Hi I’m using FreeRadius 2.1.12 wih mschap and ntlm_auth external execution module as follows: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" I want to run ntlm_auth from command line so enabled auth_log to get challenge and response: MS-CHAP-Challenge = 0x8f89ccd88332fd05b75cd39a9d08c296 MS-CHAP2-Response = 0x0100a6a4eb77926c3f1e7f78254b08f720a800000000000000002a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011 I’m running ntlm_auth from command line with those parameters: /usr/bin/ntlm_auth --request-nt-key –username=kimia-mo --challenge=8f89ccd88332fd05b75cd39a9d08c296 --nt-response=0100a6a4eb77926c3f1e7f78254b08f720a800000000000000002a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011 And Got error: hex decode of 8f89ccd88332fd05b75cd39a9d08c296 failed! (only got 16 bytes) with radius –X , I saw that the challenge and response is differ from that I got in auth_log in same session. So if I run ntlm_auth with new values, it’s OK! what’s wrong?
with radius –X , I saw that the challenge and response is differ from that I got in auth_log in same session. So if I run ntlm_auth with new values, it’s OK! what’s wrong?
Freeradius processes the mschapv2 challenge into a different format required by samba. There's nothing "wrong". This is expected. -- Sent from my phone. Please excuse brevity and typos.
Hi Tnx for Ur fast reply. As I explained, I know that the format is differ from the original attributes. I want to know that: If I want to run it from commandline, how can I convert the challenge and response attributes to which they can be used in command line? In other word, I want to use ntlm_auth in my own external pre_auth or post_auth script with those attributes. 2012/4/15 Phil Mayers <p.mayers@imperial.ac.uk>
with radius –X , I saw that the challenge and response is differ from that I got in auth_log in same session. So if I run ntlm_auth with new values, it’s OK! what’s wrong?
Freeradius processes the mschapv2 challenge into a different format required by samba. There's nothing "wrong". This is expected. -- Sent from my phone. Please excuse brevity and typos. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ali Majdzadeh wrote:
As I explained, I know that the format is differ from the original attributes. I want to know that:
If I want to run it from commandline, how can I convert the challenge and response attributes to which they can be used in command line?
You read the MS-CHAP RFCs, and do the calculations yourself.
In other word, I want to use ntlm_auth in my own external pre_auth or post_auth script with those attributes.
Read the documents describing how to do it. It's how *we* learned. Alan DeKok.
On 04/15/2012 09:51 PM, Ali Majdzadeh wrote:
Hi
Tnx for Ur fast reply.
As I explained, I know that the format is differ from the original attributes. I want to know that:
If I want to run it from commandline, how can I convert the challenge and response attributes to which they can be used in command line?
This is documented in the MS-CHAPv2 RFC. Or read the source code in the server. There's no readily-available tool to "do this for you". You'll need to write a script.
Hi I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet into other format that used in ntlm_auth. Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358 Radius –X output for Ntlm_auth: expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b U told that is normal, based on RFC. I checked the rlm_mschap.c and rlm_exec.c and also src/main/util.c, It seems that they are copying variable one by one from radius packet into ntlm_auth and I did not find any function to do converting. May give me more information? My problem is: I need to call ntlm_auth from command line, not from modules/mschap. So when I’m running via commandline with same ms-chap-challenge as radius packet but response from LDAP is not OK. 2012/4/16 Phil Mayers <p.mayers@imperial.ac.uk>
On 04/15/2012 09:51 PM, Ali Majdzadeh wrote:
Hi
Tnx for Ur fast reply.
As I explained, I know that the format is differ from the original attributes. I want to know that:
If I want to run it from commandline, how can I convert the challenge and response attributes to which they can be used in command line?
This is documented in the MS-CHAPv2 RFC. Or read the source code in the server.
There's no readily-available tool to "do this for you". You'll need to write a script.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 24/04/12 13:44, Ali Majdzadeh wrote:
Hi
I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet into other format that used in ntlm_auth.
Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2fb358
Radius –X output for Ntlm_auth: expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4487f1f9d023e69b
U told that is normal, based on RFC. I checked the rlm_mschap.c and rlm_exec.c and also src/main/util.c, It seems that they are copying
Did you read the RFC?
variable one by one from radius packet into ntlm_auth and I did not find any function to do converting. May give me more information?
