PEAP and Automatically use my Windows logon name

Michal Bruncko michal.bruncko at zssos.sk
Thu Jan 30 19:27:56 CET 2014


Hello

I am trying to authenticate end VPN users using the PEAP method against a 
FreeRADIUS server. On the client side there is the built-in VPN client (PPTP) on 
Windows 7 machines. In general everything is working: users are able to 
authenticate once they manually enter their credentials. The scenario 
with a (manually filled) domain name included also works, and users 
are able to authenticate as well.
The problems start when I try to use the "Automatically use my Windows 
logon name and password (and domain if any)" checkbox within the PEAP method: 
the user is not able to authenticate even if the logged-in Windows 
account (login/pass) is the same as on the server side.

From the RADIUS debug logs, the problems start at the beginning of the 
mschapv2 module:

Working part (with manually filled domain):
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn
[mschapv2] +- entering group MS-CHAP {...}
[mschapv2] ++? if ("%{My-Local-Client-Type}" == "user")
[mschapv2]      expand: %{My-Local-Client-Type} -> user
[mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE
[mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE
[mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...}
[mschap_vpn] Creating challenge hash with username: bob
[mschap_vpn] Told to do MS-CHAPv2 for timeos with NT-Password
[mschap_vpn]    expand: --username=%{mschap:User-Name} -> --username=bob
[mschap_vpn] Creating challenge hash with username: bob
[mschap_vpn]    expand: --challenge=%{mschap:Challenge:-00} -> --challenge=63b158798144225d
[mschap_vpn]    expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=44a58798471dc8e98dc3854e7c285246596fafb0c116cd14
Exec-Program output: NT_KEY: ABF2579A08227E23F0984101C44B8D12
Exec-Program-Wait: plaintext: NT_KEY: ABF2579A08227E23F0984101C44B8D12
Exec-Program: returned: 0
[mschap_vpn] adding MS-CHAPv2 MPPE keys
+++[mschap_vpn] returns ok
++- if ("%{My-Local-Client-Type}" == "user") returns ok
MSCHAP Success


Not working case (using "Automatically use my Windows logon name..."):
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn
[mschapv2] +- entering group MS-CHAP {...}
[mschapv2] ++? if ("%{My-Local-Client-Type}" == "user")
[mschapv2]      expand: %{My-Local-Client-Type} -> user
[mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE
[mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE
[mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...}
[mschap_vpn] ERROR: User-Name (abrakadabra\bob) is not the same as MS-CHAP Name (bob) from EAP-MSCHAPv2
+++[mschap_vpn] returns reject
++- if ("%{My-Local-Client-Type}" == "user") returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [abrakadabra\\bob] (from client vpn.exmaple.com port 0 via TLS tunnel)


mschap module:
mschap mschap_vpn {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-248145504-287154277-2125575804-1588"
}

notes:
- If I write the domain in the login box manually, it is typed in uppercase 
(without the ability to change it): "ABRAKADABRA\bob". If I check 
"Automatically use my Windows logon name...", the domain (only the 
local computer) name is pushed in lower case: "abrakadabra\bob". That's 
the main difference I can see from comparing both debug logs.
- If I write the domain manually inside the login name using 
"abrakadabra\bob" and keep the "Domain" field empty, the name will be 
pushed as "abrakadabra\bob", but in this case I will be authenticated 
_successfully_. It sounds to me that this issue has nothing to do with the 
uppercase/lowercase of the domain name; it must be something else which 
breaks all authentication using Windows login credentials.
- The client computer domain is not a real domain, it's just the computer 
name, but this does not matter as the domain name is not pushed to 
ntlm_auth at all. If I try to log in directly using "ntlm_auth" without 
providing the "--domain" parameter, I am authenticated correctly.

Please, does anyone have working PEAP authentication with the ability to use 
"Automatically use my Windows logon name..."? What am I doing wrong?

thank you

michal
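An added illustration of the consistency check behind the ERROR line in the failing log (example code written for this page, not FreeRADIUS source): it models the comparison of the inner User-Name against the Name field of the EAP-MSCHAPv2 response, and the domain stripping that with_ntdomain_hack applies before the name reaches ntlm_auth, run over the two identities from the logs plus a constructed mixed-case pair. The case-insensitive comparison and the Name value in the working case are assumptions of the model.

```python
"""Model of rlm_mschap's User-Name vs. MS-CHAP Name check (assumed semantics).

The check binds two identities that arrive separately inside the tunnel: the
inner User-Name and the Name field carried in the MS-CHAPv2 response. If they
differ, the request is rejected before any hash is verified, so a client cannot
claim one account in User-Name and answer the challenge for another.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    result: str                     # "ok" or "reject"
    reason: str
    ntlm_auth_user: Optional[str]   # value passed as --username, None on reject


def strip_ntdomain(name: str, with_ntdomain_hack: bool) -> str:
    """Drop a leading DOMAIN\\ when the hack is on (as in the 'bob' expand line)."""
    if with_ntdomain_hack and "\\" in name:
        return name.split("\\", 1)[1]
    return name


def mschapv2_check(user_name: str, mschap_name: str,
                   with_ntdomain_hack: bool = True) -> Decision:
    """Return reject on identity mismatch, else the ntlm_auth username."""
    # Assumption: comparison ignores case, so ABRAKADABRA vs abrakadabra alone
    # would not fail; a missing or extra DOMAIN\\ prefix on one side does.
    if user_name.lower() != mschap_name.lower():
        return Decision("reject",
                        f"User-Name ({user_name}) is not the same as "
                        f"MS-CHAP Name ({mschap_name}) from EAP-MSCHAPv2", None)
    return Decision("ok", "identities match",
                    strip_ntdomain(user_name, with_ntdomain_hack))


# Constructed cases: the second pair is taken from the failing log; the Name
# field of the working case is assumed to carry the domain as well.
CASES = {
    "manual domain (works)":  ("ABRAKADABRA\\bob", "ABRAKADABRA\\bob"),
    "auto logon (fails)":     ("abrakadabra\\bob", "bob"),
    "case differs only":      ("abrakadabra\\bob", "ABRAKADABRA\\bob"),
}

if __name__ == "__main__":
    for label, (user_name, mschap_name) in CASES.items():
        d = mschapv2_check(user_name, mschap_name)
        print(f"{label:24} -> {d.result:6} {d.ntlm_auth_user or d.reason}")
```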

