Re: Error: User-Name is not the same as MS-CHAP name
Hi, I had a look at this issue with him since he is one of our client. Machine authentications are working flawlessly, windows 7 authentication as well (no hostname is sent with the username). The problem is when the HOSTNAME is sent along with the username under windows XP. I tried to set a realm specially for this HOSTNAME, but we got the same error.
Well... re-writing the names in the "inner-tunnel" server is breaking authentication. We don't. The sites configuration are very straightforward (almost default), no fency rewrites in the default or the inner-tunnel. *Why* are you re-writing them? What do you expect to do with the names? Why isn't there another way to achieve the same goal? We do not rewrite anything. LDAP authorization passes properly, but when EAP authentication kicks in, we have this MS-CHAP error. We are using mschap:user-name in the LDAP filter and in the ntlm_auth line. Again, we are *NOT* rewriting the User-Name.
We need other ideas here. -- Francois Gaudreault, ing. jr Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Francois Gaudreault wrote:
We are using mschap:user-name in the LDAP filter and in the ntlm_auth line. Again, we are *NOT* rewriting the User-Name.
We need other ideas here.
Post the debug output. Alan DeKok.
On 05/27/2011 09:04 PM, Francois Gaudreault wrote:
Hi,
I had a look at this issue with him since he is one of our client. Machine authentications are working flawlessly, windows 7 authentication as well (no hostname is sent with the username).
I honestly lost track of this issue; the guy had spread it over a couple of mailing list posts, and the debug output kept getting sent as either URLs I couldn't access, or heavily mangled text, so I'm afraid I drifted away. Can you summarise in brief the setup you have, and as per Alan's request, send the full debug output of "radiusd -X" for a failing authentication. Please don't trim or edit the output. By "summarise your setup" I mean: * what clients, and how they're setup * what NASes * what behaviour you're trying to achieve I'll repeat something I've had cause to say several times recently: Either: 1. The client is sending wrong/mismatching usernames 2. Something along the way is mangling the usernames 3. You have configured FreeRADIUS to mangle it There really aren't any other options.
Hi Phil, and Alan, I will get you the debug output for Windows XP SP3 boxes (likely Monday). I will summarise what we have. Basically, this is a setup where the client is using eDirectory to authorize the users using the rlm_ldap module. On the windows boxes, it is configured to do PEAP using MSCHAPv2. When we send a host credential (ie. host/mycomputer.domain.tld) it will pass the authorization and during the authentication phase, it will use ntlm_auth to ensure that the machine is member of the domain. That part is working fine, the mschap module does its job. For the users, they have windows 7s and windows XPs. Windows 7 appears to be working without problems since the username is sent without the computer name as the domain prefix. The problem comes with the windows XP boxes. If we let windows send the credentials automatically (when novell logs in), the LDAP authorization will work properly, but the authentication will fail even if the Cleartext-Password attribute is set by the LDAP module. It will throw that MS-CHAP error. We also ensure that everything that comes from something that is not matching host/something will use the MS-CHAP-NTLM-Auth = No. The only way to make Windows XP work is to disable the "automatically send username" thing and only send the username without the domain name. However, the user experience will definitely be terrible. The NAS Client is an Avaya Access Point. Thanks for your feedbacks guys, it is appreciated. I will get you the debug information and the sites configuration as soon as I can. Have a nice weekend. -- Francois Gaudreault, ing. jr Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Hi, Here is the complete debug log : rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=194, length=179 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x02000016015354494330383836325c54656368524d43 Message-Authenticator = 0xfa084ddf06908a03fe823772e3df038e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 0 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for STIC08862\TechRMC [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC) [ldap] expand: o=CSPI -> o=CSPI [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=CSPI, with filter (uid=TechRMC) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user STIC08862\TechRMC authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 194 to 10.220.30.5 port 29010 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6309d0dd14b00d913c56dbe3f Finished request 78. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=195, length=255 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0201005019800000004616030100410100003d03014de118d0fb7ad90b86758750890c116038cb55d9c09e4f2b4228a03e019e3d4200001600040005000a000900640062000300060013001200630100 State = 0x309c14c6309d0dd14b00d913c56dbe3f Message-Authenticator = 0xbb36f856b12e7151d07b7f62bb8ac4d1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 1 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 195 to 10.220.30.5 port 29010 EAP-Message = 0x0102040019c00000089b160301002a0200002603014de118cc589bf7890a69fb3f645cbd3f8fb8e69b0de774081f186249cbb1fab400000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303532363131323630315a170d3132303532353131323630315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100abc6704165a82539a0386d451ff1ef7af0b77a030e0ece6ae83f509f03075fc22f4314bed080131a3f4ce4836d78b9f839e787dcf28407ebe4b4976a23b8 EAP-Message = 0x99720c1bdeb4e3a97cb664364a74231a865f1c58f96afa6060b528500f2a570c488ba5d43c1898ec6b8ccb38f66ed46fcc83c824da13c885743ae1c2fac049de6d095b694a6144ab81d6b1ae9ade3ad472fa3c505c5aad28a7f878426c5625e844a9f8980f2d6b18a2820ddc4086ae123f1b58b76e1662d5df63ec1662d44f8c302fd0f0f56bf156e2b998558ffab4e9c5967adf434ed23e28b8500d13e12d72202880234fadf61dc578fd16f6a0e9b7e62fbc7d5e93195384c6a53388a357a7e8590203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009b9dae84aad1294971 EAP-Message = 0x085bfc65eea37216552b3898f2164a56490b8e68d7d3b809b379f74c18b249611da68f59c6ded6c40673cfe5bc870d40e305eeb2da97d2550d804d6e75fd2a42bf35e2ee7abdeae22a33a2cd27c8e5cb26a30a10cd7b9a22bb936e09effc1323a9beb1b407f375a0f197b5ea4dab4dc9f5a131bd89d64b3e61ce79250659c86de853316f63cd62edcae9ffd2ea4bba902a02e38cbf2a483f2b723f6e87bc7092f6335730a0cb24c8ec74a1d21cc0e7aa0f9b4eb991a00e10f9c54fbbe950dd0252c7eb094e26888c8bd0cf38488755f2f64822923402e46c5578ab316d899076fcab91a140b32aa180e265e8e8df263e209233432482bf0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6319e0dd14b00d913c56dbe3f Finished request 79. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=196, length=181 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020200061900 State = 0x309c14c6319e0dd14b00d913c56dbe3f Message-Authenticator = 0xa462f5cd5ac6dd277077e9011fbf9c14 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 196 to 10.220.30.5 port 29010 EAP-Message = 0x010303fc194000cbce0215a96683a7300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303532363131323630315a170d3132303532353131323630315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bc17ac5d732962b1d8b9930162674dbc7ed2c21a022847f8d0bbf631b90c4598a9f450824c1335d535b1a3bc06344b72429484af7f8a7470f387f9b3314ca14b85328e7ed7c94f40f821bc5b69b1828a4eb5ca30e4cb30668c7b8dada3769f20a61fa244d158eb43fa343001a80195 EAP-Message = 0xb1b11e518865a45a3b1f8116ffc29a79de5bc4f72c54e53632a1c49f84aa523b39519bfdac4cf067f0bff3455f17f44c8e40b04b06ad175fcf5fcc9d88e047d95a35ee4581d243207a1c94f32aaa6ba8c59883944f8d2721493a52f0d18aa594cbaead171926e6a1f992b67ab93854a34f3d421cbe875e2909aafde2eb5bed79d233a20fa21fb9e378497d273e8f6ca14d0203010001a381fb3081f8301d0603551d0e04160414c4c3cc2ea4d081bbce0c80d92996e92cda9390dc3081c80603551d230481c03081bd8014c4c3cc2ea4d081bbce0c80d92996e92cda9390dca18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900cbce0215a96683a7300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100022271f224357d78202aaecf9faca93ece45548fc74f4bed01bb6ad31badca58eb3d019ac1f2fcc323d33dcae04b84b6c2b443bca35258946c7f02eaa1bbeb550494b30648c47d83786b5f872facbb828d6f EAP-Message = 0x3deb8931d600ea5e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6329f0dd14b00d913c56dbe3f Finished request 80. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=197, length=181 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020300061900 State = 0x309c14c6329f0dd14b00d913c56dbe3f Message-Authenticator = 0xa5deb369fab7a8ab117e3a2d3a1bd99a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 197 to 10.220.30.5 port 29010 EAP-Message = 0x010400b519001c077a0c37c0021ebd5901d8710b97ad0f8565cbe4081f184c4f48d79500d781c789cd7e4fcb9ef1c0d85e8c0e2f79b33d98067a79636b7b18c212c6fa065393ead60ccbd66b1ee55415965798592390475c38b8f1d81a8372e7e1aafcb6563a44f0be0cb173c485b071d8f18a6d6c978b2a17fc24579a3a00c360a6b43efefc2ec4f0d73ab140ec5e5d9b591a5b29b0d3a7a096774771c16065b46160051a8d1e88f6aa261516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c633980dd14b00d913c56dbe3f Finished request 81. