problems with machine authentication

wekz fbl.list at gmail.com
Tue May 9 18:03:01 CEST 2006


Hello everybody,

last week I was working on a freeradius 1.1.1 + ldap setup with domain
authentication. I got it running with the help of Phil Mayers, using this
configuration:

authorize {
  preprocess
  ntdomain
  # other modules
}

realm MYDOMAIN {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  strip
}

But it didn't work until I enabled ntdomain_hack in the mschap module:

with_ntdomain_hack = yes

The truth is I don't understand it at all. Here's my thinking:

When someone who belongs to a domain tries to authenticate, Windows sends a
string like this in the request packet:

                MYDOMAIN\\username

In the authorization part, using the realm ntdomain, the server can strip
the User-Name and use only username, so it can find it in ldap.
But when it comes to the authorization module, it fails. Here's part of the
log:

Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
...............
rad_recv: Access-Request packet from host 192.168.51.162:1024, id=50,
length=279
        Acct-Session-Id = "2a6bb0b4-00000017"
        NAS-Port = 8
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1496
        Framed-IP-Address = 255.255.255.254
        User-Name = "MYDOMAIN\\prueba_freeradius"
        Calling-Station-Id = "00-04-23-8D-4B-0E"
        Service-Type = Framed-User
        EAP-Message =
0x02b1006c190017030100610d895f029ebe43af255559638cf1e7e9d0639a11e7d7dfec4a794bee5fbee0a2bf64947cd8a99ad354fa03d6a0913904068c58dd975f8a122a929bc477b2af67b8907c9a4c6a2765188e878ca77f07e45a5329a20fd473989289fdfe3c23eb646b

        State = 0x908673323bd5eac7e882e906e316049f
        Colubris-AVPair = "ssid=aamm"
        Message-Authenticator = 0x8e2b19ea1dfd0d6f0f5b4c895f619818
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module "preprocess" returns ok for request 14
    rlm_realm: Looking up realm "MYDOMAIN" for User-Name =
"MYDOMAIN\prueba_freeradius"
    rlm_realm: Found realm "MYDOMAIN"
    rlm_realm: Adding Stripped-User-Name = "prueba_freeradius"
    rlm_realm: Proxying request from user prueba_freeradius to realm
MYDOMAIN
    rlm_realm: Adding Realm = "MYDOMAIN"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 14
radius_xlat:
'/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509'

rlm_detail:
/usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509

  modcall[authorize]: module "auth_log" returns ok for request 14
  modcall[authorize]: module "chap" returns noop for request 14
  modcall[authorize]: module "mschap" returns noop for request 14
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 14
  rlm_eap: EAP packet type response id 177 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 14
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prueba_freeradius
radius_xlat:  '(uid=prueba_freeradius)'
radius_xlat:  'ou=Central,dc=bcn,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter
(uid=prueba_freeradius)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value xxx & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user prueba_freeradius authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 14
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module "files" returns ok for request 14
modcall: leaving group authorize (returns updated) for request 14
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message =
0x02b100551a02b1005031d780cac8a727745249e57389beb21e6800000000000000004a4d93fb40b1108062905326a78ff4081fea67b75e569815004d59444f4d41494e5c7072756562615f66726565726164697573

  PEAP: Setting User-Name to MYDOMAIN\prueba_freeradius
  PEAP: Adding old state with dc 47
  PEAP: Sending tunneled request
        EAP-Message =
0x02b100551a02b1005031d780cac8a727745249e57389beb21e6800000000000000004a4d93fb40b1108062905326a78ff4081fea67b75e569815004d59444f4d41494e5c7072756562615f66726565726164697573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "MYDOMAIN\\prueba_freeradius"
        State = 0xdc47453244df028b4a9c81ff38a17be9
        Acct-Session-Id = "2a6bb0b4-00000017"
        NAS-Port = 8
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1496
        Framed-IP-Address = 255.255.255.254
        Calling-Station-Id = "00-04-23-8D-4B-0E"
        Service-Type = Framed-User
        Colubris-AVPair = "ssid=aamm"
        NAS-IP-Address = 192.168.51.162
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module "preprocess" returns ok for request 14
    rlm_realm: Looking up realm "MYDOMAIN" for User-Name =
"MYDOMAIN\prueba_freeradius"
    rlm_realm: Found realm "MYDOMAIN"
    rlm_realm: Adding Stripped-User-Name = "prueba_freeradius"
    rlm_realm: Proxying request from user prueba_freeradius to realm
MYDOMAIN
    rlm_realm: Adding Realm = "MYDOMAIN"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 14
radius_xlat:
'/usr/local/radius_regex/var/log/radius/radacct/127.0.0.1/auth-detail-20060509'

rlm_detail:
/usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/radius_regex/var/log/radius/radacct/127.0.0.1/auth-detail-20060509

