Hi there, I'm new to freeradius and I'm trying to configure it to authenticate on a AD domain using mschap and ntlm_auth. From a client I have put domain, username and password in variables to be sure that there are no typing errors, then I run:
# ntlm_auth --allow-mschapv2 --domain=$domain --username=$username --password=$password && radtest -t mschap "$domain\\$username" $password 127.0.0.1 0 testing123 NT_STATUS_OK: The operation completed successfully. (0x0) Sent Access-Request Id 58 from 0.0.0.0:55359 to 127.0.0.1:1812 length 139 User-Name = "CSATEST\\user1" MS-CHAP-Password = "Alfa.2020" NAS-IP-Address = 192.168.64.10 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Alfa.2020" MS-CHAP-Challenge = 0x6b4e461a0c35c8da MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385 Received Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61 MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2" (0) -: Expected Access-Accept got Access-Reject
From server side freeradius said:
(5) Received Access-Request Id 58 from 127.0.0.1:55359 to 127.0.0.1:1812 length 139 (5) User-Name = "CSATEST\\user1" (5) NAS-IP-Address = 192.168.64.10 (5) NAS-Port = 0 (5) Message-Authenticator = 0x20d737038881440d2585fa1b63641a0f (5) MS-CHAP-Challenge = 0x6b4e461a0c35c8da (5) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385 (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (5) [mschap] = ok (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "CSATEST\user1", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (5) pap: WARNING: Authentication will fail unless a "known good" password is available (5) [pap] = noop (5) } # authorize = ok (5) Found Auth-Type = mschap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) mschap: Client is using MS-CHAPv1 with NT-Password (5) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}: (5) mschap: EXPAND --domain=%{mschap:NT-Domain} (5) mschap: --> --domain=CSATEST (5) mschap: EXPAND --username=%{mschap:User-Name} (5) mschap: --> --username=user1 (5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)' (5) mschap: External script failed (5) mschap: ERROR: External script says: Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a) (5) mschap: ERROR: MS-CHAP2-Response is incorrect (5) [mschap] = reject (5) } # authenticate = reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> CSATEST\\user1 (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (mschap: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'): [CSATEST\user1] (from client localhost port 0) (5) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61 (5) MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2" Waking up in 3.9 seconds. (5) Cleaning up request packet ID 58 with timestamp +927
Someone can help me to understand where I wrong? Piviul
On Jul 7, 2020, at 9:05 AM, Piviul <piviul@riminilug.it> wrote:
Hi there, I'm new to freeradius and I'm trying to configure it to authenticate on a AD domain using mschap and ntlm_auth.
Follow my guide at http://deployingradius.com It WILL work.
From a client I have put domain, username and password in variables to be sure that there are no typing errors, then I run:
... (5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'
That seems pretty clear.
Someone can help me to understand where I wrong?
Follow my guide. It walks you through the process step by step. If one step succeeds and the next one fails, you know *exactly* what went wrong, and exactly what to do in order to fix it. Alan DeKok.
Alan DeKok ha scritto il 07/07/20 alle 15:15:
On Jul 7, 2020, at 9:05 AM, Piviul <piviul@riminilug.it> wrote: [...] Follow my guide. It walks you through the process step by step. If one step succeeds and the next one fails, you know *exactly* what went wrong, and exactly what to do in order to fix it.
Alan DeKok. Hi Alan, thank you very much. I have followed your guide and PAP and EAP now seems to work flawlessy; furthermore even AD authentication and ntlm_auth are successfully configured. But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the server I can see these logs: (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=user1 (0) mschap: mschap1: 1a (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} (0) mschap: --> --domain=CSATEST--challenge=1a162d834a0ac705 (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=f7539949c09457385f97329664296f699d915ccd6a0a58fa (0) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)' (0) mschap: External script failed (0) mschap: ERROR: External script says: Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject
that seems that user1 doesn't exists but:
# getent passwd CSATEST\\user1 CSATEST\user1:*:11106:10513:user1:/home/user1:/bin/bash
From the log above seems that the client send a MS-CHAPv1 request... I have tried to add --allow-mschapv2 to the ntlm_auth command in the mschap configuration file but nothing changed; Do you think I've found a bug in samba? Piviul
On Jul 7, 2020, at 10:40 AM, Piviul <piviul@riminilug.it> wrote:
Hi Alan, thank you very much. I have followed your guide and PAP and EAP now seems to work flawlessy; furthermore even AD authentication and ntlm_auth are successfully configured.
