radtest passes test, phone connects to WiFi, but laptop does not
I am a FreeRADIUS newbie but have read a lot (maybe too much - One gripe is that much of the forums on the internet does not clearly list a FreeRADIUS version). I set FreeRADIUS 3 times (test network - FR 2.1 on Ubuntu 14.04, test network - FR 3.0.12 on upgraded Ubuntu 16.04, and prod network - FR 3.0.12 on Ubuntu 16.04) but still could have missed some little important step. I have FreeRADIUS 3.0.12 set up on an Ubuntu 16.04 box. I believe that I have most everything working (except maybe sql). I have an AD forest with 1 domain (fbcexample.com) and 3 child domains (hac.fbcexample.com, cbs.fbcexample.com, and hac.fbcexample.com). I created 4 named mschap modules so that I could hard code the --domain property in each one. I can successfully rad test from each of my 4 domains against it including group membership. Then I setup a test SSID on my aruba controller. I can connect via my android phone (with just username & pass), but connecting a laptop to is not working (it appears that it is sending domain as a part of username). It seems that there is more security stuff going on when the laptop connects; maybe I don't have MSCHAPv2 configured right? Something broken in realms? When the Win 10 x64 laptop connects, radius -X first shows that it is trying to connect via computer name. Then a box pops up asking for username and password with a checkmark for 'Use my Windows user account", I choose and continue. Radius -X shows that several more requests are made and then windows sows 'Can't connect to this network'. Any suggestions on where my problem is? I created the CA and server certs and have believe them to be correctly installed. But not sure that this has anything to do with the problem descripted above. Examples of the code that I am running. I included a pastebin for the 3000 lines of radius -X output. WORKING RADTEST LINE radtest -t mschap daniel.radius passw0rd 127.0.0.1 0 testing123 ABBREVIATED MSCHAP MODULE mschap mschap_fbc { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi'" . . . } DEFAULT SITE AUTHENICATE SECTION authenticate { . . . # MSCHAP authentication. Auth-Type MS-CHAP { mschap_fbc { reject = 2 } if (reject){ mschap_hac reject = 2 } if (reject){ mschap_hbs reject = 2 } if (reject){ mschap_cbs reject = 2 } } . . . } Small part of the Radius -X WHEN CONNECTING WITH LAPTOP, all 3000+ lines are in pastebin below (16) mschap_fbc: Creating challenge hash with username: daniel.radius (16) mschap_fbc: Client is using MS-CHAPv2 (16) mschap_fbc: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi': (16) mschap_fbc: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (16) mschap_fbc: --> --username=FBCEXAMPLE\\daniel.radius (16) mschap_fbc: Creating challenge hash with username: daniel.radius (16) mschap_fbc: EXPAND --challenge=%{%{mschap_fbc:Challenge}:-00} (16) mschap_fbc: --> --challenge=63abafd041820bf2 (16) mschap_fbc: EXPAND --nt-response=%{%{mschap_fbc:NT-Response}:-00} (16) mschap_fbc: --> --nt-response=6bdebf5ac39680b7070c457fefacbdc1596103429c14eb64 (16) mschap_fbc: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (16) mschap_fbc: External script failed (16) mschap_fbc: ERROR: External script says: Logon failure (0xc000006d) (16) mschap_fbc: ERROR: MS-CHAP2-Response is incorrect Full output of Radius -X output when laptop trys to connect http://pastebin.com/TJpYVYnK Daniel W
On Nov 2, 2016, at 2:48 PM, Daniel Wruck <daniel.wruck@fbchammond.com> wrote:
I have FreeRADIUS 3.0.12 set up on an Ubuntu 16.04 box. I believe that I have most everything working (except maybe sql). I have an AD forest with 1 domain (fbcexample.com) and 3 child domains (hac.fbcexample.com, cbs.fbcexample.com, and hac.fbcexample.com). I created 4 named mschap modules so that I could hard code the --domain property in each one.
That's not a good idea.
