Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
I've been following the FreeRadius Deployment guide http://deployingradius.com/documents/configuration/active_directory.html The following software is installed on a Centos 6 VM: - Samba 3.5.4, Freeradius 2.1.9, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind. I successfully performed basic configuration tests with the 'eapol_test' command for: - PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5. I've created production certificates & successfully tested for the above protocols. Installed Kerberos 1.8.2 & tested that successfully. I started to configure FreeRadius with AD and successfully tested it to use ntlm_auth. I've got to the final stage "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" in the deployment process. This stage says: 1) "... delete the testing entry used above from the users file, ...", which I've done. 2) "... fine (sic) the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It ... should be uncommented, ...", which I've done. 3) "Start the server ..." I ran 'radiusd -X'. 4) "... and use a test client to send an MS-CHAP authentication request." I've used the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123'. I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP correctly: <snip> [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject <snip> The 'eapol_test' output reflects this: <snip> EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26 EAP-MSCHAPV2: RX identifier 8 mschapv2_id 8 EAP-MSCHAPV2: Received challenge EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME EAP-MSCHAPV2: Generating Challenge Response MSCHAPV2: Identity - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME MSCHAPV2: Username - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME MSCHAPV2: auth_challenge - hexdump(len=16): a5 e6 9e fa 6e 1f ec 2f 0b b6 a3 96 ef 45 15 32 MSCHAPV2: peer_challenge - hexdump(len=16): 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 MSCHAPV2: username - hexdump_ascii(len=11): 65 64 75 72 6f 61 6d 74 65 73 74 USERNAME MSCHAPV2: password - hexdump_ascii(len=20): 77 6f 72 6b 6d 61 6e 20 74 6f 64 61 79 20 61 72 PASSWORD 6e 69 63 61 MSCHAPV2: NT Response - hexdump(len=24): 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a MSCHAPV2: Auth Response - hexdump(len=20): f0 95 4d 86 ee 82 8f c0 12 84 cc a7 d0 72 fb e6 95 b3 ef d1 MSCHAPV2: Master Key - hexdump(len=16): 31 8d ae c0 3d e1 42 0f ae 05 bc f0 72 da 98 72 EAP-MSCHAPV2: TX identifier 8 mschapv2_id 8 (response) EAP-PEAP: Encrypting Phase 2 data - hexdump(len=70): 02 08 00 46 1a 02 08 00 41 31 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 00 00 00 00 00 00 00 00 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a 00 65 64 75 72 6f 61 6d 74 65 73 74 <snip> RADIUS packet matching with station decapsulated EAP packet (code=4 id=9 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE The peap-mschapv2-cert-ntlm_auth.conf file contains: # # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123 # eapol_version=1 fast_reauth=0 network={ key_mgmt=WPA-EAP eap=PEAP identity="USERNAME" # anonymous_identity="anonymous" password="PASSWORD" phase2="auth=MSCHAPV2" priority=10 # # Uncomment the following to perform server certificate validation. ca_cert="/etc/raddb/certs/ca.der" } The file /etc/raddb/modules/mschap contains: # -*- text -*- # # $Id$ # Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CAMPUS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } /etc/raddb/users contains (commented lines removed for clarity): # DEFAULT Auth-Type = ntlm_auth # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP /etc/raddb/sites-enabled/default, a link to ../sites-available/default, contains (most commented lines removed): authorize { preprocess chap mschap # digest # wimax # IPASS suffix # ntdomain eap { ok = return } unix files # sql # etc_smbpasswd # ldap # daily # checkval expiration logintime pap # Autz-Type Status-Server { # # } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # digest # pam unix # Auth-Type LDAP { # ldap # } eap # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } ntlm_auth } preacct { preprocess # update request { # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } acct_unique # # IPASS suffix # ntdomain files } accounting { detail # daily unix radutmp # sradutmp # main_pool # sql # if (noop) { # ok # } # sql_log # pgsql-voip