problem with radtest and freeradius 3.0.26
I'm in the process of replacing my old radiusd 3.0.0 server with a newer version of freeradius 3.0.26. I'm having trouble getting radtest to work properly. My environment is: I have an ubuntu 22.04 container running Samba 4.15.13-Ubuntu which is my DC The domain is TESTDOMAIN.COM (TESTDOMAIN) I have an ubuntu 22.04 client running freeradius 3.0.26 It has the Samba 4.15.13-Ubuntu client installed winbind is running on the freeradius server: # ps -ef|grep win root 259 1 0 Jan25 ? 00:00:04 /usr/sbin/winbindd --foreground --no-process-group root 313 259 0 Jan25 ? 00:00:00 winbindd: domain child [RADIUS3-TEST] root 315 259 0 Jan25 ? 00:00:00 winbindd: domain child [TESTDOMAIN] root 327 259 0 Jan25 ? 00:00:00 winbindd: idmap child In mods-available/mschap I have defined: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -- challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDO MAIN.COM}" I can successfully run an ntlm_auth authentication from the freeradius server to the Samba domain: # ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=deang Password: mypassword NT_STATUS_OK: The operation completed successfully. (0x0) However, I'm unable to get radtest to authenticate successfully: # radtest -t mschap deang "mypassword" localhost 0 localsecret Sent Access-Request Id 20 from 0.0.0.0:59459 to 127.0.0.1:1812 length 131 User-Name = "deang" MS-CHAP-Password = "mypassword" NAS-IP-Address = 192.168.5.160 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mypassword" MS-CHAP-Challenge = 0xf550d266d7fbdad0 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261 Received Access-Reject Id 20 from 127.0.0.1:1812 to 127.0.0.1:59459 length 61 MS-CHAP-Error = "\000E=691 R=1 C=0ca03ab284c45180 V=2" (0) -: Expected Access-Accept got Access-Reject Part of the debug log from freeradius -X shows (full log attached): (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:- TESTDOMAIN.COM}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=deang (0) mschap: mschap1: 70 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=705afc537b41679b (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b (0) mschap: ERROR: No NT-Domain was found in the User-Name (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM} (0) mschap: --> --domain=TESTDOMAIN.COM (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> deang (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (mschap: No NT-Domain was found in the User-Name): [deang/<via Auth-Type = mschap>] (from client localhost port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 191 from 127.0.0.1:1812 to 127.0.0.1:56941 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=970a944ede733eb6 V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 191 with timestamp +4 due to cleanup_delay was reached Ready to process requests I've searched for some explanation why the radtest isn't working but I can't find anything related to this particular test. I am attaching the full log if needed. Any help appreciated. thanks - Dean Guenther
Hi Your workung command line was TESTDOMAIN but your FreeRADIUS configuration has TESTDOMAIN.COM On Sun, 28 Jan 2024, 01:32 Dean Guenther, <deanrguenther@gmail.com> wrote:
I'm in the process of replacing my old radiusd 3.0.0 server with a newer version of freeradius 3.0.26.
I'm having trouble getting radtest to work properly. My environment is:
I have an ubuntu 22.04 container running Samba 4.15.13-Ubuntu which is my DC The domain is TESTDOMAIN.COM (TESTDOMAIN)
I have an ubuntu 22.04 client running freeradius 3.0.26 It has the Samba 4.15.13-Ubuntu client installed winbind is running on the freeradius server:
# ps -ef|grep win root 259 1 0 Jan25 ? 00:00:04 /usr/sbin/winbindd --foreground --no-process-group root 313 259 0 Jan25 ? 00:00:00 winbindd: domain child [RADIUS3-TEST] root 315 259 0 Jan25 ? 00:00:00 winbindd: domain child [TESTDOMAIN] root 327 259 0 Jan25 ? 00:00:00 winbindd: idmap child
In mods-available/mschap I have defined:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -- challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDO MAIN.COM}"
I can successfully run an ntlm_auth authentication from the freeradius server to the Samba domain:
# ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=deang Password: mypassword NT_STATUS_OK: The operation completed successfully. (0x0)
However, I'm unable to get radtest to authenticate successfully:
# radtest -t mschap deang "mypassword" localhost 0 localsecret Sent Access-Request Id 20 from 0.0.0.0:59459 to 127.0.0.1:1812 length 131 User-Name = "deang" MS-CHAP-Password = "mypassword" NAS-IP-Address = 192.168.5.160 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mypassword" MS-CHAP-Challenge = 0xf550d266d7fbdad0 MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261 Received Access-Reject Id 20 from 127.0.0.1:1812 to 127.0.0.1:59459 length 61 MS-CHAP-Error = "\000E=691 R=1 C=0ca03ab284c45180 V=2" (0) -: Expected Access-Accept got Access-Reject
Part of the debug log from freeradius -X shows (full log attached):
(0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:- TESTDOMAIN.COM}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=deang (0) mschap: mschap1: 70 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=705afc537b41679b (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b (0) mschap: ERROR: No NT-Domain was found in the User-Name (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM} (0) mschap: --> --domain=TESTDOMAIN.COM (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> deang (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (mschap: No NT-Domain was found in the User-Name): [deang/<via Auth-Type = mschap>] (from client localhost port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 191 from 127.0.0.1:1812 to 127.0.0.1:56941 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=970a944ede733eb6 V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 191 with timestamp +4 due to cleanup_delay was reached Ready to process requests
I've searched for some explanation why the radtest isn't working but I can't find anything related to this particular test.
