802.1x machine authentication ads peap domainname

Thu Jan 29 13:47:17 CET 2009

>i'm not splitting user name from realm (well i don't know), below is
>an example with NT-Domain expand: (not working host/host.domain.local
>eap/peap but works ppp authorization from all domains User-name is
>DOMAIN\\user and domain is correctly expanded it works also with
>OTHERDOMAIN\\otheruser  - another trusted ads domain)
>
><code>
>server inner-tunnel {
>+- entering group authorize
>++[chap] returns noop
>++[mschap] returns noop
>++[unix] returns notfound
>    rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>++[control] returns noop
>  rlm_eap: EAP packet type response id 9 length 89
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>+- entering group MS-CHAP
>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>NT-Password
>	expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>	expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here
> mschap2: fa
>	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx
>	expand: --nt-response=%{mschap:NT-Response:-00} ->
>--nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx
>Exec-Program output: Logon failure (0xc000006d)
>Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
>Exec-Program: returned: 1
>  rlm_mschap: External script failed.
>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject
></code>
>
>and here is an example without NT-Domain expand for ntlm_auth (it is
>working well for only "domain.local" and "DOMAIN\\user" but not for
>thrusted OTHERDOMAIN\\otheruser ):
>
><code>
>server inner-tunnel {
>+- entering group authorize
>++[chap] returns noop
>++[mschap] returns noop
>++[unix] returns notfound
>    rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>looking up realm NULL
>    rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>++[control] returns noop
>  rlm_eap: EAP packet type response id 7 length 89
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type EAP
>auth: type "EAP"
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>+- entering group MS-CHAP
>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>NT-Password
>	expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
> mschap2: 96
>	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx
>	expand: --nt-response=%{mschap:NT-Response:-00} ->
>--nt-response=7fa7664801defd917c241937bd4xxxxxxx
>Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx
>Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx
>Exec-Program: returned: 0
>rlm_mschap: adding MS-CHAPv2 MPPE keys
>++[mschap] returns ok
></code>

OK. So you need two mschap instances one for NT format (DOMAIN\\user
type - with NT-Domain in ntlm_auth) and one for IPASS
(host/somehost.domain.local type - without) format. Use unlang to detect
the delimiter and switch the correct instance replacing mschap in
authorize and inside Auth-Type MSCHAP.

Ivan Kalik
Kalik Informatika ISP