hi, my configuration: radius 2.X , win 2003 AD, domain: TEST, 802.1x I have a problem: If the pc is in the domain(TEST) it can authenticate good. If it is not in domain it can't auth, it is good, BUT when i set the computer name to TEST and it is not in the domain(simple workgroup) it CAN authenticate. I use ntml_auth for the authentigation. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" How can I fix this risk? What are the solutions?
my configuration: radius 2.X , win 2003 AD, domain: TEST, 802.1x
I have a problem:
If the pc is in the domain(TEST) it can authenticate good. If it is not in domain it can't auth, it is good, BUT when i set the computer name to TEST and it is not in the domain(simple workgroup) it CAN authenticate. I use ntml_auth for the authentigation. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Debug (radiusd -X). Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
my configuration: radius 2.X , win 2003 AD, domain: TEST, 802.1x
I have a problem:
If the pc is in the domain(TEST) it can authenticate good. If it is not in domain it can't auth, it is good, BUT when i set the computer name to TEST and it is not in the domain(simple workgroup) it CAN authenticate. I use ntml_auth for the authentigation. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Debug (radiusd -X).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
here is the debug: (user-test- who is not in domain but his computer name is TEST authenticate successfully) rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=234, length=246 NAS-IP-Address = 192.168.3.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "TEST\\test" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xb4d9bca1b3d1a56aa83deffb03301769 EAP-Message = 0x020800561900170301004b70414bb754d5972dbf56e05aebf049af1a0ab69f67432122002d22c83e316d653444c9d47e3354733ecfc7d96cbcfd9d6d2df91f812c48cce9c300d9e9ffb09ea87d05f76fda12dab39168 Message-Authenticator = 0x6ed87b7fe86db42fcae2b6f15124f8ce +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 86 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d00000000000000002b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374 server (null) { PEAP: Setting User-Name to TEST\test Sending tunneled request EAP-Message = 0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d00000000000000002b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TEST\\test" State = 0xaa9b924faa9388a2f1432c8ee6fbd40f server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "TEST\test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for test with NT-Password [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=TEST [mschap] expand: --username=%{mschap:User-Name} -> --username=test [mschap] mschap2: 10 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5 Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6 Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaa9b924fab9288a2f1432c8ee6fbd40f [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaa9b924fab9288a2f1432c8ee6fbd40f [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 234 to 192.168.1.1 port 1812 EAP-Message = 0x0109004a1900170301003fe817a2e6b0a4c4309346367a44095fe7ea9742736898483f2080549951d5e2dc4151f7712ecfd5fdba90332c0f4b89db1a23b16a6a991044146b6fb344809e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4d9bca1bcd0a56aa83deffb03301769 Finished request 29. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=235, length=189 NAS-IP-Address = 192.168.3.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "TEST\\test" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xb4d9bca1bcd0a56aa83deffb03301769 EAP-Message = 0x0209001d1900170301001230e9ce1a3503f108ecd90427705c68e280ac Message-Authenticator = 0x463b0d4785d32b7bf4986bf6dec88485 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x020900061a03 server (null) { PEAP: Setting User-Name to TEST\test Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "TEST\\test" State = 0xaa9b924fab9288a2f1432c8ee6fbd40f server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "TEST\test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [TEST\\test/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "TEST\test" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "TEST\test" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 235 to 192.168.1.1 port 1812 EAP-Message = 0x010a00261900170301001b8c55c76f0d24fb92434676d72046739ed84941fe26a30c82e5bdda Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4d9bca1bdd3a56aa83deffb03301769 Finished request 30. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=236, length=198 NAS-IP-Address = 192.168.3.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = "TEST\\test" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xb4d9bca1bdd3a56aa83deffb03301769 EAP-Message = 0x020a00261900170301001bd24263fc9ac1eef3d671fa747f746186131d8853b3a2b6012ad712 Message-Authenticator = 0x9139df60acb7037efc1fbd2e563f570a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok Login OK: [TEST\\test/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 236 to 192.168.1.1 port 1812 User-Name = "TEST\test" MS-MPPE-Recv-Key = 0xab1fd2c591043fac4eb5c0ea15494ea129152fcda9169b260ce76c97d1190310 MS-MPPE-Send-Key = 0x4509bdc4294e7fe6cf1ea584080c5a3710093b96e74b7880217272a1ce9ee17b EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 31.
participants (2)
-
Hegedus Gabor -
tnt@kalik.net