AW: freeradius and ntlm_auth howto

Stieven.Struyf at komatsu.eu Stieven.Struyf at komatsu.eu
Thu Nov 16 09:42:15 CET 2006


I finally managed to filter out the last issues with my setup. When I have
more time I will post a small howto that worked for me.
Although people on the list told me that there are plenty of guides already,
I couldn't find one that worked.

Thanks everyone for all hints that helped me.

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf at komatsu.eu
Tel. +32 (0)2 2552551

freeradius-users-bounces+stieven.struyf=komatsu.eu at lists.freeradius.org 
wrote on 11/06/2006 04:36:25 PM:

> Actually this is the exact same problem I have. I need to type my 
> credentials in for authentication to work. If I let windows do it, I
> won't get in. 
> 
> If any of you could please help us out with this issue, that'd be great
> 
> Cheers
> 
> Héctor
> 
> 
> 
> From: freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com at lists.freeradius.org] On behalf of Stieven.Struyf at komatsu.eu
> Sent: Monday, 6 November 2006 16:17
> To: King, Michael
> Cc: freeradius-users at lists.freeradius.org
> Subject: RE: freeradius and ntlm_auth howto

> 
> Michael,
> The configuration works when I type in my username as
> 'username at domain'; when I let Windows fill it in I don't get in.
> My password gets locked after 3 attempts, and the wifi retries
> several times. If you look higher in the file you will see another
> error: (logon failure)
>
> It works with the standard certs, so for finding a good working
> configuration this is ok for now. Obviously I will change this for
> production.
> 
> Stieven Struyf
> M.I.S. Division - System Operations 
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> Stieven.Struyf at komatsu.eu
> Tel. +32 (0)2 2552551 
> 

> 
> "King, Michael" <MKing at bridgew.edu>
> 11/06/2006 04:04 PM
> To: <Stieven.Struyf at komatsu.eu>, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> cc:
> Subject: RE: freeradius and ntlm_auth howto
>
> Some things I've noticed from your attached files 
> 
> Module: Loaded MS-CHAP 
> mschap: use_mppe = yes
> mschap: require_encryption = yes
> mschap: require_strong = yes 
> 
> I've never enabled these before, I'm unaware what effect they will have
> 
> 
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/etc/raddb/certs/dh"
> tls: random_file = "/etc/raddb/certs/random" 
> 
> Did you generate your OWN certs... The ones that ship with the
> server ARE NOT valid. You have to generate your own.
> 
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2 
> 
> That doesn't look right 
> 
> 
> 
> BUT YOUR FINAL ANSWER: 
> 
> 
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
> Exec-Program output: Account locked out (0xc0000234)
> Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> 
> 
> Your account in the domain is not correct. 
> 
> Looks like it's been disabled or something. 
> 
> Fix that first before you change any more config files.
> 
> From: Stieven.Struyf at komatsu.eu [mailto:Stieven.Struyf at komatsu.eu] 
> Sent: Monday, November 06, 2006 3:16 AM
> To: King, Michael
> Subject: Fw: freeradius and ntlm_auth howto
> 
> 
> Michael,
> I sent my reply already to the list, but due to the size (larger than
> 100k) it had to be reviewed by the admin and after a week it was
> rejected.
> Below you can find the mail. Thanks for helping me.
> 
> Stieven Struyf
> M.I.S. Division - System Operations 
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> Stieven.Struyf at komatsu.eu
> Tel. +32 (0)2 2552551 
> ----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -----
> 
> Stieven Struyf/KEISA/BE/KOMEUR
> 11/02/2006 08:55 AM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> cc:
> Subject: RE: freeradius and ntlm_auth howto
>
> I added the debuglog as attachment (as it is a little large to paste here).
> This is the mschap config:
> mschap {
>         authtype = MS-CHAP
>         use_mppe = yes
>         require_strong = yes
>         with_ntdomain_hack = yes
>         require_encryption = yes
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
> }
> 
> 
> Stieven Struyf
> M.I.S. Division - System Operations 
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> Stieven.Struyf at komatsu.eu
> Tel. +32 (0)2 2552551 
> 
> freeradius-users-bounces+stieven.struyf=komatsu.eu at lists.freeradius.org wrote on 10/27/2006 04:36:00 PM:
> 
> > Let's see if we can get this solved... 
> > 
> > > -----Original Message-----
> > > Here's the full log: 
> > > Waking up in 6 seconds... 
> > > rad_recv: Access-Request packet from host 10.104.254.73:1645, 
> > 
> > This is NOT the full log.  The full log would have started with the line
> > /path/to/radiusd -X
> > 
> > Some important stuff is printed out there, it helps us help you. 
> > 
> > 
> > >   rlm_mschap: NT Domain delimeter found, should we have 
> > > enabled with_ntdomain_hack? 
> > >   rlm_mschap: NT Domain delimeter found, should we have 
> > > enabled with_ntdomain_hack? 
> > 
> > Did you enable Ntdomain Hack in the MSCHAP module?  (See below)
> > 
> > 
> > Including your radius.conf file would help.
> > 
> > 
> > > > HOWEVER, first you may want to check your mschap module definition:
> > > > 
> > > > modules {
> > > >    mschap {
> > > >      ntlm_auth = "/usr/bin/ntlm_auth \
> > > >   --request-nt-key \
> > > >   --username=%{mschap:User-Name:-None} \
> > > >   --domain=%{mschap:NT-Domain:-None} \
> > > >   --challenge=%{mschap:Challenge:-00} \
> > > >   --nt-response=%{mschap:NT-Response:-00}"
> > > > 
> > > > ...all on one line of course. Note the use of the 
> > > "mschap:User-Name" 
> > > > and "mschap:NT-Domain" values.
> > 
> > My radiusd.conf file's mschap section looks like this:
> > NOTE that I do NOT have the :-00 and the :-None statements, and I DO
> > have with_ntdomain_hack=yes
> > 
> > 
> >         # Microsoft CHAP authentication
> >         #
> >         #  This module supports MS-CHAP and MS-CHAPv2 authentication.
> >         #  It also enforces the SMB-Account-Ctrl attribute.
> >         #
> >         mschap {
> >                 with_ntdomain_hack = yes
> >                 ntlm_auth = "/usr/bin/ntlm_auth \
> >                         --request-nt-key \
> >                         --username=%{mschap:User-Name} \
> >                         --challenge=%{mschap:Challenge} \
> >                         --nt-response=%{mschap:NT-Response}"
> >         }
> > 
> > 
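As an added example (not code from this thread, FreeRADIUS or Samba), the POSIX sh script below mimics what the mschap settings discussed here do to User-Name before ntlm_auth is called: it splits the Windows-supplied "DOMAIN\user" or a typed "user@realm" into the bare account name and a separate --domain (the with_ntdomain_hack behaviour), builds the ntlm_auth command line without executing it, and classifies ntlm_auth's stdout plus exit status the way rlm_mschap reads them, including the "Account locked out (0xc0000234)" result quoted above. The account, domain, challenge and response values are constructed.

```shell
#!/bin/sh
# Added example (not FreeRADIUS or Samba code): mimic what the mschap
# settings in this thread do to User-Name before ntlm_auth runs, and read
# ntlm_auth's verdict back the way rlm_mschap does (stdout + exit status).

# Windows supplies "DOMAIN\user"; a typed login may be "user@realm".
# with_ntdomain_hack strips the domain so ntlm_auth gets the bare account
# name and a separate --domain. Prints "user domain" on one line.
split_user_name() {
    name=$1
    case $name in
        *\\*) domain=${name%%\\*}; user=${name#*\\} ;;
        *@*)  user=${name%%@*};    domain=${name#*@} ;;
        *)    user=$name;          domain=None ;;  # like the :-None default
    esac
    printf '%s %s\n' "$user" "$domain"
}

# Build (but do not run) the ntlm_auth command line rlm_mschap would exec.
# $1 User-Name, $2 MS-CHAP challenge (hex), $3 NT-Response (hex).
ntlm_auth_args() {
    pair=$(split_user_name "$1")
    user=${pair%% *}; domain=${pair#* }
    printf '/usr/bin/ntlm_auth --request-nt-key --username=%s --domain=%s' \
        "$user" "$domain"
    printf ' --challenge=%s --nt-response=%s\n' "$2" "$3"
}

# Classify ntlm_auth's result: $1 = its stdout, $2 = its exit status.
# Success prints "NT_KEY: <hex>" and exits 0; failures exit 1 with an NT
# status text such as the thread's "Account locked out (0xc0000234)".
classify_ntlm_auth() {
    case "$2:$1" in
        0:NT_KEY:*)    echo accept ;;
        *0xc0000234*)  echo locked-out ;;       # NT_STATUS_ACCOUNT_LOCKED_OUT
        *0xc000006d*)  echo bad-credentials ;;  # NT_STATUS_LOGON_FAILURE
        *)             echo reject ;;
    esac
}

# Demo with constructed values; the hex strings are not real traffic.
for n in 'EXAMPLE\alice' 'alice@example.org' alice; do
    ntlm_auth_args "$n" 0011223344556677 00112233445566778899aabbccddeeff00112233
done
classify_ntlm_auth 'Account locked out (0xc0000234)' 1
```

Every supplicant retry that reaches ntlm_auth with a mis-split name counts against the domain lockout threshold, which is how the locked-out status in the log above arises, so alerting on the locked-out class separately from plain rejects tells you whether a name-handling problem, rather than a wrong password, is behind the failures.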