ntlm_auth and MSCHAP issues
Howdy, I am experiencing problems with an existing working install of FreeRADIUS to get it to use AD to part authenticate users. Following the instructions found here: http://deployingradius.com/documents/configuration/active_directory.html I can sucessfully get FreeRADUS to authenticate using ntlm_auth. # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [ntlm_auth] expand: --username=%{mschap:User-Name} -> -- username=mcpartlana [ntlm_auth] expand: --password=%{User-Password} -> -- password=redactedpassword Exec output: NT_STATUS_OK: Success (0x0) Exec plaintext: NT_STATUS_OK: Success (0x0) However, making the switch to MSCHAP as per the instructions i get the following outcome: radtest -t mschap mcpartlana redactedpassword localhost 0 redactedsecret Sending Access-Request of id 8 to 127.0.0.1 port 1812 User-Name = "mcpartlana" NAS-IP-Address = 192.168.172.45 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x58b0f84e08b68e46 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c 5adb769615849f47a081cbb22c73c45 rad_recv: Access-Request packet from host 127.0.0.1 port 48263, id=8, length=136 User-Name = "mcpartlana" NAS-IP-Address = 192.168.172.45 NAS-Port = 0 Message-Authenticator = 0x0651b559ed7f1e615e14b10e56fed797 MS-CHAP-Challenge = 0x58b0f84e08b68e46 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c 5adb769615849f47a081cbb22c73c45 # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [ntlm_auth] expand: --username=%{mschap:User-Name} -> -- username=mcpartlana [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) [ntlm_auth] Exec: program returned: 1 ++[ntlm_auth] = reject Sending Access-Reject of id 8 to 127.0.0.1 port 48263 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=8, length=20 To me this looks like the password is not being sent to the AD server - hence the "WRONG_PASSWORD" message - It could just be hidden which is ok. I can only pressume I have messed something up in my configuration. Many thanks Adam CONFIDENTIALITY WARNING: This email has been sent from NYnet Ltd, a UK limited company controlled by North Yorkshire County Council. The information in this email (and any document(s) attached to it) is confidential or legally privileged, and is intended solely for the use of the person named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this E-mail is strictly prohibited. An individual with the title of director does not necessarily mean they are a statutory director. A full list of statutory directors is available for inspection at our registered office.
If you followed it exactly it should work. Which samba version is used? Did you set this on the ad-dc and member (the proxy). : ntlm auth = mschapv2-and-ntlmv2-only Run also: adduser proxy winbindd_priv And also if you have apparmor enabled, you need to adjust that also a bit. Syslog tells what. Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Adam McPartlan Verzonden: woensdag 19 februari 2020 17:57 Aan: freeradius-users@lists.freeradius.org Onderwerp: ntlm_auth and MSCHAP issues
Howdy,
I am experiencing problems with an existing working install of FreeRADIUS to get it to use AD to part authenticate users.
Following the instructions found here: http://deployingradius.com/documents/configuration/active_dire ctory.html
I can sucessfully get FreeRADUS to authenticate using ntlm_auth.
# Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [ntlm_auth] expand: --username=%{mschap:User-Name} -> -- username=mcpartlana [ntlm_auth] expand: --password=%{User-Password} -> -- password=redactedpassword Exec output: NT_STATUS_OK: Success (0x0) Exec plaintext: NT_STATUS_OK: Success (0x0)
However, making the switch to MSCHAP as per the instructions i get the following outcome:
radtest -t mschap mcpartlana redactedpassword localhost 0 redactedsecret
Sending Access-Request of id 8 to 127.0.0.1 port 1812 User-Name = "mcpartlana" NAS-IP-Address = 192.168.172.45 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x58b0f84e08b68e46 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc 3724df41c 5adb769615849f47a081cbb22c73c45 rad_recv: Access-Request packet from host 127.0.0.1 port 48263, id=8, length=136 User-Name = "mcpartlana" NAS-IP-Address = 192.168.172.45 NAS-Port = 0 Message-Authenticator = 0x0651b559ed7f1e615e14b10e56fed797 MS-CHAP-Challenge = 0x58b0f84e08b68e46 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc 3724df41c 5adb769615849f47a081cbb22c73c45
# Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [ntlm_auth] expand: --username=%{mschap:User-Name} -> -- username=mcpartlana [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) [ntlm_auth] Exec: program returned: 1 ++[ntlm_auth] = reject
Sending Access-Reject of id 8 to 127.0.0.1 port 48263 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=8, length=20
To me this looks like the password is not being sent to the AD server - hence the "WRONG_PASSWORD" message - It could just be hidden which is ok. I can only pressume I have messed something up in my configuration.
Many thanks
Adam
CONFIDENTIALITY WARNING: This email has been sent from NYnet Ltd, a UK limited company controlled by North Yorkshire County Council. The information in this email (and any document(s) attached to it) is confidential or legally privileged, and is intended solely for the use of the person named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this E-mail is strictly prohibited. An individual with the title of director does not necessarily mean they are a statutory director. A full list of statutory directors is available for inspection at our registered office.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Adam McPartlan -
L.P.H. van Belle