mschap with ntlm_auth and Active Directory
I am trying to setup freeRadius to process requests from our Wireless Controller. The controller uses the wireless devices MAC address as the username, and a predefined password. These MAC addresses all excist in Active Directory as user accounts, with the same password set. This works fine with our current Windows 2003 Server but Im trying to get it going with FreeRadius. the mschap module line in MSCHAP for ntlm_auth is as such: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" the ntlm_auth module itself contains: program = "/usr/bin/ntlm_auth --request-nt-key --domain=MY.ACTUAL.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" I havent changed anything to the users file except adding in a test local user as part of the initial FreeRadius install guide, and uncommenting the DEFAULT Auth-Type = ntlm_auth line for using the following to test: root@FREERADIUS:/etc/freeradius# radtest localhost 0 sharedsecret which seems to work: rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=217, length=20 but when I set the Wireless controller to point to the FreeRadius server, this is the debug log: ----start---- rad_recv: Access-Request packet from host 10.0.9.101 port 32987, id=83, length=163 User-Name = "001E52805980" MS-CHAP-Challenge = 0x86acd2fc97136970 MS-CHAP-Response = 0x33013cd70c5db14d0ff0ba01097baeee613883c7711e96028461bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662 NAS-IP-Address = 0.0.0.0 NAS-Port = 0 NAS-Port-Type = Wireless-Other NAS-Identifier = "redlan1" Calling-Station-Id = "001E52805980" Called-Station-Id = "001F457E67A8" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "001E52805980", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=001E52805980 [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} -> --domain=MY.ACTUAL.DOMAIN [mschap] mschap1: 86 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86acd2fc97136970 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 001E52805980 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request ----END---- Hoping somone can point me in the right direction of where I might have messed up, or what further readiing I might need to do? Many Thanks Robert -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschap-with-ntlm-auth-and-Active-Dir... Sent from the FreeRadius - User mailing list archive at Nabble.com.
robert22 wrote:
I am trying to setup freeRadius to process requests from our Wireless Controller. The controller uses the wireless devices MAC address as the username, and a predefined password. These MAC addresses all excist in Active Directory as user accounts, with the same password set. This works fine with our current Windows 2003 Server but Im trying to get it going with FreeRadius.
See the Wikie for "Active Directory". This is documented.
but when I set the Wireless controller to point to the FreeRadius server, this is the debug log: ... Hoping somone can point me in the right direction of where I might have messed up, or what further readiing I might need to do?
Read eap.conf, and look for the comments on Samba. You may need to upgrade Samba. Alan DeKok.
Hi,
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MY.ACTUAL.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
I havent changed anything to the users file except adding in a test local user as part of the initial FreeRadius install guide, and uncommenting the DEFAULT Auth-Type = ntlm_auth line for using the following to test:
root@FREERADIUS:/etc/freeradius# radtest localhost 0 sharedsecret
which seems to work:
..and what about when you run the appropriate ntlm_auth command directly on the command line too? alan
Alan Buxey wrote:
Hi,
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MY.ACTUAL.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
I havent changed anything to the users file except adding in a test local user as part of the initial FreeRadius install guide, and uncommenting the DEFAULT Auth-Type = ntlm_auth line for using the following to test:
root@FREERADIUS:/etc/freeradius# radtest localhost 0 sharedsecret
which seems to work:
..and what about when you run the appropriate ntlm_auth command directly on the command line too?
alan
Sorry I should have included that in my original post. That all authenticates fine from the command line too. Im using Samba version 3.5.4 and FreeRADIUS Version 2.1.9 on Ubuntu 10.10. I fololowed the wiki and documentation pages to get this far, but Im just triple checking all the confs now to make sure I havent missed anything. -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschap-with-ntlm-auth-and-Active-Dir... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=001E52805980 [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} -> --domain=MY.ACTUAL.DOMAIN [mschap] mschap1: 86 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86acd2fc97136970 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user.
First things first. When you run this on the command line, what exactly do you get? ntlm_auth --request-nt-key \ --username=001E52805980 \ --domain=MY.ACTUAL.DOMAIN \ --challenge=86acd2fc97136970 \ --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662 (You may need to run FreeRADIUS in debug mode, observe another failure, and then copy the challenge and response values from that *recent* failure in there for this to work. I don't know what the lifetime is on those values. Using the ones from hours ago may not work.) Second question is, is "request-nt-key" appropriate in this case? I only ask because I've only ever used ntlm_auth to authenticate Windows hosts directly. In this case, the wireless controller is doing the authentication, and the wireless controller is not a Windows box. Sure, it's using a set of credentials in AD, but that's not exactly the same. The *Windows* box is not doing the authentication. The *controller* is. --J
I am trying to setup freeRadius to process requests from our Wireless Controller. The controller uses the wireless devices MAC address as the username, and a predefined password. These MAC addresses all excist in Active Directory as user accounts, with the same password set. This works fine with our current Windows 2003 Server but Im trying to get it going with FreeRadius.
the mschap module line in MSCHAP for ntlm_auth is as such: ...