That's good. Does ntlm_auth work when you run it from the command line?
But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the server I can see these logs:
If ntlm_auth works from the command line, then it should work when run from FreeRADIUS.
(0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=user1 (0) mschap: mschap1: 1a (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} (0) mschap: --> --domain=CSATEST--challenge=1a162d834a0ac705
That's a typo. You need a space between "CSATEST" and "--challenge".
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=f7539949c09457385f97329664296f699d915ccd6a0a58fa (0) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)'
That seems pretty definitive
(0) mschap: External script failed (0) mschap: ERROR: External script says: Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject
that seems that user1 doesn't exists but:
# getent passwd CSATEST\\user1 CSATEST\user1:*:11106:10513:user1:/home/user1:/bin/bash
From the log above seems that the client send a MS-CHAPv1 request... I have tried to add --allow-mschapv2 to the ntlm_auth command in the mschap configuration file but nothing changed;
Do you think I've found a bug in samba?
No. Carefully reading the debug output is _very_ useful. Alan DeKok.
Alan DeKok ha scritto il 07/07/20 alle 19:58:
On Jul 7, 2020, at 10:40 AM, Piviul <piviul@riminilug.it> wrote:
Hi Alan, thank you very much. I have followed your guide and PAP and EAP now seems to work flawlessy; furthermore even AD authentication and ntlm_auth are successfully configured.
That's good. I think so ;)
Does ntlm_auth work when you run it from the command line? of course: # ntlm_auth --request-nt-key --domain=$domain --username=$username --password=$password NT_STATUS_OK: The operation completed successfully. (0x0)
But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the server I can see these logs: If ntlm_auth works from the command line, then it should work when run from FreeRADIUS. but didn't! these are the authentication logs from freeradius server (forget the previous logs because there was an error in mschap config file): (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CSATEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=user1 (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST} (0) mschap: --> --domain=CSATEST (0) mschap: mschap1: 7f (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=7f51b8630dacf162 (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313 (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject
I can observe that mschap contact the freeradius server using the old mschap v1 version (we can read "Client is using MS-CHAPv1") but at the end of the auth logs we can read "ERROR: MS-CHAP2-Response is incorrect". In your opinion that's OK? Furthermore I have successfully completed the "Configuring FreeRADIUS to use ntlm_auth" section and the server correctly complete the authentication:
(0) Found Auth-Type = ntlm_auth (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=CSATEST --username=%{mschap:User-Name} --password=%{User-Password}: [...] (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: The operation completed successfully. (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) } # authenticate = ok
But mschap use the same ntlm_auth command to authenticate the user! From the server logs we can affirm that domain and username are correctly expanded. Password is not used but --challenge and --nt-response are. How mschap module expand challenge and nt-response? In effect I have tried but this command fails:
# /usr/bin/ntlm_auth --request-nt-key --username=user1 --domain=CSATEST --challenge=7f51b8630dacf162 --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313 The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
So challenge or nt-response are not correct. I am very confused... Any way thank you very much. Piviul
On Jul 8, 2020, at 3:46 AM, Piviul <piviul@riminilug.it> wrote:
Does ntlm_auth work when you run it from the command line? of course: # ntlm_auth --request-nt-key --domain=$domain --username=$username --password=$password NT_STATUS_OK: The operation completed successfully. (0x0)
Ok, but that doesn't test the MS-CHAP side.
But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the server I can see these logs: If ntlm_auth works from the command line, then it should work when run from FreeRADIUS. but didn't! these are the authentication logs from freeradius server (forget the previous logs because there was an error in mschap config file): (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CSATEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=user1 (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST} (0) mschap: --> --domain=CSATEST (0) mschap: mschap1: 7f (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=7f51b8630dacf162 (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313 (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
That's pretty definitive.
I can observe that mschap contact the freeradius server using the old mschap v1 version (we can read "Client is using MS-CHAPv1") but at the end of the auth logs we can read "ERROR: MS-CHAP2-Response is incorrect". In your opinion that's OK?
