We are developing a security scheme in which we use EAP TTLS MS CHAP v2 with Proxy. The TTLS phase is done with the first AAA server, and the second step, with MS CHAP v2, is proxied to another AAA (which is an LDAP server). When the first AAA server is FR and the second one is also FV, then authentication is OK. When the second AAA server is ACS (Cisco) or NPS (MS), the MS CHAP v2 authentication fails. We preformed troubleshooting and elimination testing which indicate the issue is with the pwd. Not with the user name. For example it also fails with the local DB of the 2nd AAA server. Also the verbose error log shows the user account is found. Looks like something is wrong with the pwd hash. will most appreciate your expert opinion. Thnks Sagi -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p291... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Files posted. The config files of the two FR servers and the sniffer traces of a successul authentcation with FR + FR, vs a failed one with FR + NPS. Garber, Neal wrote:
will most appreciate your expert opinion.
Post debug output!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://old.nabble.com/file/p29167377/CHAPv2%2BAuthentication%2Bissue.zip CHAPv2+Authentication+issue.zip -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p291... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thank you for the clarification Phil. I am not sure what "radius -x" means. I posted the two output files I have. Are these the ones? If not, pls elaborate. Note that these are the output files for the two FR servers, for which eveything is just fine. What does not work is when the second server is not FR but NPS or ACS. I hope this data will suffice to identify the issue or at least give good leads. Phil Mayers wrote:
On 07/14/2010 11:17 PM, SagiBarOr wrote:
Files posted.
No.
Post the output of "radiusd -X" to the list.
We don't need anything else; just that. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://old.nabble.com/file/p29170161/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p291... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I think you need to stop the radius process and then start i with radiusd -X This will run freeradius in the window you are starting it in, in debug mode. On a Linux it will look something like this /usr/sbin/freeradius -X (Default Debian install directory) Or in a manually compiled /opt/freeradius-1.1.8/sbin/radiusd -X (My install location) And that output it comes from that is what Phil wants :) Best regards Jan Madsen -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org] På vegne af SagiBarOr Sendt: 15. juli 2010 09:46 Til: freeradius-users@lists.freeradius.org Emne: Re: FR proxy to ACS and NPS with MS CHAP v2 Thank you for the clarification Phil. I am not sure what "radius -x" means. I posted the two output files I have. Are these the ones? If not, pls elaborate. Note that these are the output files for the two FR servers, for which eveything is just fine. What does not work is when the second server is not FR but NPS or ACS. I hope this data will suffice to identify the issue or at least give good leads. Phil Mayers wrote:
On 07/14/2010 11:17 PM, SagiBarOr wrote:
Files posted.
No.
Post the output of "radiusd -X" to the list.
We don't need anything else; just that. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://old.nabble.com/file/p29170161/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p291... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center. www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you. __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center. www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you.
Thank you for the info Jan. The radiusd-x files were included in the zip files. Though I guess the other logs were overwhelming. I now posted the two log files here. The file cn-check_splitauth.log is from the first free radius. The file ldap_mschapv2.log is from the second FR server which does the MS CHAP v2 portion. Note that everything works in this confioguration. No issues. What I like the forum to advise, is what might be non std or missing in the MC CHAP v2 session, which FR overcomes it. When I replace the 2nd FR with MS NPS or Cisco NPS the authentication fails, looks like because the pwd (hash) does not match. Thnks Sagi Madsen.Jan JMD wrote:
I think you need to stop the radius process and then start i with radiusd -X This will run freeradius in the window you are starting it in, in debug mode.
On a Linux it will look something like this /usr/sbin/freeradius -X (Default Debian install directory)
Or in a manually compiled /opt/freeradius-1.1.8/sbin/radiusd -X (My install location)
And that output it comes from that is what Phil wants :)
Best regards Jan Madsen
-----Oprindelig meddelelse----- Fra: freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org] På vegne af SagiBarOr Sendt: 15. juli 2010 09:46 Til: freeradius-users@lists.freeradius.org Emne: Re: FR proxy to ACS and NPS with MS CHAP v2
Thank you for the clarification Phil. I am not sure what "radius -x" means. I posted the two output files I have. Are these the ones? If not, pls elaborate.
