Of course, I forgot to provide FR version: freeradius-2.1.12-4.el6_3.x86_64 (on Centos 6.5) sorry On 30. 1. 2014 19:27, Michal Bruncko wrote:
Hello
I am trying to authenticate end VPN users using PEAP method toward freeradius server. On client side there is built-in VPN client (PPTP) on windows 7 machines. In general everything is working - users are able to autenticate once they manually use their credentials. Also the scenario with including (manually filled) domain name is also available and users are able to authenticate as well. The problems starting if I try to use "Automatically use my Windows logon name and password (and domain if any)" checkbox within PEAP method - the user is not able to autenticate even if the logged-in windows account (login/pass) is same than on server side.
From the radius debug logs the problems started with beginning of mschapv2 module:
Working part (with manually filled domain): [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") [mschapv2] expand: %{My-Local-Client-Type} -> user [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...} [mschap_vpn] Creating challenge hash with username: bob [mschap_vpn] Told to do MS-CHAPv2 for timeos with NT-Password [mschap_vpn] expand: --username=%{mschap:User-Name} -> --username=bob [mschap_vpn] Creating challenge hash with username: bob [mschap_vpn] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=63b158798144225d [mschap_vpn] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=44a58798471dc8e98dc3854e7c285246596fafb0c116cd14 Exec-Program output: NT_KEY: ABF2579A08227E23F0984101C44B8D12 Exec-Program-Wait: plaintext: NT_KEY: ABF2579A08227E23F0984101C44B8D12 Exec-Program: returned: 0 [mschap_vpn] adding MS-CHAPv2 MPPE keys +++[mschap_vpn] returns ok ++- if ("%{My-Local-Client-Type}" == "user") returns ok MSCHAP Success
Not working case (using "Automatically use my Windows logon name..."): [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") [mschapv2] expand: %{My-Local-Client-Type} -> user [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...} [mschap_vpn] ERROR: User-Name (abrakadabra\bob) is not the same as MS-CHAP Name (bob) from EAP-MSCHAPv2 +++[mschap_vpn] returns reject ++- if ("%{My-Local-Client-Type}" == "user") returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [abrakadabra\\bob] (from client vpn.exmaple.com port 0 via TLS tunnel)
mschap module: mschap mschap_vpn { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-248145504-287154277-2125575804-1588" }
notes: - If I write the domain in login box manually, it is typed in uppercase (without ability to change) - "ABRAKADABRA\bob". If I check "Automatically use my Windows logon name...", the domain (only local-computer) name is pushed in lower case: "abrakadabra\bob". that's the main difference what I can see from comparing both debug logs. - if I write the domain manually inside the login name using "abrakadabra\bob" and keep the "Domain" field empty - the name will be pushed "abrakadabra\bob" - but in this case, I will be authenticated _successfully_. it sounds to me that this issue have nothing to do with uppercase/lowercase of domain name, but it must be something else which breaks all authentication using windows login credentials. - the client computer domain is not real domain - it's just the computer name but this does not matter as the domain name is not pushed to ntlm_auth at all. If I try to log in directly using "ntlm_auth" without providing "--domain" parameter - I will be authenticated correctly.
please has anyone working PEAP authentication with ability to use "Automatically use my Windows logon name..."? What I am doing wrong.
thank you
michal
-- Ing. Michal Bruncko, PhD., CCNP, RHCSAâ„¢ IT systems and network administrator Coupled school of business and services Ruzomberok Slovak Republic