Yes, that's how it works.
Furthermore I have successfully completed the "Configuring FreeRADIUS to use ntlm_auth" section and the server correctly complete the authentication:
That's good.
But mschap use the same ntlm_auth command to authenticate the user!
With different parameters. If the client was given the wrong password, then it will do the MS-CHAP calculations, and get a different answer than what Samba has. Samba will then reject the user.
From the server logs we can affirm that domain and username are correctly expanded. Password is not used but --challenge and --nt-response are. How mschap module expand challenge and nt-response? In effect I have tried but this command fails:
# /usr/bin/ntlm_auth --request-nt-key --username=user1 --domain=CSATEST --challenge=7f51b8630dacf162 --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313 The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
So challenge or nt-response are not correct.
Yes. There isn't much you can do on the FreeRADIUS side to fix this. Either the user is entering the wrong password, or something between ntlm_auth and Samba is causing an issue. FreeRADIUS does the MS-CHAP calculations correctly. There are tests run on every code change to ensure that it is correct. Plus, everyone *else* has a working MS-CHAP with FreeRADIUS. So something in your local system is broken. It's hard to say exactly what. Alan DeKok.
Piviul ha scritto il 08/07/20 alle 09:46:
[...] I can observe that mschap contact the freeradius server using the old mschap v1 version (we can read "Client is using MS-CHAPv1") but at the end of the auth logs we can read "ERROR: MS-CHAP2-Response is incorrect". In your opinion that's OK? I answer myself: seems to be correct; in mschap module I can read: # if use_mppe is not set to no mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
the defult value doesn't set use_mppe to no. Piviul
Is your AD-DC also a samba server ? Try adding this to smb.conf (globel) # Add for freeradius support ntlm auth = mschapv2-and-ntlmv2-only Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Piviul Verzonden: dinsdag 7 juli 2020 15:05 Aan: freeradius-users@lists.freeradius.org Onderwerp: mschap configuration problem
Hi there, I'm new to freeradius and I'm trying to configure it to authenticate on a AD domain using mschap and ntlm_auth. From a client I have put domain, username and password in variables to be sure that there are no typing errors, then I run:
# ntlm_auth --allow-mschapv2 --domain=$domain --username=$username --password=$password && radtest -t mschap "$domain\\$username" $password 127.0.0.1 0 testing123 NT_STATUS_OK: The operation completed successfully. (0x0) Sent Access-Request Id 58 from 0.0.0.0:55359 to 127.0.0.1:1812 length 139 User-Name = "CSATEST\\user1" MS-CHAP-Password = "Alfa.2020" NAS-IP-Address = 192.168.64.10 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Alfa.2020" MS-CHAP-Challenge = 0x6b4e461a0c35c8da MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330 052688e78de5ccbba7d9d954abf1e1b85596b385 Received Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61 MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2" (0) -: Expected Access-Accept got Access-Reject
From server side freeradius said:
(5) Received Access-Request Id 58 from 127.0.0.1:55359 to 127.0.0.1:1812 length 139 (5) User-Name = "CSATEST\\user1" (5) NAS-IP-Address = 192.168.64.10 (5) NAS-Port = 0 (5) Message-Authenticator = 0x20d737038881440d2585fa1b63641a0f (5) MS-CHAP-Challenge = 0x6b4e461a0c35c8da (5) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330 052688e78de5ccbba7d9d954abf1e1b85596b385 (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (5) [mschap] = ok (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "CSATEST\user1", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (5) pap: WARNING: Authentication will fail unless a "known good" password is available (5) [pap] = noop (5) } # authorize = ok (5) Found Auth-Type = mschap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) mschap: Client is using MS-CHAPv1 with NT-Password (5) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}: (5) mschap: EXPAND --domain=%{mschap:NT-Domain} (5) mschap: --> --domain=CSATEST (5) mschap: EXPAND --username=%{mschap:User-Name} (5) mschap: --> --username=user1 (5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)' (5) mschap: External script failed (5) mschap: ERROR: External script says: Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a) (5) mschap: ERROR: MS-CHAP2-Response is incorrect (5) [mschap] = reject (5) } # authenticate = reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> CSATEST\\user1 (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (mschap: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'): [CSATEST\user1] (from client localhost port 0) (5) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61 (5) MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2" Waking up in 3.9 seconds. (5) Cleaning up request packet ID 58 with timestamp +927
Someone can help me to understand where I wrong?
