ntlm_auth "--require-membership-of" breaks eap-conversation

Patrick Machauer machauer at dhbw-mannheim.de
Thu Jul 5 13:27:36 CEST 2012


Hello List,

I've got a strange behavior here. I've got a running FreeRADIUS with
PEAP and ntlm_auth authentication, and everything works fine.

But if I extend the ntlm_auth call with the "--require-membership-of"
switch, authentication still works, but I get no EAP-Response from the
client anymore.



+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: username at realm.de
[mschap] Told to do MS-CHAPv2 for username at realm.de with NT-Password
[mschap] expand: --require-membership-of=%{Huntgroup-Name} ->
--require-membership-of=adp.realm.de\wlan
[mschap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}}
-> --username=username
[mschap] Creating challenge hash with username: username at realm.de
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=aefab931ad734f6e
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=884c07bf7ed6d38688c6730be8e92b714f912da037da8554
Exec-Program output: NT_KEY: 84092FAC9DC4C216C61D4411B5BB768C
Exec-Program-Wait: plaintext: NT_KEY: 84092FAC9DC4C216C61D4411B5BB768C
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
WARNING: Empty session section. Using default return values.
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/etc/raddb/sites-enabled/mitarb
} # server mitarb
Going to the next request
<<< Received proxied response code 2 from internal virtual server.
# Executing section post-proxy from file
/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server eduroam-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file
/etc/raddb/sites-enabled/eduroam
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel
0x86a4e0 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok


Looks good so far, but then ...



server eduroam-outer-tunnel {
} # server eduroam-outer-tunnel
Sending Access-Challenge of id 2 to 141.72.64.3 port 32768
EAP-Message =
0x0115005b19001703010050cb972ac25fca4ed1fb69d92f327ffc0a5d206ef0541edb35627a0d93187423d332a9c1194dcf844077258dd435d362bcba65c361650224ca83a669d82fc36f2a1cff8ea1868802734676ea1474288492
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe0bbe76ce9aefea746f07bdba2aaec4b
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 249 with timestamp +19
Cleaning up request 1 ID 250 with timestamp +19
Cleaning up request 2 ID 251 with timestamp +19
Cleaning up request 3 ID 252 with timestamp +19
Cleaning up request 4 ID 253 with timestamp +19
Cleaning up request 5 ID 254 with timestamp +19
Cleaning up request 6 ID 255 with timestamp +19
Cleaning up request 7 ID 0 with timestamp +19
Cleaning up request 8 ID 1 with timestamp +19
Cleaning up request 9 ID 2 with timestamp +19
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xe0bbe76ce9aefea7 did not finish!
WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.



My ntlm_auth string in modules/mschap looks like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--require-membership-of=%{Huntgroup-Name}
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

If I remove the "--require-membership-of" switch, everything works fine. Why?

Help would be great!


Yours

Patrick Machauer
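An added example, written here to illustrate the post and not taken from it or from FreeRADIUS: a small re-implementation of the `%{Attr}` / `%{Attr:-default}` expansion that the debug output shows being applied to the ntlm_auth string, so you can see exactly which argv ends up being handed to ntlm_auth, including the deprecated nested ":-" fallback for the username and what happens when Huntgroup-Name is not set at all. The request attributes are constructed to match the values visible in the log; the assumption that the server tokenises the expanded string on whitespace rather than through a shell is mine and is marked in the code.

```python
import re

# Constructed request attributes mirroring the values visible in the debug
# output of the post (the NT-Response is copied from the log purely so the
# expansion is recognisable; nothing here is a real secret).
REQUEST = {
    "User-Name": "username@realm.de",
    "Stripped-User-Name": "username",
    "Huntgroup-Name": r"adp.realm.de\wlan",
    "mschap:Challenge": "aefab931ad734f6e",
    "mschap:NT-Response": "884c07bf7ed6d38688c6730be8e92b714f912da037da8554",
}

# The ntlm_auth string from modules/mschap as given in the post.
NTLM_AUTH = (
    "/usr/bin/ntlm_auth --request-nt-key "
    "--require-membership-of=%{Huntgroup-Name} "
    "--username=%{Stripped-User-Name:-%{User-Name:-None}} "
    "--challenge=%{mschap:Challenge:-00} "
    "--nt-response=%{mschap:NT-Response:-00}"
)


def _find_close(s, start):
    """Index of the '}' matching the '%{' that begins at s[start]."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in xlat string")


def _split_default(body):
    """Split 'Name:-default' at the first top-level ':-' (None if absent)."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return body, None


def expand(xlat, attrs, warnings=None):
    """Expand %{Attr} and %{Attr:-default}; an unset attribute with no
    default expands to the empty string, as the server does."""
    out, i = [], 0
    while i < len(xlat):
        if xlat.startswith("%{", i):
            j = _find_close(xlat, i)
            name, default = _split_default(xlat[i + 2:j])
            if default is not None and warnings is not None:
                # The server logs this once per ':-' it meets (see the post).
                warnings.append('Deprecated conditional expansion ":-" in %{' + name + '}')
            value = attrs.get(name)
            if value:
                out.append(value)
            elif default is not None:
                out.append(expand(default, attrs, warnings))  # nested fallback
            i = j + 1
        else:
            out.append(xlat[i])
            i += 1
    return "".join(out)


def build_argv(xlat, attrs):
    """Assumption: the expanded string is split on whitespace and executed
    directly (no shell), so a backslash in a group name survives as-is."""
    return re.split(r"\s+", expand(xlat, attrs).strip())


def membership_arg(argv):
    """Value passed to --require-membership-of, or None if the flag is absent."""
    for a in argv:
        if a.startswith("--require-membership-of="):
            return a.split("=", 1)[1]
    return None


if __name__ == "__main__":
    print(build_argv(NTLM_AUTH, REQUEST))
    no_group = {k: v for k, v in REQUEST.items() if k != "Huntgroup-Name"}
    print(repr(membership_arg(build_argv(NTLM_AUTH, no_group))))  # '' when no huntgroup matched
```

The second print is the check worth keeping in mind with this configuration: because `%{Huntgroup-Name}` has no `:-` default, a request that matches no huntgroup still passes `--require-membership-of=` with an empty group, rather than dropping the restriction or failing in an obvious way.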
