802.1x machine authentication patch help

Jamie Crawford crawford at cmsu1.cmsu.edu
Mon Nov 21 15:54:11 CET 2005


I found my problem.  From Andrew Bartlett himself: "This is not supported
against NT4.  Only Samba 3.0.21rc1 and AD support this extra flag."  To do
machine authentication with freeradius, your workstation (supplicant) and
samba server must be members of a 2000/2003 domain.  I had the supplicant
and samba server still members of the nt4 domain.  Once I changed this, it
worked great.  We're still in the middle of a migration from nt4 to 2003
and all accounts still authenticate fine.

Thanks for everyone's help!!!!!!

jamie




>>> mgriego at utdallas.edu 11/18/2005 12:16:43 PM >>>
Make sure you used the rlm_MSchap module from the snapshot, not the 
rlm_chap module.  They're different.

--Mike


Jamie Crawford wrote:
> Hi,
> I am trying to get machine authentication working with freeradius.  I
> have patched the samba code and freeradius code.  But am getting this
> error when the machine tries to authenticate.  I patched the rlm_chap
> module by taking last night's cvs snapshot and copying over the rlm_chap
> folder, overwriting the contents of the same folder in the
> freeradius-1.0.5 release and recompiling.  I see that it is trying to
> pass the username as "host/IS--000031176".  I thought the updated
> rlm_mschap was supposed to strip the "host/" part of the username.  Do
> I need to create a realm to strip the "host/"?
> Any help would be appreciated!!!
> Thanks,
> jamie
>
>
> make clean
>
> ./configure --configure --with-raddbdir=/etc/radius
> --with-logdir=/var/log/radius --disable-snmp --without-rlm_sql
> --without-rlm_ldap --without-rlm_krb5
>
> make
>
> make install
>
> modcall: entering group Auth-Type for request 6
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for host/IS--000031176 with NT-Password
> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
>  mschap2: d3
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> radius_xlat:  '/usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--000031176 --challenge=12345ce0768615e --nt-response=123456f1011a2f799b5d62e04bad8bb39719fa48c3d11299e'
> Exec-Program: /usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--000031176 --challenge=123453ce0768615e --nt-response=12345f1011a2f799b5d62e04bad8bb39719fa48c3d11299e
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html 
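
An added triage example, not part of the original thread or of FreeRADIUS: it pulls each `ntlm_auth` invocation out of debug output like the one quoted above and reports the username form, the `--domain` value and the returned NT status. The function names and the sample log (host name, challenge and response values) are constructed for illustration.

```python
import re
import shlex

# Constructed sample modelled on the debug output quoted in the thread;
# the host name, challenge and response values are made up.
SAMPLE_LOG = """\
  rlm_mschap: Told to do MS-CHAPv2 for host/EXAMPLE-PC01 with NT-Password
Exec-Program: /usr/bin/ntlm_auth --domain= --request-nt-key --username=host/EXAMPLE-PC01 --challenge=0011223344556677 --nt-response=00112233445566778899aabbccddeeff0011223344556677
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
"""

NTSTATUS_NAMES = {0xC000006D: "STATUS_LOGON_FAILURE"}

def parse_ntlm_auth_calls(log_text):
    """Return one dict per ntlm_auth invocation found in the debug log."""
    calls, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Exec-Program: ") and "ntlm_auth" in line:
            argv = shlex.split(line[len("Exec-Program: "):])
            # --key=value and bare --flag options both end up in the dict.
            options = dict(a[2:].partition("=")[::2]
                           for a in argv[1:] if a.startswith("--"))
            current = {"program": argv[0], "options": options,
                       "status": None, "exit_code": None}
            calls.append(current)
        elif current and line.startswith("Exec-Program output:"):
            m = re.search(r"\(0x([0-9a-fA-F]{8})\)", line)
            current["status"] = int(m.group(1), 16) if m else None
        elif current and line.startswith("Exec-Program: returned:"):
            current["exit_code"] = int(line.rsplit(":", 1)[1])
    return calls

def describe(call):
    """Summarise what was sent to ntlm_auth and how the domain answered."""
    opts, notes = call["options"], []
    if opts.get("username", "").lower().startswith("host/"):
        notes.append("machine account (host/ prefix passed through)")
    if opts.get("domain") == "":
        notes.append("empty --domain")
    if call["status"] is not None:
        notes.append(NTSTATUS_NAMES.get(call["status"], hex(call["status"])))
    return notes

if __name__ == "__main__":
    for call in parse_ntlm_auth_calls(SAMPLE_LOG):
        print(call["options"].get("username"), call["exit_code"], describe(call))
```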