I am attaching the full log if needed.
Any help appreciated.
thanks - Dean Guenther - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, The "TESTDOMAIN" is the workgroup specification in the Samba smb.conf. And " TESTDOMAIN.COM" is the realm in the smb.conf. If I use TESTDOMAIN in the mschap file's ntlm_auth specification then run radtest it fails. And using TESTDOMAIN while running ntlm_auth from the command line succeeds. And if I use TESTDOMAIN.COM in the mschap file's ntlm_auth specification then radtest still fails. And using TESTDOMAIN.COM while running ntlm_auth from the command line succeeds. What else should I be looking at? - Dean On Sun, Jan 28, 2024 at 5:43 AM Alan Buxey <alan.buxey@gmail.com> wrote:
Hi
Your workung command line was TESTDOMAIN but your FreeRADIUS configuration has TESTDOMAIN.COM
On Sun, 28 Jan 2024, 01:32 Dean Guenther, <deanrguenther@gmail.com> wrote:
I'm in the process of replacing my old radiusd 3.0.0 server with a newer version of freeradius 3.0.26.
I'm having trouble getting radtest to work properly. My environment is:
I have an ubuntu 22.04 container running Samba 4.15.13-Ubuntu which is my DC The domain is TESTDOMAIN.COM (TESTDOMAIN)
I have an ubuntu 22.04 client running freeradius 3.0.26 It has the Samba 4.15.13-Ubuntu client installed winbind is running on the freeradius server:
# ps -ef|grep win root 259 1 0 Jan25 ? 00:00:04 /usr/sbin/winbindd --foreground --no-process-group root 313 259 0 Jan25 ? 00:00:00 winbindd: domain child [RADIUS3-TEST] root 315 259 0 Jan25 ? 00:00:00 winbindd: domain child [TESTDOMAIN] root 327 259 0 Jan25 ? 00:00:00 winbindd: idmap child
In mods-available/mschap I have defined:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -- challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDO MAIN.COM}"
I can successfully run an ntlm_auth authentication from the freeradius server to the Samba domain:
# ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=deang Password: mypassword NT_STATUS_OK: The operation completed successfully. (0x0)
However, I'm unable to get radtest to authenticate successfully:
# radtest -t mschap deang "mypassword" localhost 0 localsecret Sent Access-Request Id 20 from 0.0.0.0:59459 to 127.0.0.1:1812 length 131 User-Name = "deang" MS-CHAP-Password = "mypassword" NAS-IP-Address = 192.168.5.160 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "mypassword" MS-CHAP-Challenge = 0xf550d266d7fbdad0 MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261
Received Access-Reject Id 20 from 127.0.0.1:1812 to 127.0.0.1:59459 length 61 MS-CHAP-Error = "\000E=691 R=1 C=0ca03ab284c45180 V=2" (0) -: Expected Access-Accept got Access-Reject
Part of the debug log from freeradius -X shows (full log attached):
(0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:- TESTDOMAIN.COM}: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=deang (0) mschap: mschap1: 70 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=705afc537b41679b (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b (0) mschap: ERROR: No NT-Domain was found in the User-Name (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM} (0) mschap: --> --domain=TESTDOMAIN.COM (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> deang (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (mschap: No NT-Domain was found in the User-Name): [deang/<via Auth-Type = mschap>] (from client localhost port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 191 from 127.0.0.1:1812 to 127.0.0.1:56941 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=970a944ede733eb6 V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 191 with timestamp +4 due to cleanup_delay was reached Ready to process requests
I've searched for some explanation why the radtest isn't working but I can't find anything related to this particular test.
I am attaching the full log if needed.