attr_filter.accounting_response # Acct-Type Status-Server { # # } } session { radutmp # sql } post-auth { # main_pool # reply_log # sql # sql_log # ldap exec # wimax Post-Auth-Type REJECT { # sql attr_filter.access_reject } } pre-proxy { # attr_rewrite # files # attr_filter.pre-proxy # pre_proxy_log } post-proxy { # post_proxy_log # attr_rewrite # attr_filter.post-proxy eap # Post-Proxy-Type Fail { # detail # } } /etc/raddb/sites-enabled/inner-tunnel, a link to ../sites-available/inner-tunnel, contains (commented lines removed): server inner-tunnel { #listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} authorize { chap mschap unix # IPASS suffix # ntdomain update control { Proxy-To-Realm := LOCAL } eap { ok = return } files # sql # etc_smbpasswd # ldap # daily # checkval expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # pam unix # Auth-Type LDAP { # ldap # } eap ntlm_auth } session { radutmp # sql } post-auth { # reply_log # sql # sql_log # ldap Post-Auth-Type REJECT { # sql attr_filter.access_reject } } pre-proxy { # attr_rewrite # files # attr_filter.pre-proxy # pre_proxy_log } post-proxy { # post_proxy_log # attr_rewrite # attr_filter.post-proxy eap # Post-Proxy-Type Fail { # detail # } } } # inner-tunnel server block However, it's not clear to me where the problem lies. I've attached various files to illustrate the problem. Can anyone point me in the direction of a solution? I've not included full versions of the output due to the mailing list's message size limit. Please let me know if I've not included sufficient information to diagnose the problem. Cheers Martin. P.S. I've hidden the actual username & password used.
I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP correctly:
<snip> [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject <snip>
You just snipped away the useful information in the log... Please include the full debug log for the EAP round where this message is produced. Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
Here's the full output from 'radiusd -X': rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=0, length=130 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001001656475726f616d74657374 Message-Authenticator = 0x19af91fa38ff062679ec1d03996186f1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 46518 EAP-Message = 0x010100160410e3c3e67208c265aca07beb7e7865d463 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d51ec2fc226b361c74f28d1a Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=1, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0xd51fc6e5d51ec2fc226b361c74f28d1a Message-Authenticator = 0xd31570627564c5a11fb8b9203e310ce1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 127.0.0.1 port 46518 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d41ddffc226b361c74f28d1a Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=2, length=254 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202007a198000000070160301006b0100006703014e96960ad361f23dc096d265af71ceffd445b4d9ae042b0c7c42b6b3846d4bee00003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000 State = 0xd51fc6e5d41ddffc226b361c74f28d1a Message-Authenticator = 0x7b23ec62a31e205a2a7ec5c7f9740229 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0035], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0824], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 127.0.0.1 port 46518 EAP-Message = 0x0103040019c000000a7e16030100350200003103014e96960af25becfff944c864c255fad5a356b511aa59ced9de668370811edd2c000039000009ff010001000023000016030108240b00082000081d00038d3082038930820271a003020102020103300d06092a864886f70d0101050500308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c EAP-Message = 0x301e170d3131303932373132313430385a170d3132303932363132313430385a306e310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d310c300a060355040a1303555745311530130603550403130c5557452c2042726973746f6c3121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100abf8e76947fb730e676e7fe3abb28d7841bcf4766c2075580efe855329fa8c5be97b8853ed81a68a4511d890c0380cbb3fa419cccd2acd229841419fa9f08150accb9626c1ce469762a6b266 EAP-Message = 0xc50a3e8ce93a479982c31431a437fea310ce65ee129f121f47f97cd245d3144fdd154cb91a31ec2939b97a8147246d0553894b2da551783a081b7feb8eef899252668f49b0c63724ee2b6637a0494941c83399085a1408795d835ef1842b7b02b12029a785fa5cd2c0759287c39a14029cb5a2b261432c40267cecc5486ae333bf8d30eaaeddb87cffdf147429a54895f952468d51f32f56add55bed711dd29afd5d74b82952085a5c01a00aa196c2435d7e21910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100c5c2bf0108071d7d83a9a6fa3e0adb71ccf140eb3a3270 