Piviul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
L.P.H. van Belle via Freeradius-Users ha scritto il 07/07/20 alle 15:18:
Is your AD-DC also a samba server ?
Try adding this to smb.conf (globel) # Add for freeradius support ntlm auth = mschapv2-and-ntlmv2-only After changing ntlm_auth, as you suggest, on the samba AD the problem seems to be solved.
But now I have another problem using the CA certificate. I would like to use freeradius server to authenticate wifi users on WPA2 enterprise security settings using peap authentication. If I configure a linux, win xp and win7 clients using the ca certificate and WPA2 Enterprise auth protocol using PEAP and MSCHAP linux seems to work but win xp and win7 client didn't. On the winxp logs I can find:
(30) Found Auth-Type = eap (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (30) authenticate { (30) eap: Expiring EAP session with state 0x1cc2a6451cccbf2e (30) eap: Finished EAP session with state 0x1cc2a6451cccbf2e (30) eap: Previous EAP request found for state 0x1cc2a6451cccbf2e, released from the list (30) eap: Peer sent packet with method EAP PEAP (25) (30) eap: Calling submodule eap_peap to process data (30) eap_peap: Continuing EAP-TLS (30) eap_peap: Peer indicated complete TLS record size will be 77 bytes (30) eap_peap: Got complete TLS record (77 bytes) (30) eap_peap: [eaptls verify] = length included (30) eap_peap: (other): before SSL initialization (30) eap_peap: TLS_accept: before SSL initialization (30) eap_peap: TLS_accept: before SSL initialization (30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (30) eap_peap: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error (30) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (30) eap_peap: ERROR: System call (I/O) error (-1) (30) eap_peap: ERROR: TLS receive handshake failed during operation (30) eap_peap: ERROR: [eaptls process] = fail (30) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (30) eap: Sending EAP Failure (code 4) ID 14 length 4 (30) eap: Failed in EAP select (30) [eap] = invalid (30) } # authenticate = invalid (30) Failed to authenticate the user (30) Using Post-Auth-Type Reject
and on the win7 client:
(14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x211f359d22552ca2 (14) eap: Finished EAP session with state 0x211f359d22552ca2 (14) eap: Previous EAP request found for state 0x211f359d22552ca2, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer indicated complete TLS record size will be 7 bytes (14) eap_peap: Got complete TLS record (7 bytes) (14) eap_peap: [eaptls verify] = length included (14) eap_peap: <<< recv TLS 1.2 [length 0002] (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (14) eap_peap: TLS_accept: Need to read more data: error (14) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (14) eap_peap: In SSL Handshake Phase (14) eap_peap: In SSL Accept mode (14) eap_peap: SSL Application Data (14) eap_peap: ERROR: TLS failed during operation (14) eap_peap: ERROR: [eaptls process] = fail (14) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (14) eap: Sending EAP Failure (code 4) ID 74 length 4 (14) eap: Failed in EAP select (14) [eap] = invalid (14) } # authenticate = invalid (14) Failed to authenticate the user (14) Using Post-Auth-Type Reject
Winxp e win7 client both seems to fail during handshake phase; linux didn't. From successfully linux logs I can find:
eap_peap: Peer indicated complete TLS record size will be 126
but reading winxp logs I can see:
eap_peap: Peer indicated complete TLS record size will be 77 bytes
and win7:
eap_peap: Peer indicated complete TLS record size will be 7 bytes
77 or 7 bytes seems to me not to be enought for a TLS record size isn't it? That's the problem? Any way can anyone please help me to find why win{xp,7} clients can't communicate using EAP-TLS? Best regards Piviul
XP.. :-/ .. Expect more problems... But for your XP you can try this, if that doesnt work upgrade to W10 https://msfn.org/board/topic/178092-enable-tls-11-and-12-in-windows-xp-corre... And for Win7 this. https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-12-... Greetz, Louis
-----Oorspronkelijk bericht----- Van: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl@lists.freerad ius.org] Namens Piviul Verzonden: dinsdag 14 juli 2020 14:54 Aan: freeradius-users@lists.freeradius.org Onderwerp: Re: mschap configuration problem
L.P.H. van Belle via Freeradius-Users ha scritto il 07/07/20 alle 15:18:
Is your AD-DC also a samba server ?
