802.1x Auth Problem - Windows Login case sensitive?

cn mailinglists at freaks.de
Tue Mar 10 13:16:18 CET 2009


Hi List,

I have quite an interesting problem, and I don't think it's
freeRADIUS-related, but I hope somebody else has already had the same issue and
can give me a hint. A hint where to dig / whom to ask would also be very nice...

Okay, the setup:

I'm using freeRADIUS as 802.1x/PEAP authenticator for our WLAN deployment
and MS-AD as backend. It's the setup described in:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

And it's working quite well - for all machine accounts and most user
accounts. So I assume my freeradius/samba/kerberos config is fine so far...

What I tracked down:
It seems all accounts migrated from the old NT or Windows 2000 domain are
"case sensitive":

For those accounts the Windows user has to use exactly the same upper/lower
case for the user name as used in AD's sAMAccountName - otherwise it won't
work.

For all newly created accounts (after the migration) the case doesn't matter.

Anybody heard of this or had the same issue? I already googled quite a lot,
but I didn't come up with a solution. I just found some reports about similar
problems.

To the details:
In my radius requests I see the following:
For all newly created accounts the Windows login doesn't seem to be
case-sensitive. Regardless of how the user name is written during login, in my
radius requests I always see the username in exactly the same way as it is
stored in AD. It seems the XP client is doing some adjustments during
auth.

For the migrated accounts I see the user accounts in the same case as
entered in the Windows login - so it seems the client isn't doing these
adjustments. And if the account is written in a different way, ntlm_auth
fails.

Some parts of the trace for a successful request (sAMAccountName=testuser):

rad_recv: Access-Request packet from host 10.1.1.5:32822, id=139, length=286
    User-Name = "DOMAIN\\testuser"
    NAS-IP-Address = 10.1.1.254
    NAS-Port = 2
    NAS-Identifier = "10.1.1.5"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "00XXXXXXXXX"
    Called-Station-Id = "000XXXXXXXXX"
    Service-Type = Login-User
    Framed-MTU = 1100
    EAP-Message = XXXXXXXXXXXXXX
    State = XXXXXXXXXXXXXX
    Aruba-Essid-Name = "mySSID"
    Aruba-Location-Id = "test-ap"
    Message-Authenticator = XXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
  modcall[authorize]: module "mschap" returns noop for request 16
  rlm_eap: EAP packet type response id 18 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 16
  modcall[authorize]: module "files" returns notfound for request 16
modcall: leaving group authorize (returns updated) for request 16
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
    EAP-Message = XXXXXXXXXXXXX
  PEAP: Setting User-Name to DOMAIN\testuser
  PEAP: Adding old state with 97 88
  PEAP: Sending tunneled request
    EAP-Message = XXXXXXXXXXXXXX
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "DOMAIN\\testuser"
    State = XXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: leaving group authorize (returns updated) for request 16
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 16
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN
--username=testuser --challenge=bba9adXXXXXXXXXX
--nt-response=565bc73aa70b1fXXXXXXXXXXXX07f081266171807c68d90
Exec-Program output: NT_KEY: 8066616C0E1F32C93158XXXXXXXXX
Exec-Program-Wait: plaintext: NT_KEY: 8066616C0E1F32C9315866XXXXXXXXX
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 16
modcall: leaving group MS-CHAP (returns ok) for request 16
MSCHAP Success 
  modcall[authenticate]: module "eap" returns handled for request 16

The same with different case (failed request):

rad_recv: Access-Request packet from host 10.1.1.6:32822, id=110, length=286
        User-Name = "DOMAIN\\TESTUSER"
        NAS-IP-Address = 10.1.1.254
        NAS-Port = 1
        NAS-Identifier = "10.1.1.5"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "00XXXXXXXX"
        Called-Station-Id = "000XXXXXXXXX"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = XXXXXXXXXXXXXXX
        State = 0xXXXXXXXXXXXXXXXXXXX
        Aruba-Essid-Name = " mySSID"
        Aruba-Location-Id = "test-ap"
        Message-Authenticator = 0xXXXXXXXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 329
  modcall[authorize]: module "auth_log" returns ok for request 329
  modcall[authorize]: module "mschap" returns noop for request 329
  rlm_eap: EAP packet type response id 8 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 329
  modcall[authorize]: module "files" returns notfound for request 329
modcall: leaving group authorize (returns updated) for request 329
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 329
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = XXXXXXXXXXXXXXXXXXXXXXXXX
  PEAP: Setting User-Name to DOMAIN\TESTUSER
  PEAP: Adding old state with 89 3f
  PEAP: Sending tunneled request
        EAP-Message = XXXXXXXXXXXXXXXXXXXXXXXXXXX
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "DOMAIN\\TESTUSER"
        State = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 329
  modcall[authorize]: module "preprocess" returns ok for request 329
  modcall[authorize]: module "mschap" returns noop for request 329
  rlm_eap: EAP packet type response id 8 length 75
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 329
  modcall[authorize]: module "files" returns notfound for request 329
modcall: leaving group authorize (returns updated) for request 329
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 329
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 329
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for TESTUSER with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN
--username=TESTUSER --challenge=52972ee6749XXXXXXXX
--nt-response=13c2b8dd52e6591e0c568a02802fb9450cc91XXXXXXXXXXXXXX
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 329
modcall: leaving group MS-CHAP (returns reject) for request 329
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 329
modcall: leaving group authenticate (returns reject) for request 329
auth: Failed to validate the user.
Login incorrect: [DOMAIN\\TESTUSER/<no User-Password attribute>] (from
client localhost port 0)

If you need more information, just ask...

I hope somebody can give me a hint where to look or what to do. I also asked
my Windows people (I'm a Unix guy...) but all the ideas they had didn't
help...

Thanks,
    Chris 
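The traces above show FreeRADIUS handing ntlm_auth a bare --username (no DOMAIN\ prefix) together with an 8-octet --challenge and the 24-octet --nt-response it got from the client. In MS-CHAPv2 (RFC 2759) that 8-octet challenge is not the random challenge itself: it is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), so the user name string is an input to what both sides compute, and the NT-Response is then three DES encryptions of that value under the NT hash of the password. The Go program below is an added illustration written for this page; it is not code from the post, from FreeRADIUS or from Samba. It implements the RFC's GenerateNTResponse with a hand-rolled MD4 (Go's standard library has none), checks itself against the RFC 2759 section 9.2 test vector (user "User", password "clientPass"), and then runs the same challenges and password through the constructed names "testuser" and "TESTUSER" to show that the two spellings yield different challenges and responses. Function names and the extra account names are mine, not anything the page or FreeRADIUS defines.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a minimal RFC 1320 implementation (not in Go's standard library); the
// NT hash is MD4 over the UTF-16LE encoded password.
func md4(msg []byte) [16]byte {
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	m := append(append([]byte{}, msg...), 0x80)
	m = append(m, make([]byte, (56-len(m)%64+64)%64)...) // zero pad to 56 mod 64
	m = append(m, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(m[len(m)-8:], uint64(len(msg))*8) // bit length, little-endian
	r2k := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3k := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		a, b, c, d := st[0], st[1], st[2], st[3]
		for i := 0; i < 16; i++ { // round 1: F = (b AND c) OR (NOT b AND d)
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b, c, d)
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[r2k[i]]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b XOR c XOR d
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[r3k[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		st[0], st[1], st[2], st[3] = st[0]+a, st[1]+b, st[2]+c, st[3]+d
	}
	var out [16]byte
	for i, v := range st {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is RFC 2759 8.3: MD4 of the password encoded as UTF-16LE.
func ntPasswordHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	h := md4(buf)
	return h[:]
}

// challengeHash is RFC 2759 8.2. The user name is part of the hashed input, so
// supplicant and server must use the identical string, including its case.
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), userName...))
	return sum[:8]
}

// desKey56 spreads seven key bytes over eight; bit 0 of each byte is the DES
// parity bit, which crypto/des ignores.
func desKey56(k []byte) []byte {
	return []byte{k[0] & 0xfe, (k[0]<<7 | k[1]>>1) & 0xfe, (k[1]<<6 | k[2]>>2) & 0xfe,
		(k[2]<<5 | k[3]>>3) & 0xfe, (k[3]<<4 | k[4]>>4) & 0xfe, (k[4]<<3 | k[5]>>5) & 0xfe,
		(k[5]<<2 | k[6]>>6) & 0xfe, (k[6] << 1) & 0xfe}
}

// challengeResponse is RFC 2759 8.5: the 8-octet challenge DES-encrypted under
// each 7-byte third of the zero-padded 21-octet NT hash.
func challengeResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		blk, _ := des.NewCipher(desKey56(z[i : i+7])) // key is always 8 bytes, so this cannot fail
		var c [8]byte
		blk.Encrypt(c[:], challenge)
		out = append(out, c[:]...)
	}
	return out
}

// generateNTResponse is RFC 2759 8.1: what the supplicant sends inside the PEAP
// tunnel; the server rebuilds the challenge from the same name before calling ntlm_auth.
func generateNTResponse(authChallenge, peerChallenge []byte, userName, password string) []byte {
	return challengeResponse(challengeHash(peerChallenge, authChallenge, userName), ntPasswordHash(password))
}

// Challenges from the RFC 2759 section 9.2 test vector (user "User", password "clientPass").
var rfcAuthChallenge, _ = hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
var rfcPeerChallenge, _ = hex.DecodeString("21402324255E262A28295F2B3A337C7E")

func main() {
	// Constructed case: the RFC challenges and password, three spellings of the account name.
	for _, name := range []string{"User", "testuser", "TESTUSER"} {
		fmt.Printf("%-8s challenge=%X nt-response=%X\n", name, challengeHash(rfcPeerChallenge, rfcAuthChallenge, name),
			generateNTResponse(rfcAuthChallenge, rfcPeerChallenge, name, "clientPass"))
	}
}
```

The first line of output is the RFC's own Challenge and NT-Response; the next two use an identical password and identical random challenges and still differ in every byte, because the user name feeds the SHA1 step. When reading an ntlm_auth failure like the one in the trace, this is why the exact --username string and the --challenge value belong together: the domain controller verifies the response against the challenge the server computed, and a server and client that hash different spellings of the name can never agree, whatever the DC's own opinion of account-name case may be.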