[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: FreeRADIUS with NTLM Auth not returning VSA after successful auth
From: "Sipes, Nathan" <Nathan_Sipes () kindermorgan ! com>
Date: 2010-11-23 22:59:30
Message-ID: F78E80C344571B4EBCEE766E2A0D56B004A2416023 () lkwex2 ! kindermorgan ! com
[Download RAW message or body]
I am having two problems and not sure where to look
> From the Users file
userjeff Cleartext-Password := "BADPASS"
Juniper-Local-User-Name = "engineer",
Service-Type = Login-User,
Reply-Message = "Hello, %{User-Name}",
Fall-Through = Yes
1. With the DEFAULT Auth-Type = ntlm_auth
a. The nas gets an accept back but the attribute Juniper-Local-User-Name is not \
passed back cat /var/log/radius/radacct/10.34.250.14/reply-detail-20101123
Tue Nov 23 15:44:34 2010
Packet-Type = Access-Accept
2. With the DEFAULT Auth-Type = ntlm_auth commented out PAP isn't happy and I \
get
eady to process requests.
rad_recv: Access-Request packet from host 10.34.250.14 port 62435, id=126, length=71
User-Name = "userjeff"
User-Password = "some_password"
NAS-Identifier = "LKWDCO93S14-lab"
NAS-IP-Address = 10.34.250.14
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: \
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123
[auth_log] expand: %t -> Tue Nov 23 15:57:13 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "userjeff", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "userjeff", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry userjeff at line 107
[files] expand: Hello, %{User-Name} -> Hello, userjeff
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
Login incorrect: [userjeff/some_password] (from client default-network port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> userjeff
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 126 to 10.34.250.14 port 62435
Reply-Message = "Hello, userjeff"
> From radius -X
ad_recv: Access-Request packet from host 10.34.250.14 port 51941, id=158, length=71
User-Name = "userjeff"
User-Password = "some_password"
NAS-Identifier = "LKWDCO93S14-lab"
NAS-IP-Address = 10.34.250.14
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: \
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123 [auth_log] \
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123 [auth_log] expand: %t \
-> Tue Nov 23 15:44:34 2010 ++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "userjeff", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "userjeff", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 94
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=userjeff
[ntlm_auth] expand: --password=%{User-Password} -> --password=some_password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [userjeff] (from client default-network port 0)
+- entering group post-auth {...}
[reply_log] expand: \
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> \
/var/log/radius/radacct/10.34.250.14/reply-detail-20101123 [reply_log] \
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to \
/var/log/radius/radacct/10.34.250.14/reply-detail-20101123 [reply_log] expand: %t \
-> Tue Nov 23 15:44:34 2010 ++[reply_log] returns ok
++[exec] returns noop
Sending Access-Accept of id 158 to 10.34.250.14 port 51941
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 158 with timestamp +15
Ready to process requests.
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type \
content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 \
(filtered medium)"><style><!-- /* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1476339499;
mso-list-type:hybrid;
mso-list-template-ids:-798359058 67698703 67698713 67698715 67698703 67698713 \
67698715 67698703 67698713 67698715;} @list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div \
class=WordSection1><p class=MsoNormal>I am having two problems and not sure where to \
look <o:p></o:p></p><p class=MsoNormal>From the Users file<o:p></o:p></p><p \
class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>userjeff Cleartext-Password \
:= "BADPASS"<o:p></o:p></p><p \
class=MsoNormal> \
Juniper-Local-User-Name = "engineer",<o:p></o:p></p><p \
class=MsoNormal> \
Service-Type = Login-User,<o:p></o:p></p><p \
class=MsoNormal> \
Reply-Message = "Hello, %{User-Name}",<o:p></o:p></p><p \
class=MsoNormal> \
Fall-Through = Yes<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p \
class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph \
style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span \
style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New \