Try adding this to smb.conf (globel) # Add for freeradius support ntlm auth = mschapv2-and-ntlmv2-only After changing ntlm_auth, as you suggest, on the samba AD the problem seems to be solved.
But now I have another problem using the CA certificate. I would like to use freeradius server to authenticate wifi users on WPA2 enterprise security settings using peap authentication. If I configure a linux, win xp and win7 clients using the ca certificate and WPA2 Enterprise auth protocol using PEAP and MSCHAP linux seems to work but win xp and win7 client didn't. On the winxp logs I can find:
(30) Found Auth-Type = eap (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (30) authenticate { (30) eap: Expiring EAP session with state 0x1cc2a6451cccbf2e (30) eap: Finished EAP session with state 0x1cc2a6451cccbf2e (30) eap: Previous EAP request found for state 0x1cc2a6451cccbf2e, released from the list (30) eap: Peer sent packet with method EAP PEAP (25) (30) eap: Calling submodule eap_peap to process data (30) eap_peap: Continuing EAP-TLS (30) eap_peap: Peer indicated complete TLS record size will be 77 bytes (30) eap_peap: Got complete TLS record (77 bytes) (30) eap_peap: [eaptls verify] = length included (30) eap_peap: (other): before SSL initialization (30) eap_peap: TLS_accept: before SSL initialization (30) eap_peap: TLS_accept: before SSL initialization (30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (30) eap_peap: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error (30) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (30) eap_peap: ERROR: System call (I/O) error (-1) (30) eap_peap: ERROR: TLS receive handshake failed during operation (30) eap_peap: ERROR: [eaptls process] = fail (30) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (30) eap: Sending EAP Failure (code 4) ID 14 length 4 (30) eap: Failed in EAP select (30) [eap] = invalid (30) } # authenticate = invalid (30) Failed to authenticate the user (30) Using Post-Auth-Type Reject
and on the win7 client:
(14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x211f359d22552ca2 (14) eap: Finished EAP session with state 0x211f359d22552ca2 (14) eap: Previous EAP request found for state 0x211f359d22552ca2, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer indicated complete TLS record size will be 7 bytes (14) eap_peap: Got complete TLS record (7 bytes) (14) eap_peap: [eaptls verify] = length included (14) eap_peap: <<< recv TLS 1.2 [length 0002] (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (14) eap_peap: TLS_accept: Need to read more data: error (14) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (14) eap_peap: In SSL Handshake Phase (14) eap_peap: In SSL Accept mode (14) eap_peap: SSL Application Data (14) eap_peap: ERROR: TLS failed during operation (14) eap_peap: ERROR: [eaptls process] = fail (14) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (14) eap: Sending EAP Failure (code 4) ID 74 length 4 (14) eap: Failed in EAP select (14) [eap] = invalid (14) } # authenticate = invalid (14) Failed to authenticate the user (14) Using Post-Auth-Type Reject
Winxp e win7 client both seems to fail during handshake phase; linux didn't. From successfully linux logs I can find:
eap_peap: Peer indicated complete TLS record size will be 126
but reading winxp logs I can see:
eap_peap: Peer indicated complete TLS record size will be 77 bytes
and win7:
eap_peap: Peer indicated complete TLS record size will be 7 bytes
77 or 7 bytes seems to me not to be enought for a TLS record size isn't it? That's the problem?
Any way can anyone please help me to find why win{xp,7} clients can't communicate using EAP-TLS?
Best regards
Piviul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
L.P.H. van Belle via Freeradius-Users ha scritto il 14/07/20 alle 15:01:
XP.. :-/ ..
Expect more problems...
But for your XP you can try this, if that doesnt work upgrade to W10 https://msfn.org/board/topic/178092-enable-tls-11-and-12-in-windows-xp-corre... ...it's not so simple upgrade to win10, we have instruments software that works only on that OS version... anyway I'll think at xp problems later...