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=198, length=497 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0204014019800000013616030101061000010201000d5a7cfe5681de38952daa49b5a1f72a4406db283c1bdb0dbf56630552caba84d0ddd24cb5782d77a3b91ccbfbecc86a769bce2e367a77d13049c89aca7179224427b950971802c12e803af42ec507f6ded58f3ad883f4e774878bef3537d59d19e0e6697a98120a7cc029be2c20ca05e87ba0beb9376957afba29ab6bff97667ce389d9b8d5530f9456b4b6a77753596a1bd6caff20c5269203b2b6d51e70082f5592c2abb1a17235e2f1ccfe6110ea40a44f4b25b46b56eaae52ec6649d39bf5434b53b996821b1c68159f34d7695c4d0d21d6d138c62f5fa6eb7664bf2ab59facdbab3bf9eac9 EAP-Message = 0x2a59234d25f162d9c012c90c1b564c40f7a244ceb74fdbba1403010001011603010020105e724ee5343bc59dc34a12d5f6ae80cb30ee64b5e06ec66e794571315cee97 State = 0x309c14c633980dd14b00d913c56dbe3f Message-Authenticator = 0xa808596aff58e89c835ba408d22c8576 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 198 to 10.220.30.5 port 29010 EAP-Message = 0x0105003119001403010001011603010020a7b524514b3cddffd4a8160f9eb6cc6a58975c324fe0d9ad042931b8bffb2bbd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c634990dd14b00d913c56dbe3f Finished request 82. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=199, length=181 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020500061900 State = 0x309c14c634990dd14b00d913c56dbe3f Message-Authenticator = 0xfbb387ec4960fce18fa01d5ff1c5e01e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 199 to 10.220.30.5 port 29010 EAP-Message = 0x010600201900170301001571c76260985f4c2cdee93f9c926ad4e44dbc5089bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6359a0dd14b00d913c56dbe3f Finished request 83. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=200, length=220 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x0206002d1900170301002265afc9d83fb63b3df1fa050064293a1d5724034b497cd6917712aed52e33e5c50a93 State = 0x309c14c6359a0dd14b00d913c56dbe3f Message-Authenticator = 0x1d9a3ba6178e12c05cfd06e7b2a2c601 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 6 length 45 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - STIC08862\TechRMC [peap] Got inner identity 'STIC08862\TechRMC' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02060016015354494330383836325c54656368524d43 server { PEAP: Setting User-Name to STIC08862\TechRMC Sending tunneled request EAP-Message = 0x02060016015354494330383836325c54656368524d43 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "STIC08862\\TechRMC" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE [eap] EAP packet type response id 6 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for STIC08862\TechRMC [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC) [ldap] expand: o=CSPI -> o=CSPI [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=CSPI, with filter (uid=TechRMC) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user STIC08862\TechRMC authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) ? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...} +++[control] returns ok ++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x510e2245510938eb25e1ac3222e20688 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x510e2245510938eb25e1ac3222e20688 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 200 to 10.220.30.5 port 29010 EAP-Message = 0x0107004219001703010037421203ab26df0308676a4f2cb9e0fa8ff6e390152e6e971e94d31eda95d20b849007bca062f718e1d559e79b10a5b6a188768b6fe1907c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c6369b0dd14b00d913c56dbe3f Finished request 84. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=201, length=264 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020700591900170301004eb1f256aa2e900c41ef37f9d0933df166344a6edbc9356301e0fdc15cb87b6cbe03f6b07e54ccfd7fca446c7ce6cca1a742794be48c57b8e2ac735d7b2a2b38fe4483984103fc270b54d6c691b4c2 State = 0x309c14c6369b0dd14b00d913c56dbe3f Message-Authenticator = 0x8d693684ec5593182b54ce7c3d5e7d8f # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 7 length 89 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43 server { PEAP: Setting User-Name to STIC08862\TechRMC Sending tunneled request EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "STIC08862\\TechRMC" State = 0x510e2245510938eb25e1ac3222e20688 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE [eap] EAP packet type response id 7 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for STIC08862\TechRMC [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC) [ldap] expand: o=CSPI -> o=CSPI [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=CSPI, with filter (uid=TechRMC) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user STIC08862\TechRMC authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) ? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE ++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...