Dear freeradius-users, I have got a problem with the implementation of the freeradius and ldap-authentication. I've running a freeradius version 2.2.8 and so far, everything is working well. Connetion to the AD works well. The ntlm_auth module also works if I do the test. But now the problem: The clients are using Windows 7 , 8.1 or 10. If I do a manual login with username/password the authentication works well. But if I activate the option to use the windows login informations, the authentication fails. I got an MSCHAP error. So I tried a few things to figure out where the problem is. radtest - t mschap username password localhost 0 testing123 This works very well. Ok...but the username comes with another format, if I do an authentication via Windows. So I tried following: radtest -t mschap DOMAIN//username password localhost 0 testing123 Well...this also works. I recieve an access-accept packet. So I studied the logs more in detail and found out, that the first letter of the username is case sensitive. So I did a new test: radtest -t mschap DOMAIN//Username password localhost 0 testing123 And here I got the same mschap-error as with the (automatic) windows authentication. If I do a check with wbinfo -u I see every username written in lower case letters only. I also checked if the freerad user has permissions on winbindd_priv. Everything should be allright here. The "with-ntdomain-hack = yes" option is also enabled. So I really got no idea where to look next. I have an almost identical setup running very well, also with windows-authentication. The only difference is that I use an older freeradius version here. I think it's 2.1.18. Would be great if someone got some tipps for me. Thanks. Andreas
On Aug 24, 2016, at 9:32 AM, Andreas Zwinzscher <andreas.zwinzscher@bod-datennetze.de> wrote:
The clients are using Windows 7 , 8.1 or 10. If I do a manual login with username/password the authentication works well. But if I activate the option to use the windows login informations, the authentication fails. I got an MSCHAP error. So I tried a few things to figure out where the problem is.
Please post the debug output as suggested in the FAQ, "man" page, and web pages.
Well...this also works. I recieve an access-accept packet. So I studied the logs more in detail and found out, that the first letter of the username is case sensitive. So I did a new test:
radtest -t mschap DOMAIN//Username password localhost 0 testing123
And here I got the same mschap-error as with the (automatic) windows authentication.
What is the error? Please post the FULL debug log. Alan DeKok.
Here I have the freeradius -X output log from the failed authentication. Ready to process requests. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=231, length=205 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x020b001901434f524e45545c41646d696e6973747261746f72 Message-Authenticator = 0x546ef3904298a6a5d47e4da54a19bfd7 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 11 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] Entering ldap_groupcmp() [files] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [files] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to cordc.cornet.local:389, authentication 0 [ldap] bind as cn=Radius,ou=Verwaltung,ou=Benutzer,dc=cornet,dc=local/password to cordc.cornet.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 182 ++[files] = ok [ldap] performing user authorization for CORNET\Administrator [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 231 to 10.0.10.2 port 2897 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010c00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cb801c4b706d6087b7083c2b4 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=232, length=316 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x020c007619800000006c160301006701000063030157bc27882b1a68202e3351a2f8b715f52bc49793f8e157db73e91f877af3da4b000018c014c0130035002fc00ac00900380032000a00130005000401000022ff01000100000500050100000000000a0006000400170018000b0002010000230000 Message-Authenticator = 0x5d612487b73f60218f3187d3892486a0 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cb801c4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 12 length 118 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 108 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 Handshake [length 0067], ClientHello [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 087b], Certificate [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 232 to 10.0.10.2 port 2897 EAP-Message = 0x010d040019c000000a1716030100390200003503010487d34e6a4ce252108cd33a8692e842a975b28b5c31fe207878f913aa4be40100c01400000dff01000100000b000403000102160301087b0b0008770008740003bf308203bb308202a3a00302010202021001300d06092a864886f70d01010b0500308181310b30090603550406130244453114301206035504080c0b446575747363686c616e643111300f06035504070c084368656d6e69747a31143012060355040a0c0b546572726f7420476d6248311b301906092a864886f70d010901160c697440746572726f742e64653116301406035504030c0d436f726e657420526164697573301e EAP-Message = 0x170d3136303831353130303631355a170d3137303831353130303631355a306e310b30090603550406130244453114301206035504080c0b446575747363686c616e6431143012060355040a0c0b546572726f7420476d62483116301406035504030c0d436f726e657420526164697573311b301906092a864886f70d010901160c697440746572726f742e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100f78bbe5a0de5b8616fa403038f713a9942f17eabced5952648a45a7aa58b485ae9688517c7d4de53ae0bfd588246d7265ec3532c6094fb3dcd942ef93da5a12f2a2bb3e0cb85f1f95f49332ba091 EAP-Message = 0xe8bac7158abdb17d4bf498a3414c5f3feaf13600f8bb8bbbe7c0e0b60dcff49293b84659b12f9a7c5e0027e916056901cae5f3cc1962e454a93fba2273a52699697851ad182be89c7649a30b7da823aef3c2ca0868dd027ea13d56aa9fc73d38b4cbb092a5f366192449b3bd9f378d9337d00b76caa2e10cbe397a0cefb92f65bafd04b500e48d9e28b0c49230d9d7b1aa6a6dd08bb731fbacba3de58ce445b33ca7cb0ce13faf7fd87ec5feefcb48d22b190203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f657861 EAP-Message = 0x6d706c655f63612e63726c300d06092a864886f70d01010b050003820101001dbec46407b4dd34328e60d4e8e3db47aeb0794288177ba5cc8ce30ba1a2b3a65a21e197a546b902c15506eb509fcd40560d773d9dfa9da6392433a06ca9fde54ff1c936645ec7d5f9966ffd7f2284434eaf53e6fc8a5106c2bf198bdcfa943f682c359994f6f2587700b77c97617870b83cac81c0f841b3ea7e5393f3a24dfe16c8dcb639eb4b21185203d0ec9e1aeaf53ee6d164793694f8fefc95d770918c11a543b0cdb8a0ec9fe0c05c1a0a6ccc18ac4c9a46e819d8fd4cbd42df6af607e2fd91f13dc058842cf277db06f33613dd4393ae52424bbbaad8f2e2d28b EAP-Message = 0x068fad9b93e5824966416ba7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cb900c4b706d6087b7083c2b4 Finished request 1. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=233, length=204 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x020d00061900 Message-Authenticator = 0xb08e06e3b448cdafef6357a1292c4eb8 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cb900c4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 13 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 233 to 10.0.10.2 port 2897 EAP-Message = 0x010e03fc1940aa9b641aa6a9bb2f1f1243ec58a20bcffbc249bdda120004af308204ab30820393a003020102020900cff66ec74eed107d300d06092a864886f70d01010b0500308181310b30090603550406130244453114301206035504080c0b446575747363686c616e643111300f06035504070c084368656d6e69747a31143012060355040a0c0b546572726f7420476d6248311b301906092a864886f70d010901160c697440746572726f742e64653116301406035504030c0d436f726e657420526164697573301e170d3136303831353130303631355a170d3137303831353130303631355a308181310b3009060355040613024445311430 EAP-Message = 0x1206035504080c0b446575747363686c616e643111300f06035504070c084368656d6e69747a31143012060355040a0c0b546572726f7420476d6248311b301906092a864886f70d010901160c697440746572726f742e64653116301406035504030c0d436f726e65742052616469757330820122300d06092a864886f70d01010105000382010f003082010a0282010100b838d20acae95ef1dd38944b405897d83798dec693f1cb919530abcca91e314bf9e785a9b76e93a131590d5e42d1c2084f9ff4ad13290fda32232fca7e7856f7a19e91ee9f032f91e24c50311f58dec04d3d78ea7ae0722fb6205b21fb39d235c08e019dcf73caae92f8a4 EAP-Message = 0x1dfbd8fa03cf5b34809779e07859a0a794c8527fd950b4fc4350aa186eb3c4f3cfbbb4a255621af9792007047e096be226562db3b13cf1f46c79876656983e03a962dd4046613d53cfd1665b4112329f6a5eaa5fae1ff906ee6cde3c50abc83c1e9088cc3ed25862d41c0088cb3f83778591ca81f3113cf23fd54331e321392d0910a4a6a9074703ea2ec30e481f2b82a487bcc81d0203010001a38201223082011e301d0603551d0e04160414d1c8eec78a52a55df0af1ffb849c6af696aadf1c3081b60603551d230481ae3081ab8014d1c8eec78a52a55df0af1ffb849c6af696aadf1ca18187a48184308181310b30090603550406130244453114 EAP-Message = 