MSCHAP using multiple domains

Klemen forneci forneci at gmail.com
Tue Jul 21 18:01:39 CEST 2020


Hello.
I know this may not be strictly radius related, but my google-fu is
all used up (not much on the subject). Now to the problem:
I'm using freeradius 3.13 on centos7 (upgrading from v2 on centos6).
In the modules directory I have 2 mschap configurations based on user domain
(windows domain):

mschap mschap_thor {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-THOR} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

mschap mschap_loki {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-LOKI} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

In sites-enabled/default:

   Auth-Type MS-CHAP {
      if (Realm == "um.si") {
          mschap_thor
      }
      elsif (Realm == "guest.um.si") {
          mschap_thor
      }
      elsif (Realm == "student.um.si") {
          mschap_loki
      }
   }

When I use mschap_thor everything works. When I try mschap_loki, I get
the following error:
(2) mschap_loki: ERROR: Program returned code (1) and output 'Logon
Failure: The machine you are logging onto is protected by an
authentication firewall. The specified account is not allowed to
authenticate to the machine. (0xc0000413)'
(2) mschap_loki: External script failed
(2) mschap_loki: ERROR: External script says: Logon Failure: The
machine you are logging onto is protected by an authentication
firewall. The specified account is not allowed to authenticate to the
machine. (0xc0000413)
(2) mschap_loki: ERROR: MS-CHAP2-Response is incorrect

I've tried adding the radiusd server to the LOKI domain (net ads
join), but the error remains. Are there any more settings in
freeradius, or anywhere else, that I've missed? The whole project is at
a standstill because of this :/

Thank you and best regards,
Klemen
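As an added example (not from Klemen's mail or from the FreeRADIUS project), a small Python expander for the nested `%{%{attr}:-default}` form used in the ntlm_auth strings above. It assumes a flat dictionary of already-resolved names (`Stripped-User-Name`, `mschap:NT-Domain`, ...) as constructed sample input and shows which `--username` and `--domain` values ntlm_auth would actually be invoked with, in particular that the `LOKI` default only applies when the client supplied no domain at all.

```python
import shlex

# Same string as in the mschap_loki block above, on one line.
NTLM_AUTH_TEMPLATE = (
    "/usr/bin/ntlm_auth --request-nt-key "
    "--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} "
    "--domain=%{%{mschap:NT-Domain}:-LOKI} "
    "--challenge=%{%{mschap:Challenge}:-00} "
    "--nt-response=%{%{mschap:NT-Response}:-00}"
)


def _parse_body(s, i, attrs):
    """Parse an xlat body starting just after '%{' up to its matching '}'.
    Handles the plain %{name} form and the nested %{%{inner}:-alternative}
    form (inner value if non-empty, otherwise the expanded alternative).
    Returns (expanded value, index just past the closing '}')."""
    if s.startswith("%{", i):
        inner, i = _parse_body(s, i + 2, attrs)
        if not s.startswith(":-", i):
            raise ValueError(f"expected ':-' at offset {i}")
        alt, i = _parse_text(s, i + 2, attrs)
        return (inner if inner else alt), i
    end = s.index("}", i)
    # Simplification: module xlats such as mschap:NT-Domain are looked up
    # in the same flat dict as attributes; missing names expand to "".
    return attrs.get(s[i:end], ""), end + 1


def _parse_text(s, i, attrs):
    """Expand literals and %{...} until the enclosing '}' (consumed)."""
    out = []
    while True:
        if s.startswith("%{", i):
            value, i = _parse_body(s, i + 2, attrs)
            out.append(value)
        elif s[i] == "}":
            return "".join(out), i + 1
        else:
            out.append(s[i])
            i += 1


def expand(template, attrs):
    """Expand every %{...} in a template string; other text is copied."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            value, i = _parse_body(template, i + 2, attrs)
            out.append(value)
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def ntlm_auth_argv(attrs, template=NTLM_AUTH_TEMPLATE):
    """Return the argv list ntlm_auth would be started with (not executed)."""
    return shlex.split(expand(template, attrs))


if __name__ == "__main__":
    # Constructed sample inputs: a user who logged in as "THOR\alice" (the
    # ntdomain hack stripped the prefix) and a user who sent a bare name.
    with_domain = {"User-Name": "THOR\\alice", "Stripped-User-Name": "alice",
                   "mschap:NT-Domain": "THOR", "mschap:Challenge": "abcd",
                   "mschap:NT-Response": "ef01"}
    print(ntlm_auth_argv(with_domain))   # --domain=THOR, default never used
    print(ntlm_auth_argv({"User-Name": "bob"}))  # --domain=LOKI, --challenge=00
```

Running radiusd in debug mode (`radiusd -X`) prints the real expanded command line, which is the authoritative place to confirm which domain each request is sent to.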