  modcall[authorize]: module "auth_log" returns ok for request 14
  modcall[authorize]: module "chap" returns noop for request 14
  modcall[authorize]: module "mschap" returns noop for request 14
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 14
  rlm_eap: EAP packet type response id 177 length 85
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 14
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prueba_freeradius
radius_xlat:  '(uid=prueba_freeradius)'
radius_xlat:  'ou=Central,dc=bcn,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter
(uid=prueba_freeradius)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value xxx & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user prueba_freeradius authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 14
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module "files" returns ok for request 14
modcall: leaving group authorize (returns updated) for request 14
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 14
  rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for MYDOMAIN\prueba_freeradius with
NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 14
modcall: leaving group MS-CHAP (returns reject) for request 14
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 14
modcall: leaving group authenticate (returns reject) for request 14
auth: Failed to validate the user.
Login incorrect: [prueba_freeradius/<no User-Password attribute>] (from
client localhost port 8 cli 00-04-23-8D-4B-0E)
  PEAP: Got tunneled reply RADIUS code 3
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-CHAP-Error = "\261E=691 R=1"
        EAP-Message = 0x04b10004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x8153428 3
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-CHAP-Error = "\261E=691 R=1"
        EAP-Message = 0x04b10004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 14
modcall: leaving group authenticate (returns handled) for request 14
Sending Access-Challenge of id 50 to 192.168.51.162 port 1024
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message =
0x01b200261900170301001b6c9a8c161b62aec589f4a4f92e58f4c76ec7ae250761970d9213c7

        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa18cd510394250c8136571f619e429e0
Finished request 14
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.51.162:1024, id=36,
length=209
        Acct-Session-Id = "2a6bb0b4-00000017"
        NAS-Port = 8
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1496
        Framed-IP-Address = 255.255.255.254
        User-Name = "MYDOMAIN\\prueba_freeradius"
        Calling-Station-Id = "00-04-23-8D-4B-0E"
        Service-Type = Framed-User
        EAP-Message =
0x02b200261900170301001bd89d386a7c80dcf210c271671421915148555085d02e7c2a34149e

        State = 0xa18cd510394250c8136571f619e429e0
        Colubris-AVPair = "ssid=aamm"
        Message-Authenticator = 0xacf972ea063d9318ee2b2dad1613cc3c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
  modcall[authorize]: module "preprocess" returns ok for request 15
    rlm_realm: Looking up realm "MYDOMAIN" for User-Name =
"MYDOMAIN\prueba_freeradius"
    rlm_realm: Found realm "MYDOMAIN"
    rlm_realm: Adding Stripped-User-Name = "prueba_freeradius"
    rlm_realm: Proxying request from user prueba_freeradius to realm
MYDOMAIN
    rlm_realm: Adding Realm = "MYDOMAIN"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 15
radius_xlat:
'/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509'

rlm_detail:
/usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509

  modcall[authorize]: module "auth_log" returns ok for request 15
  modcall[authorize]: module "chap" returns noop for request 15
  modcall[authorize]: module "mschap" returns noop for request 15
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 15
  rlm_eap: EAP packet type response id 178 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 15
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prueba_freeradius
radius_xlat:  '(uid=prueba_freeradius)'
radius_xlat:  'ou=Central,dc=bcn,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter
(uid=prueba_freeradius)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value xxx & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user prueba_freeradius authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 15
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module "files" returns ok for request 15
modcall: leaving group authorize (returns updated) for request 15
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 15
modcall: leaving group authenticate (returns invalid) for request 15
auth: Failed to validate the user.
Login incorrect: [prueba_freeradius/<no User-Password attribute>] (from
client ap port 8 cli 00-04-23-8D-4B-0E)
Delaying request 15 for 1 seconds
Finished request 15
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 36 to 192.168.51.162 port 1024

After reading the comments on with_ntdomain_hack, what I get is this: the
first time Windows sends the identity, the User-Name = MYDOMAIN\\username, but
when it responds to the Access-Challenge, the User-Name = username.

I wonder why the server expects MYDOMAIN\\username.

After the realm, the server will only see User-Name = username in
ldap authorization. And as Windows sends only username when replying to the
challenge, I thought the realm was not going to be applicable this second time.

So I think I don't understand this operation.

And as I don't understand it, I can't work out a new configuration like
freeradius 1.1.1 + ldap + machine authentication, where:

                  User-Name = host/username

I have tried it by making a new realm with this configuration:

radiusd.conf:

        realm hostdm {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }

        authorize {
                preprocess
                hostdm
                # other modules
        }

proxy.conf:

        realm host {
                type = radius
                authhost = LOCAL
                accthost = LOCAL
                strip
        }

But that got me into the same situation as with ntdomain +
with_ntdomain_hack=no.

Then I tried with the hints file:

        DEFAULT User-Name =~ "^([^/]+)/([^/]+)"
                User-Name := `%{2}`

But the same. So I don't know what to do. Is there another feature like
with_ntdomain_hack for this?
I could post some logs if needed.

If there is something unintelligible, please tell me, because my English is
terrible, as you can notice.

Thanks.