I can successfully rad test from each of my 4 domains against it including group membership.
Those domains should all be part of one AD forest. i.e. they are NOT 4 different AD servers. They are one server, with 4 domains.
Then I setup a test SSID on my aruba controller. I can connect via my android phone (with just username & pass), but connecting a laptop to is not working (it appears that it is sending domain as a part of username). It seems that there is more security stuff going on when the laptop connects; maybe I don't have MSCHAPv2 configured right? Something broken in realms?
The recommendation as always is to start simple, and then once it works, add something else. Starting with a complex configuration is a guaranteed way to never get it working.
When the Win 10 x64 laptop connects, radius -X first shows that it is trying to connect via computer name. Then a box pops up asking for username and password with a checkmark for 'Use my Windows user account", I choose and continue. Radius -X shows that several more requests are made and then windows sows 'Can't connect to this network'. Any suggestions on where my problem is?
Start with a simple configuration. One domain, and see if it works. This should be simple: http://deployingradius.com/documents/configuration/active_directory.html
I created the CA and server certs and have believe them to be correctly installed. But not sure that this has anything to do with the problem descripted above.
Probably not.
Examples of the code that I am running. I included a pastebin for the 3000 lines of radius -X output. WORKING RADTEST LINE radtest -t mschap daniel.radius passw0rd 127.0.0.1 0 testing123
That's a good test.
ABBREVIATED MSCHAP MODULE mschap mschap_fbc { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi'"
. . . }
That's... likely a problem. It should work, but why hard-code the domain?
DEFAULT SITE AUTHENICATE SECTION authenticate { . . . # MSCHAP authentication. Auth-Type MS-CHAP { mschap_fbc { reject = 2 } if (reject){ mschap_hac reject = 2 } if (reject){ mschap_hbs reject = 2 } if (reject){ mschap_cbs reject = 2 } } . . . }
That's a *terrible* idea. Don't do that. Ever. It will destroy your AD servers with traffic. AD can't really handle any kind of traffic load. Maybe a few dozens of packets a second. Increasing the load by a factor of 4 is bad. The simpler solution, and the one everyone else uses, is to just require users to login with their domain. Follow the examples from the web site, which have a hard-coded domain. Then, change the MS-CHAP module configuration to: exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password}" } Which should work. The idea is that once you have the domain in the Access-Request, you just pass it to AD. You don't care what the *value* of the domain is, because AD will do the checking for you. That way you have one RADIUS configuration, and it works for 4 domains. Your current configuration is slow, complex, and will regularly take down your AD server. Alan DeKok.
Hi,
Examples of the code that I am running. I included a pastebin for the 3000 lines of radius -X output. WORKING RADTEST LINE radtest -t mschap daniel.radius passw0rd 127.0.0.1 0 testing123
radtest is a basic non EAP tool. therefore the authentication doesnt use the EAP module, therefore inner-tunnel isnt used....all you need to configure is stuff in 'default' (out of the box) or whatever you've called your non EAP virtual server
DEFAULT SITE AUTHENICATE SECTION authenticate {
fine.... testing from a client using 802.1X will activate the EAP module...and, with the default config you will see that hits the other virtual server - inner-tunnel - so THAT virtual server needs configuring. now, note, pay careful attention to the debug output....as the innerID info may be different to the outerID info - may have no realm in it...so stripped-user-name isnt populated etc. this needs to be dealt with. the debug output is big...but most of it can be skipped...you can clearly follow the RADIUS conversation in the output...remember, when the packet comes to the server it goes through the whole engine..all policies , from the start...so there is a lot of duplication (if there are no changes). you can skip straight to the part where is tells you its now using inner-tunnel (ie EAP has been started up and theres no big EAP-Message attributes being chucked around.... ignore those (for now, thats more advanced) - just look at the basics...like what the server is doing for authorize/authenticate in the inner tunnel. it DOES suddenly become easier and comprehensible (unlike those magic eye pictures which I've never been able to see) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Daniel Wruck