[/etc/raddb/users]:172 Cistron compatibility checks for entry DEFAULT ...
>[/etc/raddb/users]:184 Cistron compatibility checks for entry DEFAULT ...
>[/etc/raddb/users]:191 Cistron compatibility checks for entry DEFAULT ...
>[/etc/raddb/users]:198 Cistron compatibility checks for entry DEFAULT ...
>Module: Instantiated files (files)
>Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
>Module: Instantiated acct_unique (acct_unique)
>Module: Loaded detail
> detail: detailfile =
>"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
>Module: Instantiated detail (detail)
>Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "/etc/shadow"
> unix: group = "(null)"
> uni

Re: FreeRadius+AD integration

2007-04-27 Thread shrikant Bhat
I get this error
[EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
Sending Access-Request of id 47 to 127.0.0.1 port 1812
User-Name = "raduser"
User-Password = "radpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
rad_verify: Received Access-Accept packet from client 127.0.0.1 port
1812 with invalid signature (err=2)!  (Shared secret is incorrect.)

On 4/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> And what happens when you get Access-Request?
>
>
> On 27/4/2007, "shrikant Bhat" <[EMAIL PROTECTED]> writes:
>
> >Hello Alan,
> >I have built and installed version 1.1.6 of FreeRadius. When I test
> >using radtest it authenticates any user with any password; what I mean
> >by this is it doesn't seem to contact the ADS to look up the user
> >information and authenticate. I have attached the debug output:
> >*
> >[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> >Starting - reading configuration files ...
> >reread_config:  reading radiusd.conf
> >Config:   including file: /etc/raddb/clients.conf
> >Config:   including file: /etc/raddb/snmp.conf
> >Config:   including file: /etc/raddb/eap.conf
> >Config:   including file: /etc/raddb/sql.conf
> > main: prefix = "/usr"
> > main: localstatedir = "/var"
> > main: logdir = "/var/log/radius"
> > main: libdir = "/usr/lib"
> > main: radacctdir = "/var/log/radius/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = no
> > main: log_file = "/var/log/radius/radius.log"
> > main: log_auth = no
> > main: log_auth_badpass = no
> > main: log_auth_goodpass = no
> > main: pidfile = "/var/run/radiusd/radiusd.pid"
> > main: user = "radiusd"
> > main: group = "radiusd"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/sbin/checkrad"
> > main: proxy_requests = yes
> > security: max_attributes = 200
> > security: reject_delay = 1
> > security: status_server = no
> > main: debug_level = 0
> >read_config_files:  reading dictionary
> >read_config_files:  reading naslist
> >Using deprecated naslist file.  Support for this will go away soon.
> >read_config_files:  reading clients
> >read_config_files:  reading realms
> >radiusd:  entering modules setup
> >Module: Library search path is /usr/lib
> >Module: Loaded expr
> >Module: Instantiated expr (expr)
> >Module: Loaded exec
> > exec: wait = no
> > exec: program = "/usr/bin/ntlm_auth  --request-nt-key
> >--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
> >--password=%{User-Password}"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> >Module: Instantiated exec (ntlm_auth)
> >Module: Loaded CHAP
> >Module: Instantiated chap (chap)
> >Module: Loaded preprocess
> > preprocess: huntgroups = "/etc/raddb/huntgroups"
> > preprocess: hints = "/etc/raddb/hints"
> > preprocess: with_ascend_hack = no
> > preprocess: ascend_channels_per_line = 23
> > preprocess: with_ntdomain_hack = no
> > preprocess: with_specialix_jetstream_hack = no
> > preprocess: with_cisco_vsa_hack = no
> >Module: Instantiated preprocess (preprocess)
> >Module: Loaded MS-CHAP
> > mschap: use_mppe = yes
> > mschap: require_encryption = no
> > mschap: require_strong = no
> > mschap: with_ntdomain_hack = yes
> > mschap: passwd = "(null)"
> > mschap: authtype = "MS-CHAP"
> > mschap: ntlm_auth = "(null)"
> >Module: Instantiated mschap (mschap)
> >Module: Loaded realm
> > realm: format = "suffix"
> > realm: delimiter = "@"
> > realm: ignore_default = no
> > realm: ignore_null = no
> >Module: Instantiated realm (suffix)
> >Module: Loaded eap
> > eap: default_eap_type = "md5"
> > eap: timer_expire = 60
> > eap: ignore_unknown_eap_types = no
> > eap: cisco_accounting_username_bug = no
> >rlm_eap: Loaded and initialized type md5
> >rlm_eap: Loaded and initialized type leap
> > gtc: challenge = "Password: "
> > gtc: auth_type = "PAP"
> >rlm_eap: Loaded and initialized type gtc
> > mschapv2: with_ntdomain_hack = no
> >rlm_eap: Loaded and initialized type mschapv2
> >Module: Instantiated eap (eap)
> >Module: Loaded files
> > files: usersfile = "/etc/raddb/users"
> > files: acctusersfile = "/etc/raddb/acct_users"
> > files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> > files: compat = "cistron"
> >[/etc/raddb/users]:1 Cistron compatibility checks for entry raduser ...
> >[/etc/raddb/users]:153 Cistron compatibility checks for entry DEFAULT ...
> >?Changing 'Auth-Type =' to 'Auth-Type +='
> >[/etc/raddb/users]:172 Cistron compatibility checks for entry DEFAULT ...

Re: FreeRadius+AD integration

2007-04-27 Thread shrikant Bhat
Hello Alan,
I have built and installed version 1.1.6 of FreeRadius. When I test
using radtest it authenticates any user with any password; what I mean
by this is it doesn't seem to contact the ADS to look up the user
information and authenticate. I have attached the debug output:
*
[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded exec
 exec: wait = no
 exec: program = "/usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--password=%{User-Password}"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
Module: Instantiated exec (ntlm_auth)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "cistron"
[/etc/raddb/users]:1 Cistron compatibility checks for entry raduser ...
[/etc/raddb/users]:153 Cistron compatibility checks for entry DEFAULT ...
?Changing 'Auth-Type =' to 'Auth-Type +='
[/etc/raddb/users]:172 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:198 Cistron compatibility checks for entry DEFAULT ...
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: cas

Re: FreeRadius+AD integration

2007-04-23 Thread Jacob Jarick
nifty, this will be next on my list to figure out :P

On 4/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> shrikant Bhat wrote:
> > 1. The document says to add exec ... to the modules section and then
> > list ntlm_auth in the authenticate section. When I have exec
> > ntlm_auth in the modules section and ntlm_auth listed in the authenticate
> > section I get the error 'Unknown Auth-Type "exec" in authenticate section'.
> > How do I fix this? Please help.
> > I have attached my radiusd.conf file.
>
>   All I know is that it works for me in 1.1.6.
>
> > 2. To authenticate Cisco telnet sessions, is it possible to use
> > FreeRadius with AD integration? What I mean by this is, can I telnet
> > using my AD ID and password with FreeRadius being the authentication
> > server?
>
>   Yes.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
> 1. The document says to add exec ... to the modules section and then
> list ntlm_auth in the authenticate section. When I have exec
> ntlm_auth in the modules section and ntlm_auth listed in the authenticate
> section I get the error 'Unknown Auth-Type "exec" in authenticate section'.
> How do I fix this? Please help.
> I have attached my radiusd.conf file.

  All I know is that it works for me in 1.1.6.

> 2. To authenticate Cisco telnet sessions, is it possible to use
> FreeRadius with AD integration? What I mean by this is, can I telnet
> using my AD ID and password with FreeRadius being the authentication
> server?

  Yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
> My apologies for that mistake..
> 
> I have the following lines in the modules section
> exec ntlm_auth {
> wait = no
> program = "/usr/bin/ntlm_auth  --request-nt-key
> --domain=MYDOMAIN.COM
> --username=%{mschap:User-Name} --password=%{User-Password}"
> }
> 
> and I have ntlm_auth listed in the authenticate section

  No, you don't.  You listed "exec", not "ntlm_auth".

  Please follow the instructions.  If you are not going to follow the
instructions, then do not be surprised that it doesn't work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-23 Thread shrikant Bhat
My apologies for that mistake.

I have the following lines in the modules section
exec ntlm_auth {
wait = no
program = "/usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.COM
--username=%{mschap:User-Name} --password=%{User-Password}"
}

and I have ntlm_auth listed in the authenticate section. While running radiusd -X
I get the following error.
*
[EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -X -y
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
 exec: wait = no
 exec: program = "/usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--password=%{User-Password}"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
Module: Instantiated exec (ntlm_auth)
radiusd.conf[1685] Unknown Auth-Type "exec" in authenticate section.

***

thanks for the help in advance.
SB


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
> I tried with the following in the authenticate section
> 
> Auth-Type ntlm_auth {
>mschap  (I am not sure about the
> protocol I need to use here)

  The web page says to just put "ntlm_auth" in the "authenticate"
section.  It doesn't say you need "Auth-Type", and it doesn't say to put
"mschap" in it, either.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
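The pieces the replies in this thread keep pointing at, collected as an added example written for this thread (not the guide's text and not the poster's radiusd.conf); the ntlm_auth path and the domain are the ones quoted in the thread, everything else is assumed:

```conf
# radiusd.conf (FreeRADIUS 1.1.x), modules section.
# "ntlm_auth" after "exec" is the instance name; the authenticate section
# and the users file refer to that name, never to "exec".
modules {
    exec ntlm_auth {
        # The poster's snippet has wait = no, which starts ntlm_auth and
        # returns without its exit status, so a bad password is never rejected.
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
    }
}

# radiusd.conf, authenticate section: the bare instance name, nothing else.
# Listing "exec" gives 'Unknown Auth-Type "exec" in authenticate section';
# a hand-written Auth-Type block containing "mschap" runs rlm_mschap instead,
# which rejects a PAP request ("No MS-CHAP-Challenge in the request").
authenticate {
    ntlm_auth
}

# users file: select that Auth-Type for requests no earlier entry matched
# (the debug output in the thread shows a DEFAULT entry being matched).
DEFAULT Auth-Type := ntlm_auth
```

%{User-Password} exists only for PAP requests, which is what a plain login such as a Cisco telnet session sends over RADIUS; MS-CHAP clients need the separate ntlm_auth setting inside the mschap module, which the debug output in the thread shows as "(null)".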


Re: FreeRadius+AD integration

2007-04-23 Thread shrikant Bhat
I tried with the following in the authenticate section

Auth-Type ntlm_auth {
   mschap
}
(I am not sure about the protocol I need to use here.)

I have attached the debug window output
**
rad_recv: Access-Request packet from host 127.0.0.1:32928, id=202, length=57
User-Name = "raduser"
User-Password = "radpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 214
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type ntlm_auth
auth: type "ntlm_auth"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
***
All I want to do is authenticate my Cisco device logins using ADS ID
and password.
I am a novice to RADIUS, please help.
thank you
regards
sb



On 4/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> shrikant Bhat wrote:
> > Hi,
> > I am trying to integrate freeradius with ADS 2003. I referred to
> > http://deployingradius.com/documents/configuration/active_directory.html.
> > Everything works perfectly fine up to ( $ ntlm_auth --request-nt-key
> > --domain=*MYDOMAIN* --username=*user* --password=*password* ); I get
> > NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module
> > in radius.conf as per the instructions, but radtest fails with
> > Access-Reject. I have attached the debug window output for reference.
>
>   You did not add the "ntlm_auth" entry to the "authenticate" section,
> as the web page says.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


RE: FreeRadius+AD integration

2007-04-23 Thread [EMAIL PROTECTED]
Hello Alan,
I am trying to authenticate my Cisco device login using freeradius;
freeradius should look into my win2003 AD for user information.
I agree I may have missed out something from the instructions. I
have attached my radius.conf and eap.conf file.

why have you put the ntlm_auth line like that? how do you expect that to
ever be called? nothing is referencing it.

alan






Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
> Hi,
> I am trying to integrate freeradius with ADS 2003. I referred to
> http://deployingradius.com/documents/configuration/active_directory.html.
> Everything works perfectly fine up to ( $ ntlm_auth --request-nt-key
> --domain=*MYDOMAIN* --username=*user* --password=*password* ); I get
> NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module
> in radius.conf as per the instructions, but radtest fails with
> Access-Reject. I have attached the debug window output for reference.

  You did not add the "ntlm_auth" entry to the "authenticate" section,
as the web page says.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-22 Thread A . L . M . Buxey
Hi,

> radius.conf as per the instructions, but radtest fails with Access-Reject .I
> have attached the debug window output for reference.

no you haven't. you've attached a tiny snippet of the debug output.

> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

but at least it shows this bit - how are you attempting to authenticate
and WHAT are you attempting to authenticate? 

alan


FreeRadius+AD integration

2007-04-22 Thread shrikant Bhat

Hi,
I am trying to integrate freeradius with ADS 2003. I referred to
http://deployingradius.com/documents/configuration/active_directory.html.
Everything works perfectly fine up to ( $ ntlm_auth --request-nt-key
--domain=*MYDOMAIN* --username=*user* --password=*password* ); I get
NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module in
radius.conf as per the instructions, but radtest fails with Access-Reject. I
have attached the debug window output for reference.


rad_recv: Access-Request packet from host 127.0.0.1:32928, id=44, length=57
   User-Name = "raduser"
   User-Password = "radpass"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched entry sbhat at line 1
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
_

Any help fixing this issue will be appreciated.
thank you!
SB
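A small triage script, added here as an example (not part of the thread and not FreeRADIUS code), that scans `radiusd -X` and radtest output for the signatures the replies in this thread diagnosed: the wrong shared secret, `exec` listed instead of the instance name, no Auth-Type selected, an Auth-Type block that runs mschap instead of the exec instance, `wait = no` on the ntlm_auth exec instance, and the mschap module with no ntlm_auth command. The sample texts are constructed in the format of the output quoted above, not copied from any one post.

```python
"""Triage radiusd -X and radtest output for the FreeRADIUS+AD mistakes in this thread.
Added example, not FreeRADIUS code; the samples are constructed, not copied."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (short identifier, explanation)

# Module setup: "exec" listed in authenticate, wait = no on the ntlm_auth
# exec instance, and no ntlm_auth command configured in rlm_mschap.
SAMPLE_STARTUP = """\
Module: Loaded exec
 exec: wait = no
 exec: program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
Module: Instantiated exec (ntlm_auth)
Module: Loaded MS-CHAP
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
radiusd.conf[1685] Unknown Auth-Type "exec" in authenticate section.
"""

# A request rejected because nothing selected an Auth-Type.
SAMPLE_NO_AUTH_TYPE = """\
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
"""

# Auth-Type ntlm_auth selected, but a hand-written Auth-Type block ran
# rlm_mschap, which rejects a PAP request.
SAMPLE_WRONG_BLOCK = """\
  rad_check_password:  Found Auth-Type ntlm_auth
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 0
"""

# radtest run with a shared secret that does not match clients.conf.
SAMPLE_RADTEST = """\
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
rad_verify: Received Access-Accept packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
"""


def exec_instances(text: str) -> Dict[str, Dict[str, str]]:
    """Map each rlm_exec instance name to its settings. The ' exec: key = value'
    lines precede the 'Module: Instantiated exec (<name>)' line that names them."""
    instances: Dict[str, Dict[str, str]] = {}
    pending: Dict[str, str] = {}
    for line in text.splitlines():
        setting = re.match(r"\s*exec: (\w+) = (.*)$", line)
        if setting:
            pending[setting.group(1)] = setting.group(2).strip('"')
            continue
        named = re.match(r"Module: Instantiated exec \((\S+)\)", line)
        if named:
            instances[named.group(1)] = pending
            pending = {}
    return instances


def triage(text: str) -> List[Finding]:
    """Return the misconfiguration signatures present in one debug capture."""
    found: List[Finding] = []
    entry = re.search(r'Unknown Auth-Type "(\w+)" in authenticate section', text)
    if entry:
        found.append(("wrong-authenticate-entry",
                      f'authenticate lists "{entry.group(1)}"; list the exec instance name instead'))
    if re.search(r"^auth: No authenticate method \(Auth-Type\)", text, re.M):
        found.append(("no-auth-type",
                      "nothing set Auth-Type, e.g. no users DEFAULT entry selecting ntlm_auth"))
    if "Shared secret is incorrect" in text:
        found.append(("bad-shared-secret",
                      "radtest secret differs from clients.conf; the reply cannot be verified"))
    for name, cfg in exec_instances(text).items():
        if "ntlm_auth" in cfg.get("program", "") and cfg.get("wait") == "no":
            found.append(("exec-wait-no",
                          f'exec instance "{name}" has wait = no: the exit status of ntlm_auth is never checked'))
    if re.search(r'mschap: ntlm_auth = "\(null\)"', text):
        found.append(("mschap-without-ntlm_auth",
                      "rlm_mschap has no ntlm_auth command; MS-CHAP requests are not checked against AD"))
    selected = re.search(r"Found Auth-Type (\S+)", text)
    if selected:
        for module, rc in re.findall(r'modcall\[authenticate\]: module "(\w+)" returns (\w+)', text):
            if module != selected.group(1):
                found.append(("auth-type-runs-other-module",
                              f'Auth-Type {selected.group(1)} ran "{module}" ({rc}), not the exec instance'))
    return found


def finding_ids(text: str) -> List[str]:
    """Identifiers only, for scripting."""
    return [ident for ident, _ in triage(text)]
```

Feed it a whole `radiusd -X` capture plus the radtest output and it reports every signature it finds in one pass.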