EAP-Message = 0x8b7c50da65d38a5b8d8faf512930b9f6a37c20fd24e12f83045d53774f324ca59f7dbf38c91a5db93d3daa9317bcf59ce91ee6a358fea314ebc167315ca81e6e276a28653dd2c4040777244a743040abec0b68267e6f3d5cbc09b69f9f6907800780171915d3c4e29cf5bd83e9b880871f6331219ed7b902d4831f29049a734ec7920582dc99c0d9fe2a650e563c5f0c4e50c36148e7e8b001530c461da58ac7c21920db5e8cfa11ccc807e807a2b754cf3c3323b5181e0cdc4e58b88d69dca1cd67f84cc2034c777965ff6e59b9ed1ab408d1f8b00f3b208fcc33047e3a46605b40fe70efc10490d500048a308204863082036ea003020102020900ea EAP-Message = 0x76843bb94e48ff300d06092a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d71cdffc226b361c74f28d1a Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=3, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xd51fc6e5d71cdffc226b361c74f28d1a Message-Authenticator = 0xeac8d730967a7a82475dc0a22d887533 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 127.0.0.1 port 46518 EAP-Message = 0x010403fc1940864886f70d0101050500308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c301e170d3131303932373132303134395a170d3132303932363132303134395a308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e EAP-Message = 0x64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100eca974c9469bb2b9038c9cec00bb4710b72a5158ac68aced1f90f5af352d65068848d7187b033dbc40dc216ae01b1c0f9b37a26342cfbb1d2a544f263a1e79b3934c9895c10c797cb41b67ae18ca2ae955f2ff442f477cf9084d38b43b16a12bf18401ab2cd3d28bc5528f77a231339e20ef7f5cb0b9cec2eeecc41ea475698418883a9d55011ac7959606e44437163e650c2d EAP-Message = 0x15038f9e7d0de2a28657871a47b516daf92b5920988ae0d0eda22f45a41c6b51c94e66b2d1c7c8388d35849f20ca99668862b2de96c0020e91e20b1049c122eafa7de46af7b3ff79ef88a0c4c81e2ab0aabd2861fd271b056a9a3445d83a3699e7dd5a61bcbf9f1cf5676179650203010001a381f03081ed301d0603551d0e04160414832a671a41ae7fd38f7d2a867d3caf4258a634133081bd0603551d230481b53081b28014832a671a41ae7fd38f7d2a867d3caf4258a63413a1818ea4818b308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620 EAP-Message = 0x456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c820900ea76843bb94e48ff300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007748eea59b2bd6a4d042a17c13f6a67f94d7de57b9df69dd50473ef15d71362d7394558cfc9b54fc48572f4cb62d3d88802d0be516d230730c2e4e6aceeaebb0098bfd2851141f3d366ece305dfee9eb5f3599e4f60f87925c294e214f576818be4db619a976343323c56ac9b4b32eef0c1c62749cba3d6bb0c36b1105ea4e570a EAP-Message = 0x9236e20dee7f5d17 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d61bdffc226b361c74f28d1a Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=4, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xd51fc6e5d61bdffc226b361c74f28d1a Message-Authenticator = 0x462ba6d707d88db45403966796b77aae +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 127.0.0.1 port 46518 EAP-Message = 0x01050298190014f24598cc95e56c2df962cf71babff85382b7162f2583c6d0a28ddf9c25b2092388203879c714a8a11b81be2c6634e462905275ad295e874bbd16614231809d913af8d79c9a3a181ae25754adec324ac9caa93299ffa779bea8ba68d03772b5d350b07012458bcc0c565c46d7d651b8c47c16bbd34842160301020d0c0002090080d11460db9abf91f947d88e633cd4e9801540e222c95cce59f1dfbcafa31699ef9e0a5cc17142ca4cf26add8a3125af5b3e671f86dcd93acd5c90610362a99f81da008eb1af2830c5019f42bb6fc709000481512754b92235c8b9b950a31a8a66b8c4212ee376d79271ed2c5c611dd8629961e904dc EAP-Message = 0xa746dfc00b07d867f1cf2300010200809acc0ffd2632f9bd6395fc75fcce6532c87fb8a72104774d5a30e09aee6647ccd17c9b1a8d8e7fb1ee681202b869040b90a5b92f743483956a7c0ab1d0e6793a9fe24b1e412766db333b2955144d7a37f4d7387421ee4edf206d9fce49bb1e855270d0c8e18f9ecae79f836aff647120715bc033b723b3b66c4ec7e346cba30701007246ace4b95fb4e321e49c08e373f86ebf6aee6921fb0bd7b6da516f55614b006f69a275899c538cc150d44aab98d20fd628a62b83a31c269ac46970a4f83a2c1465027b5e653392f3ed802ba74e361a6687b4664f743b5d8fcb8554987db224d147519c09f5eabca4051b EAP-Message = 0x8337529fd094e68c5c78268fd43410af0f1f9f416c06dbc5e243057665b49f117bf74812d67c7c6dbe45c32dc490d2fd652d0f37fdd788ae15950dfb530f4ce72464ba58923a0653c13df28248b3bf89e05853950f56c1008a31d2fe679c91066597c8c595763fa7a3fbd646186bfe548aab39f9376b5421b12964d4f92c85ebed27359eb43db6bdc7e68c6e95452a0f876700143416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d11adffc226b361c74f28d1a Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=5, length=340 