Note that these are the output files for the two FR servers, for which eveything is just fine. What does not work is when the second server is not FR but NPS or ACS. I hope this data will suffice to identify the issue or at least give good leads.
Phil Mayers wrote:
On 07/14/2010 11:17 PM, SagiBarOr wrote:
Files posted.
No.
Post the output of "radiusd -X" to the list.
We don't need anything else; just that. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://old.nabble.com/file/p29170161/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p291... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745
KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center.
www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com
Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you. __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745
KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center.
www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com
Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://old.nabble.com/file/p29275298/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29275298/ldap_mschapv2.log ldap_mschapv2.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p292... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Here is another pair of logs which may be more focused than the previous pair. It is of the LDAP portion only SagiBarOr wrote:
Thank you for the info Jan. The radiusd-x files were included in the zip files. Though I guess the other logs were overwhelming. I now posted the two log files here. The file cn-check_splitauth.log is from the first free radius. The file ldap_mschapv2.log is from the second FR server which does the MS CHAP v2 portion. Note that everything works in this confioguration. No issues. What I like the forum to advise, is what might be non std or missing in the MC CHAP v2 session, which FR overcomes it. When I replace the 2nd FR with MS NPS or Cisco NPS the authentication fails, looks like because the pwd (hash) does not match. Thnks Sagi
Madsen.Jan JMD wrote:
I think you need to stop the radius process and then start i with radiusd -X This will run freeradius in the window you are starting it in, in debug mode.
On a Linux it will look something like this /usr/sbin/freeradius -X (Default Debian install directory)
Or in a manually compiled /opt/freeradius-1.1.8/sbin/radiusd -X (My install location)
And that output it comes from that is what Phil wants :)
Best regards Jan Madsen
-----Oprindelig meddelelse----- Fra: freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org] På vegne af SagiBarOr Sendt: 15. juli 2010 09:46 Til: freeradius-users@lists.freeradius.org Emne: Re: FR proxy to ACS and NPS with MS CHAP v2
Thank you for the clarification Phil. I am not sure what "radius -x" means. I posted the two output files I have. Are these the ones? If not, pls elaborate.
Note that these are the output files for the two FR servers, for which eveything is just fine. What does not work is when the second server is not FR but NPS or ACS. I hope this data will suffice to identify the issue or at least give good leads.
Phil Mayers wrote:
On 07/14/2010 11:17 PM, SagiBarOr wrote:
Files posted.
No.
Post the output of "radiusd -X" to the list.
We don't need anything else; just that. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://old.nabble.com/file/p29170161/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p291... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745
KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center.
www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com
Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you. __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745
KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center.
www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com
Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
http://old.nabble.com/file/p29275298/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29275298/ldap_mschapv2.log ldap_mschapv2.log
http://old.nabble.com/file/p29295911/1st%2BAAA-ldap_mschapv2.log 1st+AAA-ldap_mschapv2.log http://old.nabble.com/file/p29295911/2nd%2BAAA-cn-check_splitauth.log 2nd+AAA-cn-check_splitauth.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p292... Sent from the FreeRadius - User mailing list archive at Nabble.com.
SagiBarOr wrote:
Here is another pair of logs which may be more focused than the previous pair. It is of the LDAP portion only
Could you explain in *simple* terms what you want? You've been posting large debug outputs with little or no explanation. Alan DeKok.
Sure. Here is the picture again: we are doing EAP-TTLS authnentcation with a partial proxy. We call it "split authentication". One Freeradius server is doing the TLS phase and then proxy the MS CHAP v2 portion to a second Free Radius server. This works just fine. When we try to do the same when the second server (which does the MS CHAP v2 authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the authentication fails. The connection is refused becasue of bad username or pwd. My question to the forum: although thesystem with 2 FR servers works fine, can it be that there an issue with the MS CHAP v2 proxy, and only becasue the second radius is also Free radius, then it tolarates it? I know it is a weird request to look for somthing non std or wrong in logs of a susscessful session, but I still try my luck. Any lead can help. Appreciate yuor patience. Sagi Alan DeKok-2 wrote:
SagiBarOr wrote:
Here is another pair of logs which may be more focused than the previous pair. It is of the LDAP portion only
Could you explain in *simple* terms what you want? You've been posting large debug outputs with little or no explanation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p292... Sent from the FreeRadius - User mailing list archive at Nabble.com.
