mschap configuration problem

Piviul piviul at riminilug.it
Tue Jul 7 15:05:00 CEST 2020


Hi there, I'm new to freeradius and I'm trying to configure it to 
authenticate on an AD domain using mschap and ntlm_auth. From a client I 
have put domain, username and password in variables to be sure that 
there are no typing errors, then I run:
> # ntlm_auth --allow-mschapv2 --domain=$domain --username=$username --password=$password && radtest -t mschap "$domain\\$username" $password 127.0.0.1 0 testing123
> NT_STATUS_OK: The operation completed successfully. (0x0)
> Sent Access-Request Id 58 from 0.0.0.0:55359 to 127.0.0.1:1812 length 139
> 	User-Name = "CSATEST\\user1"
> 	MS-CHAP-Password = "Alfa.2020"
> 	NAS-IP-Address = 192.168.64.10
> 	NAS-Port = 0
> 	Message-Authenticator = 0x00
> 	Cleartext-Password = "Alfa.2020"
> 	MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> 	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
> Received Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61
> 	MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> (0) -: Expected Access-Accept got Access-Reject

From the server side, freeradius said:
> (5) Received Access-Request Id 58 from 127.0.0.1:55359 to 127.0.0.1:1812 length 139
> (5)   User-Name = "CSATEST\\user1"
> (5)   NAS-IP-Address = 192.168.64.10
> (5)   NAS-Port = 0
> (5)   Message-Authenticator = 0x20d737038881440d2585fa1b63641a0f
> (5)   MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> (5)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
> (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (5)   authorize {
> (5)     policy filter_username {
> (5)       if (&User-Name) {
> (5)       if (&User-Name)  -> TRUE
> (5)       if (&User-Name)  {
> (5)         if (&User-Name =~ / /) {
> (5)         if (&User-Name =~ / /)  -> FALSE
> (5)         if (&User-Name =~ /@[^@]*@/ ) {
> (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (5)         if (&User-Name =~ /\.\./ ) {
> (5)         if (&User-Name =~ /\.\./ )  -> FALSE
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (5)         if (&User-Name =~ /\.$/)  {
> (5)         if (&User-Name =~ /\.$/)   -> FALSE
> (5)         if (&User-Name =~ /@\./)  {
> (5)         if (&User-Name =~ /@\./)   -> FALSE
> (5)       } # if (&User-Name)  = notfound
> (5)     } # policy filter_username = notfound
> (5)     [preprocess] = ok
> (5)     [chap] = noop
> (5) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> (5)     [mschap] = ok
> (5)     [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "CSATEST\user1", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5)     [suffix] = noop
> (5) eap: No EAP-Message, not doing EAP
> (5)     [eap] = noop
> (5)     [files] = noop
> (5)     [expiration] = noop
> (5)     [logintime] = noop
> (5) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
> (5) pap: WARNING: Authentication will fail unless a "known good" password is available
> (5)     [pap] = noop
> (5)   } # authorize = ok
> (5) Found Auth-Type = mschap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5)   authenticate {
> (5) mschap: Client is using MS-CHAPv1 with NT-Password
> (5) mschap: Executing: /usr/bin/ntlm_auth  --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}:
> (5) mschap: EXPAND --domain=%{mschap:NT-Domain}
> (5) mschap:    --> --domain=CSATEST
> (5) mschap: EXPAND --username=%{mschap:User-Name}
> (5) mschap:    --> --username=user1
> (5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'
> (5) mschap: External script failed
> (5) mschap: ERROR: External script says: Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)
> (5) mschap: ERROR: MS-CHAP2-Response is incorrect
> (5)     [mschap] = reject
> (5)   } # authenticate = reject
> (5) Failed to authenticate the user
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5)   Post-Auth-Type REJECT {
> (5) attr_filter.access_reject: EXPAND %{User-Name}
> (5) attr_filter.access_reject:    --> CSATEST\\user1
> (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (5)     [attr_filter.access_reject] = updated
> (5)     [eap] = noop
> (5)     policy remove_reply_message_if_eap {
> (5)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (5)       else {
> (5)         [noop] = noop
> (5)       } # else = noop
> (5)     } # policy remove_reply_message_if_eap = noop
> (5)   } # Post-Auth-Type REJECT = updated
> (5) Login incorrect (mschap: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'): [CSATEST\user1] (from client localhost port 0)
> (5) Delaying response for 1.000000 seconds
> Waking up in 0.2 seconds.
> Waking up in 0.7 seconds.
> (5) Sending delayed response
> (5) Sent Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61
> (5)   MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> Waking up in 3.9 seconds.
> (5) Cleaning up request packet ID 58 with timestamp +927

Can someone help me understand where I went wrong?

Piviul
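To make the attributes in the exchange above easier to read, here is an added decoder (not part of the post, and not FreeRADIUS code) that unpacks the 50-byte MS-CHAP-Response, uses the MS-CHAP-Challenge length to tell MS-CHAPv1 from v2, and decodes the MS-CHAP-Error string from the Access-Reject. It reads the "\000" printed by radtest as a single NUL Ident byte, as RFC 2759 specifies.

```python
from dataclasses import dataclass

# Attribute values copied from the radtest / freeradius output in the post above.
CHALLENGE_HEX = "0x6b4e461a0c35c8da"
RESPONSE_HEX = "0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385"
ERROR_RAW = b"\x00E=691 R=1 C=373db952a357b248 V=2"  # radtest shows the Ident byte as "\000"

# Error codes defined by RFC 2433 (MS-CHAPv1) and RFC 2759 (MS-CHAPv2).
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

@dataclass
class MsChapResponse:
    version: int           # 1 for MS-CHAP-Response, 2 for MS-CHAP2-Response
    ident: int
    flags: int             # v1: 1 means "NT-Response is used instead of LM-Response"
    lm_response: bytes     # v1 only; all zero in the post, i.e. not used
    peer_challenge: bytes  # v2 only; empty for v1
    nt_response: bytes     # 24-byte NT response in both versions

def _unhex(s):
    return bytes.fromhex(s[2:] if s.startswith("0x") else s)

def parse_challenge(hexstr):
    """The challenge length identifies the protocol: 8 bytes is v1, 16 bytes is v2."""
    raw = _unhex(hexstr)
    if len(raw) not in (8, 16):
        raise ValueError(f"MS-CHAP-Challenge must be 8 or 16 bytes, got {len(raw)}")
    return (1 if len(raw) == 8 else 2), raw

def parse_response(hexstr, version):
    """Unpack the 50-byte MS-CHAP(2)-Response VSA payload (RFC 2548 sections 2.1.3 / 2.3.2)."""
    raw = _unhex(hexstr)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP response must be 50 bytes, got {len(raw)}")
    ident, flags = raw[0], raw[1]
    if version == 1:  # Ident, Flags, LM-Response[24], NT-Response[24]
        return MsChapResponse(1, ident, flags, raw[2:26], b"", raw[26:50])
    # v2: Ident, Flags, Peer-Challenge[16], Reserved[8], NT-Response[24]
    return MsChapResponse(2, ident, flags, b"", raw[2:18], raw[26:50])

def parse_error(raw):
    """Decode MS-CHAP-Error: Ident byte, then 'E=eeee R=r C=<hex> V=v [M=message]'."""
    ident, text = raw[0], raw[1:].decode("ascii")
    text, _, message = text.partition(" M=")  # the message may itself contain spaces
    fields = dict(tok.split("=", 1) for tok in text.split(" ") if "=" in tok)
    code = int(fields["E"])
    return {"ident": ident, "code": code, "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry_allowed": fields.get("R") == "1",
            "challenge": bytes.fromhex(fields["C"]) if "C" in fields else b"",
            "version": int(fields.get("V", "0")), "message": message}
```

Run against the post's values, this shows the client sent an MS-CHAPv1 NT-Response with an all-zero LM-Response, and the reject carries E=691 (authentication failure) with retry allowed.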

