MSCHAP Machine/User Authentication with Windows

Tynan Young tynany at gmail.com
Mon May 11 10:25:28 CEST 2015


> > (8) eap_mschapv2 :  Auth-Type MS-CHAP {
> > (8) mschap : Creating challenge hash with username:
> > host/win81-ops.in.testdomain
> > (8) mschap : Client is using MS-CHAPv2
> > (8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key
> > --username=%{mschap:User-Name:-None}
> > --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
> > --challenge=%{mschap:Challenge:-00}
> > --nt-response=%{mschap:NT-Response:-00}
> > (8) mschap : EXPAND --username=%{mschap:User-Name:-None}
> > (8) mschap :    --> --username=win81-ops$
> > (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
> > (8) mschap :    --> --domain=in
> > (8) mschap : Creating challenge hash with username:
> > host/win81-ops.in.testdomain
> > (8) mschap : EXPAND --challenge=%{mschap:Challenge:-00}
> > (8) mschap :    --> --challenge=4d7bb6f00f0d7a38
> > (8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00}
> > (8) mschap :    -->
> > --nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229
> > (8) ERROR: mschap : Program returned code (1) and output 'Logon
> > failure (0xc000006d)'
> > (8) mschap : External script failed.
> > (8) ERROR: mschap : External script says: Logon failure (0xc000006d)
> > (8) ERROR: mschap : MS-CHAP2-Response is incorrect
>
> What *should* the username be? "host/win81-ops.in.testdomain"? If so,
> your User-Name that's being passed to ntlm_auth is incorrect.
>
> You'll notice from the above output that mschap believes the username
> should be 'win81-ops', and the domain should be 'in'. I suspect that's
> wrong...
>
> :-)
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator

Username = testuser
Domain = testdomain
FQDN = in.testdomain
Computer name = win81-ops

I believe that debug is of an attempted machine authentication, which would
explain 'host/machine name' (i.e. host/win81-ops.in.testdomain).

Cheers.
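Added illustration (my own Python reimplementation, not FreeRADIUS or rlm_mschap code): it reproduces how the quoted debug turned the host/ name into "--username=win81-ops$" and "--domain=in", applies the ":-TESTDOMAIN" fallback from the quoted config, and flags the case Stefan suspects, where the derived domain is not the NetBIOS domain the account lives in. The host/ split is inferred from the debug output above; the DOMAIN\user handling and the function names are assumptions.

```python
from typing import List, Optional

DEFAULT_DOMAIN = "TESTDOMAIN"  # the ":-TESTDOMAIN" fallback in the quoted config


def mschap_user_name(user_name: str) -> str:
    """Reimplementation (assumption) of what %{mschap:User-Name} produced above.

    'host/<fqdn>' (machine auth) becomes the machine account: the label before
    the first dot plus a trailing '$'.  'DOMAIN\\user' loses its prefix; any
    other name is returned unchanged.
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        return fqdn.split(".", 1)[0] + "$"
    return user_name.rsplit("\\", 1)[-1]


def mschap_nt_domain(user_name: str) -> Optional[str]:
    """Reimplementation (assumption) of %{mschap:NT-Domain}.

    For 'host/<fqdn>' the DNS label right after the host name is used (which
    is why the debug shows 'in'); for 'DOMAIN\\user' the prefix; None when no
    domain is present, so the config's ':-' default applies.
    """
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        return labels[1] if len(labels) > 1 else None
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None


def ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str,
                   default_domain: str = DEFAULT_DOMAIN) -> List[str]:
    """Build the argv the quoted config hands to ntlm_auth (not executed here)."""
    domain = mschap_nt_domain(user_name) or default_domain
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={mschap_user_name(user_name)}",
            f"--domain={domain}",
            f"--challenge={challenge_hex}",
            f"--nt-response={nt_response_hex}"]


def domain_mismatch(user_name: str, expected_netbios_domain: str) -> bool:
    """Diagnostic: True when --domain would not be the expected NetBIOS domain."""
    derived = mschap_nt_domain(user_name) or DEFAULT_DOMAIN
    return derived.upper() != expected_netbios_domain.upper()
```

Running domain_mismatch("host/win81-ops.in.testdomain", "TESTDOMAIN") returns True, matching the suspicion in the quoted reply.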