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500d01980000000c616030100861000008200805acce1c3b4c2a661c04cabe6fc26f48d4ed47fa45c3df4cb1c7c198f7c9b28d95b7d585f79b7cd9c26c7af3f3c7ba9e83b0a37080d3e4e4ff3546172818cc481b603ce2b263fa1498313f5de4b7a44bd8cbea28c311e1e00bd247f1b96ae5484c793807e128ab22ea20af058d351b40025e4325585af1afa450135fc530c23c01403010001011603010030524764251831c4f454d5f934ca8f4cbcfd9a1989b40a91517a7abd51792d649083fadb08e6f89c7d3af7c2c0b15f7445 State = 0xd51fc6e5d11adffc226b361c74f28d1a Message-Authenticator = 0xadda94034436b0ff221189c2f4be6eb4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 Handshake [length 00aa]??? [peap] TLS_accept: SSLv3 write session ticket A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 127.0.0.1 port 46518 EAP-Message = 0x010600f0190016030100aa040000a60000000000a0cc8d70c52047f8b3e2dd5eefa0c6b68d481713110eb10c139a032c9ccd16342bf0bacdba48a21cf380436517e2bf9f38cc9fc56b5bc36ebb97838a7973a5b544716c3e17ea3f50d274da7a2b9fa370521419dfe016961a232f312861f6cfedf1853882db6d9da6d47f95b823935675a40a37f8c3a96a5a41abbd79cf0bb245769988ed24af435f6a1574077885f47c7dac0152caa18a44b3924694afbba260fd1403010001011603010030979402d9cc8285d5b3b688a55259b7d425d77f8cd866491751234dfc0f00fbf507399d0ed2d17862747152c72bdeb1a5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d019dffc226b361c74f28d1a Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=6, length=138 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0xd51fc6e5d019dffc226b361c74f28d1a Message-Authenticator = 0xa8d2d0aa1f4e696f304941c4d6aea9c5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 6 to 127.0.0.1 port 46518 EAP-Message = 0x0107002b19001703010020fde5e4f975c631461bf812654c521bf751cbd50328326c22c4314b1dc22b5981 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d318dffc226b361c74f28d1a Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=7, length=228 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700601900170301002082ca809e8b71e1737e6f283824f1fc57f516b406a52edcde740635aff970657a1703010030db98915cf59fb0fbd86b01c9c93f2f071441050e4cb24444dc1750d86c0048ad2630960eee387a8b9e917906d101a5e5 State = 0xd51fc6e5d318dffc226b361c74f28d1a Message-Authenticator = 0x9fd3dfdc80fadb9dae243e30fd904c67 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - USERNAME [peap] Got tunneled request EAP-Message = 0x0207001001656475726f616d74657374 server { PEAP: Got tunneled identity of USERNAME PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to USERNAME Sending tunneled request EAP-Message = 0x0207001001656475726f616d74657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "USERNAME" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800251a0108002010753b806a5a6af658f2d316d30c12ecc1656475726f616d74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf52c5994f52443b388bfb7acfc0b1196 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010753b806a5a6af658f2d316d30c12ecc1656475726f616d74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf52c5994f52443b388bfb7acfc0b1196 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 127.0.0.1 port 46518 EAP-Message = 0x0108004b19001703010040bebe64dc1329ef2740f8e42c59e1120733b64c36c16a9475d047b551a74dfc12c69cbb404408eab8f872620679d76339d572e88b33e38a385546ae0b37847a85 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5d217dffc226b361c74f28d1a Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=8, length=276 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0208009019001703010020ee50e7ff63126c0c1bd3205c1b5329263a41d41fe547b9c71e7fff5021f0990217030100608d63c97a880115c98a6c4912eef2cc8e592bf71ef659f8f13327695b6d066a45c194cb99e0e351e1533c5d6a4b4a80a9137ea22d7fc5dda4b8afbe2e08da5246c1edaea83f2d550a0ed20eab76d634f48076a74b99e3e38db6647e67adbc4390 State = 0xd51fc6e5d217dffc226b361c74f28d1a Message-Authenticator = 0xe7ced67503caf2dc1389e6b832ec8252 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800461a020800413140c4b30b46c9ec6da33aad308ce5eb96000000000000000027fce3051abca58436d4737a54e109bf7485f073cf95b00900656475726f616d74657374 server { PEAP: Setting User-Name to USERNAME Sending tunneled request EAP-Message = 0x020800461a020800413140c4b30b46c9ec6da33aad308ce5eb96000000000000000027fce3051abca58436d4737a54e109bf7485f073cf95b00900656475726f616d74657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "USERNAME" State = 0xf52c5994f52443b388bfb7acfc0b1196 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 