Hello,
We’re struggling with Windows 7 and PEAP/MSCHAP
auth.. There are several scenarios where ones AD password will expire. FR
is configured to send the auth request to AD (MSCHAP only,
I THOUGHT MSCHAPv2 can recognize a “password expired”
state and actually allow a user to change it via MSCHAPv2 functions. Is
this not correct, or are there settings in AD or the ntlm_auth/samba I
need to tweak? Or should I be using LDAP? And will it work at all
using a “basic” MS supplicant, or do I need a third party one that
handles this better?
We have a similar failure when the laptops “cached
credentials” are out of sync with AD. Ie, the user changed their AD
password using their desktop on Friday. Monday AM they bring in their
laptop and try to login. Well, it’s not “connected” to
the domain, so they enter their old password just to get access to their
laptop. So far so good, until the supplicant (which is configured to “use
my windows login info” ) grabs the old password and tries to auth –
which of course fails because it’s the old (now incorrect) password.
There seems to be some bug with Windows 7, because it WILL pop a box to allow
the user to manually enter a password, but even when the new / correct password
is entered – MSCHAP/NTLM_AUTH STILL fails. It’s as if even
though Windows 7 pops the box and allows one to enter a different password, it
ignores it and ALWAYS uses the windows login credentials – which are
invalid. FWIW: if we REQUIRE the user to ALWAYS enter their credentials
(don’t try to use windows) I THINK everything works OK, BUT the powers
that be say it’s unacceptable for a user to have to login twice –
once to “windows” and then again to the “network”.
My colleague has been messing with this for many hours to no
avail. I’ve spent several hours myself trying various configs,
googling, etc. Tomorrow I intend to take a more controlled / methodical
approach to the testing scenarios and see what that may reveal. In the
mean time any advice would be greatly appreciated. SURELY we’re not
the only ones to encounter this – it’s a pretty common
environment. I don’t THINK the problem, or at least the same
problem exist on XP – but I’m not 100% sure at this point. FR
is 2.1.10 and Samba is 3.0.33-3.7.el5. I THINK our DC’s are running
2003.
Below are FR debugs for (3) auth attempts, (1) success and
(2) failures… I expected the middle (2nd) request to
fail, ‘cause windows automatically tried using the old/wrong creds –
but the last / 3rd attempt should have worked…
TIA -
#Working
rad_recv: Access-Request packet from host 1.1.2.4 port
33350, id=50, length=241
NAS-IP-Address =
1.1.2.4
NAS-Port = 0
NAS-Port-Type =
Wireless-802.11
User-Name =
"netengtest"
Calling-Station-Id = "58946BB9F738"
Called-Station-Id
= "000B8661BF34"
MS-CHAP-Challenge
= 0x65f0e3833007ea3603cb7a74a97d905a
MS-CHAP2-Response
=
0x0600c3fb5dab7b3c82d77669020e64574a790000000000000000b656fe75b45fb03fcdb6cd0c1e7675da77b79296fb32e768
Service-Type =
Login-User
Aruba-Essid-Name
= "Bob"
Aruba-Location-Id
= "00:24:6c:c3:43:d3"
NAS-Identifier =
"Aruba-WLAN-1"
Message-Authenticator = 0x43ab558afb7057dd052430f8829bf0e1
# Executing section authorize from file
/devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting
'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "netengtest",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for
the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with
NT-Password
[mschap] expand:
%{mschap:User-Name} -> netengtest
[mschap] expand:
--username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap] mschap2: 65
[mschap] Creating challenge hash with username: netengtest
[mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=80f102377e0b1914
[mschap] expand:
--nt-response=%{mschap:NT-Response:-00} -> --nt-response=b656fe75b45fb03fcdb6cd0c1e7675da77b79296fb32e768
Exec-Program output: NT_KEY:
B2E9713382580CAFC4C5EAE9B83F6461
Exec-Program-Wait: plaintext: NT_KEY:
B2E9713382580CAFC4C5EAE9B83F6461
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file
/devel/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 50 to 1.1.2.4 port 33350
MS-CHAP2-Success
= 0x06533d38383935363335453339443030353230304644393132383945323846323245424242423042453530
MS-MPPE-Recv-Key
= 0xc5abbc0bad0bf488c01523801f46f494
MS-MPPE-Send-Key
= 0x48e3498b39788d95b47add261796c57d
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 4.
#Not Working, windows auto retry
rad_recv: Access-Request packet from host 1.1.2.4 port
33350, id=51, length=249
NAS-IP-Address =
1.1.2.4
NAS-Port = 0
NAS-Port-Type =
Wireless-802.11
User-Name =
"WADDELL\\netengtest"
Calling-Station-Id = "58946BB9F738"
Called-Station-Id
= "000B8661BF34"
MS-CHAP-Challenge
= 0x311d0b69fd0ee15bf605dda7b0c7da0e
MS-CHAP2-Response
= 0x06008b488ab132a5a2ee7d3051bf0f75858700000000000000003bc8b876f0e5171fc2aef6667fbe2a038cb846368d395fa5
Service-Type =
Login-User
Aruba-Essid-Name
= "Bob"
Aruba-Location-Id
= "00:24:6c:c3:43:d3"
NAS-Identifier =
"Aruba-WLAN-1"
Message-Authenticator = 0x9f6bc9ad403b95afd3506155e9e44761
# Executing section authorize from file
/devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting
'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name =
"WADDELL\netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for
the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with
NT-Password
[mschap] expand:
%{mschap:User-Name} -> netengtest
[mschap] expand:
--username=%{%{mschap:User-Name}:-%{User-Name:-None}} ->
--username=netengtest
[mschap] mschap2: 31
[mschap] Creating challenge hash with username: netengtest
[mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=c118e8c6818033b1
[mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=3bc8b876f0e5171fc2aef6667fbe2a038cb846368d395fa5
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand:
%{User-Name} -> WADDELL\netengtest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 51 to 1.1.2.4 port 33350
#Not Working, Manually entered password
rad_recv: Access-Request packet from host 1.1.2.4 port
33350, id=52, length=249
NAS-IP-Address =
1.1.2.4
NAS-Port = 0
NAS-Port-Type =
Wireless-802.11
User-Name =
"WADDELL\\netengtest"
Calling-Station-Id = "58946BB9F738"
Called-Station-Id
= "000B8661BF34"
MS-CHAP-Challenge
= 0xda7118673bd18b3563feedff1107cc3f
MS-CHAP2-Response
=
0x070026aa6bd893de1a79db494843ad54b22e0000000000000000844ffd37fcda8bb1053320572de943678762ac51805a9170
Service-Type =
Login-User
Aruba-Essid-Name
= "Bob"
Aruba-Location-Id
= "00:24:6c:c3:43:d3"
NAS-Identifier =
"Aruba-WLAN-1"
Message-Authenticator = 0xd61275e77c4c589d7dea376d07ed6a57
# Executing section authorize from file
/devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting
'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name =
"WADDELL\netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for
the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with
NT-Password
[mschap] expand:
%{mschap:User-Name} -> netengtest
[mschap] expand:
--username=%{%{mschap:User-Name}:-%{User-Name:-None}} ->
--username=netengtest
[mschap] mschap2: da
[mschap] Creating challenge hash with username: netengtest
[mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=a2e2cf9f927f511c
[mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=844ffd37fcda8bb1053320572de943678762ac51805a9170
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand:
%{User-Name} -> WADDELL\netengtest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 52 to 1.1.2.4 port 33350
Waking up in 4.9 seconds.