Sigh. See here: https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_m... ...and here: https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_m... ...which is an implementation of this: http://www.ietf.org/rfc/rfc2759.txt If you actually READ the RFC, you will see it contains detailed pseudo-code describing how this work, and even gives sample hex data that you can test your script with.
Yes I did. I also read rlm_mschap sources and dependent libraries. May lead me which section explain this function? 2012/4/24 Phil Mayers <p.mayers@imperial.ac.uk>
On 24/04/12 13:44, Ali Majdzadeh wrote:
Hi
I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet into other format that used in ntlm_auth.
Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2f**b358
Radius –X output for Ntlm_auth: expand: --challenge=%{%{mschap:**Challenge}:-00} -> --challenge=4487f1f9d023e69b
U told that is normal, based on RFC. I checked the rlm_mschap.c and rlm_exec.c and also src/main/util.c, It seems that they are copying
Did you read the RFC?
variable one by one from radius packet into ntlm_auth and I did not find
any function to do converting. May give me more information?
Sigh.
See here:
https://github.com/alandekok/**freeradius-server/blob/master/** src/modules/rlm_mschap/rlm_**mschap.c#L278<https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/rlm_mschap.c#L278>
...and here:
https://github.com/alandekok/**freeradius-server/blob/master/** src/modules/rlm_mschap/mschap.**c#L70<https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/mschap.c#L70>
...which is an implementation of this:
http://www.ietf.org/rfc/**rfc2759.txt<http://www.ietf.org/rfc/rfc2759.txt>
If you actually READ the RFC, you will see it contains detailed pseudo-code describing how this work, and even gives sample hex data that you can test your script with.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
متأسفانه فرستادم... 2012/4/24 Ali Majdzadeh <ali.majdzadeh@gmail.com>
Yes I did. I also read rlm_mschap sources and dependent libraries.
May lead me which section explain this function?
2012/4/24 Phil Mayers <p.mayers@imperial.ac.uk>
On 24/04/12 13:44, Ali Majdzadeh wrote:
Hi
I checked that rlm_mschap converts the CHAP_CHALLENGE from radius packet into other format that used in ntlm_auth.
Radius Packet: MS-CHAP-Challenge = 0x7e95c31b02cd054fd1dcacea7c2f**b358
Radius –X output for Ntlm_auth: expand: --challenge=%{%{mschap:**Challenge}:-00} -> --challenge=4487f1f9d023e69b
U told that is normal, based on RFC. I checked the rlm_mschap.c and rlm_exec.c and also src/main/util.c, It seems that they are copying
Did you read the RFC?
variable one by one from radius packet into ntlm_auth and I did not find
any function to do converting. May give me more information?
Sigh.
See here:
https://github.com/alandekok/**freeradius-server/blob/master/** src/modules/rlm_mschap/rlm_**mschap.c#L278<https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/rlm_mschap.c#L278>
...and here:
https://github.com/alandekok/**freeradius-server/blob/master/** src/modules/rlm_mschap/mschap.**c#L70<https://github.com/alandekok/freeradius-server/blob/master/src/modules/rlm_mschap/mschap.c#L70>
...which is an implementation of this:
http://www.ietf.org/rfc/**rfc2759.txt<http://www.ietf.org/rfc/rfc2759.txt>
If you actually READ the RFC, you will see it contains detailed pseudo-code describing how this work, and even gives sample hex data that you can test your script with.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Ali Majdzadeh wrote:
Yes I did. I also read rlm_mschap sources and dependent libraries.
May lead me which section explain this function?
We did. The RFC's are clear. The source code in rlm_mschap is clear. This list is about FreeRADIUS. It is *not* the place to learn how MS-CHAP works. We're being nice by explaining it to you. You're being rude by ignoring our explanation, and asking the same question again. If you keep asking questions we've already answered, you will be unsubscribed and banned. Alan DeKok.
On 24/04/12 15:48, Ali Majdzadeh wrote:
Yes I did. I also read rlm_mschap sources and dependent libraries.
May lead me which section explain this function?
I'm sorry, I don't understand you. This discussion has become off-topic for this list. I'm afraid you are going to have to work this out for yourself. If you have basic programming knowledge, it should not be hard.
participants (3)
-
Alan DeKok -
Ali Majdzadeh -
Phil Mayers