Re: Strip off the domain part from the User-Name
Hi On Friday 25 March 2011 15:42:30 you wrote:
In which case, you *must* enable "with_ntdomain_hack = yes" As you suggested I changed the 'with_ntdomain_hack' option to 'yes' in four different locations (modules/preprocess, modules/mschap, eap.conf, modules/inner-eap) but still it doesn't work. I get the following error message (for a full debug log see attachment) which is new:
++[ldap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [tom1] (from client swtswitch01 port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled I'm obviously missing something but I can't seem to find out what it is... Any ideas? Regards Tom
On 30/03/11 14:46, Thomas Wunder wrote:
Hi On Friday 25 March 2011 15:42:30 you wrote:
In which case, you *must* enable "with_ntdomain_hack = yes"
First, there's no need to email me directly; I read the list. Second - you say:
As you suggested I changed the 'with_ntdomain_hack' option to 'yes' in four different locations (modules/preprocess, modules/mschap, eap.conf, modules/inner-eap) but still it doesn't work. I get the following error message (for a full debug log see attachment) which is new:
You *only* set: with_ntdomain_hack = yes ...in modules/mschap. DO NOT set it anywhere else - this basically does exactly the same thing you were doing earlier (rewriting the *real* username) and causes EAP to break.
On Wednesday 30 March 2011 15:52:31 Phil Mayers wrote:
First, there's no need to email me directly; I read the list. I totally agree with you I just missed to exchange the recipient address (and after noticing that i also sent it to the list)... sorry! You *only* set: with_ntdomain_hack = yes ...in modules/mschap. DO NOT set it anywhere else - this basically does exactly the same thing you were doing earlier (rewriting the *real* username) and causes EAP to break. Sorry but that didn't help either. I did -- like you suggested -- set 'with_ntdomain_hack' back to 'no' everywhere except for modules/mschap but I still get that '[...] not the same as [...]' error message.
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2 ++[mschap] returns reject Again a full log is appended. My modules/mschap currently looks like this (i suppose that the above problems might arise from it): mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } Regards Tom
On 01/04/11 11:08, Thomas Wunder wrote:
On Wednesday 30 March 2011 15:52:31 Phil Mayers wrote:
First, there's no need to email me directly; I read the list. I totally agree with you I just missed to exchange the recipient address (and after noticing that i also sent it to the list)... sorry! You *only* set: with_ntdomain_hack = yes ...in modules/mschap. DO NOT set it anywhere else - this basically does exactly the same thing you were doing earlier (rewriting the *real* username) and causes EAP to break. Sorry but that didn't help either. I did -- like you suggested -- set 'with_ntdomain_hack' back to 'no' everywhere except for modules/mschap but I still get that '[...] not the same as [...]' error message.
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2
Eh? I've never seen that before.
++[mschap] returns reject
Again a full log is appended. My modules/mschap currently looks like this (i suppose that the above problems might arise from it):
Don't see the logfile...
Hi, call it crude or whatever you want ;-) but that was my last resort: After fiddling with the code of rlm_mschap I found that all I need to do is to comment out line 1201 of rlm_mschap.c (where it says 'return RLM_MODULE_REJECT;') Maybe it has something to do with the conditions (which look a bit complicated) that are checked in the if-statement that surrounds that return clause, maybe I've misconfigured something or maybe it's actually a bug... I don't know. I virtually did every possible combination of 'yes' and 'no' settings for 'with_ntdomain_hack' in all of the four locations where you can set this option and none worked out. I'd really appreciate a non-local solution, i.e. something better than my nasty 'comment-out-everything-evil' hack and I would do it if I knew a little more about the internals of all that. Hopefully somebody finds some time to do it... Please let me know when there's an official solution. Thanks anyway! Regards Tom On Friday 01 April 2011 14:43:40 you wrote:
On Friday 01 April 2011 14:37:34 Phil Mayers wrote:
Don't see the logfile... sorry my bad...
On 01/04/11 13:43, Thomas Wunder wrote:
[mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2
What client are you using? It's sending: EAP-Identity username=winmac\tom ...then a 2nd packet: EAP-MSCHAP username=tom
Hi, On Friday 01 April 2011 18:32:21 Phil Mayers wrote:
On 01/04/11 13:43, Thomas Wunder wrote:
[mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2
What client are you using? My client is an HP ProCurve 2910al edge switch and I'm trying to connect to it via the 802.1X (wired) supplicant which is natively included in Win7 Professional. (As I said in my very first post the whole process of 802.1X authentication/authorization works well unless I check the "Automatically use my Windows logon name and password (and domain if any)." option what I actually have to)
It's sending:
EAP-Identity username=winmac\tom
...then a 2nd packet:
EAP-MSCHAP username=tom What I found particularly strange is the line of output where it says "PEAP: Setting User-Name to winmac\tom1". Is this done by the server side PEAP implementation or is this related to the client (Windows?) side behavior?
I don't like my solution of just commenting things out in the code and therefore I'd really prefer something more adequate... regards Tom
On 04/04/2011 07:57 AM, Thomas Wunder wrote:
Hi, On Friday 01 April 2011 18:32:21 Phil Mayers wrote:
On 01/04/11 13:43, Thomas Wunder wrote:
[mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2
What client are you using?
My client is an HP ProCurve 2910al edge switch and I'm trying to connect to it via the 802.1X (wired) supplicant which is natively included in Win7 Professional. (As I said in my very first post the whole process of 802.1X authentication/authorization works well unless I check the "Automatically use my Windows logon name and password (and domain if any)." option what I actually have to)
So it's the windows7 native supplicant? Then frankly I don't understand how you can be having these problems. Loads and loads of people use 802.1x under Windows (including Win7) to a FreeRadius server without problems. The code which is causing you issues is common to both the ntlm_auth helper-mode and internal mschap implementations, so everyone is hitting that code path. FWIW I think the code does the right thing - EAP-Identity replies should be the same as the inner MSCHAP username, and attempts to change username should be rejected. The only thing I can suggest it starting again from scratch with a clean install, and making one change at a time. Sorry I can't be more help.
It's sending:
EAP-Identity username=winmac\tom
...then a 2nd packet:
EAP-MSCHAP username=tom
What I found particularly strange is the line of output where it says "PEAP: Setting User-Name to winmac\tom1". Is this done by the server side PEAP implementation or is this related to the client (Windows?) side behavior?
It's complicated, but basically after the PEAP tunnel has been established, FreeRADIUS asks the client for the username and sets it from the reply - so it's the server doing it, from client data. The packet flow inside the PEAP (SSL) tunnel is as follows: server: EAP-Identity request client: EAP-Identity response username=winmac\tom server: EAP-MSCHAP challenge client: EAP-MSCHAP response=xxx username=tom ...See the problem? The client is changing the username. This could be abused for malicious purposes if allowed, so it's denied. But it doesn't happen to anyone else. It's possible the "Use my login credentials" option is broken under Win7. AFAIK most people don't use it. Is the machine in question (WINMAC) a domain member?
participants (2)
-
Phil Mayers -
Thomas Wunder