SagiBarOr wrote:
Sure. Here is the picture again: we are doing EAP-TTLS authnentcation with a partial proxy. We call it "split authentication". One Freeradius server is doing the TLS phase and then proxy the MS CHAP v2 portion to a second Free Radius server. This works just fine. When we try to do the same when the second server (which does the MS CHAP v2 authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the authentication fails. The connection is refused becasue of bad username or pwd.
The debug logs you posted show no such reject.
My question to the forum: although thesystem with 2 FR servers works fine, can it be that there an issue with the MS CHAP v2 proxy, and only becasue the second radius is also Free radius, then it tolarates it?
My $0.02 is that FreeRADIUS implements the specs correctly. It proxies MS-CHAP as MS-CHAP, without any butchering of the packets.
I know it is a weird request to look for somthing non std or wrong in logs of a susscessful session, but I still try my luck. Any lead can help.
This disagrees with what you said earlier. If the connection is refused, you should not see a successful session. Which one is it? Alan DeKok.
The connection is not refused. these logs are of a successful session. I did not post logs of a refused connection because this is not a free radius server. If you have no infomration about something non std with the way Free radius proxy MA CHAP v2 then I will continue to investigate in other directions. Alan DeKok-2 wrote:
SagiBarOr wrote:
Sure. Here is the picture again: we are doing EAP-TTLS authnentcation with a partial proxy. We call it "split authentication". One Freeradius server is doing the TLS phase and then proxy the MS CHAP v2 portion to a second Free Radius server. This works just fine. When we try to do the same when the second server (which does the MS CHAP v2 authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the authentication fails. The connection is refused becasue of bad username or pwd.
The debug logs you posted show no such reject.
My question to the forum: although thesystem with 2 FR servers works fine, can it be that there an issue with the MS CHAP v2 proxy, and only becasue the second radius is also Free radius, then it tolarates it?
My $0.02 is that FreeRADIUS implements the specs correctly. It proxies MS-CHAP as MS-CHAP, without any butchering of the packets.
I know it is a weird request to look for somthing non std or wrong in logs of a susscessful session, but I still try my luck. Any lead can help.
This disagrees with what you said earlier. If the connection is refused, you should not see a successful session.
Which one is it?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p292... Sent from the FreeRadius - User mailing list archive at Nabble.com.
SagiBarOr wrote:
The connection is not refused. these logs are of a successful session.
Then why did you post them? You have a problem with rejected sessions, so there is *no* reason to post logs from accepted sessions.
I did not post logs of a refused connection because this is not a free radius server.
There is no magic in those logs. Maybe there's some text in them which can help us figure out the problem.
If you have no infomration about something non std with the way Free radius proxy MA CHAP v2 then I will continue to investigate in other directions.
If proxying works to another FreeRADIUS server, it should work to any other standards-compliant RADIUS server. FreeRADIUS does not edit or destroy any attributes that it proxies. Alan DeKok.
Did anyone ever managed to establish a radius proxy between FR and another Radius server, such as NPS or ACS? -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
Did anyone ever managed to establish a radius proxy between FR and another Radius server, such as NPS or ACS?
yes - just dealt with them as remote RADIUS servers...they follow the basic RADIUS RFCs fairly well - whats your issue? alan
Hi Alan The issue is that the MS CHAP v2 authentication fails. it succeeds when the 2nd Radius is FR and fails with MS NPS. Sniffer traces show tha the dialog between the MS CHAP v2 FR and the DC is different then the one between the NPS and the DC. Thnks Sagi -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
The issue is that the MS CHAP v2 authentication fails. it succeeds when the 2nd Radius is FR and fails with MS NPS. Sniffer traces show tha the dialog between the MS CHAP v2 FR and the DC is different then the one between the NPS and the DC.
