Is your AD-DC also a samba server ? Try adding this to smb.conf (globel) # Add for freeradius support ntlm auth = mschapv2-and-ntlmv2-only Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Piviul Verzonden: dinsdag 7 juli 2020 15:05 Aan: freeradius-users@lists.freeradius.org Onderwerp: mschap configuration problem
Hi there, I'm new to freeradius and I'm trying to configure it to authenticate on a AD domain using mschap and ntlm_auth. From a client I have put domain, username and password in variables to be sure that there are no typing errors, then I run:
# ntlm_auth --allow-mschapv2 --domain=$domain --username=$username --password=$password && radtest -t mschap "$domain\\$username" $password 127.0.0.1 0 testing123 NT_STATUS_OK: The operation completed successfully. (0x0) Sent Access-Request Id 58 from 0.0.0.0:55359 to 127.0.0.1:1812 length 139 User-Name = "CSATEST\\user1" MS-CHAP-Password = "Alfa.2020" NAS-IP-Address = 192.168.64.10 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Alfa.2020" MS-CHAP-Challenge = 0x6b4e461a0c35c8da MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330 052688e78de5ccbba7d9d954abf1e1b85596b385 Received Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61 MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2" (0) -: Expected Access-Accept got Access-Reject
From server side freeradius said:
(5) Received Access-Request Id 58 from 127.0.0.1:55359 to 127.0.0.1:1812 length 139 (5) User-Name = "CSATEST\\user1" (5) NAS-IP-Address = 192.168.64.10 (5) NAS-Port = 0 (5) Message-Authenticator = 0x20d737038881440d2585fa1b63641a0f (5) MS-CHAP-Challenge = 0x6b4e461a0c35c8da (5) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330 052688e78de5ccbba7d9d954abf1e1b85596b385 (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (5) [mschap] = ok (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "CSATEST\user1", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (5) pap: WARNING: Authentication will fail unless a "known good" password is available (5) [pap] = noop (5) } # authorize = ok (5) Found Auth-Type = mschap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) mschap: Client is using MS-CHAPv1 with NT-Password (5) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}: (5) mschap: EXPAND --domain=%{mschap:NT-Domain} (5) mschap: --> --domain=CSATEST (5) mschap: EXPAND --username=%{mschap:User-Name} (5) mschap: --> --username=user1 (5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)' (5) mschap: External script failed (5) mschap: ERROR: External script says: Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a) (5) mschap: ERROR: MS-CHAP2-Response is incorrect (5) [mschap] = reject (5) } # authenticate = reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> CSATEST\\user1 (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (mschap: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'): [CSATEST\user1] (from client localhost port 0) (5) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61 (5) MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2" Waking up in 3.9 seconds. (5) Cleaning up request packet ID 58 with timestamp +927
Someone can help me to understand where I wrong?
Piviul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html