Roman"'> </span></span><![endif]>With the DEFAULT \
Auth-Type = ntlm_auth <o:p></o:p></p><p class=MsoListParagraph \
style='margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo1'><![if \
!supportLists]><span style='mso-list:Ignore'>a.<span style='font:7.0pt "Times New \
Roman"'> </span></span><![endif]>The nas gets an \
accept back but the attribute Juniper-Local-User-Name is not passed back <br>cat \
/var/log/radius/radacct/10.34.250.14/reply-detail-20101123 <o:p></o:p></p><p \
class=MsoListParagraph style='margin-left:1.0in'>Tue Nov 23 15:44:34 \
2010<o:p></o:p></p><p class=MsoListParagraph \
style='margin-left:1.0in'> \
Packet-Type = Access-Accept<o:p></o:p></p><p class=MsoListParagraph \
style='margin-left:1.0in'><o:p> </o:p></p><p class=MsoListParagraph \
style='margin-left:1.0in'><o:p> </o:p></p><p class=MsoListParagraph \
style='margin-left:1.0in'><o:p> </o:p></p><p class=MsoListParagraph \
style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span \
style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New \
Roman"'> </span></span><![endif]>With the DEFAULT \
Auth-Type = ntlm_auth commented out PAP isn’t happy and I get <o:p></o:p></p><p \
class=MsoListParagraph><o:p> </o:p></p><p class=MsoListParagraph>eady to process \
requests.<o:p></o:p></p><p class=MsoListParagraph>rad_recv: Access-Request packet \
from host 10.34.250.14 port 62435, id=126, length=71<o:p></o:p></p><p \
class=MsoListParagraph> User-Name = \
"userjeff"<o:p></o:p></p><p \
class=MsoListParagraph> User-Password = \
"some_password"<o:p></o:p></p><p \
class=MsoListParagraph> NAS-Identifier = \
"LKWDCO93S14-lab"<o:p></o:p></p><p \
class=MsoListParagraph> NAS-IP-Address = \
10.34.250.14<o:p></o:p></p><p class=MsoListParagraph>+- entering group authorize \
{...}<o:p></o:p></p><p class=MsoListParagraph>++[preprocess] returns \
ok<o:p></o:p></p><p class=MsoListParagraph>[auth_log] \
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123<o:p></o:p></p><p \
class=MsoListParagraph>[auth_log] \
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123<o:p></o:p></p><p \
class=MsoListParagraph>[auth_log] expand: %t -> Tue \
Nov 23 15:57:13 2010<o:p></o:p></p><p class=MsoListParagraph>++[auth_log] returns \
ok<o:p></o:p></p><p class=MsoListParagraph>++[chap] returns noop<o:p></o:p></p><p \
class=MsoListParagraph>++[mschap] returns noop<o:p></o:p></p><p \
class=MsoListParagraph>[suffix] No '@' in User-Name = "userjeff", looking \
up realm NULL<o:p></o:p></p><p class=MsoListParagraph>[suffix] No such realm \
"NULL"<o:p></o:p></p><p class=MsoListParagraph>++[suffix] returns \
noop<o:p></o:p></p><p class=MsoListParagraph>[ntdomain] No '\' in User-Name = \
"userjeff", looking up realm NULL<o:p></o:p></p><p \
class=MsoListParagraph>[ntdomain] No such realm "NULL"<o:p></o:p></p><p \
class=MsoListParagraph>++[ntdomain] returns noop<o:p></o:p></p><p \
class=MsoListParagraph>[eap] No EAP-Message, not doing EAP<o:p></o:p></p><p \
class=MsoListParagraph>++[eap] returns noop<o:p></o:p></p><p \
class=MsoListParagraph>++[unix] returns notfound<o:p></o:p></p><p \
class=MsoListParagraph>[files] users: Matched entry userjeff at line \
107<o:p></o:p></p><p \
class=MsoListParagraph>[files] \
expand: Hello, %{User-Name} -> Hello, userjeff<o:p></o:p></p><p \
class=MsoListParagraph>++[files] returns ok<o:p></o:p></p><p \
class=MsoListParagraph>++[expiration] returns noop<o:p></o:p></p><p \
class=MsoListParagraph>++[logintime] returns noop<o:p></o:p></p><p \
class=MsoListParagraph>WARNING: Please update your configuration, and remove \
'Auth-Type = Local'<o:p></o:p></p><p class=MsoListParagraph>WARNING: Use the PAP or \
CHAP modules instead.<o:p></o:p></p><p class=MsoListParagraph>User-Password in the \
request does NOT match "known good" password.<o:p></o:p></p><p \
class=MsoListParagraph>Failed to authenticate the user.<o:p></o:p></p><p \
class=MsoListParagraph>Login incorrect: [userjeff/some_password] (from client \
default-network port 0)<o:p></o:p></p><p class=MsoListParagraph>Using Post-Auth-Type \
Reject<o:p></o:p></p><p class=MsoListParagraph>+- entering group REJECT \
{...}<o:p></o:p></p><p \
class=MsoListParagraph>[attr_filter.access_reject] expand: \
%{User-Name} -> userjeff<o:p></o:p></p><p class=MsoListParagraph> attr_filter: \
Matched entry DEFAULT at line 11<o:p></o:p></p><p \
class=MsoListParagraph>++[attr_filter.access_reject] returns updated<o:p></o:p></p><p \
class=MsoListParagraph>Delaying reject of request 0 for 1 seconds<o:p></o:p></p><p \