8 to 127.0.0.1 port 46518 EAP-Message = 0x0109002b190017030100208c4e2f1cf1bae28345164884c2d88d6076154baf708a8d14257705571de8bdc2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd51fc6e5dd16dffc226b361c74f28d1a Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=9, length=212 User-Name = "USERNAME" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209005019001703010020d9cfaefa5e285c9f5f3f69feb289acf8d93c592efca5a111d9de338781b85fb917030100201d132513a9b552a9e5e7f85cb6c0158ad889b9367619656d3dd80a869ef4cd11 State = 0xd51fc6e5dd16dffc226b361c74f28d1a Message-Authenticator = 0x05a869fff5928f065bcf99af65e0681f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "USERNAME", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> USERNAME attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 9 to 127.0.0.1 port 46518 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +111 Cleaning up request 1 ID 1 with timestamp +111 Cleaning up request 2 ID 2 with timestamp +111 Cleaning up request 3 ID 3 with timestamp +111 Cleaning up request 4 ID 4 with timestamp +111 Cleaning up request 5 ID 5 with timestamp +111 Cleaning up request 6 ID 6 with timestamp +111 Cleaning up request 7 ID 7 with timestamp +111 Cleaning up request 8 ID 8 with timestamp +111 Waking up in 1.0 seconds. Cleaning up request 9 ID 9 with timestamp +111 Ready to process requests. From: freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: 14 October 2011 16:04 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP correctly: <snip> [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject <snip> You just snipped away the useful information in the log... Please include the full debug log for the EAP round where this message is produced. Arran Cudbard-Bell a.cudbardb@freeradius.org<mailto:a.cudbardb@freeradius.org> Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
On 14/10/2011 16:13, Martin Ubank wrote:
Here’s the full output from ‘radiusd –X’:
The bit at the top that tells us what radiusd has read from the config files is missing. It's not executing ntlm_auth by the looks of what you posted, so you need to look at why. The first bit of radiusd -X will tell you which files it's reading. Check it's reading your mschap file (the one you configured, not some other one). -James
Thanks for that. I had left some previous versions of files in the modules directory not knowing that they are still active. Moving them to another location progressed me to the following error: "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly." This was fixed by issuing this command: 'chgrp radiusd /var/lib/samba/winbindd_privileged' The next problem I got was "EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Invalid authenticator response in success request" Googling this suggests there is a bug in the version of Samba I'm using and that I need to install version 3.0.30. A job for tomorrow morning ... Thanks for everyone's help so far. Martin. -----Original Message----- From: freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org] On Behalf Of James J J Hooper Sent: 14 October 2011 18:29 To: freeradius-users@lists.freeradius.org Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP On 14/10/2011 16:13, Martin Ubank wrote:
Here’s the full output from ‘radiusd –X’:
The bit at the top that tells us what radiusd has read from the config files is missing. It's not executing ntlm_auth by the looks of what you posted, so you need to look at why. The first bit of radiusd -X will tell you which files it's reading. Check it's reading your mschap file (the one you configured, not some other one). -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thanks for that. I had left some previous versions of files in the modules directory not knowing that they are still active. Moving them to another location progressed me to the following error:
yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in modules/ directory. never leave 'backups' or editor backups (tilde emacs files) or RCS etc versions lying around in those directories (this is a common problem)
This was fixed by issuing this command:
'chgrp radiusd /var/lib/samba/winbindd_privileged'
yep
The next problem I got was
"EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Invalid authenticator response in success request"
Googling this suggests there is a bug in the version of Samba I'm using and that I need to install version 3.0.30.
