Sorry for the individual emails, but I got things working with MSCHAP (w/ ntlm_auth) and WPA-EAP. My issue was that when I got the two winbind errors, I did some more searching and there's the potential that the freerad user did not have access to pipe named: /var/run/samba/winbindd That pipe is owned as follows: drwxr-x--- 2 root winbindd_priv 60 Aug 22 11:15 winbindd_privileged/ That being the case, you need to add the user freerad to that group, so it can execute with the right privileges. Sending Access-Request of id 52 to 127.0.0.1 port 1812 User-Name = "wyse1" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84 MS-CHAP-MPPE-Keys = 0x0000000000000000d22b3a1df401aa61a721c8a31ba910820000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Now, is it safe to disable modules (by commenting them out of the sites-enabled files) that aren't related to the MSCHAP process? This is just in passing curiosity. On Aug 22, 2013, at 10:14 AM, Chris Parker <cparkervt@me.com> wrote:
Thank you for setting me on the right track; I have followed the directions on http://deployingradius.com/documents/configuration/active_directory.html (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per those directions. When I run the ntlm_auth command manually, it works find / as does running wbinfo -a
root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D plaintext password authentication succeeded challenge/response password authentication succeeded
Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, length=113 User-Name = "wyse1" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 MS-CHAP-Challenge = 0xe07a375bed09f1f7 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000065b157b183b4d29d455414b184c57af4912b1d74f4ed726 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "wyse1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] ... expanding second conditional [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: %{User-Name:-None} -> wyse1 [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1 [mschap] mschap1: e0 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726 Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user. Login incorrect (mschap: External script says Reading winbind reply failed! (0xc0000001)): [wyse1/<via Auth-Type = mschap>] (from client localhost port 1812) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> wyse1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 111 to 127.0.0.1 port 60046 Waking up in 4.9 seconds. Cleaning up request 0 ID 111 with timestamp +15 Ready to process requests.
On Aug 22, 2013, at 5:50 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 21/08/13 23:44, Chris Parker wrote:
Okay, pardon my confusion then. I had been following a howto online and it reported that the command when run manually will produce the key.
Either way, I'm still having a failure in MSCHAP with radtest that I'm not quite grasping.
Well, as I explained in my other email, mschap == challenge/response, "modules/ntlm_auth" != challenge/response.
To reiterate, "modules/ntlm_auth" is almost certainly not what you want, and is not intended to be used as-is. I would unconfigure it and concentrate on getting "modules/mschap" working. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html