And for Win7 this. https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-12-... done but nothing changed. I have created the tlsv1.2.reg: Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000
other ideas? If you need more infos to shoot the problem please let me know. Piviul
Hello dear there all, Regarding the Windows TLS issue I have used the tool on https://www.nartac.com/Products/IISCrypto/ site and restart it. Everything worked like a charm. Hope this is going to work for you as well. Have a great day. İbrahim AKŞİT Best Regards and Wishes Yours Sincerely. On Tue, Jul 14, 2020 at 6:02 PM Piviul <piviul@riminilug.it> wrote:
L.P.H. van Belle via Freeradius-Users ha scritto il 14/07/20 alle 15:01:
XP.. :-/ ..
Expect more problems...
But for your XP you can try this, if that doesnt work upgrade to W10
https://msfn.org/board/topic/178092-enable-tls-11-and-12-in-windows-xp-corre... ...it's not so simple upgrade to win10, we have instruments software that works only on that OS version... anyway I'll think at xp problems later...
And for Win7 this.
https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-12-... done but nothing changed. I have created the tlsv1.2.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
other ideas?
If you need more infos to shoot the problem please let me know.
Piviul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ibrahim AKSIT ha scritto il 14/07/20 alle 21:30:
Hello dear there all, Regarding the Windows TLS issue I have used the tool on https://www.nartac.com/Products/IISCrypto/ site and restart it. Everything worked like a charm. Hope this is going to work for you as well. Have a great day. Thank you very much indeed!
IISCrypto say it is compatible with "Windows Server 2008, 2012, 2016 and 2019" but more over I can even read "IIS Crypto updates the registry using the same settings from this article[¹] by Microsoft.". The MS article says that the registry settings found on the article are compatible with "Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003 Standard Edition (32-bit x86), Microsoft Windows Server 2003 Web Edition, Microsoft Windows XP Professional, Microsoft Windows XP Home Edition". I can't find win7... any way I have run it on a win7 client: all settings seems to be checked so all protocols seems to be supported until TLS 1.2 and SSL 3.0. I have selected the best practices template that disable old protocols, I have selected all protocols even old ones, applyed and rebooted the win7 client but nothing changed but the fails log are ever the same:
(4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xbe242a7dbdc83389 (4) eap: Finished EAP session with state 0xbe242a7dbdc83389 (4) eap: Previous EAP request found for state 0xbe242a7dbdc83389, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes (4) eap_peap: Got complete TLS record (7 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (4) eap_peap: TLS_accept: Need to read more data: error (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_peap: In SSL Handshake Phase (4) eap_peap: In SSL Accept mode (4) eap_peap: SSL Application Data (4) eap_peap: ERROR: TLS failed during operation (4) eap_peap: ERROR: [eaptls process] = fail (4) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (4) eap: Sending EAP Failure (code 4) ID 236 length 4 (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid
I have tried to run IISCrypto to a win10 client but the protocols supported seems to be the same... I'm very confused... :? Piviul [¹] https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-c...
On Jul 14, 2020, at 8:53 AM, Piviul <piviul@riminilug.it> wrote:
(30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (30) eap_peap: ERROR: TLS Alert
Windows is doing TLS 1.3. There is no standard yet for EAP with TLS 1.3 Edit mods-available/eap, and set: tls_max_version = "1.2"
and on the win7 client:
(14) eap_peap: <<< recv TLS 1.2 [length 0002] (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
You didn't put the root CA onto the Windows machine.
Winxp e win7 client both seems to fail during handshake phase; linux didn't. From successfully linux logs I can find:
eap_peap: Peer indicated complete TLS record size will be 126
but reading winxp logs I can see:
eap_peap: Peer indicated complete TLS record size will be 77 bytes
and win7:
eap_peap: Peer indicated complete TLS record size will be 7 bytes
77 or 7 bytes seems to me not to be enought for a TLS record size isn't it? That's the problem?
No. The record sizes depend on all kinds of things. You don't debug a TCP connection by noting that some packets are 64 bytes and others are 200 bytes.
Any way can anyone please help me to find why win{xp,7} clients can't communicate using EAP-TLS?
The error messages from OpenSSL aren't perfect, but they explain exactly what the issue is. Alan DeKok.