Any help appreciated.
thanks - Dean Guenther - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 29, 2024, at 1:33 PM, Dean Guenther <deanrguenther@gmail.com> wrote:
The "TESTDOMAIN" is the workgroup specification in the Samba smb.conf. And " TESTDOMAIN.COM" is the realm in the smb.conf.
If I use TESTDOMAIN in the mschap file's ntlm_auth specification then run radtest it fails. And using TESTDOMAIN while running ntlm_auth from the command line succeeds.
And if I use TESTDOMAIN.COM in the mschap file's ntlm_auth specification then radtest still fails. And using TESTDOMAIN.COM while running ntlm_auth from the command line succeeds.
It's good to test all options, but there is a lot more information there than "it succeeds" or "it fails". The issue is also that "running ntlm_auth from the command line" is testing ntlm_auth with passwords, not with the MS-CHAP data. So it's not really the same test.
What else should I be looking at?
The debug output. You can't debug the server by looking at the raddest output. The server debug output will tell you WHY it fails, and WHAT is failing. The MS-CHAP calculations depend on both the password and the user name which is entered. The client system (e.g. Windows) does the MS-CHAP calculations, and hands the result to FreeRADIUS. FreeRADIUS then takes that, and hands it to Windows. So if it fails, then the issue is almost always outside of FreeRADIUS. I've put some updated documentation into the mschap module: https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-avail... Try the instructions there for debugging it. That should help. Alan DeKok.
Hi Alan, I've followed your suggestion on debugging. I still am unable to get a successful authentication. I can see "what" is failing, (the autentication). But I don't see the "why". So I went back to your mschap documentation to ensure I have things setup properly. Let me review that first. I think it is setup correctly. 1) I am running freeradius 3.0.26 on an ubuntu 22.04 host. I have installed Samba 4.15.13-Ubuntu client. My DC is another ubuntu 22.04 host with Samba 4.15.13-Ubuntu server installed. The config says server role = active directory domain controller 2) On the freeradius server, which is a Samba 4.15.13-Ubuntu client (not server) in the smb.conf I added: 3) On the freeradius server I have run wbinfo -a deang and verified that the password for deang is good. 4) I also ran ntlm_auth --username=deang --password=******* --domain=TESTDOMAIN and that works. I also did ntlm_auth --username=deang --password=******* without the --domain and that also works. NOTE: per your explanation I now understand that this execution does not actually call mschap 5) My endgame is I want to authenticate a wireless access point through this freeradius server. But when I couldn't get that to initially work is when I decided to try radtest. So now my most recent test is going through the access point which uses WPA2 Enterprise. 6) It asks for the name and password. 7) In the freeradius log (attached) it shows that it successfully passes the username "deang" to mschap. 8) But then it says it (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' 9) In your new mschap documentation it mentioned trying ntlm_auth from the command line using the mschap:Challenge and mschap:NT-Response. I couldn't get that to work. Not sure what I entered wrong here: # ntlm_auth --request-nt-key --allow-mschapv2 --username=deang --challenge=878e648b0127ef34 --nt-response=cea5231c4fe1a9d111433e9473010416e8ca426578904d35 --domain=TESTDOMAIN The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) 10) in the mschap documentation it says another option is to comment out ntlm_auth and uncomment "winbind_username" and "winbind_domain" in mschap. I tried this but it still failed. I did not include a log of that attempt. One more question, so I can learn more about this process. The password is never shown in the mschap debug log. Is the password when entered on the wireless access point somehow hashed into a combination of the challenge and nt-response? Just trying to understand how they fit together. Thanks Alan - Dean Guenthr On Mon, Jan 29, 2024 at 11:31 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 29, 2024, at 1:33 PM, Dean Guenther <deanrguenther@gmail.com> wrote:
The "TESTDOMAIN" is the workgroup specification in the Samba smb.conf. And " TESTDOMAIN.COM" is the realm in the smb.conf.
If I use TESTDOMAIN in the mschap file's ntlm_auth specification then run radtest it fails. And using TESTDOMAIN while running ntlm_auth from the command line succeeds.
And if I use TESTDOMAIN.COM in the mschap file's ntlm_auth specification then radtest still fails. And using TESTDOMAIN.COM while running ntlm_auth from the command line succeeds.
It's good to test all options, but there is a lot more information there than "it succeeds" or "it fails".
The issue is also that "running ntlm_auth from the command line" is testing ntlm_auth with passwords, not with the MS-CHAP data. So it's not really the same test.
What else should I be looking at?
The debug output.
You can't debug the server by looking at the raddest output.
