On 30/08/2023 11:57, Matthew Newton via Freeradius-Users wrote:
On 30/08/2023 11:09, Härtl, Calvin wrote:
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (6) mschap: --> --username=host/HOSTNAME.DOMAIN.COM (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (6) mschap: --> --challenge=ef98e59da6aea4aa (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (6) mschap: --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590 (6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (6) mschap: External script failed (6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
I think this used to work, but not 100% sure. You might need to mangle the username into the format AD uses for computers, "HOSTNAME.DOMAIN.COM$" or "HOSTNAME$" for example.
A Matthew said, EAP-TLS is likely a better option, however, if you have to use MSCHAPv2, I have done this by using the winbind authentication method instead of ntlml_auth. In mods_enabled/mschap: - comment out ntlm_auth = .... - uncomment winbind_username = "%{mschap:User-Name}" - uncomment winbind_domain = "%{mschap:NT-Domain}" The "%{winbind:...}" xlat goes hunting in the request attributes for data representing the requested MS CHAP attribute in commonly formats. The request for "User-Name" finds data that represents users and machines and does "the right thing" in most cases. -- Nick Porter