The last piece of the puzzle - XP host authentication

East, Bill eastb at pffcu.org
Tue Apr 19 15:59:47 CEST 2011


> -----Original Message-----
> From: freeradius-users-bounces+eastb=pffcu.org at lists.freeradius.org [mailto:freeradius-users-
> bounces+eastb=pffcu.org at lists.freeradius.org] On Behalf Of Phil Mayers
> Sent: Tuesday, April 19, 2011 4:38 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: The last piece of the puzzle - XP host authentication
> Have you made sure that your root cert is present in the right stores - remember windows
> clients have both machine and per-user cert stores.
> Machine auth requires it be in the machine store.

Bah, I should have known that. It's fixed, now.


> 
> >
> > The configuration is: AD 2008 with a Slackware Linux server running
> > the latest Samba and Kerberos as well as obviously FR. The client is
> > a Windows XP box with the latest service pack. Below is a mildly
> > sanitized copy of radiusd -X with both failed machine logins (LP-0010
> > is the host) and a successful user (myuser) login.
> 
> Couple of points: the debug is actually quite mangled. The indenting has all gone away, making
> it really hard to follow, and you've chopped the top off where FreeRADIUS starts and prints out
> the config, meaning some vital info is absent.
> 

I shouldn't have clipped the top; if I post a full debug again I'll fix that. As for the formatting, I'm not sure where that's going, I'm copying from putty to gvim and out to Outlook. I know where I'd put my money for making unwanted changes to text, though.

> Also, it only looks sanitised; much of the data you *think* you've removed is actually contained
> again inside the hex of the EAP-Message packets, so it's basically pointless. If you don't want to
> reveal sensitive data, create a test user.

Makes sense, but at least folks googling for basic information such as my org name won't have it all set out for them on a platter.

> 
> So given the mangling this is a guess, but as Alan says you're apparently mangling the
> usernames, which will definitely break things; but to my eye, it looks like it's failing earlier than
> that, at the certificate exchange bit, implying the issue I note above.
> 
> On the subject of mangling usernames - if you want to deal with all 3 of:
> 
> domain\user
> user
> host/name.domain.com
> 
> ...you can use the following:
> 
> %{mschap:User-Name}
> 
> ...and the mschap module will strip them all into the right form.
> Specifically, when you configure your ntlm_auth helper line in raddb/modules/mschap, I
> recommend it read:
> 
>   ntlm_auth = "... --username=%{mschap:User-Name} ..."


Aha!

This looks highly promising.

I've got the syntax right in mschap now, I think, but the challenge is still being created strangely (or is it supposed to look like that?)

[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password
[mschap]        expand: %{mschap:User-Name} -> LP-0010$
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$
[mschap]  mschap2: ac
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)


I appreciate your help with this
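The name normalisation described in the quoted reply, as an added illustration that is not FreeRADIUS's own code: it reduces the three identity forms to the account name handed to ntlm_auth and assembles the helper arguments visible in the debug output. The DOMAIN\user sample and the function names are constructed; the rlm_mschap source is authoritative for corner cases such as letter case.

```python
# Constructed sample identities covering the three forms named in the reply;
# only the host/ form is taken from the debug output quoted in the thread.
SAMPLE_IDENTITIES = [
    r"PFFCU\jsmith",            # domain\user (constructed)
    "jsmith",                   # bare user (constructed)
    "host/LP-0010.pffcu.org",   # machine identity from the debug above
]


def mschap_user_name(identity: str) -> str:
    """Reduce an EAP identity to the account name ntlm_auth is asked about.

    This mirrors the behaviour the reply attributes to %{mschap:User-Name}:
      DOMAIN\\user          -> user
      user                  -> user
      host/name.domain.com  -> name$   (machine account, trailing '$')
    It is an illustration, not the rlm_mschap source; whether the module
    changes the case of the host part is not shown on the page, so the
    host part is kept as given.
    """
    if identity.startswith("host/"):
        fqdn = identity[len("host/"):]
        short = fqdn.split(".", 1)[0]   # drop the DNS suffix
        if not short:
            raise ValueError(f"no host name in {identity!r}")
        return short + "$"
    # Everything up to and including the last backslash is a domain prefix.
    _, _, user = identity.rpartition("\\")
    if not user:
        raise ValueError(f"no user name in {identity!r}")
    return user


def build_ntlm_auth_args(identity: str, challenge: str, nt_response: str) -> list:
    """Assemble the ntlm_auth argv the mschap module would expand to.
    The three flags are the ones visible in the debug output; the
    normalised name goes into --username so the domain prefix or host/
    wrapper never reaches ntlm_auth.
    """
    return [
        "ntlm_auth",
        "--username=" + mschap_user_name(identity),
        "--challenge=" + challenge,
        "--nt-response=" + nt_response,
    ]


if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        print(f"{ident:28} -> {mschap_user_name(ident)}")
```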