The server debug output will tell you WHY it fails, and WHAT is failing.
The MS-CHAP calculations depend on both the password and the user name which is entered. The client system (e.g. Windows) does the MS-CHAP calculations, and hands the result to FreeRADIUS. FreeRADIUS then takes that, and hands it to Windows.
So if it fails, then the issue is almost always outside of FreeRADIUS.
I've put some updated documentation into the mschap module: https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-avail...
Try the instructions there for debugging it. That should help.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 30, 2024, at 10:11 PM, Dean Guenther <deanrguenther@gmail.com> wrote:
I've followed your suggestion on debugging. I still am unable to get a successful authentication. I can see "what" is failing, (the autentication). But I don't see the "why".
The "why" is buried somewhere in a log file in Active Directory. Pretty much the only thing it's returning to FreeRADIUS is "failed".
4) I also ran ntlm_auth --username=deang --password=******* --domain=TESTDOMAIN and that works. I also did ntlm_auth --username=deang --password=******* without the --domain and that also works. NOTE: per your explanation I now understand that this execution does not actually call mschap
Yes. You can *also* run radtest, and tell it to send MS-CHAP data to the server. i.e. you give radtest a clear-text password, and it does the MS-CHAP calculations for you. That should work. If it doesn't, then something weird is going on. If it does work, then you know that the other device creating the MS-CHAP data is doing it wrong. And so the only way to fix it is to fix the other device.
5) My endgame is I want to authenticate a wireless access point through this freeradius server. But when I couldn't get that to initially work is when I decided to try radtest. So now my most recent test is going through the access point which uses WPA2 Enterprise. 6) It asks for the name and password. 7) In the freeradius log (attached) it shows that it successfully passes the username "deang" to mschap. 8) But then it says it (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
Because Active Directory doesn't like "something" about the MS-CHAP data. What doesn't it like? No idea. That information is buried in the Active Directory logs.
9) In your new mschap documentation it mentioned trying ntlm_auth from the command line using the mschap:Challenge and mschap:NT-Response. I couldn't get that to work. Not sure what I entered wrong here: # ntlm_auth --request-nt-key --allow-mschapv2 --username=deang --challenge=878e648b0127ef34
--nt-response=cea5231c4fe1a9d111433e9473010416e8ca426578904d35 --domain=TESTDOMAIN The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
The challenge is a random field. The nt-response is calculated from a hash of the username and challenge. So the point is to test small variations of the username to see what works. i.e. the other device may be doing the MS-CHAP calculations with username "deang@testdomain", but then instead of sending that to FreeRADIUS, sends a username of "deang". But still sends the MS-CHAP data calculated with "deang@testdomain". So it will *never* work. The purpose of running ntlm_auth from the command line is to see if the device sent you one format for the username, but secretly calculated the MS-CHAP data with a different username, So try different variations of the username, and maybe one will work.
10) in the mschap documentation it says another option is to comment out ntlm_auth and uncomment "winbind_username" and "winbind_domain" in mschap. I tried this but it still failed. I did not include a log of that attempt.
That won't work if the MS-CHAP data sent by the device is wrong.
One more question, so I can learn more about this process. The password is never shown in the mschap debug log. Is the password when entered on the wireless access point somehow hashed into a combination of the challenge and nt-response? Just trying to understand how they fit together.
Yes. My $0.02 is to try radtest: $ radtest -t mschap deang my-password localhost And then also different variations of the username... $ radtest -t mschap deang@testdomain.com my-password localhost My guess is that one of them will work. If not, then something in your local changes are mangling the username and/or the MS-CHAP data. Most people get this working pretty quickly. So either the device is broken, or your local RADIUS configuration is broken. There isn't much else which can go wrong. If this is still a mystery after a few more tests, then it's time to start over. Wipe the entire configuration, and start with the default configuration. Then, follow my Active Directory guide: http://deployingradius.com/documents/configuration/active_directory.html It has a step-by-step approach. It works. Alan DeKok.
Hi Alan, I appreciate all your help. Its working now. I turned on debugging on the Samba server and was able to see that the problem was that Samba was being sent an NTLMv1 request from freeradius, which by default is not accepted in Samba now. I went back to the freeradius server and used wbinfo to send the request and sure enough it worked because wbinfo was sending an NTLMv2 request. Then I saw somewhere that somebody mentioned to put the following global option in the Samba smb.conf file on the client, the freeradius server: ntlm auth = mschapv2-and-ntlmv2-only And sure enough, its working. I assume the freeradius server is now sending NTLMv2 requests and everything is happy. Again, I really appreciate your help in working through this. - Dean Guenther On Wed, Jan 31, 2024 at 4:15 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 30, 2024, at 10:11 PM, Dean Guenther <deanrguenther@gmail.com> wrote:
I've followed your suggestion on debugging. I still am unable to get a successful authentication. I can see "what" is failing, (the autentication). But I don't see the "why".
