802.1x machine authentication ads peap domainname

orzeh orz3h at tlen.pl
Thu Jan 29 16:33:44 CET 2009


Wow!
It's working great!!!
Tests with two instances are working for now. Thanks a lot!
I must do more tests, but it seems this is the way!

regards!
Lukasz


2009/1/29  <tnt at kalik.net>:
>>I'm not splitting the user name from the realm (well, I don't know). Below is
>>an example with NT-Domain expansion: not working for host/host.domain.local
>>EAP/PEAP, but PPP authorization works from all domains. User-Name is
>>DOMAIN\\user and the domain is correctly expanded; it also works with
>>OTHERDOMAIN\\otheruser (another trusted ADS domain).
>>
>><code>
>>server inner-tunnel {
>>+- entering group authorize
>>++[chap] returns noop
>>++[mschap] returns noop
>>++[unix] returns notfound
>>    rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>>looking up realm NULL
>>    rlm_realm: No such realm "NULL"
>>++[suffix] returns noop
>>++[control] returns noop
>>  rlm_eap: EAP packet type response id 9 length 89
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>++[eap] returns updated
>>++[files] returns noop
>>++[expiration] returns noop
>>++[logintime] returns noop
>>++[pap] returns noop
>>  rad_check_password:  Found Auth-Type EAP
>>auth: type "EAP"
>>+- entering group authenticate
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/mschapv2
>>  rlm_eap: processing type mschapv2
>>+- entering group MS-CHAP
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>>NT-Password
>>       expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>>       expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here
>> mschap2: fa
>>       expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx
>>       expand: --nt-response=%{mschap:NT-Response:-00} ->
>>--nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx
>>Exec-Program output: Logon failure (0xc000006d)
>>Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
>>Exec-Program: returned: 1
>>  rlm_mschap: External script failed.
>>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>>++[mschap] returns reject
>></code>
>>
>>And here is an example without NT-Domain expansion for ntlm_auth (it
>>works well only for "domain.local" and "DOMAIN\\user", but not for the
>>trusted OTHERDOMAIN\\otheruser):
>>
>><code>
>>server inner-tunnel {
>>+- entering group authorize
>>++[chap] returns noop
>>++[mschap] returns noop
>>++[unix] returns notfound
>>    rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>>looking up realm NULL
>>    rlm_realm: No such realm "NULL"
>>++[suffix] returns noop
>>++[control] returns noop
>>  rlm_eap: EAP packet type response id 7 length 89
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>++[eap] returns updated
>>++[files] returns noop
>>++[expiration] returns noop
>>++[logintime] returns noop
>>++[pap] returns noop
>>  rad_check_password:  Found Auth-Type EAP
>>auth: type "EAP"
>>+- entering group authenticate
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/mschapv2
>>  rlm_eap: processing type mschapv2
>>+- entering group MS-CHAP
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>>  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>>  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>>NT-Password
>>       expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>> mschap2: 96
>>       expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx
>>       expand: --nt-response=%{mschap:NT-Response:-00} ->
>>--nt-response=7fa7664801defd917c241937bd4xxxxxxx
>>Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx
>>Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx
>>Exec-Program: returned: 0
>>rlm_mschap: adding MS-CHAPv2 MPPE keys
>>++[mschap] returns ok
>></code>
>
> OK. So you need two mschap instances: one for NT format (DOMAIN\\user
> type, with NT-Domain in ntlm_auth) and one for IPASS format
> (host/somehost.domain.local type, without). Use unlang to detect
> the delimiter and switch to the correct instance, replacing mschap in
> authorize and inside Auth-Type MSCHAP.
>
> Ivan Kalik
> Kalik Informatika ISP



-- 
 .''`.  O.R.Z.E.H.: Obedient Robotic Zealous Exploration Humanoid
: :'  : '98 linux registered | [FoxGame | ---] team translator | Amiga 2000 user
`. `'`	[nagios plugin | udev aic9xx] relaser | 220v active user
 `- 	http://www.goldenline.pl/lukasz-sitko3 |
http://www.linkedin.com/in/lukaszsitko
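The two-instance split Ivan describes above, written out as an added FreeRADIUS 2.x configuration example; it is not from the original thread or from the FreeRADIUS distribution. The ntlm_auth path, the instance name mschap_host, and the choice of keying the unlang test on the "host/" prefix (the form that failed in the first log) rather than on the backslash are assumptions. Both instances are assumed to set Auth-Type MS-CHAP in authorize, which is what makes a single Auth-Type MS-CHAP section in authenticate sufficient. Only the relevant parts of the inner-tunnel virtual server are shown.

```unlang
# raddb/modules/mschap (FreeRADIUS 2.x). Two rlm_mschap instances that
# differ only in whether --domain is passed to ntlm_auth.
# /usr/bin/ntlm_auth is an assumed path.

# Default instance, used for DOMAIN\user and OTHERDOMAIN\otheruser.
# %{mschap:NT-Domain} is the text before the backslash, so the user is
# looked up in the right (possibly trusted) domain.
mschap {
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-DOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# Assumed second instance for host/somehost.domain.local machine accounts.
# %{mschap:User-Name} already turns that into somehost$ (see the logs
# above). --domain is deliberately omitted: for this form the NT-Domain
# expansion gave "domain", which winbind rejected with 0xc000006d.
mschap mschap_host {
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

```unlang
# raddb/sites-available/inner-tunnel: the PEAP inner identity is in
# User-Name here. Choose the instance by the delimiter, in both the
# authorize list and the Auth-Type MS-CHAP section that EAP-MSCHAPv2 calls.
server inner-tunnel {
	authorize {
		chap
		unix
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		# Kerberos-style machine principal: host/name.domain.local
		if (User-Name =~ /^host\//) {
			mschap_host
		}
		else {
			mschap
		}
		eap {
			ok = return
		}
		files
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type MS-CHAP {
			if (User-Name =~ /^host\//) {
				mschap_host
			}
			else {
				mschap
			}
		}
		eap
	}
}
```

Run radiusd -X after the change: the debug output names the instance that ran ("++[mschap_host] returns ok" versus "++[mschap] returns ok"), so a machine login that still ends in "MS-CHAP2-Response is incorrect" after the split means the wrong branch fired or winbind itself rejected the somehost$ account. Keep --request-nt-key in both invocations: the NT_KEY it returns is what rlm_mschap uses to derive the MPPE keys ("adding MS-CHAPv2 MPPE keys" in the working log), and without it the PEAP session has no key material even though authentication succeeded.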
