The last piece of the puzzle - XP host authentication

Phil Mayers p.mayers at imperial.ac.uk
Tue Apr 19 10:38:25 CEST 2011


On 04/18/2011 08:39 PM, East, Bill wrote:

>
> Like the man says, other people are doing it so I know it's not
> impossible. What seems to be happening from reading the debug is that
> domain/user requests are coming in using EAP, doing the TLS
> interchange, then using MSCHAPv2 to verify the credentials. The host
> requests, on the other hand, do the TLS side but never seem to
> progress to the mschap portion. I've gone mildly crosseyed reading
> the debugs but I don't see where it is that I've gone wrong. I'm very
> new to RADIUS but I've been doing Linux and Windows for a while so I
> know that this *should* work.

Have you made sure that your root cert is present in the right stores - 
remember windows clients have both machine and per-user cert stores. 
Machine auth requires it be in the machine store.

>
> The configuration is: AD 2008 with a Slackware Linux server running
> the latest Samba and Kerberos as well as obviously FR. The client is
> a Windows XP box with the latest service pack. Below is a mildly
> sanitized copy of radiusd -X with both failed machine logins (LP-0010
> is the host) and a successful user (myuser) login.

Couple of points: the debug is actually quite mangled. The indenting has 
all gone away, making it really hard to follow, and you've chopped the 
top off where FreeRADIUS starts and prints out the config, meaning some 
vital info is absent.

Also, it only looks sanitised; much of the data you *think* you've 
removed is actually contained again inside the hex of the EAP-Message 
packets, so it's basically pointless. If you don't want to reveal 
sensitive data, create a test user.

So given the mangling this is a guess, but as Alan says you're 
apparently mangling the usernames, which will definitely break things; 
but to my eye, it looks like it's failing earlier than that, at the 
certificate exchange bit, implying the issue I note above.

On the subject of mangling usernames - if you want to deal with all 3 of:

domain\user
user
host/name.domain.com

...you can use the following:

%{mschap:User-Name}

...and the mschap module will strip them all into the right form. 
Specifically, when you configure your ntlm_auth helper line in 
raddb/modules/mschap, I recommend it read:

  ntlm_auth = "... --username=%{mschap:User-Name} ..."

HTH
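As an added illustration (not part of Phil's message, and not code from the FreeRADIUS project), the function below mirrors what the `%{mschap:User-Name}` expansion is described as doing for the three name forms listed above. The exact target form is my assumption: a `DOMAIN\user` login is reduced to the bare `user`, a plain `user` is left alone, and a `host/name.domain.com` machine login becomes the SAM machine-account name `name$`. The sample names (`EXAMPLE\myuser`, `host/LP-0010.example.com`) are constructed for the demonstration; only `myuser` and `LP-0010` come from the thread.

```python
"""Normalize the User-Name forms seen in PEAP/MSCHAPv2 logins.

Assumed mapping (my reading of what the mschap module's User-Name
expansion produces, not quoted from the thread):
    DOMAIN\\user           -> user
    user                   -> user
    host/name.domain.com   -> name$     (machine account)
"""


def normalize_username(user_name: str) -> str:
    """Return the bare account name to hand to ntlm_auth --username=..."""
    if user_name.startswith("host/"):
        # Machine login: drop the service prefix, keep only the short
        # hostname, and append '$' as Windows does for computer accounts.
        fqdn = user_name[len("host/"):]
        hostname = fqdn.split(".", 1)[0]
        return hostname + "$"
    if "\\" in user_name:
        # Interactive login of the form DOMAIN\user: keep the user part.
        return user_name.rsplit("\\", 1)[1]
    # Already a bare user name.
    return user_name


def classify_request(user_name: str) -> str:
    """Label a request as a machine or user login from its normalized name.

    Useful when reading radiusd -X output to tell the two kinds of
    request apart, since only machine accounts carry the trailing '$'.
    """
    return "machine" if normalize_username(user_name).endswith("$") else "user"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the original debug output.
    for name in ("EXAMPLE\\myuser", "myuser", "host/LP-0010.example.com"):
        print(f"{name!r:32} -> {normalize_username(name)!r} ({classify_request(name)})")
```

Run it directly to see the three forms collapse to the two account names; in a real deployment the same normalization happens inside FreeRADIUS when the `ntlm_auth` line in `raddb/modules/mschap` uses `--username=%{mschap:User-Name}`, so nothing here needs to be added to the server.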


