PEAP-MSCHAPv2 against AD

Jonathan De Graeve Jonathan.DeGraeve at imelda.be
Mon Sep 25 17:51:19 CEST 2006 

Never mind, found the solutions as:

ntlm_auth --username=%{mschap:User-Name} --foobar

J.

-- 
Jonathan De Graeve
Network/System Engineer
Imelda vzw
Informatica Dienst
+32 15/50.52.98
jonathan.de.graeve at imelda.be

---------
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
---------

> -----Oorspronkelijk bericht-----
> Van: freeradius-users-
> bounces+jonathan.degraeve=imelda.be at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+jonathan.degraeve=imelda.be at lists.freeradius.org] Namens
Jonathan
> De Graeve
> Verzonden: maandag 25 september 2006 17:34
> Aan: FreeRadius users mailing list
> Onderwerp: PEAP-MSCHAPv2 against AD
> 
> I'm trying todo PEAP-MSCHAPv2 with authentication against an AD
> 
> Currently I have the following problem:
> 
> When the domain is in the username the authentication fails, if the
> domainname isn't in the authentication the authentication succeeds.
I'm
> using the following ntlm_auth line in radiusd.conf:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}
> --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
> --domain=%{mschap:NT-Domain:-IMZ}"
> 
> The with_ntdomain_hack = yes is enabled in the mschap {}
> 
> Output from shell:
> radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key
> --username=IMZ\\beheerder --challenge=e456e008c25a9ac7
> --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580
> --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
> --domain=IMZ
> Logon failure (0xc000006d)
> radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key
> --username=beheerder --challenge=e456e008c25a9ac7
> --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580
> --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
> --domain=IMZ
> NT_KEY: EB23807FB13B1CAB06F4F0BBE5C199D0
> 
> 
> Debugging information (with a different user)
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 252
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   eaptls_verify returned 7
>   rlm_eap_tls: Done initial handshake
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: EAP type mschapv2
>   rlm_eap_peap: Tunneled data is valid.
>   PEAP: Got tunneled EAP-Message
>         EAP-Message =
>
0x020800471a0208004231f622919de18b1fdab0ca9902b9729d49000000000000000013
>
37f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
>   PEAP: Setting User-Name to IMZ\jonathan
>   PEAP: Adding old state with 8f f9
>   PEAP: Sending tunneled request
>         EAP-Message =
>
0x020800471a0208004231f622919de18b1fdab0ca9902b9729d49000000000000000013
>
37f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "IMZ\\jonathan"
>         State = 0x8ff913e6997d7ca8d6a9b4832ff5c931
>         NAS-IP-Address = 194.8.52.161
>         Connect-Info = "CONNECT 802.11"
>         Called-Station-Id = "000fb5df0524"
>         Calling-Station-Id = "004096ab4eed"
>         NAS-Identifier = "ap"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 4
>         NAS-Port-Id = "4"
>         Framed-MTU = 1400
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 252
>   modcall[authorize]: module "preprocess" returns ok for request 252
>   modcall[authorize]: module "attr_filter" returns noop for request
252
>   modcall[authorize]: module "chap" returns noop for request 252
>   modcall[authorize]: module "mschap" returns noop for request 252
>   modcall[authorize]: module "digest" returns noop for request 252
>     rlm_realm: No '@' in User-Name = "IMZ\jonathan", looking up realm
> NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 252
>   rlm_eap: EAP packet type response id 8 length 71
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 252
>   modcall[authorize]: module "files" returns notfound for request 252
> radius_xlat:  'IMZ\\jonathan'
> rlm_sql (sql): sql_set_user escaped user --> 'IMZ\\jonathan'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
FROM
> radcheck           WHERE Username = 'IMZ=5C=5C=5C=5Cjonathan'
> ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql (sql): User IMZ\\jonathan not found in radcheck
> radius_xlat:  'SELECT
>
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
> pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'IMZ=5C=5C=5C=5Cjonathan' AND usergroup.GroupName
=
> radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat:  'SELECT
>
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
> preply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'IMZ=5C=5C=5C=5Cjonathan' AND usergroup.GroupName
=
> radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): User IMZ\\jonathan not found in radgroupcheck
> rlm_sql (sql): Released sql socket id: 3
> rlm_sql (sql): User not found
>   modcall[authorize]: module "sql" returns notfound for request 252
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "validfromlogin" returns noop for request
> 252
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "validfromcreation" returns noop for
> request 252
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "uploadlimit" returns noop for request
252
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "volumelimit" returns noop for request
252
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "prepaidcounter" returns noop for request
> 252
> modcall: leaving group authorize (returns updated) for request 252
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 252
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 252
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for jonathan with NT-Password
> radius_xlat: Running registered xlat function of module mschap for
> string 'Challenge'
>  mschap2: 05
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Response'
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Domain'
> radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key
> --username=IMZ\\jonathan --challenge=d13cab581e1c3097
> --nt-response=1337f654a247b82ba252becd3320cdd94974567666fa0818
> --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
> --domain=IMZ'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key
> --username=IMZ\\jonathan --challenge=d13cab581e1c3097
> --nt-response=1337f654a247b82ba252becd3320cdd94974567666fa0818
> --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
> --domain=IMZ
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request
252
> modcall: leaving group MS-CHAP (returns reject) for request 252
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 252
> modcall: leaving group authenticate (returns reject) for request 252
> auth: Failed to validate the user.
> Login incorrect: [IMZ\\jonathan/<no User-Password attribute>] (from
> client localhost port 4 cli 004096ab4eed)
>   PEAP: Got tunneled reply RADIUS code 3
>         MS-CHAP-Error = "\010E=691 R=1"
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x00000000000000000000000000000000
>   PEAP: Processing from tunneled session code 0x8978750 3
>         MS-CHAP-Error = "\010E=691 R=1"
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x00000000000000000000000000000000
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
> 
> Anyone out there who nows how to solve this problem?
> 
> PS I'm running freeradius 1.1.3
> 
> Thx in advance,
> 
> 
> J.
> 
> --
> Jonathan De Graeve
> Network/System Engineer
> Imelda vzw
> Informatica Dienst
> +32 15/50.52.98
> jonathan.de.graeve at imelda.be
> 
> ---------
> Always read the manual for the correct way to do things because the
> number of incorrect ways to do things is almost infinite
> ---------
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list