Hello everyone, We have setup FreeRadius w/ Active Direcotry using LDAP and ntlm as per the wiki and everything is working great save one item of concern. When our users are needing to reset their password or have reset their password ntlm fails I'm pretty certain that this is not a freeradius issue and I'm sorry to post here however this would be the largest base for user whom may have experienced this issue We can correct the issue if we remove the registry key located HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters however this removes the 802.1x configuration for the machine. rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user Raduser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_mschap: Told to do MS-CHAPv2 for Raduser with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '--username=Raduser' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 88 radius_xlat: '--challenge=5fb05b4d0e49743a' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=abc64919a43a42c675c516ce59001bb4a3ef65d68f8de407' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 48 modcall: leaving group MS-CHAP (returns reject) for request 48 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 48 modcall: leaving group authenticate (returns reject) for request 48 auth: Failed to validate the user. Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [Raduser/<no User-Password attribute>] (from client localhost port 0) freeradius-1.1.7-3.1 samba-3.0.28-0 samba-client-3.0.28-0 samba-common-3.0.28-0 Any help much appreciated, we currently running about 1500 users with this setup and everything is great save the password issue. Thanks
Wrong key: http://support.microsoft.com/kb/823731 Ivan Kalik Kalik Informatika ISP Dana 8/4/2008, "Charlie B" <cbwonderboy@gmail.com> piše:
Hello everyone,
We have setup FreeRadius w/ Active Direcotry using LDAP and ntlm as per the wiki and everything is working great save one item of concern.
When our users are needing to reset their password or have reset their password ntlm fails
I'm pretty certain that this is not a freeradius issue and I'm sorry to post here however this would be the largest base for user whom may have experienced this issue
We can correct the issue if we remove the registry key located HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters however this removes the 802.1x configuration for the machine.
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user Raduser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0
rlm_mschap: Told to do MS-CHAPv2 for Raduser with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '--username=Raduser' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 88 radius_xlat: '--challenge=5fb05b4d0e49743a' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=abc64919a43a42c675c516ce59001bb4a3ef65d68f8de407' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 48 modcall: leaving group MS-CHAP (returns reject) for request 48 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 48 modcall: leaving group authenticate (returns reject) for request 48 auth: Failed to validate the user. Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [Raduser/<no User-Password attribute>] (from client localhost port 0)
freeradius-1.1.7-3.1 samba-3.0.28-0 samba-client-3.0.28-0 samba-common-3.0.28-0
Any help much appreciated, we currently running about 1500 users with this setup and everything is great save the password issue.
Thanks
Thanks Ivan, We though there should be a key in the current logedon user as well, but all of our domain users don't have an entry in the registry, even though we have it check to cache the credentials. The only way we can produce this key is to have WinXP use the "prompt for credentials" balloon. 2008/4/7 Ivan Kalik <tnt@kalik.net>:
Wrong key:
http://support.microsoft.com/kb/823731
Ivan Kalik Kalik Informatika ISP
Dana 8/4/2008, "Charlie B" <cbwonderboy@gmail.com> piše:
Hello everyone,
We have setup FreeRadius w/ Active Direcotry using LDAP and ntlm as per the wiki and everything is working great save one item of concern.
When our users are needing to reset their password or have reset their password ntlm fails
I'm pretty certain that this is not a freeradius issue and I'm sorry to post here however this would be the largest base for user whom may have experienced this issue
We can correct the issue if we remove the registry key located HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters however this removes the 802.1x configuration for the machine.
rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user Raduser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0
rlm_mschap: Told to do MS-CHAPv2 for Raduser with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: '--username=Raduser' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 88 radius_xlat: '--challenge=5fb05b4d0e49743a' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=abc64919a43a42c675c516ce59001bb4a3ef65d68f8de407' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 48 modcall: leaving group MS-CHAP (returns reject) for request 48 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 48 modcall: leaving group authenticate (returns reject) for request 48 auth: Failed to validate the user. Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [Raduser/<no User-Password attribute>] (from client localhost port 0)
freeradius-1.1.7-3.1 samba-3.0.28-0 samba-client-3.0.28-0 samba-common-3.0.28-0
Any help much appreciated, we currently running about 1500 users with this setup and everything is great save the password issue.
Thanks
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I guess I should add that this is a wired connection, not that this should change too much. Thank you again!
Has no one else experienced this issue where reset password confuses WinXP? I really don't want to use IAS. Anyone ideas? Thanks
Charlie B wrote:
Has no one else experienced this issue where reset password confuses WinXP? I really don't want to use IAS. Anyone ideas?
Let me get this straight: You have machines in the domain, users doing domain logins, and wired 802.1x using the domain credentials. When you change a users password, the username/password cached on the client is no longer valid, and they fall off the network. It's hard to see what else could happen; you've changed their password and given the machine they're logged onto no way of knowing that. Why don't you just let them change their password? Very likely many resources would continue to be accessible because the credential cache includes a valid kerberos TGT but that isn't used for 802.1x/MS-CHAP - it's the plain username/password. Whatever happens, the client machine would have to prompt the user for their new username/password. Does this work with IAS? If so, it may be that there's an error code which can be put in an MS-CHAP-Error attribute. However, very likely Samba would have to generate the error code. In short, I don't think it's going to work any time soon.
Hi Phil, You are dead on with what is going on however this is occurring when the user enters the 14 days prior to being required to change their password, and even when the user themselves are prompted to change. Just so its clear. When user enters two week prior to being required to change password, their password no longer allows access to network When user changes password when prompted, their denied access "Logon Failure" to the network We find we have to delete the registry key for the computer, since the logged on user key is removed by the system in order to correct the issue. Or we change the setup to have the user prompted to logon (balloon) rather than use the logged on credentials. In this case the same username and password combination works successfully. If there is anything else I can provide to find a solution please let me know, this is a real pain in ***
Hi,
Charlie B wrote:
Has no one else experienced this issue where reset password confuses WinXP? I really don't want to use IAS. Anyone ideas?
Let me get this straight: You have machines in the domain, users doing domain logins, and wired 802.1x using the domain credentials. When you change a users password, the username/password cached on the client is no longer valid, and they fall off the network.
It's hard to see what else could happen; you've changed their password and given the machine they're logged onto no way of knowing that. Why don't you just let them change their password?
Very likely many resources would continue to be accessible because the credential cache includes a valid kerberos TGT but that isn't used for 802.1x/MS-CHAP - it's the plain username/password.
Whatever happens, the client machine would have to prompt the user for their new username/password.
Does this work with IAS? If so, it may be that there's an error code which can be put in an MS-CHAP-Error attribute. However, very likely Samba would have to generate the error code.
In short, I don't think it's going to work any time soon.
we see the same issue with using machine credentials for wireless login. the AD will update the password of the machine within the time frame set in the AD - for us, 90 days..and then when the client attempts to validate against AD, they have a small discussion to get things back into sync. On the wired this works as it seems that the client will do this over an 'open' link, however the partnering wont happen over an encrypted link(!) - go figure - perhaps to stop it happening over a PPTP VPN link when user is away from work? and therefore the next time the user tries to associate to wifi they cannot log in. the only fix is for them to plug into a wired socket... magically wifi works again. a fix? none that i have struggled to come up with i'm afraid. alan
Thanks Alan, I'm really surprised at this issue. Something like this really puts me on the spot to have to bring up an IAS in order to deal with the password issue. I hate windoze but I though more than a handful of us would be running into this issue since I see there are a lot of freeradius + AD deployments. anyone else run into this issue and find a fix? Thanks :)
Charlie B wrote:
I'm really surprised at this issue. Something like this really puts me on the spot to have to bring up an IAS in order to deal with the password issue. I hate windoze but I though more than a handful of us would be running into this issue since I see there are a lot of freeradius + AD deployments.
(1) Are you sure it works with IAS? (2) Microsoft has gone to great effort to make sure that IAS has "magic" integration with Active Directory. One way to fix it may be to have a native Windows port of FreeRADIUS. Alan DeKok.
Hello Mr. DeKok, I wanted to say thank you, FreeRadius is the best, there is not better when it comes to radius. On to topic, I believe we have found the issue. It may be related to kerberos tickets and krb5.conf file were I had the realm in lower case. Found documentation that indicated it MUST be in upper case. In the wiki :) Just didn't think it would materialize into this type of problem. I will report back if this is has been rectified by the change of case for the realm.
Hello, Looks like the kerberos was only a piece to the puzzle. When a user enters the 14 day period prior to being required to change password, windows XP is changing the password of the user in some way that deauthenticates the user. any ideas?
Hello Everyone, So in my world we have been able to diagnose that the authentication issue is related to the username case (only difference in Radius) and I have not found anything other than a statement in an old post from Alan about AD being case sensitive with usernames? Is there any information somewhere to help me correct this? Usernames have for as long as I can remember not been case sensitive. Thanks Thu May 1 08:34:37 2008 : Auth: Login OK: [BrooksK/<no User-Password attribute>] (from client localhost port 0) Thu May 1 08:34:37 2008 : Auth: Login OK: [BrooksK/<no User-Password attribute>] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F) Thu May 1 08:36:24 2008 : Auth: Login OK: [BrooksK/<no User-Password attribute>] (from client localhost port 0) Thu May 1 08:36:24 2008 : Auth: Login OK: [BrooksK/<no User-Password attribute>] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F) Thu May 1 08:37:24 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [brooksk/<no User-Password attribute>] (from client localhost port 0) Thu May 1 08:37:24 2008 : Auth: Login incorrect: [brooksk/<no User-Password attribute>] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F) Thu May 1 08:41:39 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [brooksk/<no User-Password attribute>] (from client localhost port 0) Thu May 1 08:41:39 2008 : Auth: Login incorrect: [brooksk/<no User-Password attribute>] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Just me again, User has reset there password the usual way however we are still getting fail login. Anyone with an idea or what I can provide to help solve this puzzle? Thx Thu May 1 09:07:33 2008 : Auth: Login incorrect: [brebberm/<no User-Password attribute>] (from client 10.0.1.12 port 60035 cli 00-14-22-5A-D5-CD) Thu May 1 09:08:43 2008 : Auth: Login incorrect (rlm_mschap: Account locked out (0xc0000234)): [BrebberM/<no User-Password attribute>] (from client localhost port 0)
Hi,
I'm really surprised at this issue. Something like this really puts me on the spot to have to bring up an IAS in order to deal with the password issue. I hate windoze but I though more than a handful of us would be running into this issue since I see there are a lot of freeradius + AD deployments.
anyone else run into this issue and find a fix?
yes, dont run windows clients ;-) seriously, IAS is next to useless as a cross platform, proxying, accounting and controllable RADIUS solution. install it if you want but dont come here asking questions about it :-) alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Charlie B -
Ivan Kalik -
Phil Mayers