Hi, I have working configuration of PPTPD (Windows VPN) trought Radius to LDAP stored users. The think is ,that it accepts only plain text stored passwords in ldap becouse of very well known NT-Password for MSCHAPv2 I figure out there is an option to make it work with ntlm_auth in mschap configuration in radius. But when I enable it : #with_ntdomain_hack = yes # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration # directive tells the module to call the ntlm_auth # program, which will do the authentication, and return # the NT-Key. Note that you MUST have "winbindd" and # "nmbd" running on the local machine for ntlm_auth # to work. See the ntlm_auth program documentation # for details. # # Be VERY careful when editing the following line! # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-Use r-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT- Response:-00}" } I am getting following error : rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 1 rlm_mschap: Told to do MS-CHAPv2 for boss with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 6b radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301 Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da) Exec-Program-Wait: plaintext: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 1 But I am not sending a domain trought VPN connection (I have it clear). I have also tried #with_ntdomain_hack = yes But without result. Please help me, David
David Hláčik wrote:
Hi, I have working configuration of PPTPD (Windows VPN) trought Radius to LDAP stored users. The think is ,that it accepts only plain text stored passwords in ldap becouse of very well known NT-Password for MSCHAPv2 ... Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
That's an error from winbindd. Does ntlm_auth work from the command line? http://deployingradius.com/documents/configuration/active_directory.html If not, don't bother trying FreeRADIUS until ntlm_auth works from the command-line. Alan DeKok.
Hi, i've got back to problem : as i mentioned i have plain text stored passwords (atrib UserPassword) in ldap, and i want to change it to crypt, or mda5. Mschap need NT-Password , which is the best way to solve it? I do not want to store NT-Password value in LDAP, or there is no other choice? What about that ntlm_auth - it will create from crypt nt and send it to mschap? Thanks in advance! David 2008/3/5 Alan DeKok <aland@deployingradius.com>:
David Hláčik wrote:
Hi, I have working configuration of PPTPD (Windows VPN) trought Radius to LDAP stored users. The think is ,that it accepts only plain text stored passwords in ldap becouse of very well known NT-Password for MSCHAPv2 ... Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
That's an error from winbindd. Does ntlm_auth work from the command line?
http://deployingradius.com/documents/configuration/active_directory.html
If not, don't bother trying FreeRADIUS until ntlm_auth works from the command-line.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://deployingradius.com/documents/protocols/compatibility.html Have a look at the mschap row and you will see what can and what can't work. Ivan Kalik Kalik Informatika ISP Dana 25/3/2008, "David Hláčik" <david@hlacik.eu> piše:
Hi, i've got back to problem : as i mentioned i have plain text stored passwords (atrib UserPassword) in ldap, and i want to change it to crypt, or mda5. Mschap need NT-Password , which is the best way to solve it? I do not want to store NT-Password value in LDAP, or there is no other choice? What about that ntlm_auth - it will create from crypt nt and send it to mschap?
Thanks in advance!
David
2008/3/5 Alan DeKok <aland@deployingradius.com>:
David Hláčik wrote:
Hi, I have working configuration of PPTPD (Windows VPN) trought Radius to LDAP stored users. The think is ,that it accepts only plain text stored passwords in ldap becouse of very well known NT-Password for MSCHAPv2 ... Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
That's an error from winbindd. Does ntlm_auth work from the command line?
http://deployingradius.com/documents/configuration/active_directory.html
If not, don't bother trying FreeRADIUS until ntlm_auth works from the command-line.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
David Hláčik wrote:
as i mentioned i have plain text stored passwords (atrib UserPassword) in ldap, and i want to change it to crypt, or mda5.
Don't.
Mschap need NT-Password , which is the best way to solve it?
Store passwords in clear-text. Anything else is a bad idea.
I do not want to store NT-Password value in LDAP, or there is no other choice? What about that ntlm_auth - it will create from crypt nt and send it to mschap?
No. Alan DeKok.
participants (3)
-
Alan DeKok -
David Hláčik -
Ivan Kalik