I manage a system that involves several hundred RADIUS servers - in which there are around two thirds FreeRADIUS, proxied through other systems (including RADIATOR) and onto NPS for authentication and it works. I'd suggest that you check the attribute filtering that you are doing - you must ensure that some basic attributes pass through to the NPS or it will flop. eg Proxy-State =* ANY, EAP-Message =* ANY, MS-MPPE-Recv-Key =* ANY, MS-MPPE-Send-Key =* ANY, MS-CHAP-MPPE-Keys =* ANY, Message-Authenticator =* ANY, State =* ANY, alan
sbaror wrote:
Hi Alan The issue is that the MS CHAP v2 authentication fails. it succeeds when the 2nd Radius is FR and fails with MS NPS. Sniffer traces show tha the dialog between the MS CHAP v2 FR and the DC is different then the one between the NPS and the DC.
Yes. NPS uses magic AD protocols. Samba (which FreeRADIUS uses) implements the old NT protocols. That doesn't matter. What matters is configuring FreeRADIUS correctly. It's not hard to set up ntlm_auth to AD. It's documented in a number of places, including my web site: http://deployingradius.com Alan DeKok.
Thnks Alan. The challenge is that it doesn't work although it is all NTLM std. you mention Samba ad NTLM Auth. In our design we don't use Samba because the server which performs auth with the AD is the NPS. Are you suggesting that the FR server needs to have Samaba when doing the MS CHAP v2 proxy to NPS? Our design: 1) Protocol is EAP-TTLS with inner MA CHAP v2 2) FR server authenticate the TLS part 3) FR proxies the MS CHAP Authentication to NPS 4) NPS performs the MS CHAP v2 auth. thnks Sagi -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sbaror wrote:
In our design we don't use Samba because the server which performs auth with the AD is the NPS.
OK.
Are you suggesting that the FR server needs to have Samaba when doing the MS CHAP v2 proxy to NPS?
No.
Our design: 1) Protocol is EAP-TTLS with inner MA CHAP v2 2) FR server authenticate the TLS part 3) FR proxies the MS CHAP Authentication to NPS 4) NPS performs the MS CHAP v2 auth.
Do "divide and conquer" to find the problem: 1) Does EAP-TTLS/MS-CHAP work when you define the user locally in the "users" file? i.e. *not* proxying? 2) does MS-CHAP work when you use "radclient" to send a request from the proxy? (use 2.1.10 for this) 3) Does EAP-TTLS/PAP work when you do proxying to NPS? The system includes a lot of moving parts. Narrow down the problem to the part that's broken. Alan DeKok.
Hi,
Our design: 1) Protocol is EAP-TTLS with inner MA CHAP v2 2) FR server authenticate the TLS part 3) FR proxies the MS CHAP Authentication to NPS 4) NPS performs the MS CHAP v2 auth.
yes, this is feasible note this will break when clients start to check the end of the tunnel is the same (cyptobinding TLV) - this may become common. 1 and 2 will just work with the main outer tunnel and default config 3) you need to configure the EAP and inner tunnel to proxy the request to the remote server - at which point it will be a naked MSCHAPv2 going to the NPS 4) the NPS will do its work...so long as shared secrets are correct, note, theres lots of other bits that need to be right - eg the users entry in the NPS AD needs to be correct - remote dial-in connection enabled. the FR - NPS stuff that you talk about is basic bread and butter stuff. alan
thank you guys for all the help. It still does not work, but I made some progress with the elimination testing. I cannot test PAP with my system. it support TTLS-MS CHAP v2 only. I used a test client (RadEap test) and successfully authenticated using EAP-MS CHAP v2 with the NPS. Also tested successfully PEAP-MS CHAP v2 using Wirelss 802.1x. So my NPS is fine. problem is with it conversation with the FR. I could not test naked MS CHAP v2 becasue i cannot find any system or test client which support it. Maybe the issue lies here. Maybe there is a misunderrstanding between the FR and NPS about the protocol. Do you know if the MS CHAP v2 proxy from FR is naked or supposed to be EAP-MS CHAP v2? The NPS clearly shows it identifies it as naked. Has anyone ever manage to do this split authentication thing, when the FR is doing TLS and then proxy MS CHAP v2 to a non-FR server? Thnks Sagi -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sbaror wrote:
thank you guys for all the help. It still does not work, but I made some progress with the elimination testing. I cannot test PAP with my system. it support TTLS-MS CHAP v2 only. I used a test client (RadEap test) and successfully authenticated using EAP-MS CHAP v2 with the NPS. Also tested successfully PEAP-MS CHAP v2 using Wirelss 802.1x. So my NPS is fine. problem is with it conversation with the FR. I could not test naked MS CHAP v2 becasue i cannot find any system or test client which support it.