class=MsoListParagraph>Going to the next request<o:p></o:p></p><p \
class=MsoListParagraph>Waking up in 0.9 seconds.<o:p></o:p></p><p \
class=MsoListParagraph>Sending delayed reject for request 0<o:p></o:p></p><p \
class=MsoListParagraph>Sending Access-Reject of id 126 to 10.34.250.14 port \
62435<o:p></o:p></p><p \
class=MsoListParagraph> Reply-Message = \
"Hello, userjeff"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p \
class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p \
class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p \
class=MsoNormal>From radius –X <o:p></o:p></p><p class=MsoNormal>ad_recv: \
Access-Request packet from host 10.34.250.14 port 51941, id=158, \
length=71<o:p></o:p></p><p class=MsoNormal> \
User-Name = "userjeff"<o:p></o:p></p><p \
class=MsoNormal> User-Password = \
"some_password"<o:p></o:p></p><p \
class=MsoNormal> NAS-Identifier = \
"LKWDCO93S14-lab"<o:p></o:p></p><p class=MsoNormal> \
NAS-IP-Address = 10.34.250.14<o:p></o:p></p><p \
class=MsoNormal>+- entering group authorize {...}<o:p></o:p></p><p \
class=MsoNormal>++[preprocess] returns ok<o:p></o:p></p><p \
class=MsoNormal>[auth_log] expand: \
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123<o:p></o:p></p><p \
class=MsoNormal>[auth_log] \
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to \
/var/log/radius/radacct/10.34.250.14/auth-detail-20101123<o:p></o:p></p><p \
class=MsoNormal>[auth_log] expand: %t -> Tue Nov 23 \
15:44:34 2010<o:p></o:p></p><p class=MsoNormal>++[auth_log] returns \
ok<o:p></o:p></p><p class=MsoNormal>++[chap] returns noop<o:p></o:p></p><p \
class=MsoNormal>++[mschap] returns noop<o:p></o:p></p><p class=MsoNormal>[suffix] No \
'@' in User-Name = "userjeff", looking up realm NULL<o:p></o:p></p><p \
class=MsoNormal>[suffix] No such realm "NULL"<o:p></o:p></p><p \
class=MsoNormal>++[suffix] returns noop<o:p></o:p></p><p class=MsoNormal>[ntdomain] \
No '\' in User-Name = "userjeff", looking up realm NULL<o:p></o:p></p><p \
class=MsoNormal>[ntdomain] No such realm "NULL"<o:p></o:p></p><p \
class=MsoNormal>++[ntdomain] returns noop<o:p></o:p></p><p class=MsoNormal>[eap] No \
EAP-Message, not doing EAP<o:p></o:p></p><p class=MsoNormal>++[eap] returns \
noop<o:p></o:p></p><p class=MsoNormal>++[unix] returns notfound<o:p></o:p></p><p \
class=MsoNormal>[files] users: Matched entry DEFAULT at line 94<o:p></o:p></p><p \
class=MsoNormal>++[files] returns ok<o:p></o:p></p><p class=MsoNormal>++[expiration] \
returns noop<o:p></o:p></p><p class=MsoNormal>++[logintime] returns \
noop<o:p></o:p></p><p class=MsoNormal>Found Auth-Type = ntlm_auth<o:p></o:p></p><p \
class=MsoNormal>+- entering group authenticate {...}<o:p></o:p></p><p \
class=MsoNormal>[ntlm_auth] expand: \
--username=%{mschap:User-Name} -> --username=userjeff<o:p></o:p></p><p \
class=MsoNormal>[ntlm_auth] expand: \
--password=%{User-Password} -> --password=some_password<o:p></o:p></p><p \
class=MsoNormal>Exec-Program output: NT_STATUS_OK: Success (0x0) <o:p></o:p></p><p \
class=MsoNormal>Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) \
<o:p></o:p></p><p class=MsoNormal>Exec-Program: returned: 0<o:p></o:p></p><p \
class=MsoNormal>++[ntlm_auth] returns ok<o:p></o:p></p><p class=MsoNormal>Login OK: \
[userjeff] (from client default-network port 0)<o:p></o:p></p><p class=MsoNormal>+- \
entering group post-auth {...}<o:p></o:p></p><p \
class=MsoNormal>[reply_log] expand: \
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> \
/var/log/radius/radacct/10.34.250.14/reply-detail-20101123<o:p></o:p></p><p \
class=MsoNormal>[reply_log] \
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to \
/var/log/radius/radacct/10.34.250.14/reply-detail-20101123<o:p></o:p></p><p \
class=MsoNormal>[reply_log] expand: %t -> Tue Nov 23 \
15:44:34 2010<o:p></o:p></p><p class=MsoNormal>++[reply_log] returns \
ok<o:p></o:p></p><p class=MsoNormal>++[exec] returns noop<o:p></o:p></p><p \
class=MsoNormal>Sending Access-Accept of id 158 to 10.34.250.14 port \
51941<o:p></o:p></p><p class=MsoNormal>Finished request 0.<o:p></o:p></p><p \
class=MsoNormal>Going to the next request<o:p></o:p></p><p class=MsoNormal>Waking up \
in 4.9 seconds.<o:p></o:p></p><p class=MsoNormal>Cleaning up request 0 ID 158 with \
timestamp +15<o:p></o:p></p><p class=MsoNormal>Ready to process \
requests.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--===============0165193303==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic