First of all: Thanks for the help. I've modified the smb.conf file according to the link you suggested. I'm trying to do the auth via ntlm_auth now and this is the response I got: (10) } # authorize = updated (10) Found Auth-Type = mschap (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam (10) Auth-Type mschap { (10) mschap: Creating challenge hash with username: some-user@somewhere.com (10) mschap: Client is using MS-CHAPv2 (10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (10) mschap: --> --username=some-user (10) mschap: Creating challenge hash with username: some-user@somewhere.com (10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (10) mschap: --> --challenge=39258c5db7d3edb7 (10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (10) mschap: --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba (10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (10) mschap: External script failed (10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (10) mschap: ERROR: MS-CHAP2-Response is incorrect (10) [mschap] = reject (10) } # Auth-Type mschap = reject (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject maybe something to point out (which don't know if does matter) is that the user might be providing @somewhere.com, however, the AD domain name I have to do the queries against is really "swr.com" Operator name is @somewhere.com on the server config file so I can properly filter the local users, but the samba configuration and the domain is configured against the real domain name "swr.com"- could it be that the challenge hash is being wrongfuly created here?: (10) mschap: Creating challenge hash with username: some-user@somewhere.com And somehow, mschap should create the hash with "some-user@swe.com"? I sure don't have this issue when testing locally... I don't know if this makes sense--- On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
That samba part is on the free radius site is obsolete
Configure samba as a member server as shown here : Step 1. https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member Then what most people dont see/forget is : https://wiki.samba.org/index.php/Idmap_config_rid This is oblicated..
If its only for authentication just use RID backend, thats fine.
When thats done, go here.
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di...
And verify your settings, this is the most important one for smb.conf
ntlm auth = mschapv2-and-ntlmv2-only
So all info to fix it is in this mail ;-)
See how far you get, questions, mail again.
Greetz,
Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens R3DNano Verzonden: woensdag 15 april 2020 10:35 Aan: FreeRadius users mailing list Onderwerp: mschap: ERROR: MS-CHAP2-Response is incorrect
I'm trying to deploy a FreeRADIUS server for eduroam authentication. The local authentication source is a Microsoft AD that I configured following this guide: https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory- Integration-HOWTO The binding was successful and the eapol_test tests are all green too.
However, I'm having a hard time implementing it with an aerohive controller. This controller has a "test" function which lets you input an username and a password and does who knows what in order to check the radius server. As far as I understood, it tries to do MSCHAPv2 without any encryption as per the logs I'll show below (please, correct me if I'm wrong) Other than that, I receive an Access-Reject which looks like is pointing at a wrong password being provided, although, it is not the case (checked the password)
This is what I see on the server side:
(0) Received Access-Request Id 155 from 10.10.50.5:22074 to 10.168.0.14:1812 length 198 (0) User-Name = "some-user@somewhere.com" (0) Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147 (0) Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330 (0) Service-Type = Authorize-Only (0) NAS-Port = 0 (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Identifier = "SOME_ID" (0) NAS-IP-Address = 10.40.1.186 (0) MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88 (0) MS-CHAP2-Response = 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a193 2f0abe2cf1f9908feb851dee780c95ccefcd6aca (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam (0) authorize {
[edited]
(0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok
[edited, removed log entries]
(0) } # authorize = updated (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam (0) Auth-Type mschap { (0) mschap: Creating challenge hash with username: some-user@somewhere.com (0) mschap: Client is using MS-CHAPv2 (0) mschap: EXPAND %{Stripped-User-Name} (0) mschap: --> some-user rlm_mschap (mschap): Closing connection (0): Hit idle_timeout, was idle for 2240 seconds rlm_mschap (mschap): Closing connection (1): Hit idle_timeout, was idle for 2240 seconds rlm_mschap (mschap): Closing connection (2): Hit idle_timeout, was idle for 2240 seconds rlm_mschap (mschap): You probably need to lower "min" rlm_mschap (mschap): Closing connection (3): Hit idle_timeout, was idle for 2240 seconds rlm_mschap (mschap): You probably need to lower "min" rlm_mschap (mschap): Closing connection (4): Hit idle_timeout, was idle for 2240 seconds rlm_mschap (mschap): You probably need to lower "min" rlm_mschap (mschap): 0 of 0 connections in use. You may need to increase "spare" rlm_mschap (mschap): Opening additional connection (5), 1 of 32 pending slots used rlm_mschap (mschap): Reserved connection (5) (0) mschap: sending authentication request user='some-user' domain=' SOMEWHERE.COM' rlm_mschap (mschap): Released connection (5) Need 2 more connections to reach min connections (3) rlm_mschap (mschap): Opening additional connection (6), 1 of 31 pending slots used (0) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A] (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # Auth-Type mschap = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject
[edited, removed log entries]
(0) } # Post-Auth-Type REJECT = updated (0) Sent Access-Reject Id 155 from 10.168.0.14:1812 to 10.10.50.5:22074 length 0 (0) MS-CHAP-Error = "\317E=691 R=1 C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 M=Authentication rejected" (0) Finished request
I edited the linelog parts out - yes there's only one single request (0) Although, It does have an "Authorize-Only" value, which makes me think this test only does authorization but no authentication and that's why the test fails?? - any help trying to interpret and troubleshoot this issue would be welcome.
Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html