Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Martin Ubank Martin.Ubank at uwe.ac.uk
Tue Oct 18 16:30:12 CEST 2011


I took Alan Buxey's advice and installed FreeRADIUS 2.1.10 and Samba 3.5.6-86.

After solving other problems along the way, I got to the final test of FR with AD and ntlm_auth using 'eapol_test'.
This gave the Certificate_Compatibility warning.

I then went back through the process of creating production certificates:

Deleted *csr, *key, ca.pem, server.crt, server.p12.
Cleared the contents of index.txt (to prevent an error with openssl).
Ran 'make'.
Ensured all files in the certs directory are group-owned by the 'radiusd' group.
Successfully ran 'eapol_test' against various config files with ca_cert entry un-commented.
However, running 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' on the server on which FreeRadius is installed still fails with the Certificate Compatibility warning.
Can anyone help me work out what I've done wrong or not done?
Thanks

Martin.

peap-mschapv2-cert-ntlm_auth.conf
=================================

#
#   eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#

# eapol_version=1
# fast_reauth=0

network={
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="USERNAME"
#        anonymous_identity="anonymous"
        password="PASSWORD"
        phase2="autheap=MSCHAPV2"

#       priority=10

        #
        #  Uncomment the following to perform server certificate validation.
        ca_cert="/etc/raddb/certs/ca.der"
}

ca.cnf
======
[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ./
certs                   = $dir
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir
certificate             = $dir/ca.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/ca.key
RANDFILE                = $dir/.rand
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 365
default_crl_days        = 30
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt                  = no
distinguished_name      = certificate_authority
default_bits            = 2048
input_password          = INPUT_PW
output_password         = OUTPUT_PW
x509_extensions         = v3_ca

[certificate_authority]
countryName             = UK
stateOrProvinceName     = United Kingdom
localityName            = West of England
organizationName        = UWE
emailAddress            = email_address at uwe.ac.uk
commonName              = "UWE, Bristol"

[v3_ca]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

server.cnf
==========
[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ./
certs                   = $dir
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir
certificate             = $dir/server.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/server.key
RANDFILE                = $dir/.rand
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 365
default_crl_days        = 30
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt                  = no
distinguished_name      = server
default_bits            = 2048
input_password          = INPUT_PW
output_password         = OUTPUT_PW

[server]
countryName             = UK
stateOrProvinceName     = United Kingdom
localityName            = West of England
organizationName        = UWE
emailAddress            = email_address at uwe.ac.uk
commonName              = "UWE, Bristol"

client.cnf
==========
[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ./
certs                   = $dir
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir
certificate             = $dir/server.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/server.key
RANDFILE                = $dir/.rand
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 365
default_crl_days        = 30
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt                  = no
distinguished_name      = client
default_bits            = 2048
input_password          = INPUT_PW
output_password         = OUTPUT_PW

[client]
countryName             = UK
stateOrProvinceName     = United Kingdom
localityName            = West of England
organizationName        = UWE
emailAddress            = email_address at uwe.ac.uk
commonName              = "UWE, Bristol"

P.S. Let me know if it would help to include other files.
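An added check, not part of Martin's post and not FreeRADIUS's own code: a POSIX sh script that audits the certificate set produced by 'make' in raddb/certs. Note that the posted ca.cnf, server.cnf and client.cnf all give the CA, the server and the client the identical subject DN (same commonName "UWE, Bristol"); the first check below flags exactly that. The script assumes only the openssl CLI and the file names the FreeRADIUS certs/Makefile writes (ca.pem, server.pem, ca.der). Run without an argument it builds two throwaway CA/server pairs (the hostname radius.example.org and the DN values are constructed for the demo) and audits both, so the same-DN case can be seen side by side with a distinct-DN one.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: audit the certificate
# set that 'make' in raddb/certs produces.  Assumes only the openssl CLI and the
# file names FreeRADIUS's certs/Makefile writes (ca.pem, server.pem, ca.der).
#   sh check-certs.sh /etc/raddb/certs   audit a real directory
#   sh check-certs.sh                    self-demo on throwaway certs

# 1. Does server.pem chain to ca.pem?
check_chain() {               # $1 = ca.pem  $2 = server.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. CA and server must not share a subject DN.  A server cert made with
#    'openssl ca -extensions xpserver_ext' carries no key identifiers, so one
#    whose subject equals its issuer is indistinguishable from a self-issued
#    cert to a name-based chain builder (older OpenSSL releases reject it as
#    "self signed certificate"), and supplicants that match on the server CN
#    cannot tell CA from server either.
check_distinct_subjects() {   # $1 = ca.pem  $2 = server.pem
    [ "$(openssl x509 -in "$1" -noout -subject)" != \
      "$(openssl x509 -in "$2" -noout -subject)" ]
}

# 3. The server cert should carry the serverAuth EKU (xpserver_ext in xpextensions).
check_server_eku() {          # $1 = server.pem
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# 4. The ca.der handed to the supplicant must be the same certificate as ca.pem.
check_der_matches_pem() {     # $1 = ca.pem  $2 = ca.der
    openssl x509 -in "$1" -outform DER | cmp -s - "$2"
}

audit_dir() {                 # $1 = certs dir; one line per check, returns 1 on any FAIL
    d="$1"; rc=0
    report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; rc=1; fi; }
    report check_distinct_subjects "$d/ca.pem" "$d/server.pem"
    report check_chain            "$d/ca.pem" "$d/server.pem"
    report check_server_eku       "$d/server.pem"
    report check_der_matches_pem  "$d/ca.pem" "$d/ca.der"
    return $rc
}

# Throwaway CA + server pair built the way the posted cnf files and the
# FreeRADIUS Makefile do it: self-signed CA with the v3_ca extensions, server
# cert signed by it with only the xpserver_ext EKU, ca.der converted from ca.pem.
build_demo_pair() {           # $1 = dir  $2 = CA commonName  $3 = server commonName
    d="$1"; mkdir -p "$d"
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = v3_ca' '[ dn ]' 'commonName = placeholder' \
        '[ v3_ca ]' 'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid:always,issuer:always' \
        'basicConstraints = CA:true' > "$d/ca.cnf"
    printf '%s\n' '[ xpserver_ext ]' 'extendedKeyUsage = 1.3.6.1.5.5.7.3.1' > "$d/xpextensions"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=GB/O=Example/CN=$2" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=GB/O=Example/CN=$3" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/xpextensions" -extensions xpserver_ext \
        -out "$d/server.pem" 2>/dev/null
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der"
}

if [ -n "${1:-}" ]; then
    audit_dir "$1"
else
    T=$(mktemp -d)
    echo "== CA and server with one subject DN, as in the posted cnf files"
    build_demo_pair "$T/same" "UWE, Bristol" "UWE, Bristol"
    audit_dir "$T/same"
    echo "== CA and server with distinct subject DNs"
    build_demo_pair "$T/distinct" "UWE CA" "radius.example.org"
    audit_dir "$T/distinct"
    rm -rf "$T"
fi
```

Point it at the real directory as the radiusd user ('sh check-certs.sh /etc/raddb/certs') so that the file reads also exercise the group ownership set up in step 5 of the procedure above; a FAIL on the first line means the server.cnf commonName (and ideally the whole DN) needs to differ from the one in ca.cnf before the certificates are regenerated.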

-----Original Message-----
From: freeradius-users-bounces+martin.ubank=uwe.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac.uk at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 17 October 2011 09:21
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Hi,

> Thanks for that.
> I had left some previous versions of files in the modules directory not knowing that they are still active.
> Moving them to another location progressed me to the following error:

Yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in the modules/
directory. Never leave 'backups', editor backups (tilde emacs files), RCS etc. versions
lying around in those directories (this is a common problem).

> This was fixed by issuing this command:
> 
> 'chgrp radiusd /var/lib/samba/winbindd_privileged'

yep

> The next problem I got was
> 
> "EAP-MSCHAPV2: Received success
>  EAP-MSCHAPV2: Invalid authenticator response in success request"
> 
> Googling this suggests there is a bug in the version of Samba I'm using and that I need to install version 3.0.30.

The latest SAMBA release in 3.5.x should work fine.

I note you are running 2.1.9 - why that version? 2.1.10 should be available
for CentOS 6 with yum. If self-compiling, use 2.1.12.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
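Two checks for the two earlier fixes in this thread (stray files under modules/ and sites-enabled/, and the group of winbindd_privileged), added here as an example; this is not code from the thread or from FreeRADIUS. The paths /etc/raddb and /var/lib/samba/winbindd_privileged and the group name radiusd are the ones used in the thread; the list of backup-file suffixes is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS.  Assumes only POSIX sh,
# find, ls and awk.
#   sh check-raddb.sh /etc/raddb      (raddb directory assumed; FreeRADIUS 2.x layout)

# FreeRADIUS 2.x loads every file in modules/ and sites-enabled/, so a stray
# mschap~, mschap.bak or RCS copy is a live second definition of the module.
# Prints each suspicious path; returns 1 if any were found.
stray_config_files() {        # $@ = directories to scan
    found=$(find "$@" -type f \( -name '*~' -o -name '*.bak' -o -name '*.orig' \
                -o -name '*.old' -o -name '*.rpmnew' -o -name '*.rpmsave' \
                -o -name '*.dpkg-*' -o -name '.#*' -o -name '#*#' -o -name '*,v' \
                -o -name '*.swp' -o -path '*/RCS/*' -o -path '*/CVS/*' \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# ntlm_auth runs as the radiusd user and must be able to enter the winbindd
# privileged pipe directory, so that directory's group must be the radiusd group.
# ls -ld is used instead of stat(1) because stat's flags differ between GNU and BSD.
dir_group() {                 # $1 = directory; prints its group name
    ls -ld "$1" | awk '{ print $4 }'
}
check_winbind_priv_group() {  # $1 = winbindd_privileged dir  $2 = expected group
    [ "$(dir_group "$1")" = "$2" ]
}

if [ -n "${1:-}" ]; then
    raddb="$1"
    if stray_config_files "$raddb/modules" "$raddb/sites-enabled"; then
        echo "ok    no stray files under $raddb/modules or $raddb/sites-enabled"
    else
        echo "FAIL  move the files listed above out of the raddb tree"
    fi
    if check_winbind_priv_group /var/lib/samba/winbindd_privileged radiusd; then
        echo "ok    winbindd_privileged is group radiusd"
    else
        echo "FAIL  run: chgrp radiusd /var/lib/samba/winbindd_privileged"
    fi
fi
```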