} +++[control] returns ok ++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] ERROR: User-Name (STIC08862\TechRMC) is not the same as MS-CHAP Name (TechRMC) from EAP-MSCHAPv2 ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 201 to 10.220.30.5 port 29010 EAP-Message = 0x010800261900170301001bd9addceecce69a0bbcafd532787f06f03515b539bbb8c598213707 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x309c14c637940dd14b00d913c56dbe3f Finished request 85. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=202, length=213 User-Name = "STIC08862\\TechRMC" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11a" EAP-Message = 0x020800261900170301001b5d49f3ad65771949521891ede66912ccf09cfa17c7d6a9965f229e State = 0x309c14c637940dd14b00d913c56dbe3f Message-Authenticator = 0xf8e78209cd1bbc051781ce0db38fb367 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} [suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC" [ntdomain] No such realm "STIC08862" ++[ntdomain] returns noop ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) expand: %{User-Name} -> STIC08862\TechRMC ? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE ++[preprocess] returns ok [eap] EAP packet type response id 8 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> STIC08862\TechRMC attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 86 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 86 Sending Access-Reject of id 202 to 10.220.30.5 port 29010 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. On 11-05-28 10:32 AM, Francois Gaudreault wrote:
Hi Phil, and Alan,
I will get you the debug output for Windows XP SP3 boxes (likely Monday).
I will summarise what we have. Basically, this is a setup where the client is using eDirectory to authorize the users using the rlm_ldap module. On the windows boxes, it is configured to do PEAP using MSCHAPv2. When we send a host credential (ie. host/mycomputer.domain.tld) it will pass the authorization and during the authentication phase, it will use ntlm_auth to ensure that the machine is member of the domain. That part is working fine, the mschap module does its job. For the users, they have windows 7s and windows XPs. Windows 7 appears to be working without problems since the username is sent without the computer name as the domain prefix. The problem comes with the windows XP boxes. If we let windows send the credentials automatically (when novell logs in), the LDAP authorization will work properly, but the authentication will fail even if the Cleartext-Password attribute is set by the LDAP module. It will throw that MS-CHAP error. We also ensure that everything that comes from something that is not matching host/something will use the MS-CHAP-NTLM-Auth = No. The only way to make Windows XP work is to disable the "automatically send username" thing and only send the username without the domain name. However, the user experience will definitely be terrible.
The NAS Client is an Avaya Access Point.
Thanks for your feedbacks guys, it is appreciated. I will get you the debug information and the sites configuration as soon as I can.
Have a nice weekend.
-- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On 05/28/2011 06:33 PM, Francois Gaudreault wrote:
Sending tunneled request EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43
FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "STIC08862\\TechRMC" State = 0x510e2245510938eb25e1ac3222e20688
Ok, so as before what we're seeing is that the host is sending STIC08862\TechRMC ...in the EAP-Identity response, but: TechRMC ...in the MSCHAP packet (the hex above decodes to that) This is obviously broken, but here's where I get confused: STIC08862 doesn't look like a domain name to me. It looks like a machine name. Is the machine a domain member or not? Is the user logging on locally or with a domain account? Or is this an artefact of the way Novell works? What happens if you take an ordinary machine, without the Novell client installed, create a local user with the same username/password as a domain user, then use "send username automatically" That is - does this work if the Novell client isn't in the picture?
Hi Phil, On 11-05-29 6:16 AM, Phil Mayers wrote:
Ok, so as before what we're seeing is that the host is sending
STIC08862\TechRMC
...in the EAP-Identity response, but:
TechRMC
...in the MSCHAP packet (the hex above decodes to that)
This is obviously broken, but here's where I get confused: STIC08862 doesn't look like a domain name to me. It looks like a machine name. It is indeed a machine name. This is where we have problems, this does not happen using Windows 7. I tried to set a Realm for that machine name without success. The thing I don't understand is why MSCHAP complains about that. I mean, correct me if I am wrong, mschap:User-Name will *always* strip that part since it looks like a domain.
