<html><head></head><body style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br>Hello<br><br>I try to set up AD as freeradius authentication oracle. My system:<br>ohv:/etc/raddb/modules # radiusd -v<br>radiusd: FreeRADIUS Version 2.1.12, for host x86_64-suse-linux-gnu, built on Oct 19 2011 at 13:55<br><br>I followed this guidelines <br>http://deployingradius.com/documents/configuration/active_directory.html<br>and everything went great (user logons OK, all the tests decribed in howto went OK) until the last part MS-CHAP + ntlm_auth<br><br>OK, what happens when I try to authenticate via MS-CHAP<br><br>ohv:/etc/samba # radtest -t mschap freeradius.test passwordschmassword localhost 0 testing123<br>Sending Access-Request of id 11 to 127.0.0.1 port 1812<br> User-Name = "freeradius.test"<br> NAS-IP-Address = 10.128.160.4<br> NAS-Port = 0<br> Message-Authenticator = 0x00000000000000000000000000000000<br> MS-CHAP-Challenge = 0x7c68b9721c3a0b46<br> MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000013e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a<br>rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=38<br> MS-CHAP-Error = "\000E=691 R=1"<br><br>Lets see freeradius log<br><br>Thu Mar 8 13:42:03 2012 : Info: Found Auth-Type = MSCHAP<br>Thu Mar 8 13:42:03 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default<br>Thu Mar 8 13:42:03 2012 : Info: +- entering group MS-CHAP {...}<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] Told to do MS-CHAPv1 with NT-Password<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=freeradius.test<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] No NT-Domain was found in the User-Name.<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: %{mschap:NT-Domain} -><br>Thu Mar 8 13:42:03 2012 : Info: [mschap] ... expanding second conditional<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-LOCAL} -> --domain=LOCAL<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] mschap1: 7c<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7c68b9721c3a0b46<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a<br>Thu Mar 8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001)<br>Thu Mar 8 13:42:03 2012 : Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)<br>Thu Mar 8 13:42:03 2012 : Debug: Exec-Program: returned: 1<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] External script failed.<br>Thu Mar 8 13:42:03 2012 : Info: [mschap] MS-CHAP-Response is incorrect.<br>Thu Mar 8 13:42:03 2012 : Info: ++[mschap] returns reject<br><br>OK, lets strace this and find the actual command line sent to freeradius and try it out on command line (edited to follow correct syntax!) Command line looks like this:<br> /usr/bin/ntlm_auth "--request-nt-key", "--username=freeradius.test", "--domain=LOCAL", "--challenge=0x7c68b9721c3a0b46", "--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a" <br>Logon failure (0xc000006d)<br><br>Wait, what? Let's re-check<br> ntlm_auth --request-nt-key --domain=local --username=freeradius.test --password=passwordschmassword<br>NT_STATUS_OK: Success (0x0)<br><br>Seems that values for "challenge" and "response" are getting filled incorrectly. I also tried to turn with_ntdomain_hack aprameter on and off, but no avail.<br>Is freeradius at all responsible to fill those parameters or how can I fix this behaviour?<br><br>Andres Septer<br>
<span id="OLK_SRC_BODY_SECTION">Systems Administrator<br>Navirec Software OÜ<br>Tallinn, Estonia<br><a href="http://navirec.com/">http://navirec.com</a></span></body></html>