There's an MS-CHAPv1 client. You were already told where it was.
Maybe the issue lies here. Maybe there is a misunderrstanding between the FR and NPS about the protocol.
I doubt that.
Do you know if the MS CHAP v2 proxy from FR is naked or supposed to be EAP-MS CHAP v2? The NPS clearly shows it identifies it as naked.
You configured FreeRADIUS to proxy it that way.
Has anyone ever manage to do this split authentication thing, when the FR is doing TLS and then proxy MS CHAP v2 to a non-FR server?
All the time. It works. Alan DeKok.
Alan, if it is working for others it will be probably very easy to the relevant expert to resolve our issue. Can we engage with someone (yourself or someone else) for consulting? Sagi -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
There was one things I think I neglected to mention: we use FR 1.1.7. Quite old. We cannot uograde right now. I found info about some MS CHAP v2 related issue in the older versions of FR, but not the exact same issue I have. Does that ring a bell to you about knwon issues with older versions? Maybe there are avaialble patches instead of upgrading to 2.x? Sagi -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sbaror wrote:
There was one things I think I neglected to mention: we use FR 1.1.7. Quite old. We cannot uograde right now. I found info about some MS CHAP v2 related issue in the older versions of FR, but not the exact same issue I have. Does that ring a bell to you about knwon issues with older versions? Maybe there are avaialble patches instead of upgrading to 2.x?
It may be related to the MS-CHAP patches put into 2.1.10. All I can say is I don't know... IAS is weird. Alan DeKok.
Are the MS CHAP patched available separately to apply on previous versions? -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thank you for all the inputs. I resolved the issue. The root casue was the missing domain name. Although the username is found in the active directory, the domain name must be sent because it is part of the blob and most likley part of the hash (the function is probably LsaLogonUser). if the domain name is not sent than the error on the Domain Controller is pwd incorrect. In my config the username was sent without a domain name. So first I changed the specific realm (nps.com) from strip to nostrip. This send the username with nps.com. than I created a rule in NPS to replace "nps.com" with the right Intel domain. ...and it worked :) The same applies for any other proxy server, not just NPS. Thnks Sagi -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP... Sent from the FreeRadius - User mailing list archive at Nabble.com.
SagiBarOr wrote:
Thank you for the clarification Phil. I am not sure what "radius -x" means.
It's "radiusd -X", not "radius -x". And see "man radiusd" for what it means. Debugging this issue requires basic Unix sysadmin skills. Reading "man" pages should be part of those skills.
I posted the two output files I have. Are these the ones? If not, pls elaborate.
Note that these are the output files for the two FR servers, for which eveything is just fine. What does not work is when the second server is not FR but NPS or ACS. I hope this data will suffice to identify the issue or at least give good leads.
Yes, you've said that already. Everyone here understands that. You need to understand that we are trying to help you, and that you need to follow instructions. If you don't follow instructions, you will not solve the problem. Alan DeKok.
SagiBarOr wrote:
Files posted. The config files of the two FR servers and the sniffer traces of a successul authentcation with FR + FR, vs a failed one with FR + NPS.
Why did you do that? You were told:
Garber, Neal wrote:
Post debug output!
What part of that suggestion is unclear? Alan DeKok.
Sorry Alan. I am not a FR expert. I posted the question to get initial info and guidelines and then see what is required to continue. I am the lead integration engineer of this project. I will hand it over to the relevant expert. Sagi Alan DeKok-2 wrote:
SagiBarOr wrote:
Files posted. The config files of the two FR servers and the sniffer traces of a successul authentcation with FR + FR, vs a failed one with FR + NPS.
Why did you do that? You were told:
Garber, Neal wrote:
Post debug output!
What part of that suggestion is unclear?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p291... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (7)
-
Alan Buxey -
Alan DeKok -
Garber, Neal -
Madsen.Jan JMD -
Phil Mayers -
SagiBarOr -
sbaror