Is the machine a domain member or not? Is the user logging on locally or with a domain account? Or is this an artefact of the way Novell works?
The machine is not member of the domain, and the user logs in Novell. So when the user logs in, it sends the username information to RADIUS just like if a local user logs in.
What happens if you take an ordinary machine, without the Novell client installed, create a local user with the same username/password as a domain user, then use "send username automatically"
We tried it, and the machine appears to be sending the machine name anyway. It will work only if we don't send the credentials automatically. Thanks! -- Francois Gaudreault, ing. jr Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On 05/29/2011 03:10 PM, Francois Gaudreault wrote:
Hi Phil,
On 11-05-29 6:16 AM, Phil Mayers wrote:
Ok, so as before what we're seeing is that the host is sending
STIC08862\TechRMC
...in the EAP-Identity response, but:
TechRMC
...in the MSCHAP packet (the hex above decodes to that)
This is obviously broken, but here's where I get confused: STIC08862 doesn't look like a domain name to me. It looks like a machine name. It is indeed a machine name. This is where we have problems, this does not happen using Windows 7. I tried to set a Realm for that machine name without success. The thing I don't understand is why MSCHAP complains about that. I mean, correct me if I am wrong, mschap:User-Name will *always* strip that part since it looks like a domain.
Forget about all that. Adding Realm's and fiddling with the packet won't help; the check is hard-coded into the mschap module as a fairly obvious security measure. For example - suppose I have an environment with two separate domains: STAFF STUDENTS ...if the mschap module did *not* check this, I could rig my mschap client to send: EAP-Identity: STAFF\john MSCHAP-Name: STUDENT\john There's no guarantee that STAFF\john and STUDENT\john at the same person; you can't just ignore the fact that the client has changed their username.
Is the machine a domain member or not? Is the user logging on locally or with a domain account? Or is this an artefact of the way Novell works?
The machine is not member of the domain, and the user logs in Novell. So when the user logs in, it sends the username information to RADIUS just like if a local user logs in.
Ah. I had assumed the machine was a domain member, because you were talking about machine auth (which requires domain membership). I take it there are two sets of machines - some in the domain, some not? I assume they all have the Novell client installed?
What happens if you take an ordinary machine, without the Novell client installed, create a local user with the same username/password as a domain user, then use "send username automatically"
We tried it, and the machine appears to be sending the machine name anyway. It will work only if we don't send the credentials automatically.
Usually, people only use "send username automatically" with machines which are in the domain. It's possible this is just a bug in Windows XP, and that no-one else has ever tried this, so it's never been seen.
Hi Phil,
Forget about all that. Adding Realm's and fiddling with the packet won't help; the check is hard-coded into the mschap module as a fairly obvious security measure.
For example - suppose I have an environment with two separate domains:
STAFF STUDENTS
...if the mschap module did *not* check this, I could rig my mschap client to send:
EAP-Identity: STAFF\john MSCHAP-Name: STUDENT\john
There's no guarantee that STAFF\john and STUDENT\john at the same person; you can't just ignore the fact that the client has changed their username.
True. But I don't think it is possible to send a different Username in EAP-Identity and MSChap Username in the same EAP session since the second is derived from the first. I have seen such setup where you have two domain, RADIUS would use the Realm to differentiates the two. Is there a way we could work around this hard-coded check since in our case, we only have "one john"?
Ah.
I had assumed the machine was a domain member, because you were talking about machine auth (which requires domain membership). I take it there are two sets of machines - some in the domain, some not? I assume they all have the Novell client installed?
Correct, the machines are not member of an AD domain. However, they have the Novell Client installed, and they are using a kind of AD tree in their eDirectory structure. So machine auth works the same as if it was an AD domain. The users are not member of that special tree.
Usually, people only use "send username automatically" with machines which are in the domain. It's possible this is just a bug in Windows XP, and that no-one else has ever tried this, so it's never been seen.
It is possible that in Windows XP, something is broken at the supplicant level. In windows 7, the OS is brilliant enough not to send the machine name. However, mainly 80% of his machines are Windows XP. -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
There's no guarantee that STAFF\john and STUDENT\john at the same person; you can't just ignore the fact that the client has changed their username.
