radtest passes test, phone connects to WiFi, but laptop does not

Alan DeKok aland at deployingradius.com
Wed Nov 2 20:00:18 CET 2016


On Nov 2, 2016, at 2:48 PM, Daniel Wruck <daniel.wruck at fbchammond.com> wrote:
> I have FreeRADIUS 3.0.12 set up on an Ubuntu 16.04 box. I believe that I have most everything working (except maybe sql). I have an AD forest with 1 domain (fbcexample.com) and 3 child domains (hac.fbcexample.com, cbs.fbcexample.com, and hac.fbcexample.com). I created 4 named mschap modules so that I could hard code the --domain property in each one.

  That's not a good idea.

> I can successfully rad test from each of my 4 domains against it including group membership.

  Those domains should all be part of one AD forest.  i.e. they are NOT 4 different AD servers.  They are one server, with 4 domains.

> Then I setup a test SSID on my aruba controller.  I can connect via my android phone (with just username & pass), but connecting a laptop to is not working (it appears that it is sending domain as a part of username). It seems that there is more security stuff going on when the laptop connects; maybe I don't have MSCHAPv2 configured right? Something broken in realms?

  The recommendation as always is to start simple, and then once it works, add something else.  Starting with a complex configuration is a guaranteed way to never get it working.

> When the Win 10 x64 laptop connects, radius -X first shows that it is trying to connect via computer name. Then a box pops up asking for username and password with a checkmark for 'Use my Windows user account", I choose and continue. Radius -X shows that several more requests are made and then windows sows 'Can't connect to this network'. Any suggestions on where my problem is?

  Start with a simple configuration.  One domain, and see if it works.  This should be simple:

http://deployingradius.com/documents/configuration/active_directory.html

> I created the CA and server certs and have believe them to be correctly installed. But not sure that this has anything to do with the problem descripted above.

  Probably not.

> Examples of the code that I am running. I included a pastebin for the 3000 lines of radius -X output.
> WORKING RADTEST LINE
> radtest -t mschap daniel.radius  passw0rd 127.0.0.1 0 testing123

  That's a good test.

> 
> ABBREVIATED MSCHAP MODULE
> mschap mschap_fbc {
>        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00}  --require-membership-of='fbcexample\\LDAP_WiFi'"
> 
>      . . .
> }

  That's... likely a problem.  It should work, but why hard-code the domain?

> DEFAULT SITE AUTHENICATE SECTION
> authenticate {
>  . . .
> #  MSCHAP authentication.
>        Auth-Type MS-CHAP {
>            mschap_fbc {
>                reject = 2
>             }
>             if (reject){
>                mschap_hac
>                reject = 2
>             }
>             if (reject){
>                mschap_hbs
>                reject = 2
>             }
>             if (reject){
>                mschap_cbs
>                reject = 2
>             }
>        }
>  . . .
> }

  That's a *terrible* idea.  Don't do that.  Ever.  It will destroy your AD servers with traffic.

  AD can't really handle any kind of traffic load.  Maybe a few dozens of packets a second.  Increasing the load by a factor of 4 is bad.

  The simpler solution, and the one everyone else uses, is to just require users to login with their domain.

  Follow the examples from the web site, which have a hard-coded domain.  Then, change the MS-CHAP module configuration to:

       exec ntlm_auth {
                wait = yes
                program = "/path/to/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password}"
        }

 Which should work.

  The idea is that once you have the domain in the Access-Request, you just pass it to AD.  You don't care what the *value* of the domain is, because AD will do the checking for you.

  That way you have one RADIUS configuration, and it works for 4 domains.

  Your current configuration is slow, complex, and will regularly take down your AD server.

  Alan DeKok.




More information about the Freeradius-Users mailing list