RE: freeradius and ntlm_auth howto


michael,
The configuration works when i type in my username as 'username@domain', when i let windows fill it in i don't get in.
My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error:(logon failure)

It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously i will change this for production.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551


"King, Michael" <MKing@bridgew.edu>

11/06/2006 04:04 PM

To
<Stieven.Struyf@komatsu.eu>, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
cc
Subject
RE: freeradius and ntlm_auth howto





Some things I've noticed from your attached files
 
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
 
I've never enabled these before, I'm unaware what affect they will have
 
 
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
 
Did you generate your OWN certs...  They one's that ship with the server ARE NOT vailid. You have to generate your own.
 
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
 
That doesn't look right
 
 
 
BUT YOUR FINAL ANSWER:
 
 
xec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc0000234)
Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
Exec-Program: returned: 1
 rlm_mschap: External script failed.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 
 
Your account in the domain is not correct.
 
Looks like it's been disabled or something.
 
Fix that first before you change anymore config files.

From: Stieven.Struyf@komatsu.eu [mailto:Stieven.Struyf@komatsu.eu]
Sent: Monday, November 06, 2006 3:16 AM
To: King, Michael
Subject: Fw: freeradius and ntlm_auth howto

Michael,
I sent my reply already to the list, but due to the size(larger than 100k) it had to be reviewed by the admin and after a week it was rejected.
Below you can find the mail. Thanks for helping me.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551
----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -----
Stieven Struyf/KEISA/BE/KOMEUR

11/02/2006 08:55 AM


To
FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
cc
Subject
RE: freeradius and ntlm_auth howtoLink






I added the debuglog as attachment(as it is a little large to paste here).
This is the mschap config:
mschap {
               authtype = MS-CHAP
               use_mppe = yes
               require_strong = yes
               with_ntdomain_hack = yes
               require_encryption = yes
               ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
       }


Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551

freeradius-users-bounces+stieven.struyf=komatsu.eu@lists.freeradius.org wrote on 10/27/2006 04:36:00 PM:

> Let's see if we can get this solved...
>
> > -----Original Message-----
> > Here's the full log:
> > Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 10.104.254.73:1645,
>
> This is NOT the full log.  The full log would have started with the line
> /path/to/radiusd -X
>
> Some important stuff is printed out there, it helps us help you.  
>
>
> >   rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack?
> >   rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack?
>
> Did you enable Ntdomain Hack in the MSCHAP module?  (See below)
>
>
> Including your radius.conf file would help.
>
>
> > > HOWEVER, first you may want to check your mschap module definition:
> > >
> > > modules {
> > >    mschap {
> > >      ntlm_auth = "/usr/bin/ntlm_auth \
> > >   --request-nt-key \
> > >   --username=%{mschap:User-Name:-None} \
> > >   --domain=%{mschap:NT-Domain:-None} \
> > >   --challenge=%{mschap:Challenge:-00} \
> > >   --nt-response=%{mschap:NT-Response:-00}"
> > >
> > > ...all on one line of course. Note the use of the
> > "mschap:User-Name"
> > > and "mschap:NT-Domain" values.
>
> Mine radiusd.conf file's mschap section looks like this:
> NOTE that I do NOT have the :-00 and the :-None statements, and I DO
> have with_ntdomain_hack=yes
>
>
>         # Microsoft CHAP authentication
>         #
>         #  This module supports MS-CHAP and MS-CHAPv2 authentication.
>         #  It also enforces the SMB-Account-Ctrl attribute.
>         #
>         mschap {
>                 with_ntdomain_hack = yes
>          ntlm_auth = "/usr/bin/ntlm_auth \
>          --request-nt-key \
>          --username=%{mschap:User-Name} \
>          --challenge=%{mschap:Challenge} \
>          --nt-response=%{mschap:NT-Response}
>         }
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.