PEAP and Automatically use my Windows logon name
Hello I am trying to authenticate end VPN users using PEAP method toward freeradius server. On client side there is built-in VPN client (PPTP) on windows 7 machines. In general everything is working - users are able to autenticate once they manually use their credentials. Also the scenario with including (manually filled) domain name is also available and users are able to authenticate as well. The problems starting if I try to use "Automatically use my Windows logon name and password (and domain if any)" checkbox within PEAP method - the user is not able to autenticate even if the logged-in windows account (login/pass) is same than on server side. From the radius debug logs the problems started with beginning of mschapv2 module: Working part (with manually filled domain): [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") [mschapv2] expand: %{My-Local-Client-Type} -> user [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...} [mschap_vpn] Creating challenge hash with username: bob [mschap_vpn] Told to do MS-CHAPv2 for timeos with NT-Password [mschap_vpn] expand: --username=%{mschap:User-Name} -> --username=bob [mschap_vpn] Creating challenge hash with username: bob [mschap_vpn] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=63b158798144225d [mschap_vpn] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=44a58798471dc8e98dc3854e7c285246596fafb0c116cd14 Exec-Program output: NT_KEY: ABF2579A08227E23F0984101C44B8D12 Exec-Program-Wait: plaintext: NT_KEY: ABF2579A08227E23F0984101C44B8D12 Exec-Program: returned: 0 [mschap_vpn] adding MS-CHAPv2 MPPE keys +++[mschap_vpn] returns ok ++- if ("%{My-Local-Client-Type}" == "user") returns ok MSCHAP Success Not working case (using "Automatically use my Windows logon name..."): [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") [mschapv2] expand: %{My-Local-Client-Type} -> user [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...} [mschap_vpn] ERROR: User-Name (abrakadabra\bob) is not the same as MS-CHAP Name (bob) from EAP-MSCHAPv2 +++[mschap_vpn] returns reject ++- if ("%{My-Local-Client-Type}" == "user") returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [abrakadabra\\bob] (from client vpn.exmaple.com port 0 via TLS tunnel) mschap module: mschap mschap_vpn { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-248145504-287154277-2125575804-1588" } notes: - If I write the domain in login box manually, it is typed in uppercase (without ability to change) - "ABRAKADABRA\bob". If I check "Automatically use my Windows logon name...", the domain (only local-computer) name is pushed in lower case: "abrakadabra\bob". that's the main difference what I can see from comparing both debug logs. - if I write the domain manually inside the login name using "abrakadabra\bob" and keep the "Domain" field empty - the name will be pushed "abrakadabra\bob" - but in this case, I will be authenticated _successfully_. it sounds to me that this issue have nothing to do with uppercase/lowercase of domain name, but it must be something else which breaks all authentication using windows login credentials. - the client computer domain is not real domain - it's just the computer name but this does not matter as the domain name is not pushed to ntlm_auth at all. If I try to log in directly using "ntlm_auth" without providing "--domain" parameter - I will be authenticated correctly. please has anyone working PEAP authentication with ability to use "Automatically use my Windows logon name..."? What I am doing wrong. thank you michal
Of course, I forgot to provide FR version: freeradius-2.1.12-4.el6_3.x86_64 (on Centos 6.5) sorry On 30. 1. 2014 19:27, Michal Bruncko wrote:
Hello
I am trying to authenticate end VPN users using PEAP method toward freeradius server. On client side there is built-in VPN client (PPTP) on windows 7 machines. In general everything is working - users are able to autenticate once they manually use their credentials. Also the scenario with including (manually filled) domain name is also available and users are able to authenticate as well. The problems starting if I try to use "Automatically use my Windows logon name and password (and domain if any)" checkbox within PEAP method - the user is not able to autenticate even if the logged-in windows account (login/pass) is same than on server side.
From the radius debug logs the problems started with beginning of mschapv2 module:
Working part (with manually filled domain): [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") [mschapv2] expand: %{My-Local-Client-Type} -> user [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...} [mschap_vpn] Creating challenge hash with username: bob [mschap_vpn] Told to do MS-CHAPv2 for timeos with NT-Password [mschap_vpn] expand: --username=%{mschap:User-Name} -> --username=bob [mschap_vpn] Creating challenge hash with username: bob [mschap_vpn] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=63b158798144225d [mschap_vpn] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=44a58798471dc8e98dc3854e7c285246596fafb0c116cd14 Exec-Program output: NT_KEY: ABF2579A08227E23F0984101C44B8D12 Exec-Program-Wait: plaintext: NT_KEY: ABF2579A08227E23F0984101C44B8D12 Exec-Program: returned: 0 [mschap_vpn] adding MS-CHAPv2 MPPE keys +++[mschap_vpn] returns ok ++- if ("%{My-Local-Client-Type}" == "user") returns ok MSCHAP Success
Not working case (using "Automatically use my Windows logon name..."): [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel-vpn [mschapv2] +- entering group MS-CHAP {...} [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") [mschapv2] expand: %{My-Local-Client-Type} -> user [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...} [mschap_vpn] ERROR: User-Name (abrakadabra\bob) is not the same as MS-CHAP Name (bob) from EAP-MSCHAPv2 +++[mschap_vpn] returns reject ++- if ("%{My-Local-Client-Type}" == "user") returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [abrakadabra\\bob] (from client vpn.exmaple.com port 0 via TLS tunnel)
mschap module: mschap mschap_vpn { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-248145504-287154277-2125575804-1588" }
notes: - If I write the domain in login box manually, it is typed in uppercase (without ability to change) - "ABRAKADABRA\bob". If I check "Automatically use my Windows logon name...", the domain (only local-computer) name is pushed in lower case: "abrakadabra\bob". that's the main difference what I can see from comparing both debug logs. - if I write the domain manually inside the login name using "abrakadabra\bob" and keep the "Domain" field empty - the name will be pushed "abrakadabra\bob" - but in this case, I will be authenticated _successfully_. it sounds to me that this issue have nothing to do with uppercase/lowercase of domain name, but it must be something else which breaks all authentication using windows login credentials. - the client computer domain is not real domain - it's just the computer name but this does not matter as the domain name is not pushed to ntlm_auth at all. If I try to log in directly using "ntlm_auth" without providing "--domain" parameter - I will be authenticated correctly.
please has anyone working PEAP authentication with ability to use "Automatically use my Windows logon name..."? What I am doing wrong.
thank you
michal
-- Ing. Michal Bruncko, PhD., CCNP, RHCSA™ IT systems and network administrator Coupled school of business and services Ruzomberok Slovak Republic
Hello Alan, many thanks for response. Please did you remember related commit which fixes this issue? Or at least the files where the change was applied. Probably it will be better to backport this fix into 2.1.12. thank you again michal On 30. 1. 2014 19:58, Alan DeKok wrote:
Michal Bruncko wrote:
[mschap_vpn] ERROR: User-Name (abrakadabra\bob) is not the same as MS-CHAP Name (bob) from EAP-MSCHAPv2 Upgrade to 2.2.3. This issue has been fixed.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 01/30/2014 04:23 PM, Michal Bruncko wrote:
Hello Alan,
many thanks for response. Please did you remember related commit which fixes this issue? Or at least the files where the change was applied. Probably it will be better to backport this fix into 2.1.12.
All the information you need is already available to you. You don't need to bother anybody else to acquire it. Clone the freeradius git repo, % git clone https://github.com/FreeRADIUS/freeradius-server.git list the branches % git branch -r origin/HEAD -> origin/master origin/master origin/v1.1.x origin/v2.1.x-apple origin/v2.x.x origin/v3.0.x check out the v2.x.x branch % git checkout v2.x.x puruse the log looking for the desired commit % git log After you've found the commit use it's sha-1 commit id to show the patch % git show xxxxx done See, wasn't that easy? -- John
Thank you John this is much more better than searching within Commits on Github web. the only problem is the huge amount of commits and the fact, that from the commit description is not possible to find out if this is related commit to the described issue or not. There is no such description like "Fix for: MSCHAP authentication problem" - most of commit descriptions are very specific to issue what they wanted to fix, but not from global point of view (to what the original problem are they fixing - which I completely understand). Also maybe the fix is related to other component than MSCHAP which also fixes my problem. I wanted to say that some keyword/hint will be helpful to find out for which I am looking for (maybe the filenames on where I should focus on in looking for right commit). Maybe someone else also had same problem and looked for same patch and found it... thank you again michal 2014-01-30 22:57 odosielateľ napísal:
On 01/30/2014 04:23 PM, Michal Bruncko wrote:
Hello Alan,
many thanks for response. Please did you remember related commit which fixes this issue? Or at least the files where the change was applied. Probably it will be better to backport this fix into 2.1.12.
All the information you need is already available to you. You don't need to bother anybody else to acquire it.
Clone the freeradius git repo,
% git clone https://github.com/FreeRADIUS/freeradius-server.git
list the branches
% git branch -r origin/HEAD -> origin/master origin/master origin/v1.1.x origin/v2.1.x-apple origin/v2.x.x origin/v3.0.x
check out the v2.x.x branch
% git checkout v2.x.x
puruse the log looking for the desired commit
% git log
After you've found the commit use it's sha-1 commit id to show the patch
% git show xxxxx
done
See, wasn't that easy?
On 31 Jan 2014, at 10:34, Bruncko Michal <Michal.Bruncko@zssos.sk> wrote:
Thank you John
this is much more better than searching within Commits on Github web. the only problem is the huge amount of commits and the fact, that from the commit description is not possible to find out if this is related commit to the described issue or not. There is no such description like "Fix for: MSCHAP authentication problem"
git log release_2_1_12..release_2_2_3 | grep -i -B8 -A8 chap | grep -i -B8 -A8 user "If you have 1 bucket with 2 gallons and 1 bucket with 4 gallons, how many buckets you got?" Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
thank you very much to both of you. this commit is exactly that one (15e0d23c8a3a82cfadd2e5ec8292fd6af983aaa6). thanks again. michal On 31. 1. 2014 13:47, Arran Cudbard-Bell wrote:
On 31 Jan 2014, at 10:34, Bruncko Michal <Michal.Bruncko@zssos.sk> wrote:
Thank you John
this is much more better than searching within Commits on Github web. the only problem is the huge amount of commits and the fact, that from the commit description is not possible to find out if this is related commit to the described issue or not. There is no such description like "Fix for: MSCHAP authentication problem" git log release_2_1_12..release_2_2_3 | grep -i -B8 -A8 chap | grep -i -B8 -A8 user
"If you have 1 bucket with 2 gallons and 1 bucket with 4 gallons, how many buckets you got?"
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bruncko Michal wrote:
this is much more better than searching within Commits on Github web. the only problem is the huge amount of commits and the fact, that from the commit description is not possible to find out if this is related commit to the described issue or not.
The fix is in the rlm_mschap module. There is a reason why so many replies here appear "unhelpful". We assume that people are willing to work, and to ask questions where they get stuck. It's what *we* did to get to our current level of knowledge. The replies are intended to guide people to figure things out for themselves. This is frustrating when you just want to get something done quickly. But it means you get *more* done in the long run. One of my shop teachers would say "fast is wrong. slow is correct. correct is fast". That applies here, too. Alan DeKok.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Bruncko Michal -
John Dennis -
Michal Bruncko