Help setting up machine auth with peap

Josh Hiner josh at remc1.org
Fri Mar 13 05:09:11 CET 2009


I have a RADIUS box set up and am using ntlm_auth to authenticate PEAPv0 
with MS-CHAPv2 in the inner tunnel off a Samba PDC.

All normal users authenticate fine. When I try to authenticate using the 
machine account I get this:

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/cc20000 with NT-Password
[mschap]     expand: --username=%{mschap:User-Name:-None} -> --username=cc20000$
[mschap] setting NT-Domain to same as machine name
[mschap]     expand: --domain=%{mschap:NT-Domain:-ISD} -> --domain=cc20000
[mschap]  mschap2: bc
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=857e792244c9e024
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0e44e0288f3f64004f58718f93e09c629670ab97d1e997bf
Exec-Program output: Must change password (0xc0000224)
Exec-Program-Wait: plaintext: Must change password (0xc0000224)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/cc20000] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\010E=691 R=1"
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\010E=691 R=1"
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 71 to 172.17.10.108 port 1033
    EAP-Message = 0x010900261900170301001b34bc45f7fbc2e102f7ec6da756ce808f27d99f1074294fb3b5b69c
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb410f68ebc19efa88b187555f468f0ff
Finished request 18.


I do see the "Exec-Program output: Must change password (0xc0000224)" 
which to me means the computer account password has expired? I tried 
removing and re-adding the computer to the domain but get the same error.

Any ideas? Is anyone else successfully doing PEAPv0 auth with machine 
accounts and ntlm_auth?

Thanks for any help.
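Added example, not part of the post above and not FreeRADIUS or Samba code: a small triage script for exactly this kind of radiusd -X excerpt. It pulls out what rlm_mschap actually handed to ntlm_auth (the --username, --domain, --challenge and --nt-response expansions), decodes the NTSTATUS value printed in the "Exec-Program output" line (0xc0000224 is NT_STATUS_PASSWORD_MUST_CHANGE) and the E= code in MS-CHAP-Error (691 is the generic MS-CHAPv2 authentication-failure code from RFC 2759, so the NTSTATUS is the more specific signal), and flags the case visible in the log where rlm_mschap set NT-Domain to the machine name because the host/ User-Name carried no DNS suffix, so ntlm_auth was asked about domain "cc20000" rather than the Windows domain. The sample log embedded in the script is constructed from the lines quoted in the post, with the wrapped expand lines rejoined; the field names and the NTSTATUS table are this example's own choices.

```python
"""Triage rlm_mschap/ntlm_auth rejections in a radiusd -X excerpt (added example)."""
import re

# NTSTATUS values winbind hands back through ntlm_auth (standard Windows constants).
NT_STATUS = {
    0xC0000064: "NT_STATUS_NO_SUCH_USER",
    0xC000006A: "NT_STATUS_WRONG_PASSWORD",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC000006E: "NT_STATUS_ACCOUNT_RESTRICTION",
    0xC0000071: "NT_STATUS_PASSWORD_EXPIRED",
    0xC0000072: "NT_STATUS_ACCOUNT_DISABLED",
    0xC0000224: "NT_STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "NT_STATUS_ACCOUNT_LOCKED_OUT",
}

# MS-CHAPv2 failure codes (RFC 2759, section 6) as carried in MS-CHAP-Error.
MSCHAP_ERROR = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

EXPAND_RE = re.compile(r"expand: --(username|domain|challenge|nt-response)=\S+ -> --\1=(\S+)")
TOLD_RE = re.compile(r"Told to do MS-CHAPv2 for (\S+) with (\S+)")
EXEC_OUT_RE = re.compile(r"Exec-Program output: (.*?) \((0x[0-9a-fA-F]{8})\)")
EXEC_RC_RE = re.compile(r"Exec-Program: returned: (\d+)")
MSCHAP_ERR_RE = re.compile(r'MS-CHAP-Error = "\\\d{3}E=(\d+) R=(\d)')


def triage(log_text):
    """Return a dict of the MS-CHAP/ntlm_auth facts found in the excerpt."""
    r = {"user_name": None, "password_attr": None, "username": None, "domain": None,
         "challenge": None, "nt_response": None, "nt_status": None, "nt_status_name": None,
         "exec_rc": None, "mschap_error": None, "mschap_error_name": None,
         "retry_allowed": None, "domain_is_hostname": False}
    for line in log_text.splitlines():
        if (m := EXPAND_RE.search(line)):
            # What rlm_mschap actually passed on the ntlm_auth command line.
            r[m.group(1).replace("-", "_")] = m.group(2)
        elif (m := TOLD_RE.search(line)):
            r["user_name"], r["password_attr"] = m.groups()
        elif (m := EXEC_OUT_RE.search(line)):
            r["nt_status"] = int(m.group(2), 16)
            r["nt_status_name"] = NT_STATUS.get(r["nt_status"], "unknown NTSTATUS")
        elif (m := EXEC_RC_RE.search(line)):
            r["exec_rc"] = int(m.group(1))
        elif (m := MSCHAP_ERR_RE.search(line)) and r["mschap_error"] is None:
            r["mschap_error"] = int(m.group(1))
            r["mschap_error_name"] = MSCHAP_ERROR.get(r["mschap_error"], "unknown")
            r["retry_allowed"] = m.group(2) == "1"
    # rlm_mschap sets NT-Domain to the machine name when a host/<name> User-Name
    # has no DNS suffix; flag it so the operator sees which "domain" was checked.
    if r["user_name"] and r["user_name"].startswith("host/") and r["domain"]:
        host = r["user_name"][5:].split(".")[0]
        r["domain_is_hostname"] = r["domain"].lower() == host.lower()
    return r


def summary(r):
    """One-line verdict for an operator."""
    if r["nt_status"] is None:
        return "no ntlm_auth failure found"
    s = "ntlm_auth rejected %s (domain %s): %s (0x%08x)" % (
        r["username"], r["domain"], r["nt_status_name"], r["nt_status"])
    if r["mschap_error"] is not None:
        s += "; client told E=%d %s" % (r["mschap_error"], r["mschap_error_name"])
    if r["domain_is_hostname"]:
        s += "; NOTE --domain was derived from the hostname, not the NT domain"
    return s


# Constructed sample: the relevant lines from the radiusd -X output quoted in
# the post, with the wrapped expand lines rejoined.
SAMPLE_LOG = """\
[mschap] Told to do MS-CHAPv2 for host/cc20000 with NT-Password
[mschap]     expand: --username=%{mschap:User-Name:-None} -> --username=cc20000$
[mschap] setting NT-Domain to same as machine name
[mschap]     expand: --domain=%{mschap:NT-Domain:-ISD} -> --domain=cc20000
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=857e792244c9e024
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0e44e0288f3f64004f58718f93e09c629670ab97d1e997bf
Exec-Program output: Must change password (0xc0000224)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
    MS-CHAP-Error = "\\010E=691 R=1"
"""

if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOG)))
```

Run it as-is to see the verdict for the quoted log, or pipe a full radiusd -X capture into triage() for another request; the MS-CHAP-Error ident byte (\010 here) is the EAP identifier of the failed round, which matches the 0x04080004 EAP-Failure (code 4, id 8) in the tunneled reply, so the script only records the first MS-CHAP-Error it sees.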


