<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head><body>
<p style="margin: 0;"><span><span>Hello List,</span></span></p>
<p style="margin: 0;"><span><span><br/></span></span></p>
<p style="margin: 0;"><span><span>I've got some strange behavior here. I've got a running FreeRADIUS with</span></span></p>
<p style="margin: 0;">peap and ntlm_auth authentication and everything works fine.</p>
<p style="margin: 0;"> </p>
<p style="margin: 0;">But if I add the "--require-membership-of" switch to ntlm_auth,</p>
<p style="margin: 0;">authentication still works, but I get no EAP-Response from the client anymore.</p>
<p style="margin: 0;"> </p>
<p style="margin: 0;"> </p>
<p>+- entering group MS-CHAP {...}<br/>[mschap] Creating challenge hash with username: username@realm.de<br/>[mschap] Told to do MS-CHAPv2 for username@realm.de with NT-Password<br/>[mschap] expand: --require-membership-of=%{Huntgroup-Name} -> --require-membership-of=adp.realm.de\wlan<br/>[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br/>[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=username<br/>[mschap] Creating challenge hash with username: username@realm.de<br/>[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=aefab931ad734f6e<br/>[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=884c07bf7ed6d38688c6730be8e92b714f912da037da8554<br/>Exec-Program output: NT_KEY: 84092FAC9DC4C216C61D4411B5BB768C <br/>Exec-Program-Wait: plaintext: NT_KEY: 84092FAC9DC4C216C61D4411B5BB768C <br/>Exec-Program: returned: 0<br/>[mschap] adding MS-CHAPv2 MPPE keys<br/>++[mschap] returns ok<br/> WARNING: Empty session section. Using default return values.<br/> WARNING: Empty post-auth section. Using default return values.<br/># Executing section post-auth from file /etc/raddb/sites-enabled/mitarb<br/>} # server mitarb<br/>Going to the next request<br/><<< Received proxied response code 2 from internal virtual server.<br/># Executing section post-proxy from file /etc/raddb/sites-enabled/default<br/>+- entering group post-proxy {...}<br/>[eap] Doing post-proxy callback<br/>[eap] Passing reply from proxy back into the tunnel.<br/>server eduroam-inner-tunnel {<br/>[eap] Passing reply back for EAP-MS-CHAP-V2<br/># Executing section post-proxy from file /etc/raddb/sites-enabled/eduroam<br/>+- entering group post-proxy {...}<br/>[eap] Doing post-proxy callback<br/> rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x86a4e0 2.<br/> rlm_eap_mschapv2: Authentication succeeded.<br/>MSCHAP Success <br/>++[eap] returns ok</p>
<p style="margin: 0;"> </p>
<p style="margin: 0;">Looks good so far, but then ...</p>
<p style="margin: 0;"> </p>
<p style="margin: 0;"> </p>
<p>server eduroam-outer-tunnel {<br/>} # server eduroam-outer-tunnel<br/>Sending Access-Challenge of id 2 to 141.72.64.3 port 32768<br/> EAP-Message = 0x0115005b19001703010050cb972ac25fca4ed1fb69d92f327ffc0a5d206ef0541edb35627a0d93187423d332a9c1194dcf844077258dd435d362bcba65c361650224ca83a669d82fc36f2a1cff8ea1868802734676ea1474288492<br/> Message-Authenticator = 0x00000000000000000000000000000000<br/> State = 0xe0bbe76ce9aefea746f07bdba2aaec4b<br/>Finished request 9.<br/>Going to the next request<br/>Waking up in 4.8 seconds.<br/>Cleaning up request 0 ID 249 with timestamp +19<br/>Cleaning up request 1 ID 250 with timestamp +19<br/>Cleaning up request 2 ID 251 with timestamp +19<br/>Cleaning up request 3 ID 252 with timestamp +19<br/>Cleaning up request 4 ID 253 with timestamp +19<br/>Cleaning up request 5 ID 254 with timestamp +19<br/>Cleaning up request 6 ID 255 with timestamp +19<br/>Cleaning up request 7 ID 0 with timestamp +19<br/>Cleaning up request 8 ID 1 with timestamp +19<br/>Cleaning up request 9 ID 2 with timestamp +19<br/>WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>WARNING: !! EAP session for state 0xe0bbe76ce9aefea7 did not finish!<br/>WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility<br/>WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>Ready to process requests.</p>
<p style="margin: 0;"><span><span><br/></span></span></p>
<p style="margin: 0;"><span><span><br/></span></span></p>
<p style="margin: 0;"><span><span>My ntlm_auth string in modules/mschap looks like this:</span></span></p>
<p style="margin: 0;"><span><span><br/></span></span></p>
<p style="margin: 0;"><span><span>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=%{Huntgroup-Name} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"</span></span></p>
<p style="margin: 0;"> </p>
<p style="margin: 0;">If I remove the "--require-membership-of", everything works fine. Why?</p>
<p style="margin: 0;"><span><span><br/></span></span></p>
<p style="margin: 0;"><span><span>Help would be great!</span></span></p>
<p style="margin: 0;"><span><span><br/></span></span></p>
<p style="margin: 0;"> </p>
<p style="margin: 0px;">Yours</p>
<p><strong>Patrick Machauer</strong></p>
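<p>Added example, not part of Patrick's post and not code from the FreeRADIUS or Samba projects: a POSIX shell script that reproduces the ntlm_auth call rlm_mschap builds from the posted ntlm_auth = "..." line, once with and once without --require-membership-of, so the two outcomes (exit status and whether an NT_KEY line comes back) can be compared outside radiusd. It assumes ntlm_auth at /usr/bin/ntlm_auth as in the post (override with NTLM_AUTH=...), a running winbindd, and that the user running it may read winbind's privileged pipe, as radiusd must. The username, challenge and NT-Response arguments are taken from a radiusd -X run; the challenge/nt-response values in the post's log show the hex shape the flags expect.</p>

```shell
#!/bin/sh
# Added example, not from the original post or the FreeRADIUS/Samba projects.
# Reproduces the ntlm_auth invocation rlm_mschap builds from the posted
# ntlm_auth = "..." line, with and without --require-membership-of.
# Assumptions: ntlm_auth at /usr/bin/ntlm_auth (override with NTLM_AUTH=...),
# winbindd running, and the caller may read winbind's privileged pipe.

NTLM_AUTH=${NTLM_AUTH:-/usr/bin/ntlm_auth}

# Pull the 32-hex-digit NT_KEY out of ntlm_auth's output; this is the value
# rlm_mschap parses to derive the MPPE keys. Returns 1 if no key is present.
parse_nt_key() {
    printf '%s\n' "$1" |
        sed -n 's/^NT_KEY: *\([0-9A-Fa-f]\{32\}\).*/\1/p' |
        head -n 1 | grep .
}

# Map (exit status, output) to what rlm_mschap does with it: exit 0 plus an
# NT_KEY line is an accept; a non-zero exit or a missing key becomes a reject.
classify_result() {
    status=$1 output=$2
    if [ "$status" -eq 0 ] && parse_nt_key "$output" >/dev/null; then
        echo accept
    else
        echo reject
    fi
}

# Run ntlm_auth with the same flags as the posted module config. The 4th
# argument (group, e.g. 'adp.realm.de\wlan' in single quotes, or a group SID)
# is optional and adds --require-membership-of. Exit status is ntlm_auth's.
ntlm_check() {
    user=$1 challenge=$2 response=$3 group=$4
    set -- --request-nt-key --username="$user" \
           --challenge="$challenge" --nt-response="$response"
    if [ -n "$group" ]; then
        set -- "$@" --require-membership-of="$group"
    fi
    "$NTLM_AUTH" "$@"
}

# Run both variants for one captured challenge/response pair and report
# exit status and the accept/reject rlm_mschap would derive from each.
compare_membership() {
    cmp_user=$1 cmp_challenge=$2 cmp_response=$3 cmp_group=$4
    plain_out=$(ntlm_check "$cmp_user" "$cmp_challenge" "$cmp_response")
    plain_rc=$?
    group_out=$(ntlm_check "$cmp_user" "$cmp_challenge" "$cmp_response" "$cmp_group")
    group_rc=$?
    echo "without group: rc=$plain_rc $(classify_result "$plain_rc" "$plain_out")"
    echo "with group:    rc=$group_rc $(classify_result "$group_rc" "$group_out")"
}

# Stand-alone use:
#   ./ntlm_membership_check.sh username <challenge-hex> <nt-response-hex> 'adp.realm.de\wlan'
# Arguments are placeholders to be filled from a radiusd -X run; the script
# does nothing if ntlm_auth is absent or the four arguments are not given.
if [ -x "$NTLM_AUTH" ] && [ $# -eq 4 ]; then
    compare_membership "$@"
fi
```

<p>If the "with group" run exits non-zero and prints no NT_KEY while the plain run accepts, the group name as expanded from %{Huntgroup-Name} is what winbind is rejecting; if both accept, as the NT_KEY and "returned: 0" in the posted log suggest for that session, the membership check itself is not what is failing and the problem lies after rlm_mschap has returned ok. Quote the group in single quotes in the shell so the backslash in DOMAIN\group survives.</p>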
</body></html>