the latest SAMBA release in 3.5.x should work fine. I note you are runninging 2.1.9 - why that version? 2.1.10 should be available for CentOS 6 with yum. if self-compiling, use 2.1.12 alan
I took Alan Buxey's advice and installed FreeRADIUS 2.1.10 and Samba 3.5.6-86. After solving other problems along the way, I got to the final test of FR with AD and ntlm_auth using 'eapol_test'. This gave the Certificate_Compatibility warning. I then went back through the process of creating production certificates: Deleted *csr, *key, ca.pem, server.crt, server.p12. Cleared the contents of index.txt (to prevent an error with openssl). Ran 'make'. Ensured all files in certs directory are group owned by 'radiusd' group. Successfully ran 'eapol_test' against various config files with ca_cert entry un-commented. However, running 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' on the server on which FreeRadius is installed still fails with the Certificate Compatibility warning. Can anyone help me work out what I've done wrong or not done? Thanks Martin. peap-mschapv2-cert-ntlm_auth.conf ================================= # # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123 # # eapol_version=1 # fast_reauth=0 network={ key_mgmt=WPA-EAP eap=PEAP identity="USERNAME" # anonymous_identity="anonymous" password="PASSWORD" phase2="autheap=MSCHAPV2" # priority=10 # # Uncomment the following to perform server certificate validation. ca_cert="/etc/raddb/certs/ca.der" } ca.cnf ====== [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/ca.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/ca.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 365 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = certificate_authority default_bits = 2048 input_password = INPUT_PW output_password = OUTPUT_PW x509_extensions = v3_ca [certificate_authority] countryName = UK stateOrProvinceName = United Kingdom localityName = West of England organizationName = UWE emailAddress = email_address@uwe.ac.uk commonName = "UWE, Bristol" [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true server.cnf ========== [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 365 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = server default_bits = 2048 input_password = INPUT_PW output_password = OUTPUT_PW [server] countryName = UK stateOrProvinceName = United Kingdom localityName = West of England organizationName = UWE emailAddress = email_address@uwe.ac.uk commonName = "UWE, Bristol" client.cnf ========== [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 365 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = client default_bits = 2048 input_password = INPUT_PW output_password = OUTPUT_PW [client] countryName = UK stateOrProvinceName = United Kingdom localityName = West of ENgland organizationName = UWE emailAddress = email_address@uwe.ac.uk commonName = "UWE, Bristol" P.S. Let me know if it would help to include other files. -----Original Message----- From: freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org] On Behalf Of Alan Buxey Sent: 17 October 2011 09:21 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Hi,
Thanks for that. I had left some previous versions of files in the modules directory not knowing that they are still active. Moving them to another location progressed me to the following error:
yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in modules/ directory. never leave 'backups' or editor backups (tilde emacs files) or RCS etc versions lying around in those directories (this is a common problem)
This was fixed by issuing this command:
'chgrp radiusd /var/lib/samba/winbindd_privileged'
yep
The next problem I got was
"EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Invalid authenticator response in success request"
Googling this suggests there is a bug in the version of Samba I'm using and that I need to install version 3.0.30.
