Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC
Hi I'm trying to setup Ubiquiti UniFi to authenticate users in AD, and the ntlm_auth portion is causing me some issues. As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and AD. My AD is a Samba 4 server, Samba is configured & working and the freeradius server has been joined to the domain. root@radius:~# wbinfo -u administrator foo guest krbtgt ntlm_auth on the command line works OK : root@radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx NT_STATUS_OK: The operation completed successfully. (0x0) I've followed a couple of guidelines specific for this setup (with UniFi) but none of them appear to work, neither with winbind nor ntlm_auth as method within freeradius. I'm currently using this in my mods-available/mschap file : ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" with_ntdomain_hack = yes When I run radtest from CLI I get this : *root@radius*:*~*$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123 Sent Access-Request Id 245 from 0.0.0.0:43248 to 127.0.0.1:1812 length 136 User-Name = "BAR\\foo" MS-CHAP-Password = "xxx" NAS-IP-Address = 192.168.10.8 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "xxx" MS-CHAP-Challenge = 0xa822149a03011b15 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d Received Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61 MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2" (0) -: Expected Access-Accept got Access-Reject On the radius debug log I get this : (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=BAR\\foo (0) mschap: EXPAND --domain=%{mschap:NT-Domain} (0) mschap: --> --domain=BAR (0) mschap: mschap1: a8 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=a822149a03011b15 (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> BAR\\foo (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [BAR\foo/<via Auth-Type = mschap>] (from client localhost port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 245 with timestamp +25 due to cleanup_delay was reached Ready to process requests So my guess is that my ntlm_auth line is not correct, or I missed some other parameter somewhere, but I've tried quite a few options so far, and they seem to all fail. Any suggestions ? I did see some recommending using winbind instead of ntlm_auth, but I wanted to control access via group membership and it seems that is not an option with winbind. If anyone has a working example of what I'm trying to do (UniFi-->FreeRADIUS-->Samba DC) I'm all ears as the examples I found so far are not working. /Jesper
On Sep 12, 2022, at 3:42 AM, Jesper Nemholt <jfn@dataradical.com> wrote:
As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and AD. My AD is a Samba 4 server,
That's fine.
Samba is configured & working and the freeradius server has been joined to the domain.
OK.
ntlm_auth on the command line works OK :
root@radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx
NT_STATUS_OK: The operation completed successfully. (0x0)
Note the domain / username configuration...
I've followed a couple of guidelines specific for this setup (with UniFi) but none of them appear to work, neither with winbind nor ntlm_auth as method within freeradius.
http://deployingradius.com has a complete guide. it's been the definitive source for 15+ years. There's no need to any unifi-specific setup, other than configuring the Unifi equipment as a RADIUS client.
I'm currently using this in my mods-available/mschap file :
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" with_ntdomain_hack = yes
The docs say "post the debug output, not the configuration".
When I run radtest from CLI I get this :
*root@radius*:*~*$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123
After 20 years, I still can't figure out why people insist on posting the output of "radtest", when all of the documentation, "man" pages, etc. say "don't do that."
On the radius debug log I get this :
That's the only thing that matters. Everything else is not really helpful.
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=BAR\\foo (0) mschap: EXPAND --domain=%{mschap:NT-Domain} (0) mschap: --> --domain=BAR
Note that this username / domain is different than what you used when testing ntlm_auth on the command line. How about configuring FreeRADIUS to just use "foo" for the "--username=foo" field? The mschap module has extensive documentation on this subject. Perhaps try: ... --username=%{mschap:User-Name} ...
So my guess is that my ntlm_auth line is not correct, or I missed some other parameter somewhere, but I've tried quite a few options so far, and they seem to all fail.
It isn't helpful to try random things. The best approach is to look at what works, and what doesn't work. Then, make the "not working" thing more like the "working" thing. The problem with "I tried a bunch of stuff and nothing works" is that you're not understanding how the system works. You're just trying random things, hoping that some random change will magically make it work. Instead, you should be working on understanding how things work. Read the docs, try the different configurations suggested in the docs, etc. A methodical approach will *always* yield better results than trying random things you found on google. Alan DeKok.
Jesper, The problem is your username On command-line you have this: root@radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx NT_STATUS_OK: The operation completed successfully. (0x0) In FreeRADIUS, it builds this: /usr/bin/ntlm_auth --request-nt-key --username=BAR\\foo --domain=BAR --challenge=a822149a03011b15 --nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d I suspect the fact that --username is 'BAR\foo', not 'foo', is the problem. :-) Stefan Paetow Federated Roaming Technical Specialist eduroam(UK), Jisc email/teams: stefan.paetow@jisc.ac.uk gpg: 0x3FCE5142 On Mondays and Wednesdays, I am not available after 15:00. For eduroam support, please contact us via help@jisc.ac.uk and mark it for the eduroam team’s attention. jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. On 12/09/2022, 08:43, "Freeradius-Users on behalf of Jesper Nemholt" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of jfn@dataradical.com> wrote: Hi I'm trying to setup Ubiquiti UniFi to authenticate users in AD, and the ntlm_auth portion is causing me some issues. As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and AD. My AD is a Samba 4 server, Samba is configured & working and the freeradius server has been joined to the domain. root@radius:~# wbinfo -u administrator foo guest krbtgt ntlm_auth on the command line works OK : root@radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx NT_STATUS_OK: The operation completed successfully. (0x0) I've followed a couple of guidelines specific for this setup (with UniFi) but none of them appear to work, neither with winbind nor ntlm_auth as method within freeradius. I'm currently using this in my mods-available/mschap file : ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" with_ntdomain_hack = yes When I run radtest from CLI I get this : *root@radius*:*~*$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123 Sent Access-Request Id 245 from 0.0.0.0:43248 to 127.0.0.1:1812 length 136 User-Name = "BAR\\foo" MS-CHAP-Password = "xxx" NAS-IP-Address = 192.168.10.8 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "xxx" MS-CHAP-Challenge = 0xa822149a03011b15 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d Received Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61 MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2" (0) -: Expected Access-Accept got Access-Reject On the radius debug log I get this : (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=BAR\\foo (0) mschap: EXPAND --domain=%{mschap:NT-Domain} (0) mschap: --> --domain=BAR (0) mschap: mschap1: a8 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=a822149a03011b15 (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> BAR\\foo (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [BAR\foo/<via Auth-Type = mschap>] (from client localhost port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 245 with timestamp +25 due to cleanup_delay was reached Ready to process requests So my guess is that my ntlm_auth line is not correct, or I missed some other parameter somewhere, but I've tried quite a few options so far, and they seem to all fail. Any suggestions ? I did see some recommending using winbind instead of ntlm_auth, but I wanted to control access via group membership and it seems that is not an option with winbind. If anyone has a working example of what I'm trying to do (UniFi-->FreeRADIUS-->Samba DC) I'm all ears as the examples I found so far are not working. /Jesper - List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Cstefan.paetow%40jisc.ac.uk%7C58893dfb2cc443d4032708da9492792d%7C48f9394d8a144d2782a6f35f12361205%7C0%7C0%7C637985654084797285%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=cfGFSj%2Bc6cTTRWHVm0psNzCICGeYA9IX4pH1zoETgsI%3D&reserved=0
participants (3)
-
Alan DeKok -
Jesper Nemholt -
Stefan Paetow