Machine auth fails but user auth works

Alan DeKok aland at deployingradius.com
Tue Dec 8 18:55:06 CET 2015


> On Dec 8, 2015, at 12:39 PM, Dennis Xu <dxu at uoguelph.ca> wrote:
> 
> I see one difference between my machine auth and user auth cases:
> ...
> Machine auth:
> (19)    mschap : Creating challenge hash with username: host/CCS-252.cfs.uoguelph.ca
> (19)    mschap : Client is using MS-CHAPv2
> Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (19)    mschap : EXPAND --username=%{%{mschap:User-Name}:-00}
> (19)    mschap :    --> --username=CCS-252$
> (19)    mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (19)    mschap :    --> --username=host/CCS-252.cfs.uoguelph.ca
> (19)    mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA}
> (19)    mschap :    --> --domain=cfs
> (19)    mschap : Creating challenge hash with username: host/CCS-252.cfs.uoguelph.ca
> (19)    mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (19)    mschap :    --> --challenge=9845f8f1049eec1c
> (19)    mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (19)    mschap :    --> --nt-response=c1ee140e5d85a62db9d4dd943a841a0f317a77521e0c26e0
> Program returned code (1) and output 'Logon failure (0xc000006d)'
> (19)    mschap : External script failed
> (19)    ERROR: mschap : External script says: Logon failure (0xc000006d)
> (19)    ERROR: mschap : MS-CHAP2-Response is incorrect
> (19)     [mschap] = reject
> (19)    } # Auth-Type MS-CHAP = reject
> 
> The EXPAND domain value from user auth is "domain=CFS.UOGUELPH.CA" which is correct, but it got "domain=cfs" in the machine auth case. I am not sure if that is important. 

  It would seem to be important.

  FreeRADIUS is working correctly.  As you configured it.

  If you want it to work, figure out how to use the correct domain for machine authentication.  It will then work.

  Alan DeKok.
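An added example (not part of the original thread, and not FreeRADIUS code): a small Python parser for the `EXPAND` / `-->` pairs in the debug output quoted above. It reports where a `%{%{attribute}:-fallback}` template had a real fallback configured but expanded to something else. The function names and the treatment of `00` and `None` as placeholder fallbacks are assumptions made for this example.

```python
import re

# Lines copied from the machine-auth debug output quoted in the thread above.
MACHINE_AUTH_DEBUG = """\
(19)    mschap : EXPAND --username=%{%{mschap:User-Name}:-00}
(19)    mschap :    --> --username=CCS-252$
(19)    mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(19)    mschap :    --> --username=host/CCS-252.cfs.uoguelph.ca
(19)    mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA}
(19)    mschap :    --> --domain=cfs
(19)    mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(19)    mschap :    --> --challenge=9845f8f1049eec1c
"""

# Matches only the simple form --opt=%{%{attribute}:-fallback};
# templates with a nested fallback are skipped.
EXPAND_RE = re.compile(r"EXPAND\s+(--[\w-]+)=%\{%\{([^}]+)\}:-([^}]*)\}\s*$")
RESULT_RE = re.compile(r"-->\s+(--[\w-]+)=(.*)$")

def expansions(debug_text):
    """Pair each simple EXPAND template with the '-->' line that follows it."""
    records, pending = [], None
    for line in debug_text.splitlines():
        if "EXPAND" in line:
            m = EXPAND_RE.search(line)
            pending = m.groups() if m else None
            continue
        r = RESULT_RE.search(line)
        if r:
            if pending and r.group(1) == pending[0]:
                option, attribute, fallback = pending
                records.append({"option": option, "attribute": attribute,
                                "fallback": fallback, "value": r.group(2).strip()})
            pending = None
    return records

def unused_fallbacks(records, placeholders=("00", "None")):
    """Records whose non-placeholder fallback differs from the expanded value.
    Treating "00" and "None" as placeholders is an assumption of this example."""
    return [r for r in records
            if r["fallback"] not in placeholders
            and r["value"].lower() != r["fallback"].lower()]

if __name__ == "__main__":
    for rec in unused_fallbacks(expansions(MACHINE_AUTH_DEBUG)):
        print(f'{rec["option"]}: {rec["attribute"]} expanded to {rec["value"]!r}; '
              f'fallback {rec["fallback"]!r} was not used')
```

The `:-` fallback is only used when the inner attribute expands to nothing, so the configured domain is not passed to `ntlm_auth` whenever `mschap:NT-Domain` returns a value of its own.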



