On 30/08/2023 11:09, Härtl, Calvin wrote:
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (6) mschap: --> --username=host/HOSTNAME.DOMAIN.COM (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (6) mschap: --> --challenge=ef98e59da6aea4aa (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (6) mschap: --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590 (6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (6) mschap: External script failed (6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
I think this used to work, but not 100% sure. You might need to mangle the username into the format AD uses for computers, "HOSTNAME.DOMAIN.COM$" or "HOSTNAME$" for example.
My FreeRADIUS server is connected to our Active Directory via SAMBA and winbind, and I checked that the users can authenticate via radtest. Is FreeRADIUS natively capable of doing machine authentication via AD, do I have to configure some additional files or are there any modules that I can install to do this for me?
The usual way to do this is to set up EAP-TLS and use the AD-managed machine certificate for auth. Much more secure and faster authentication as well. It's one of the easiest setups for EAP-TLS with Windows clients because AD manages all the certificates for you. I would investigate that rather than spending time on trying to get MSCHAPv2 working for machine auth. -- Matthew