The "why" is buried somewhere in a log file in Active Directory. Pretty much the only thing it's returning to FreeRADIUS is "failed".
4) I also ran ntlm_auth --username=deang --password=******* --domain=TESTDOMAIN and that works. I also did ntlm_auth --username=deang --password=******* without the --domain and that also works. NOTE: per your explanation I now understand that this execution does not actually call mschap
Yes.
You can *also* run radtest, and tell it to send MS-CHAP data to the server. i.e. you give radtest a clear-text password, and it does the MS-CHAP calculations for you.
That should work. If it doesn't, then something weird is going on.
If it does work, then you know that the other device creating the MS-CHAP data is doing it wrong. And so the only way to fix it is to fix the other device.
5) My endgame is I want to authenticate a wireless access point through this freeradius server. But when I couldn't get that to initially work is when I decided to try radtest. So now my most recent test is going through the access point which uses WPA2 Enterprise. 6) It asks for the name and password. 7) In the freeradius log (attached) it shows that it successfully passes the username "deang" to mschap. 8) But then it says it (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
Because Active Directory doesn't like "something" about the MS-CHAP data.
What doesn't it like? No idea. That information is buried in the Active Directory logs.
9) In your new mschap documentation it mentioned trying ntlm_auth from the command line using the mschap:Challenge and mschap:NT-Response. I couldn't get that to work. Not sure what I entered wrong here: # ntlm_auth --request-nt-key --allow-mschapv2 --username=deang --challenge=878e648b0127ef34
--nt-response=cea5231c4fe1a9d111433e9473010416e8ca426578904d35 --domain=TESTDOMAIN The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
The challenge is a random field. The nt-response is calculated from a hash of the username and challenge. So the point is to test small variations of the username to see what works.
i.e. the other device may be doing the MS-CHAP calculations with username "deang@testdomain", but then instead of sending that to FreeRADIUS, sends a username of "deang". But still sends the MS-CHAP data calculated with "deang@testdomain".
So it will *never* work.
The purpose of running ntlm_auth from the command line is to see if the device sent you one format for the username, but secretly calculated the MS-CHAP data with a different username, So try different variations of the username, and maybe one will work.
10) in the mschap documentation it says another option is to comment out ntlm_auth and uncomment "winbind_username" and "winbind_domain" in mschap. I tried this but it still failed. I did not include a log of that attempt.
That won't work if the MS-CHAP data sent by the device is wrong.
One more question, so I can learn more about this process. The password is never shown in the mschap debug log. Is the password when entered on the wireless access point somehow hashed into a combination of the challenge and nt-response? Just trying to understand how they fit together.
Yes.
My $0.02 is to try radtest:
$ radtest -t mschap deang my-password localhost
And then also different variations of the username...
$ radtest -t mschap deang@testdomain.com my-password localhost
My guess is that one of them will work. If not, then something in your local changes are mangling the username and/or the MS-CHAP data.
Most people get this working pretty quickly. So either the device is broken, or your local RADIUS configuration is broken. There isn't much else which can go wrong.
If this is still a mystery after a few more tests, then it's time to start over. Wipe the entire configuration, and start with the default configuration.
Then, follow my Active Directory guide: http://deployingradius.com/documents/configuration/active_directory.html
It has a step-by-step approach. It works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 01/02/2024 20:16, Dean Guenther wrote:
I turned on debugging on the Samba server and was able to see that the problem was that Samba was being sent an NTLMv1 request from freeradius, which by default is not accepted in Samba now. ... Then I saw somewhere that somebody mentioned to put the following global option in the Samba smb.conf file on the client, the freeradius server:
ntlm auth = mschapv2-and-ntlmv2-only
This is specifically mentioned in the mods-enabled/mschap configuration, right above the ntlm_auth command line, so that people see they need to do it.
And sure enough, its working. I assume the freeradius server is now sending NTLMv2 requests and everything is happy.
No, it's sending NTLMv1, which is a direct conversion from MSCHAPv2. AD (and Samba) finally disabled it by default because it's insecure. You have to re-enable it because this is the only way that MSCHAPv2 auth can work. Good to hear you got it working anyway. -- Matthew
participants (4)
-
Alan Buxey -
Alan DeKok -
Dean Guenther -
Matthew Newton