Hai Red, Well, almost.. you mist 1 part. This : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: change that to : /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: I even highlighted it in the samba wiki .. So edit : /etc/freeradius/3.0/sites-enabled/eduroam And correct that and try again. If it then still is not working, as extra you could try. Adduser freeradion to the winbind_priv group And check if apparmor is running and adjust the needed files there also. Greetz, Louis ________________________________ Van: Red Nano [mailto:r3dnano@gmail.com] Verzonden: woensdag 15 april 2020 11:27 Aan: FreeRadius users mailing list CC: L.P.H. van Belle Onderwerp: Re: mschap: ERROR: MS-CHAP2-Response is incorrect First of all: Thanks for the help. I've modified the smb.conf file according to the link you suggested. I'm trying to do the auth via ntlm_auth now and this is the response I got: (10) } # authorize = updated (10) Found Auth-Type = mschap (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam (10) Auth-Type mschap { (10) mschap: Creating challenge hash with username: some-user@somewhere.com (10) mschap: Client is using MS-CHAPv2 (10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (10) mschap: --> --username=some-user (10) mschap: Creating challenge hash with username: some-user@somewhere.com (10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (10) mschap: --> --challenge=39258c5db7d3edb7 (10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (10) mschap: --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba (10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (10) mschap: External script failed (10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (10) mschap: ERROR: MS-CHAP2-Response is incorrect (10) [mschap] = reject (10) } # Auth-Type mschap = reject (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject maybe something to point out (which don't know if does matter) is that the user might be providing @somewhere.com, however, the AD domain name I have to do the queries against is really "swr.com" Operator name is @somewhere.com on the server config file so I can properly filter the local users, but the samba configuration and the domain is configured against the real domain name "swr.com"- could it be that the challenge hash is being wrongfuly created here?: (10) mschap: Creating challenge hash with username: some-user@somewhere.com And somehow, mschap should create the hash with "some-user@swe.com"? I sure don't have this issue when testing locally... I don't know if this makes sense--- On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: That samba part is on the free radius site is obsolete Configure samba as a member server as shown here : Step 1. https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member Then what most people dont see/forget is : https://wiki.samba.org/index.php/Idmap_config_rid This is oblicated.. If its only for authentication just use RID backend, thats fine. When thats done, go here. https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Di... And verify your settings, this is the most important one for smb.conf ntlm auth = mschapv2-and-ntlmv2-only So all info to fix it is in this mail ;-) See how far you get, questions, mail again. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: Freeradius-Users > [mailto:freeradius-users-bounces+belle <mailto:freeradius-users-bounces%2Bbelle> =bazuin.nl@lists.freerad > ius.org] Namens R3DNano > Verzonden: woensdag 15 april 2020 10:35 > Aan: FreeRadius users mailing list > Onderwerp: mschap: ERROR: MS-CHAP2-Response is incorrect > > I'm trying to deploy a FreeRADIUS server for eduroam authentication. > The local authentication source is a Microsoft AD that I configured > following this guide: > https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory- > Integration-HOWTO > The binding was successful and the eapol_test tests are all green too. > > However, I'm having a hard time implementing it with an > aerohive controller. > This controller has a "test" function which lets you input an > username and > a password and does who knows what in order to check the > radius server. > As far as I understood, it tries to do MSCHAPv2 without any > encryption as > per the logs I'll show below (please, correct me if I'm wrong) > Other than that, I receive an Access-Reject which looks like > is pointing at > a wrong password being provided, although, it is not the case > (checked the > password) > > This is what I see on the server side: > > (0) Received Access-Request Id 155 from MailScanner warning: numerical links are often malicious: 10.10.50.5:22074 <http://10.10.50.5:22074> to > MailScanner warning: numerical links are often malicious: 10.168.0.14:1812 <http://10.168.0.14:1812> > length 198 > (0) User-Name = "some-user@somewhere.com" > (0) Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147 > (0) Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330 > (0) Service-Type = Authorize-Only > (0) NAS-Port = 0 > (0) NAS-Port-Type = Wireless-802.11 > (0) NAS-Identifier = "SOME_ID" > (0) NAS-IP-Address = 10.40.1.186 > (0) MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88 > (0) MS-CHAP2-Response = > 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a193 > 2f0abe2cf1f9908feb851dee780c95ccefcd6aca > (0) # Executing section authorize from file > /etc/freeradius/3.0/sites-enabled/eduroam > (0) authorize { > > [edited] > > (0) eap: No EAP-Message, not doing EAP > (0) [eap] = noop > (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' > (0) [mschap] = ok > > [edited, removed log entries] > > (0) } # authorize = updated > (0) Found Auth-Type = mschap > (0) # Executing group from file > /etc/freeradius/3.0/sites-enabled/eduroam > (0) Auth-Type mschap { > (0) mschap: Creating challenge hash with username: > some-user@somewhere.com > (0) mschap: Client is using MS-CHAPv2 > (0) mschap: EXPAND %{Stripped-User-Name} > (0) mschap: --> some-user > rlm_mschap (mschap): Closing connection (0): Hit > idle_timeout, was idle for > 2240 seconds > rlm_mschap (mschap): Closing connection (1): Hit > idle_timeout, was idle for > 2240 seconds > rlm_mschap (mschap): Closing connection (2): Hit > idle_timeout, was idle for > 2240 seconds > rlm_mschap (mschap): You probably need to lower "min" > rlm_mschap (mschap): Closing connection (3): Hit > idle_timeout, was idle for > 2240 seconds > rlm_mschap (mschap): You probably need to lower "min" > rlm_mschap (mschap): Closing connection (4): Hit > idle_timeout, was idle for > 2240 seconds > rlm_mschap (mschap): You probably need to lower "min" > rlm_mschap (mschap): 0 of 0 connections in use. You may > need to increase > "spare" > rlm_mschap (mschap): Opening additional connection (5), 1 of > 32 pending > slots used > rlm_mschap (mschap): Reserved connection (5) > (0) mschap: sending authentication request user='some-user' domain=' > SOMEWHERE.COM' > rlm_mschap (mschap): Released connection (5) > Need 2 more connections to reach min connections (3) > rlm_mschap (mschap): Opening additional connection (6), 1 of > 31 pending > slots used > (0) mschap: ERROR: When trying to update a password, this > return status > indicates that the value provided as the current password is > not correct. > [0xC000006A] > (0) mschap: ERROR: MS-CHAP2-Response is incorrect > (0) [mschap] = reject > (0) } # Auth-Type mschap = reject > (0) Failed to authenticate the user > (0) Using Post-Auth-Type Reject > > [edited, removed log entries] > > (0) } # Post-Auth-Type REJECT = updated > (0) Sent Access-Reject Id 155 from MailScanner warning: numerical links are often malicious: 10.168.0.14:1812 <http://10.168.0.14:1812> to > MailScanner warning: numerical links are often malicious: 10.10.50.5:22074 <http://10.10.50.5:22074> > length 0 > (0) MS-CHAP-Error = "\317E=691 R=1 > C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 > M=Authentication rejected" > (0) Finished request > > > > I edited the linelog parts out - yes there's only one single > request (0) > Although, It does have an "Authorize-Only" value, which makes > me think this > test only does authorization but no authentication and that's > why the test > fails?? - any help trying to interpret and troubleshoot this > issue would be > welcome. > > Thanks. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html