Using Stripped-User-Name was one of my first try. I got this errorr eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: Creating challenge hash with username: /user/@/domain.com/ (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:Stripped-User-Name}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (8) mschap: ERROR: Unknown expansion string 'Stripped-User-Name' <--------------------------- UNKNOWN !!!!! (8) mschap: EXPAND --username=%{%{mschap:Stripped-User-Name}:-None} (8) mschap: --> --username=None (8) mschap: Creating challenge hash with username: /user@domain.com/ (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (8) mschap: --> --challenge=ae371b1f11bb456a (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (8) mschap: --> --nt-response=36fafc123be05aa58780eec7406d0a16a70423c7f4e1cf84 (8) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (8) mschap: External script failed (8) mschap: ERROR: External script says: Logon failure (0xc000006d) (8) mschap: ERROR: MS-CHAP2-Response is incorrect Also the challenge are created against user@domain.com, and not against Stripped-User-Name On 06/30/2017 07:25 PM, Alan DeKok wrote:
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele@verzeletti.org> wrote:
Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap. I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP and MSCHAPv2 against Active directory. User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName. ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
authorize { update request { User-Name := `/path/to/my/script '%{User-Name}'` } Don't edit the User-Name. It's wrong.
You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
I have an error in the log
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Identity does not match User-Name, setting from EAP Identity (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid Yup
In the short term, you can do:
authorize { update request { Stripped-User-Name := `/path/to/my/script '%{User-Name}'` } }
And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html