Alan DeKok ha scritto il 14/07/20 alle 16:17:
On Jul 14, 2020, at 8:53 AM, Piviul <piviul@riminilug.it> wrote:
(30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (30) eap_peap: ERROR: TLS Alert
Windows is doing TLS 1.3. There is no standard yet for EAP with TLS 1.3
Edit mods-available/eap, and set:
tls_max_version = "1.2" but win 10 can connect... any way I have uncommented the option but nothing changed
and on the win7 client:
(14) eap_peap: <<< recv TLS 1.2 [length 0002] (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
You didn't put the root CA onto the Windows machine. no, I did it; I have installed the ca.der putting it in the Trusted Root CA. Furthermore on the connection I have selected to validate server certificate and selected the certificate imported in the trusted root ca.
And are the same settings I've set in win10... Piviul
On Jul 14, 2020, at 11:00 AM, Piviul <piviul@riminilug.it> wrote:
Alan DeKok ha scritto il 14/07/20 alle 16:17:
On Jul 14, 2020, at 8:53 AM, Piviul <piviul@riminilug.it> wrote:
(30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (30) eap_peap: ERROR: TLS Alert
Windows is doing TLS 1.3. There is no standard yet for EAP with TLS 1.3 Edit mods-available/eap, and set: tls_max_version = "1.2" but win 10 can connect... any way I have uncommented the option but nothing changed
Windows 10 can connect because it's different. Did you restart the server after the configuration change? Which version are you running? I doubt *very* much that the systems do TLS 1.3 if it's disabled on the server.
and on the win7 client:
(14) eap_peap: <<< recv TLS 1.2 [length 0002] (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
You didn't put the root CA onto the Windows machine. no, I did it; I have installed the ca.der putting it in the Trusted Root CA. Furthermore on the connection I have selected to validate server certificate and selected the certificate imported in the trusted root ca.
Apparently it's not enough. Look, it's very simple. You can believe that you configured everything perfectly AND the error messages are lying to you. Or, you can believe that the error messages are correct, and you're missing some configuration somewhere.
And are the same settings I've set in win10...
Ask Microsoft how to configure their systems. Alan DeKok.
Alan DeKok ha scritto il 14/07/20 alle 18:50:
[...] Did you restart the server after the configuration change? Which version are you running? if you mean the freeradius service yes, I have restarted it.
I doubt *very* much that the systems do TLS 1.3 if it's disabled on the server. when you say server do you mean the pc where I have installed freeradius? Do you know how can I test the ssl version protocol supoorted?
[...] Look, it's very simple. You can believe that you configured everything perfectly AND the error messages are lying to you. Or, you can believe that the error messages are correct, and you're missing some configuration somewhere. no, it's not lying me simply I think saying "unknown CA" means that the server can't find the CA certificate to validate the client certificate. The reason why the server can't find the certificate should be that I have not well configured the CA certificate (but I fear that's not) or should be that the client can't decide wich ssl version to use... didn't you?
Do you know a way to get the ssl protocol version supported by a windows client and the ssl protocol supported by the server (the server where it is installed freeradius)?
And are the same settings I've set in win10... Ask Microsoft how to configure their systems. yes, you are right... I wouldn't use windows but it's not so simple remove it from my LAN...
Thank you very much! My best regards Piviul
I have solved all my problems. _Win7_ As supposed by Alan the problem was truly relative to the certificate; the "unknown CA" means that the client can't get the CA certificate to validate the certificate. The problem was tied to the way I installed the certificate in win7. Right button on the certificate and choose install certificate doesn't works correctly even if on the client configuration settings I can find the certificate installed. In win7 to install a certificate you have to use mmc.exe[¹] or command line[²] as suggested from L.P.H. van Belle. No updates to the freeradius eap configuration file are needed relative to tls version to use. _WinXP_ In winXP it is needed to update ssl support. I have installed the KB942288 and kb4019276 and update this registry key: [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady] "Installed"=dword:00000001 I have installed the CA certificate in winxp using the mmc method[¹] All works like a charm. Thank you very much indeed to all Piviul [¹] https://www.thesslstore.com/knowledgebase/ssl-install/how-to-import-intermed... [²] https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-ce...
participants (4)
-
Alan DeKok -
Ibrahim AKSIT -
L.P.H. van Belle -
Piviul