True. But I don't think it is possible to send a different Username in EAP-Identity and MSChap Username in the same EAP session since the second is derived from the first. I have seen such setup where you have two domain, RADIUS would use the Realm to differentiates the two.
For a legit client, yes. A malicious client can send anything it wants.
Is there a way we could work around this hard-coded check since in our case, we only have "one john"?
Sure; the check is just one line; grep the source code for it and comment it out. What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow. e.g. maybe the check should be: if eap.username == mschap.username: ok elif not mschap.domain: if eap.stripped-user-name == mschap.username: ok reject else: reject I will try to investigate this tomorrow when I get back to the office.
In my shop I see a mix of domain and non domain machines. Each type will send machine or user\localmachine for user's name depending on the configuration of the windows suplicant. Avoid having users logon to domain machines with local user accounts unless you have configured the windows suplicant from the default. Do the same with non domain machines. Here I check for the form "\full.windows.domain.name". If this is present, I use ntlm-auth. If it is not, I strip off the "\host" part in the inner tunnel and use that as a user in an ldap store which has mschap password hashes. In most cases this works for domain machines where users are logging in with local accounts or logging in locally with cached user credentials. The rest show up at the help desk. I am excited about the mschap patches talked about in recent posts. Sent from Verizon Wireless -----Original Message----- From: Phil Mayers <p.mayers@imperial.ac.uk> Sender: freeradius-users-bounces+ironrake=yahoo.com@lists.freeradius.org Date: Mon, 30 May 2011 14:55:03 To: FreeRadius users mailing list<freeradius-users@lists.freeradius.org> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Error: User-Name is not the same as MS-CHAP name On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
There's no guarantee that STAFF\john and STUDENT\john at the same person; you can't just ignore the fact that the client has changed their username.
True. But I don't think it is possible to send a different Username in EAP-Identity and MSChap Username in the same EAP session since the second is derived from the first. I have seen such setup where you have two domain, RADIUS would use the Realm to differentiates the two.
For a legit client, yes. A malicious client can send anything it wants.
Is there a way we could work around this hard-coded check since in our case, we only have "one john"?
Sure; the check is just one line; grep the source code for it and comment it out. What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow. e.g. maybe the check should be: if eap.username == mschap.username: ok elif not mschap.domain: if eap.stripped-user-name == mschap.username: ok reject else: reject I will try to investigate this tomorrow when I get back to the office. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On 11-05-30 9:55 AM, Phil Mayers wrote:
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
There's no guarantee that STAFF\john and STUDENT\john at the same person; you can't just ignore the fact that the client has changed their username.
True. But I don't think it is possible to send a different Username in EAP-Identity and MSChap Username in the same EAP session since the second is derived from the first. I have seen such setup where you have two domain, RADIUS would use the Realm to differentiates the two.
For a legit client, yes. A malicious client can send anything it wants. I completely agree with you on this.
Is there a way we could work around this hard-coded check since in our case, we only have "one john"?
Sure; the check is just one line; grep the source code for it and comment it out.
What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow.
e.g. maybe the check should be:
if eap.username == mschap.username: ok elif not mschap.domain: if eap.stripped-user-name == mschap.username: ok reject else: reject
I will try to investigate this tomorrow when I get back to the office.
Aight. Keep us posted. -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Hi Phil,
What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow.
e.g. maybe the check should be:
if eap.username == mschap.username: ok elif not mschap.domain: if eap.stripped-user-name == mschap.username: ok reject else: reject
I will try to investigate this tomorrow when I get back to the office.
Aight. Keep us posted.
Did you have a chance to look at it? Thanks! -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 02/06/11 14:47, Francois Gaudreault wrote:
Did you have a chance to look at it?
Ironically I'm having trouble finding a windows XP install CD...
This might help: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=21eabb90-958f-4b... Last time I check Virtualbox can also use VHD, so it should work even on Linux/Mac hosts. -- Fajar
On 06/02/2011 10:39 PM, Fajar A. Nugraha wrote:
On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers<p.mayers@imperial.ac.uk> wrote:
On 02/06/11 14:47, Francois Gaudreault wrote:
Did you have a chance to look at it?
Ironically I'm having trouble finding a windows XP install CD...
This might help:
Not really.
participants (5)
-
Alan DeKok -
Fajar A. Nugraha -
Francois Gaudreault -
ironrake@yahoo.com -
Phil Mayers