Hi Matthew and thankyou for your response I am providing the full output from a new test login with a different user but am getting the exact same result. I have added a realm definition in proxy.conf before doing this test. (0) Received Access-Request Id 18 from 192.168.1.1:59973 to 192.168.1.124:1812 length 161 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "leo.giusti@home.win" (0) MS-CHAP-Challenge = 0x27e163edf32c2d798ef2e57f87d32767 (0) MS-CHAP2-Response = 0xa400ee83ddefe9941705484493b26d7b4c6b0000000000000000e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1 (0) Calling-Station-Id = "192.168.1.10" (0) NAS-IP-Address = 192.168.1.1 (0) NAS-Port = 0 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "home.win" for User-Name = "leo.giusti@home.win " (0) suffix: Found realm "home.win" (0) suffix: Adding Stripped-User-Name = "leo.giusti" (0) suffix: Adding Realm = "home.win" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Creating challenge hash with username: leo.giusti@home.win (0) mschap: Client is using MS-CHAPv2 (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=leo.giusti (0) mschap: Creating challenge hash with username: leo.giusti@home.win (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=4b2160a676fadd0d (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1 (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> leo.giusti@home.win (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 18 from 192.168.1.124:1812 to 192.168.1.1:59973 length 103 (0) MS-CHAP-Error = "\244E=691 R=1 C=d95b8528834837c7eeb0cdf6582a92cd V=3 M=Authentication rejected" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 18 with timestamp +25 due to cleanup_delay was reached On 10/01/2024 03:01, Leo Giusti wrote:
I am able to authenticate against my domain with ntlm_auth with a username and password.
OK
I will clarify that it works using both just username and username@home.win
(0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "home.win" for User-Name = "joshua.sharpe@home.win" (0) suffix: No such realm "home.win" (0) [suffix] = noop
Did not strip the realm.
You may need to add the realm to proxy.conf so that suffix can strip the realm, or use the split_username_nai policy to do it in unlang.
I theink I have this setyup correctly now
(0) mschap: Creating challenge hash with username: joshua.sharpe@home.win (0) mschap: Client is using MS-CHAPv2 (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=joshua.sharpe@home.win (0) mschap: Creating challenge hash with username: joshua.sharpe@home.win (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=9c377afcf9835f65 (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823 (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
So the command you used to test is not the same as the command FreeRADIUS is running, or the username or password is incorrect.
Does this authenticate successfully?
/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=joshua.sharpe@home.win --challenge=9c377afcf9835f65 --nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823
If not then you need to find out why. I suspect it's because the username isn't stripped, and that just using "joshua.sharpe" would work.
leogiusti@TestRADIUS:~$ sudo ntlm_auth --request-nt-key --allow-mschapv2 --username=leo.giusti@home.win --challenge=4b2160a676fadd0d --nt-response=e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1 The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) leogiusti@TestRADIUS:~$ sudo ntlm_auth --request-nt-key --allow-mschapv2 --username=leo.giusti --challenge=4b2160a676fad d0d --nt-response=e3c7a7ea97d694435f1feb61dbfba7ebde420e596281a1a1 The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
--
Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html