Discussion:
Enabling NTLM causes the daemon not to start...
Matthew Newton
2018-12-06 09:40:14 UTC
On Thu, 2018-12-06 at 09:17 +0000, WAGHORN, Jason (NHS BORDERS) via
When I attempt to launch radiusd, it bombs out with the following
error "/etc/raddb/sites-enabled/inner-tunnel[59]: Errors parsing pap
sub-section."
...
pap {
ntlm_auth
}
}
Mistake on the wiki; I've fixed it.

This should be

Auth-Type pap {

not just

pap {
If I comment out the pap stanza and reinstate the "pap" line - it
launches, but with the side effect that AD authentication isn't
working (although that could easily be something else entirely :))
Probably something else, it's unlikely most devices are using
EAP-TTLS/PAP. Even without those pap parts of the config you should
still find that the MSCHAPv2 methods work, if configured correctly.
Any pointers most welcome - because I cannot for the life of me see
what might be wrong (and I'm a newbie at trying to decipher radius
debug output)
radius -X output below
You've certainly done something right - sending the "-X" output, not
-Xxxx or -Xx or whatever other people keep sending!
--
Matthew

-
List info/subscribe/unsubscribe? See http://www.fr
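
The fix described in the message above, as an added example that is not part of the original thread and is not FreeRADIUS code: a small Python check that flags blocks directly inside authenticate { } that open with a bare module name instead of "Auth-Type <name> {". The sample config, the function name and the list of unlang block keywords are assumptions made for illustration.

```python
# Assumption: unlang keywords that may legitimately open a block inside
# authenticate {}. Extend this set to match your own configuration.
UNLANG_BLOCKS = {"if", "elsif", "else", "group", "redundant", "load-balance",
                 "redundant-load-balance", "switch", "case", "foreach", "update"}

# Constructed sample mirroring the stanza quoted in the thread.
BROKEN = """\
server inner-tunnel {
authenticate {
    pap {
        ntlm_auth
    }
    Auth-Type MS-CHAP {
        mschap
    }
}
}
"""
FIXED = BROKEN.replace("    pap {", "    Auth-Type pap {")


def bare_module_blocks(config_text):
    """Return (line_no, header) for blocks directly inside authenticate {}
    that are neither 'Auth-Type <name> {' nor an unlang keyword block."""
    stack, findings = [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        # Naive comment strip: assumes '#' never appears inside a quoted string.
        line = raw.split("#", 1)[0].strip()
        if line.startswith("}"):          # handles "}" and "} else {"
            if stack:
                stack.pop()
            line = line[1:].strip()
        if line.endswith("{"):
            header = line[:-1].strip()
            words = header.split()
            if stack and stack[-1] == "authenticate" and words:
                if words[0] != "Auth-Type" and words[0] not in UNLANG_BLOCKS:
                    findings.append((line_no, header))
            stack.append(header)
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, bare_module_blocks(text))
```

Running a check like this over sites-enabled/ before restarting radiusd catches the mistake without taking the daemon down.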
Matthew Newton
2018-12-06 09:58:43 UTC
On Thu, 2018-12-06 at 09:47 +0000, WAGHORN, Jason (NHS BORDERS) via
Post by Matthew Newton
Mistake on the wiki; I've fixed it.
This should be
Auth-Type pap {
not just
pap {
Splendid - the daemon starts now - so anything else is my own fault
:)
Great.

You also need to edit this file and set the domain correctly:

# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
    shell_escape = yes
}

(You can also run that command from the shell manually and check that
it authenticates.)
Post by Matthew Newton
You've certainly done something right - sending the "-X" output,
not -Xxxx or -Xx or whatever other people keep sending!
I try to follow the rules... I'm not Song Zou :)
Thanks, it's nice when someone actually reads them. Makes it easier for
everyone.
--
Matthew