the latest SAMBA release in 3.5.x should work fine. I note you are runninging 2.1.9 - why that version? 2.1.10 should be available for CentOS 6 with yum. if self-compiling, use 2.1.12 alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've been following the FreeRadius Deployment guide http://deployingradius.com/documents/configuration/active_directory.html The following software is installed on a Centos 6 VM: - Samba 3.5.6, Freeradius 2.1.10, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind. I successfully performed basic configuration tests with the 'eapol_test' command for: - PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5. I've created production certificates & successfully tested for the above protocols. Installed Kerberos 1.8.2 & tested that successfully. I've edited /etc/krb5.conf, as follows: [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = CAMPUS.ADS.UWE.AC.UK dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] CAMPUS.ADS.UWE.AC.UK = { kdc = campus.ads.uwe.ac.uk admin_server = radius.uwe.ac.uk default_domain = CAMPUS.ADS.UWE.AC.UK } [domain_realm] .campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK I've also edited /etc/samba/smb.conf (comments & blank lines excluded): [global] workgroup = CAMPUS server string = Samba Server Version %v log file = /var/log/samba/log.%m max log size = 50 security = ads passdb backend = tdbsam realm = campus.ads.uwe.ac.uk password server = campus.ads.uwe.ac.uk load printers = yes cups options = raw winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/rbash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2 domain master = no local master = no preferred master = no os level = 0 [homes] comment = Home Directories browseable = no writable = yes [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = no writable = no printable = yes I then run 'net join -U USERNAME' and get: Unable to find a suitable server for domain CAMPUS Unable to find a suitable server for domain CAMPUS Running 'wbinfo -a USERNAME%PASSWORD' returns: plaintext password authentication failed Could not authenticate user USERNAME%PASSWORD with plaintext password challenge/response password authentication failed error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e) error messsage was: No logon servers Could not authenticate user USERNAME with challenge/response Can anyone tell me what I've done wrong? Thanks Martin.
On Fri, Oct 21, 2011 at 3:10 PM, Martin Ubank <Martin.Ubank@uwe.ac.uk> wrote:
I've been following the FreeRadius Deployment guide http://deployingradius.com/documents/configuration/active_directory.html
I've edited /etc/krb5.conf, as follows: kdc = campus.ads.uwe.ac.uk
does this server exists and reachable?
I've also edited /etc/samba/smb.conf (comments & blank lines excluded):
realm = campus.ads.uwe.ac.uk password server = campus.ads.uwe.ac.uk
those two usually aren't the same. Are you sure you're using the correct information? Does the server exists and reachable?
I then run 'net join -U USERNAME' and get:
Unable to find a suitable server for domain CAMPUS
Unable to find a suitable server for domain CAMPUS
Basically you'd need to get samba to correctly join the domain. Don't bother going further until this works. samba user list/forum might be able to provide more help. -- Fajar
Thanks Fajar. 'campus.ads.uwe.ac.uk' is a DNS alias to 6 AD servers and had been working previously. I changed /etc/krb5.conf & /etc/samba/smb.conf to point to 1 of the 6 AD servers and 'net join ...' & 'wbinfo -a ...' now work. The commands also work with 2 other AD servers. Why the DNS alias has stopped working is an issue to investigate later. I will continue the FreeRadius deployment using a single AD server. Thanks again for your help. Martin. -----Original Message----- From: freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac.uk@lists.freeradius.org] On Behalf Of Fajar A. Nugraha Sent: 21 October 2011 09:25 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to authenticate against AD On Fri, Oct 21, 2011 at 3:10 PM, Martin Ubank <Martin.Ubank@uwe.ac.uk> wrote:
I've been following the FreeRadius Deployment guide http://deployingradius.com/documents/configuration/active_directory.html
I've edited /etc/krb5.conf, as follows: kdc = campus.ads.uwe.ac.uk
does this server exists and reachable?
I've also edited /etc/samba/smb.conf (comments & blank lines excluded):
realm = campus.ads.uwe.ac.uk password server = campus.ads.uwe.ac.uk
those two usually aren't the same. Are you sure you're using the correct information? Does the server exists and reachable?
I then run 'net join -U USERNAME' and get:
Unable to find a suitable server for domain CAMPUS
Unable to find a suitable server for domain CAMPUS
Basically you'd need to get samba to correctly join the domain. Don't bother going further until this works. samba user list/forum might be able to provide more help. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 21/10/11 10:27, Martin Ubank wrote:
Thanks Fajar.
'campus.ads.uwe.ac.uk' is a DNS alias to 6 AD servers and had been working previously.
I'm amazed. It shouldn't. If you have a properly setup AD environment, just let the DNS-based autodiscovery work.
participants (6)
-
Alan Buxey -
Arran Cudbard-Bell -
Fajar A. Nugraha -
James J J Hooper -
Martin Ubank -
Phil Mayers