802.1x machine authentication ads peap domainname
hello for all! I've configured freeradius to work with 802.x connection, everything working well but rlm_mschap expanding user name and domain "host/host123.domain.com" to: username -> host123$ domain -> domain (without .com) in ntlm_auth i have no correct domain name (without .com) so i've added domainname directly to command line. is there better solution to expand full domain name by mschap? thanks! Lukasz
hello for all! I've configured freeradius to work with 802.x connection, everything working well but rlm_mschap expanding user name and domain "host/host123.domain.com" to: username -> host123$ domain -> domain (without .com)
in ntlm_auth i have no correct domain name (without .com) so i've added domainname directly to command line. is there better solution to expand full domain name by mschap?
Use mschap:Doman-Name Ivan Kalik Kalik Informatika ISP
thanks but nope: rlm_mschap: Unknown expansion string "Domain-Name" i'm using freeradius: FreeRADIUS Version 2.0.5, for host x86_64-pc-linux-gnu in other hands it is possible to get this to work together with domain\user and host/host123.domain.com ? regards! 2009/1/27 <tnt@kalik.net>:
hello for all! I've configured freeradius to work with 802.x connection, everything working well but rlm_mschap expanding user name and domain "host/host123.domain.com" to: username -> host123$ domain -> domain (without .com)
in ntlm_auth i have no correct domain name (without .com) so i've added domainname directly to command line. is there better solution to expand full domain name by mschap?
Use mschap:Doman-Name
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- .''`. O.R.Z.E.H.: Obedient Robotic Zealous Exploration Humanoid : :' : '98 linux registered | [FoxGame | ---] team translator | Amiga 2000 user `. `'` [nagios plugin | udev aic9xx] relaser | 220v active user `- http://www.goldenline.pl/lukasz-sitko3 | http://www.linkedin.com/in/lukaszsitko
i know about this expand but it's expanding to only first section of domain (eg. domain.com mschap expand gives only "domain") i'm wondering it is possible to get to work correct expand beceause sometimes radius must authorize users from other thrusted domains. thanks for answer! 2009/1/27 <tnt@kalik.net>:
thanks but nope: rlm_mschap: Unknown expansion string "Domain-Name"
Sorry it's NT-Domain:
--domain=%{NT-Domain}
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i know about this expand but it's expanding to only first section of domain (eg. domain.com mschap expand gives only "domain") i'm wondering it is possible to get to work correct expand beceause sometimes radius must authorize users from other thrusted domains.
Can you post an example. If you are splitting the User-Name with something from the realm module (suffix, ntdomain etc.) you get Stripped-User-Name and Realm. Perhaps %{Realm} would work for you. Ivan Kalik Kalik Informatika ISP
thanks for reply i'm not splitting user name from realm (well i don't know), below is an example with NT-Domain expand: (not working host/host.domain.local eap/peap but works ppp authorization from all domains User-name is DOMAIN\\user and domain is correctly expanded it works also with OTHERDOMAIN\\otheruser - another trusted ads domain) <code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 9 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here mschap2: fa expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject </code> and here is an example without NT-Domain expand for ntlm_auth (it is working well for only "domain.local" and "DOMAIN\\user" but not for thrusted OTHERDOMAIN\\otheruser ): <code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ mschap2: 96 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxxxxxx Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok </code> thanks for help! Lukasz 2009/1/28 <tnt@kalik.net>:
i know about this expand but it's expanding to only first section of domain (eg. domain.com mschap expand gives only "domain") i'm wondering it is possible to get to work correct expand beceause sometimes radius must authorize users from other thrusted domains.
Can you post an example. If you are splitting the User-Name with something from the realm module (suffix, ntdomain etc.) you get Stripped-User-Name and Realm. Perhaps %{Realm} would work for you.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i'm not splitting user name from realm (well i don't know), below is an example with NT-Domain expand: (not working host/host.domain.local eap/peap but works ppp authorization from all domains User-name is DOMAIN\\user and domain is correctly expanded it works also with OTHERDOMAIN\\otheruser - another trusted ads domain)
<code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 9 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here mschap2: fa expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject </code>
and here is an example without NT-Domain expand for ntlm_auth (it is working well for only "domain.local" and "DOMAIN\\user" but not for thrusted OTHERDOMAIN\\otheruser ):
<code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ mschap2: 96 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxxxxxx Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok </code>
OK. So you need two mschap instances one for NT format (DOMAIN\\user type - with NT-Domain in ntlm_auth) and one for IPASS (host/somehost.domain.local type - without) format. Use unlang to detect the delimiter and switch the correct instance replacing mschap in authorize and inside Auth-Type MSCHAP. Ivan Kalik Kalik Informatika ISP
wow! it's working great!!! Tests with two instances for now are working - thanks a lot! i'm must do more tests but it seems this is the way! regards! Lukasz 2009/1/29 <tnt@kalik.net>:
i'm not splitting user name from realm (well i don't know), below is an example with NT-Domain expand: (not working host/host.domain.local eap/peap but works ppp authorization from all domains User-name is DOMAIN\\user and domain is correctly expanded it works also with OTHERDOMAIN\\otheruser - another trusted ads domain)
<code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 9 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here mschap2: fa expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject </code>
and here is an example without NT-Domain expand for ntlm_auth (it is working well for only "domain.local" and "DOMAIN\\user" but not for thrusted OTHERDOMAIN\\otheruser ):
<code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ mschap2: 96 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxxxxxx Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok </code>
OK. So you need two mschap instances one for NT format (DOMAIN\\user type - with NT-Domain in ntlm_auth) and one for IPASS (host/somehost.domain.local type - without) format. Use unlang to detect the delimiter and switch the correct instance replacing mschap in authorize and inside Auth-Type MSCHAP.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- .''`. O.R.Z.E.H.: Obedient Robotic Zealous Exploration Humanoid : :' : '98 linux registered | [FoxGame | ---] team translator | Amiga 2000 user `. `'` [nagios plugin | udev aic9xx] relaser | 220v active user `- http://www.goldenline.pl/lukasz-sitko3 | http://www.linkedin.com/in/lukaszsitko
participants (2)
-
orzeh -
tnt@kalik.net