I forgot to mention: Also check that winbind is working like this: wbinfo --all-domains If you don't see a list of all valid NT-style domains, winbind is broken and you'll have to fix that first. --J
McNutt, Justin M. wrote:
Also check that winbind is working like this:
wbinfo --all-domains
If you don't see a list of all valid NT-style domains, winbind is broken and you'll have to fix that first.
that command displays all the domains correctly. However, running the ntlm_auth command with the challange and response gives a "Logon failure (0xc000006d)" root@FREERADIUS:~# ntlm_auth --request-nt-key --username=0024D6650564 --domain=MY.ACTUAL.DOMAIN --challenge=9034daf90ecd43a3 --nt-response=cd206503887edb3e33ac801d348cd30a7aefa411651be9d0 Logon failure (0xc000006d) I have also upgraded to 3.5.7 samba as well. I have no idea about the --request-nt-key to be honest, that was just part of the wiki/documentation I followed... -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschap-with-ntlm-auth-and-Active-Dir... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 03/03/2011 11:07 PM, robert22 wrote:
McNutt, Justin M. wrote:
Also check that winbind is working like this:
wbinfo --all-domains
If you don't see a list of all valid NT-style domains, winbind is broken and you'll have to fix that first.
that command displays all the domains correctly.
However, running the ntlm_auth command with the challange and response gives a "Logon failure (0xc000006d)"
root@FREERADIUS:~# ntlm_auth --request-nt-key --username=0024D6650564 --domain=MY.ACTUAL.DOMAIN --challenge=9034daf90ecd43a3 --nt-response=cd206503887edb3e33ac801d348cd30a7aefa411651be9d0 Logon failure (0xc000006d)
Well, that's pretty clear. The response is not valid, meaning that either the password is wrong somewhere, or samba is corrupting things (which has happened in some buggy versions) Are you sure the mschap client is using the right password, and matches the password in the domain? Can you do a plaintext auth with the password you expect it to be? ntlm_auth --username=<themac> --password=<the value>
Phil Mayers wrote:
Are you sure the mschap client is using the right password, and matches the password in the domain?
Can you do a plaintext auth with the password you expect it to be?
ntlm_auth --username= --password=
Works fine with plaintext auth: root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) The password Pa$$w0rd is set in the Wireless Controller, if thats what you mean by mschap client? Is there a tool I can use to test this with that will send mschap challanges etc to the freeradius, rather than using the wireless controller? someone recommended NTRadPing but I cant seem to set it to send the mschap challenges? If I posted up my confs, would someone be willing to take a look at them? Thanks -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschap-with-ntlm-auth-and-Active-Dir... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Interestingly, when I launch freeradius -X for debug mode, I see the following in the startup info: ... home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no ... Is this secret what is being used by the freeradius?? As I have no idea where this is coming from as I have replaced all instances of the "testing123" in all of the configs I can find with the actual shared secret. Could this be what my problem is? -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschap-with-ntlm-auth-and-Active-Dir... Sent from the FreeRadius - User mailing list archive at Nabble.com.
robert22 wrote:
Interestingly, when I launch freeradius -X for debug mode, I see the following in the startup info: ... Is this secret what is being used by the freeradius?? As I have no idea where this is coming from as I have replaced all instances of the "testing123" in all of the configs I can find with the actual shared secret. Could this be what my problem is?
Read the debug log. It shows which files it is loading. Then, look in those files for "home_server localhost". It's probably raddb/proxy.conf. It shouldn't be hard to find. Alan DeKok.
Hi,
home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no ...
Is this secret what is being used by the freeradius?? As I have no idea where this is coming from as I have replaced all instances of the "testing123" in all of the configs I can find with the actual shared secret. Could this be what my problem is?
thats from proxy.conf - its the default entry which you can use with eg 'radtest' direct on command line to talk to localhost alan
On 03/04/2011 01:32 AM, robert22 wrote:
Phil Mayers wrote:
Are you sure the mschap client is using the right password, and matches the password in the domain?
Can you do a plaintext auth with the password you expect it to be?
ntlm_auth --username= --password=
Works fine with plaintext auth:
Ok
root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0)
The password Pa$$w0rd is set in the Wireless Controller, if thats what you mean by mschap client?
I do. Since the password in the domain is definitely right, and winbind appears to be working, I'd have to guess the password in the wireless controller is wrong somehow, but that seems unlikely to be something you'd have missed.
Is there a tool I can use to test this with that will send mschap challanges etc to the freeradius, rather than using the wireless controller? someone
Under recent versions of FreeRadius, "radtest" can do it. If you can't upgrade the version on the server, perhaps install a newer copy on a separate machine.
root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0)
The password Pa$$w0rd is set in the Wireless Controller, if thats what you mean by mschap client?
May I suggest two things: 1) I'm assuming that the password is not actually 'Pa$$w0rd', but that string reminds me that certain special characters - the dollar sign is a notable one - are not always handled correctly in password strings. Even if FreeRADIUS is handling it correctly, AD may not, and the wireless controller may not. I suggest setting the password to something simpler. If your password policy requires special characters, use dash, equals, underscore, or dot. I have used passwords with these characters successfully when authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2 to AD via ntlm_auth. (Same chain as you.) 2) Even if you are confident that your real password's characters are not a problem, re-enter it on the wireless controller, MANUALLY. You may have accidentally entered an unprintable character or a space or some similar thing that causes the password to APPEAR to be correct, when in fact it doesn't match. --J
participants (5)
-
Alan Buxey -
Alan DeKok -
McNutt, Justin M. -
Phil Mayers -
robert22