freeRADIUS -> AD Auth

nfischer at hush.com nfischer at hush.com
Fri Aug 15 13:02:25 CEST 2014


Hi again.

I have one last problem.
I hope I don't bug you.

The mschapv2 challenge fails.
--domain=%{mschap:NT-Domain} doesn't change the result.

[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: hausmeister at oblan
[mschap] Told to do MS-CHAPv2 for hausmeister at oblan with NT-Password
[mschap]        expand: %{Stripped-User-Name} -> hausmeister
[mschap]        expand:
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
--username=hausmeister
[mschap] Creating challenge hash with username: hausmeister at oblan
[mschap]        expand: %{mschap:Challenge} -> fffc6d74f50463ee
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} ->
--challenge=fffc6d74f50463ee
[mschap]        expand: %{mschap:NT-Response} ->
46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
--nt-response=46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed!
(0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

NTLM_AUTH works:
haus-meister at KRATOS:~$ ntlm_auth --request-nt-key
--username=hausmeister --domain=OBLAN
Password:
NT_STATUS_OK: Success (0x0)

Winbind gives me a list of all AD users with wbinfo -u.
So I'm pretty sure I still have a mistake in the modules/mschap; I've
tried a couple of things but nothing worked...

Also I have another question:
Is there a way to tell the clients (especially iOS/Android) that they
have to use a proxy server (e.g. 192.168.1.254:3128)
so that the users don't have to do that?

Thanks again!

-- 
 Kind regards
 Nicolas Fischer
 email: nfischer at hush.com
 jabber: jagger at jabber.ccc.de
 tel: 01573-0420888
 Skype: jagger64
 TOX: Just ask me :)
 PGP-Key:
 http://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xCF5E6AD15A5B6132
 If you send me a PGP-encrypted mail I'll be happy and will give you a
free cookie :)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeradius-log.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140815/766d2fb3/attachment-0001.txt>
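
As an added example (not part of the original post and not FreeRADIUS code), this script rejoins the mail-wrapped debug lines quoted above, checks that the challenge and NT-Response handed to the external program are well-formed, and surfaces the helper's own error, which the later "MS-CHAP2-Response is incorrect" line obscures. The function names and the excerpted log constant are illustrative assumptions.

```python
import re

# Excerpt of the debug output quoted in the post, mail line-wrapping included.
DEBUG_LOG = """\
[mschap]        expand:
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
--username=hausmeister
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} ->
--challenge=fffc6d74f50463ee
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
--nt-response=46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] FAILED: MS-CHAP2-Response is incorrect
"""
# MS-CHAPv2 field sizes in bytes: 8-byte challenge, 24-byte NT response.
EXPECTED_BYTES = {"--challenge": 8, "--nt-response": 24}

def unwrap(log):
    """Rejoin wrapped lines: a new record starts with '[', '+' or 'Exec-'."""
    records = []
    for line in log.splitlines():
        if re.match(r"(\[|\+|Exec-)", line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def module_args(log):
    """Options the module expanded for the external program, as {name: value}."""
    found = (re.search(r"expand: --\S+ -> (--[\w-]+)=(\S+)$", r) for r in unwrap(log))
    return {m.group(1): m.group(2) for m in found if m}

def malformed_fields(args):
    """Names of hex fields that are missing, not hex, or the wrong length."""
    return [name for name, size in EXPECTED_BYTES.items()
            if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * size), args.get(name, ""))]

def diagnose(log):
    """Report malformed inputs first, else the external program's own error."""
    text = "\n".join(unwrap(log))
    rc = re.search(r"Exec-Program: returned: (\d+)", text)
    out = re.search(r"Exec-Program output: (.*?) \((0x[0-9a-fA-F]+)\)", text)
    if bad := malformed_fields(module_args(log)):
        return ("malformed-input", bad)
    if rc and int(rc.group(1)) != 0 and out:
        return ("helper-error", out.group(1), out.group(2))
    return ("no-helper-error",)

print(diagnose(DEBUG_LOG))
```

On the quoted log both hex fields pass the length check, so the result points at the helper's reply from winbind rather than at the values the module passed in.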