AW: AW: PEAP+MSCHAP+AD (please help)

Hector.Ortiz at swisscom.com Hector.Ortiz at swisscom.com
Wed Dec 13 10:26:18 CET 2006


Hi, I've followed Phil's advice and ran

netsh ras set tracing * enable

on the Windows client. I first tried an automatic login and then a manual one. The CHAP log generated by Windows is as follows:


[356] 12-11 13:11:49:953: RasEapGetIdentity
[356] 12-11 13:11:49:953: ReadUserData
[356] 12-11 13:11:49:953: ReadConnectionData
[2052] 12-11 13:11:50:864: EapChapBeginMSChapV2
[2052] 12-11 13:11:50:864: ReadUserData
[2052] 12-11 13:11:50:864: ReadConnectionData
[2052] 12-11 13:11:50:864: EapChapBeginCommon
[2052] 12-11 13:11:50:864: ChapBegin(fS=0,bA=0x81)
[2052] 12-11 13:11:50:864: ChapBegin done.
[2052] 12-11 13:11:50:864: ChapMakeMessage,RBuf=00000000
[2052] 12-11 13:11:50:864: ChapCMakeMessage...
[2052] 12-11 13:11:50:864: CS_Initial
[2052] 12-11 13:11:50:864: EapMSChapv2MakeMessage
[2052] 12-11 13:11:50:864: EapMSChapv2CMakeMessage
[2052] 12-11 13:11:50:864: EMV2_Initial
[2052] 12-11 13:11:50:864: ChapMakeMessage,RBuf=10163023
[2052] 12-11 13:11:50:864: ChapCMakeMessage...
[2052] 12-11 13:11:50:864: CS_WaitForChallenge
[2052] 12-11 13:11:50:864: MakeResponseMessage...
[2052] 13:11:50:864: GetChallengeResponse
[2052] 13:11:50:864: RegisterLSA
[2052] 13:11:50:864: GetChallengeResponse Success
[2052] 13:11:50:864: GetChallengeResponse
[2052] 13:11:50:864: RegisterLSA
[2052] 13:11:50:864: GetChallengeResponse Success
[2052] 12-11 13:11:50:864: GetChallengeResponse=0
02 09 00 47 31 16 91 4A BB 0F C1 CF 81 D2 AD 9F |...G1..J........|
C6 FD FD D8 18 00 00 00 00 00 00 00 00 88 DF 78 |...............x|
8C 30 79 E0 53 C7 4C A6 19 5D EE 1A 00 8D 7C 2A |.0y.S.L..]....|*|
C7 90 FF 88 36 00 44 4F 4D 41 49 4E 5C 54 45 53 |....6.DOMAIN\TES|
54 55 53 45 52 00 00 00 00 00 00 00 00 00 00 00 |TUSER...........|
[2052] 12-11 13:11:58:985: EapMSChapv2MakeMessage
[2052] 12-11 13:11:58:985: EapMSChapv2CMakeMessage
[2052] 12-11 13:11:58:985: EMV2_ResponseSend
[2052] 12-11 13:11:58:985: Got a Code Failure when expecting Response.  Failing Auth
[348] 12-11 13:12:22:314: EapMSChapv2End
[348] 12-11 13:12:22:314: ChapEnd
[2052] 12-11 13:12:39:816: RasEapGetIdentity
[2052] 12-11 13:12:39:816: ReadUserData
[2052] 12-11 13:12:39:816: ReadConnectionData
[3496] 12-11 13:12:39:966: EapChapBeginMSChapV2
[3496] 12-11 13:12:39:966: ReadUserData
[3496] 12-11 13:12:39:966: ReadConnectionData
[3496] 12-11 13:12:39:966: EapChapBeginCommon
[3496] 12-11 13:12:39:966: ChapBegin(fS=0,bA=0x81)
[3496] 12-11 13:12:39:966: ChapBegin done.
[3496] 12-11 13:12:39:966: ChapMakeMessage,RBuf=00000000
[3496] 12-11 13:12:39:966: ChapCMakeMessage...
[3496] 12-11 13:12:39:966: CS_Initial
[3496] 12-11 13:12:39:966: EapMSChapv2MakeMessage
[3496] 12-11 13:12:39:966: EapMSChapv2CMakeMessage
[3496] 12-11 13:12:39:966: EMV2_Initial
[3496] 12-11 13:12:39:966: ChapMakeMessage,RBuf=10163023
[3496] 12-11 13:12:39:966: ChapCMakeMessage...
[3496] 12-11 13:12:39:966: CS_WaitForChallenge
[3496] 12-11 13:12:39:966: MakeResponseMessage...
[3496] 13:12:39:966: GetChallengeResponse
[3496] 13:12:39:966: GetDESChallengeResponse
[3496] 13:12:39:966: GetDESChallengeResponse Success
[3496] 13:12:39:966: GetMD5ChallengeResponse Success
[3496] 13:12:39:966: GetMD5ChallengeResponse Success
[3496] 13:12:39:966: GetChallengeResponse Success
[3496] 12-11 13:12:39:966: GetChallengeResponse=0
02 09 00 47 31 94 01 2F 4B 82 44 97 AE AC 27 F6 |...G1../K.D...'.|
0E 95 AD C5 69 00 00 00 00 00 00 00 00 7D B8 B6 |....i........}..|
08 24 86 E1 D0 C4 3B FA CC 43 FB FA 6E F5 5D 9F |.$....;..C..n.].|
3E EE 9E A8 11 00 44 4F 4D 41 49 4E 5C 74 65 73 |>.....DOMAIN\tes|
74 75 73 65 72 00 00 00 00 00 00 00 00 00 00 00 |tuser...........|
[3496] 12-11 13:12:40:176: EapMSChapv2MakeMessage
[3496] 12-11 13:12:40:176: EapMSChapv2CMakeMessage
[3496] 12-11 13:12:40:176: EMV2_ResponseSend
[3496] 12-11 13:12:40:176: ChapMakeMessage,RBuf=10163023
[3496] 12-11 13:12:40:176: ChapCMakeMessage...
[3496] 12-11 13:12:40:176: CS_ResponseSent
[3496] 12-11 13:12:40:176: Message received...
03 09 00 2E 53 3D 30 36 42 39 38 32 31 34 43 38 |....S=06B98214C8|
43 36 30 44 43 37 42 37 32 38 34 44 34 34 41 41 |C60DC7B7284D44AA|
39 43 46 38 35 44 38 34 30 37 36 38 34 44 00 00 |9CF85D8407684D..|
[3496] 12-11 13:12:40:176: Done :)
[3496] 12-11 13:12:40:176: GetClientMPPEKeys
[3496] 12-11 13:12:40:186: EapMSChapv2MakeMessage
[3496] 12-11 13:12:40:186: EapMSChapv2CMakeMessage
[3496] 12-11 13:12:40:186: EMV2_CHAPAuthSuccess
[3496] 12-11 13:12:40:186: AllocateUserDataWithEncPwd
[3496] 12-11 13:12:40:237: EapMSChapv2End
[3496] 12-11 13:12:40:237: ChapEnd

