802.1x machine authentication ads peap domainname

orzeh orz3h at tlen.pl
Thu Jan 29 13:18:52 CET 2009


Thanks for the reply.
I'm not splitting the user name from the realm (well, I don't know). Below is
an example with NT-Domain expand (not working for host/host.domain.local
EAP/PEAP, but PPP authorization works from all domains: User-Name is
DOMAIN\\user and the domain is correctly expanded; it also works with
OTHERDOMAIN\\otheruser, another trusted ADS domain):

<code>
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 9 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
NT-Password
	expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
	expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here
 mschap2: fa
	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx
	expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
</code>

And here is an example without NT-Domain expand for ntlm_auth (it works
well only for "domain.local" and "DOMAIN\\user", but not for trusted
OTHERDOMAIN\\otheruser):

<code>
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 7 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
NT-Password
	expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
 mschap2: 96
	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx
	expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=7fa7664801defd917c241937bd4xxxxxxx
Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
</code>

Thanks for the help!
Lukasz

2009/1/28  <tnt at kalik.net>:
>>I know about this expand, but it's expanding to only the first section of
>>the domain (e.g. domain.com mschap expand gives only "domain").
>>I'm wondering if it is possible to get the correct expand to work, because
>>sometimes RADIUS must authorize users from other trusted domains.
>>
>
> Can you post an example? If you are splitting the User-Name with
> something from the realm module (suffix, ntdomain etc.) you get
> Stripped-User-Name and Realm. Perhaps %{Realm} would work for you.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
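The two debug traces above show exactly which values rlm_mschap hands to ntlm_auth: for host/somehost.domain.local the username becomes somehost$ and %{mschap:NT-Domain} yields only the first DNS label ("domain"), while DOMAIN\\user splits cleanly on the backslash. The following is an added example, not code from the original post or from FreeRADIUS: a small Python model of those expansions, inferred from the debug output, that lets an administrator check which --domain value a given User-Name will produce before touching the mschap configuration. The DNS_TO_NETBIOS map, the second resolver function, and the argv layout with --request-nt-key are assumptions for illustration.

```python
"""
Added example (not from the original post or from FreeRADIUS itself):
a model of how the ntlm_auth arguments seen in the debug output are
derived from User-Name, and why a machine account from a trusted
domain ends up with the wrong --domain value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NtlmAuthArgs:
    username: str          # value passed as --username=
    domain: Optional[str]  # value passed as --domain= (None: not passed)


def mschap_expand(user_name: str, default_domain: Optional[str]) -> NtlmAuthArgs:
    """Reproduce the two expansions visible in the debug output:
    %{mschap:User-Name}  and  %{mschap:NT-Domain:-<default>}.

    host/somehost.domain.local  ->  somehost$ , domain   (first DNS label only)
    DOMAIN\\user                ->  user      , DOMAIN
    anything else               ->  as-is     , default
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        labels = fqdn.split(".")
        username = labels[0] + "$"   # machine account name, as in --username=somehost$
        domain = labels[1] if len(labels) > 1 else default_domain
        return NtlmAuthArgs(username, domain)
    if "\\" in user_name:
        domain, _, username = user_name.partition("\\")
        return NtlmAuthArgs(username, domain)
    return NtlmAuthArgs(user_name, default_domain)


# Constructed mapping from DNS suffix to NetBIOS domain name (assumption:
# in a real forest this would be filled from the trust configuration).
DNS_TO_NETBIOS: Dict[str, str] = {
    "domain.local": "DOMAIN",
    "otherdomain.local": "OTHERDOMAIN",
}


def expand_with_suffix_map(user_name: str, default_domain: Optional[str],
                           suffix_map: Dict[str, str] = DNS_TO_NETBIOS) -> NtlmAuthArgs:
    """Hypothetical alternative to the NT-Domain expansion: for host/ names
    look up the whole DNS suffix, so a trusted domain's machine account is
    sent to ntlm_auth with its own NetBIOS domain instead of the first label."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        host, _, suffix = fqdn.partition(".")
        domain = suffix_map.get(suffix.lower())
        return NtlmAuthArgs(host + "$", domain if domain else default_domain)
    return mschap_expand(user_name, default_domain)


def ntlm_auth_cmdline(args: NtlmAuthArgs, challenge_hex: str,
                      nt_response_hex: str) -> List[str]:
    """Build an argv of the shape rlm_mschap uses for ntlm_auth; --domain is
    omitted when no domain was expanded (the second debug trace above)."""
    argv = ["ntlm_auth", "--request-nt-key", f"--username={args.username}"]
    if args.domain:
        argv.append(f"--domain={args.domain}")
    argv += [f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]
    return argv


if __name__ == "__main__":
    # Constructed sample User-Names taken from the forms in the post.
    for name in ("host/somehost.domain.local", "DOMAIN\\user",
                 "OTHERDOMAIN\\otheruser", "host/pc1.otherdomain.local"):
        print(name, "->", mschap_expand(name, "DOMAIN"),
              "| suffix map ->", expand_with_suffix_map(name, "DOMAIN"))
```

Running the module prints, for each sample User-Name, what the page's expansion would send versus what a suffix-based lookup would send; the host/pc1.otherdomain.local case is where the two differ and where the first-label expansion asks ntlm_auth about the wrong domain.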