FreeRadius and AD authentication

Dennis Xu dxu at uoguelph.ca
Fri Sep 11 18:06:41 CEST 2015


I have installed FreeRadius 3.04 on RHEL7 and configured FreeRadius and Samba according to the following docs: 

http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO 
http://deployingradius.com/documents/configuration/active_directory.html 

Both wbinfo and ntlm_auth tests worked fine: 
[root at rotator mods-available]# wbinfo -a dxu001%xxxxxxx 
plaintext password authentication failed 
Could not authenticate user dxu001%xxxxxxxx with plaintext password 
challenge/response password authentication succeeded 
[root at rotator mods-available]# ntlm_auth --request-nt-key --domain=cfs.uoguelph.ca --username=dxu001 
Password: 
NT_STATUS_OK: Success (0x0) 
[root at rotator mods-available]# 
When I tried to authenticate using username dxu001, the authentication failed. Below are the debug outputs: 

server inner-tunnel { 
(15) server inner-tunnel { 
(15) Request: 
EAP-Message = 0x020700411a0207003c31ea301dc50a02a3039d53ef8da042028d0000000000000000416ca750de3cd86e2f16a1533433d62264a5a1946f17c6c400647875303031 
FreeRADIUS-Proxied-To = 127.0.0.1 
User-Name = 'dxu001' 
State = 0x20b8045120bf1e31a648ded5aa0c1cba 
Chargeable-User-Identity = 0x00 
Location-Capable = Civix-Location 
Calling-Station-Id = '90-18-7c-17-97-6c' 
Called-Station-Id = '04-fe-7f-93-7c-a0:test-secure' 
NAS-Port = 1 
Acct-Session-Id = '55f2fb67/90:18:7c:17:97:6c/97' 
NAS-IP-Address = 131.104.45.66 
NAS-Identifier = 'WLC_TEST' 
Service-Type = Framed-User 
Framed-MTU = 1300 
NAS-Port-Type = Wireless-802.11 
Event-Timestamp = 'Sep 11 2015 12:05:06 EDT' 
(15) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel 
(15) authorize { 
(15) [chap] = noop 
(15) [mschap] = noop 
(15) suffix : Checking for suffix after "@" 
(15) suffix : No '@' in User-Name = "dxu001", looking up realm NULL 
(15) suffix : No such realm "NULL" 
(15) [suffix] = noop 
(15) update control { 
(15) Proxy-To-Realm := 'LOCAL' 
(15) } # update control = noop 
(15) eap : Peer sent code Response (2) ID 7 length 65 
(15) eap : No EAP Start, assuming it's an on-going EAP conversation 
(15) [eap] = updated 
(15) [files] = noop 
(15) [expiration] = noop 
(15) [logintime] = noop 
(15) [pap] = noop 
(15) } # authorize = updated 
(15) Found Auth-Type = EAP 
(15) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel 
(15) authenticate { 
(15) eap : Expiring EAP session with state 0x20b8045120bf1e31 
(15) eap : Finished EAP session with state 0x20b8045120bf1e31 
(15) eap : Previous EAP request found for state 0x20b8045120bf1e31, released from the list 
(15) eap : Peer sent method MSCHAPv2 (26) 
(15) eap : EAP MSCHAPv2 (26) 
(15) eap : Calling eap_mschapv2 to process EAP data 
(15) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel 
(15) eap_mschapv2 : Auth-Type MS-CHAP { 
(15) mschap : Creating challenge hash with username: dxu001 
(15) mschap : Client is using MS-CHAPv2 
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: 
(15) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
(15) mschap : --> --username=dxu001 
(15) ERROR: mschap : No NT-Domain was found in the User-Name 
(15) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA} 
(15) mschap : --> --domain=CFS.UOGUELPH.CA 
(15) mschap : Creating challenge hash with username: dxu001 
(15) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00} 
(15) mschap : --> --challenge=43f96f7805c5bb5a 
(15) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00} 
(15) mschap : --> --nt-response=416ca750de3cd86e2f16a1533433d62264a5a1946f17c6c4 
Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)' 
(15) mschap : External script failed 
(15) ERROR: mschap : External script says: Reading winbind reply failed! (0xc0000001) 
(15) ERROR: mschap : MS-CHAP2-Response is incorrect 
(15) [mschap] = reject 
Any ideas? Thanks! 
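Added diagnostic, not part of the original post and not FreeRADIUS or Samba code. The interactive tests above (wbinfo -a, ntlm_auth with a password typed in) were run as root, while rlm_mschap executes ntlm_auth as the radiusd service user with --challenge/--nt-response, which is what fails with "Reading winbind reply failed! (0xc0000001)". That message is ntlm_auth's wording for "winbindd returned failure without an NT_STATUS", i.e. the request never got a verdict; a wrong password would come back as NT_STATUS_WRONG_PASSWORD or NT_STATUS_LOGON_FAILURE instead. The script below replays the exact ntlm_auth call from the "(15) mschap" EXPAND lines (challenge 43f96f7805c5bb5a, the 24-byte NT-Response) twice, once as the current user and once as the service user, and compares the verdicts, so a permission/socket problem can be told apart from a credential problem. Assumptions, not stated in the post: the service account is named radiusd, the winbindd privileged socket directory is the RHEL7 default /var/lib/samba/winbindd_privileged, and the account's password has not changed since the capture (the replay of a captured challenge/response pair only verifies if it has not).

```shell
#!/bin/sh
# Added diagnostic script (not from the original post or the FreeRADIUS/Samba projects).
# Replays the ntlm_auth call rlm_mschap made, as root and as the service user, and
# reports whether the service user can reach winbindd's privileged socket directory.
# ASSUMPTIONS (not in the post): service user "radiusd", privileged dir below, and an
# unchanged account password since the debug capture.

NTLM_AUTH=/usr/bin/ntlm_auth
RADIUS_USER=radiusd
PRIV_DIR=/var/lib/samba/winbindd_privileged

# Values copied verbatim from the "(15) mschap" EXPAND lines in the debug output.
USER_NAME=dxu001
NT_DOMAIN=CFS.UOGUELPH.CA
CHALLENGE=43f96f7805c5bb5a
NT_RESPONSE=416ca750de3cd86e2f16a1533433d62264a5a1946f17c6c4

# rlm_mschap passes an 8-byte challenge and a 24-byte NT-Response, hex encoded.
# Returns 0 when $1 is exactly $2 bytes of hex, 1 otherwise.
hex_is_bytes() {
    case "$1" in *[!0-9a-fA-F]*|"") return 1 ;; esac
    [ "${#1}" -eq $(( $2 * 2 )) ]
}

# Reproduce the argument list rlm_mschap expands (the "Executing:" line in the debug output).
build_ntlm_auth_cmd() {
    printf '%s --request-nt-key --username=%s --domain=%s --challenge=%s --nt-response=%s' \
        "$NTLM_AUTH" "$1" "$2" "$3" "$4"
}

# Map ntlm_auth's exit code ($1) and output ($2) to a verdict. "Reading winbind reply
# failed" means winbindd gave no NT_STATUS at all (socket/permission problem), whereas
# a bad password is reported as NT_STATUS_WRONG_PASSWORD or NT_STATUS_LOGON_FAILURE.
classify_ntlm_auth_result() {
    case "$2" in
        *NT_STATUS_OK*)                   [ "$1" -eq 0 ] && echo ok || echo inconsistent ;;
        *"Reading winbind reply failed"*) echo winbind-unreachable ;;
        *NT_STATUS_WRONG_PASSWORD*|*NT_STATUS_LOGON_FAILURE*) echo bad-credentials ;;
        *)                                echo other ;;
    esac
}

# Prints "yes" if group $1 appears in the space-separated group list $2 (format of id -Gn).
user_in_group_list() {
    for g in $2; do [ "$g" = "$1" ] && { echo yes; return 0; }; done
    echo no
}

# Replay the captured exchange as user $1 ("" = current user) and print the verdict.
# stderr is merged so classify_ntlm_auth_result sees ntlm_auth's error text too.
replay_as() {
    cmd=$(build_ntlm_auth_cmd "$USER_NAME" "$NT_DOMAIN" "$CHALLENGE" "$NT_RESPONSE")
    if [ -n "$1" ]; then out=$(runuser -u "$1" -- $cmd 2>&1) && rc=0 || rc=$?
    else out=$($cmd 2>&1) && rc=0 || rc=$?; fi
    printf '%s: %s (rc=%s)\n' "${1:-$(id -un)}" "$(classify_ntlm_auth_result "$rc" "$out")" "$rc"
}

# Sanity-check the captured values before replaying them.
hex_is_bytes "$CHALLENGE" 8 && hex_is_bytes "$NT_RESPONSE" 24 \
    || echo "captured challenge/response have unexpected lengths" >&2

# Can the service user reach the privileged socket directory at all?
if [ -d "$PRIV_DIR" ]; then
    priv_group=$(stat -c %G "$PRIV_DIR")
    echo "$PRIV_DIR is owned by group '$priv_group'; $RADIUS_USER is a member: $(user_in_group_list "$priv_group" "$(id -Gn "$RADIUS_USER" 2>/dev/null)")"
fi

# Live replay needs ntlm_auth and root (to switch to the service user); skipped otherwise.
if command -v "$NTLM_AUTH" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    replay_as ""              # same identity that ran wbinfo/ntlm_auth interactively
    replay_as "$RADIUS_USER"  # the identity rlm_mschap actually executes ntlm_auth as
else
    echo "ntlm_auth not found or not running as root: skipping live replay" >&2
fi
```

Run it as root on the RADIUS server. If the first replay reports "ok" and the second "winbind-unreachable", the credentials and the Samba join are fine and the difference is purely the identity ntlm_auth runs as; if both report "winbind-unreachable", look at winbindd itself rather than at FreeRADIUS.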