Windows sends both domain and username, but only the manual login succeeds.

For the manual login, Windows uses DES and MD5, but for the automatic one it uses the Local Security Authority. I don't think this has anything to do with my problem, does it?

I've also tried other things on the client side:

Cleaned cached user credentials from regedit, just in case, but the result is the same.
I've tried using different computers and the result is the same.
Using a different supplicant (SecureW2) seemed to work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic and manual logins worked on my computer through SW2. Then I tried it on another computer, and it didn't work.
Different accounts, and the result is the same.

I haven't yet tried bumping the debugging level in Samba. I was just trying things on the client side, but unfortunately nothing succeeded :(

Well, now I have to try things on the server side.

Do you have any more ideas to try?

Héctor




-----Original Message-----
From: freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org] On behalf of Phil Mayers
Sent: Monday, 11 December 2006 11:26
To: FreeRadius users mailing list
Subject: Re: AW: PEAP+MSCHAP+AD (please help)

Hector.Ortiz at swisscom.com wrote:
> Hello. No, I haven't edited the debug output. Why would I do this if I 
> have a problem that I want to get solved? The debug output is exactly 
> what I get from FreeRadius.

People do some surprising things on this mailing list...

I saw that you had a domain called DOMAIN, which is not very common, and assumed "the worst" i.e. that you had edited the output.

> 
> There have been more people in this list with the same problem, being 
> the latest 
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html.
> Even though he found a solution for his own problem, I followed his 
> howto but unfortunately it didn't work for me.
> 
> About the client, when I turn the computer on, I have to type in the 
> user credentials, the same ones that I use when testing FreeRadius.
> Windows sends FreeRadius the same user information in the two cases, 
> but the outcome is completely different and this of course makes no 
> sense.
> 
> There is no trick, this is a real problem I have.

I didn't imagine you were trying to trick us.

As far as I can tell, your FreeRadius configuration looks correct. It's able to answer at least some MS-CHAP requests, and as you say there's no real difference as far as the server is concerned between an automatic and a manual client login.

This makes me suspect that there *is* a difference between the two on the client side.

Couple of other things you could try:

netsh ras set tracing * enable

...on the Windows client side, then inspect the logs (if memory serves they go to %WINDIR%/system32/tracing).

Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, you're not trying to authenticate a trusted domain user?

Finally, I see you've got the ntlm_auth helper set to:

/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

You could try removing the --domain argument completely - though you should not need to.

You could obviously also bump the Samba debugging level for a failing login and inspect the samba logs.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html