0x301206035504080c0b446575747363686c616e643111300f06035504070c084368656d6e69747a31143012060355040a0c0b546572726f7420476d6248311b301906092a864886f70d010901160c697440746572726f742e64653116301406035504030c0d436f726e657420526164697573820900cff66ec74eed107d300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101003faebd556c4f1a5a88702531a06be7e4e5e85f801ea91b8c75bca5235e5a54d83fba75235a8d EAP-Message = 0x4dcc6170236c2c86 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cba03c4b706d6087b7083c2b4 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=234, length=204 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x020e00061900 Message-Authenticator = 0x02fe848f4d30c98b3a127887012bad38 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cba03c4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 14 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 234 to 10.0.10.2 port 2897 EAP-Message = 0x010f02311900de6c5e3eb8d2b6528cb64951c8694febca579e1f7dc45420523c8d2aba5ba09a48d03276ee016aa833377e71f480b68bb7899c737d7d19f0e556e3cfbaf8e69da70d35ab1fc5453fc8a65e7ef8ba122988bd583562ab96e3a1901de2388bfdcca6eed24857d2db3a5f92ec3b9c3504a3222bb544772f2a03a13c87cc6d84bafea9e38faf83d9ec42c5854a2b3e869bd848f696789db3c5252f6cc4130364f780a15598401af88060ab5d34549038327c5e0663fffc5e741e3b0475527cd4bcad01b9dd08be153b799bbb29699e72b7b85f7c160301014b0c00014703001741042c237f1373c08f37d7aa8322fec731d17da31fa9d87b47 EAP-Message = 0xf2e4d13bb856e26849cc79470dcbbaa005fcf179f17451ec25869c0ad682d03bd97691f2d600f89f2901004040e9cfded8334191e6de417d23e43031bb92f15a4f283f13ccb07b44f87b09f243f940643c121e72c0671f268134ddf4618a254bf1830e30fa6800b437abe1d281d679322522e4e96f121d83a54277344e8604317cdbc5f061b022694ad0a5e322f2eb98f1727443b94d652e6033b3dbb17adf822a0c3a562437a330b0fb705f123c5aff5a70bf1b309dc2cdd76173e9262640f24c231cbe6cbb743959b059c83977dba0ba67bd4392fc3198dd68a9f1b92c23ed59cba18371a41aefd62b706d42bf40be9cbca6b55e04ff4ef651203ff4 EAP-Message = 0x7a20de1a85006c63a58897c6c76d89d2e9ad9a51551bd65e144719804bd5bd34ec4f51fdfad6590a70cbd753454f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cbb02c4b706d6087b7083c2b4 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=235, length=342 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x020f009019800000008616030100461000004241042fd863b65294e06048626602bfbb689c5fe2a29d1a6d953c569b4e8984ddce9087d5599dde81d8a27037e8c4666613f3286f41d4e5858e2c4084ffc02608ba371403010001011603010030fcd561477b7760bd353bf2007b5a8b58c96a89679b9d118e448e33474d2abe79eefd6abeafb39009977472c633dc5abe Message-Authenticator = 0xee577ed826384f78a93cbd5f02efdf52 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cbb02c4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 15 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< Unknown TLS version [length 0005] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> Unknown TLS version [length 0005] [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 235 to 10.0.10.2 port 2897 EAP-Message = 0x01100041190014030100010116030100307fdd0a2a9489d438599dde12320c8be4fe22bac663cbbeaefdaec79408ae612cb2588613b3a7c9972fe457c92eb6423f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cbc1dc4b706d6087b7083c2b4 Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=236, length=204 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x021000061900 Message-Authenticator = 0x88b6fa497997239eb039a29e32a1f67a NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cbc1dc4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 16 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 236 to 10.0.10.2 port 2897 EAP-Message = 0x0111002b190017030100209e552e5abb7202d671f4084838b4ed5783740c7ae2166edec683d2ed4a67956a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cbd1cc4b706d6087b7083c2b4 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=237, length=257 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x0211003b190017030100307d53ed09d423b14c3d0f3421f8ee7dda650537ec0696ebd1383f32c358502e3560d990d26895d273391ee37899008e12 Message-Authenticator = 0xcc595e84d620788a64afb533de748b03 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cbd1cc4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 17 length 59 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - CORNET\Administrator [peap] Got inner identity 'CORNET\Administrator' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0211001901434f524e45545c41646d696e6973747261746f72 server { [peap] Setting User-Name to CORNET\Administrator Sending tunneled request EAP-Message = 0x0211001901434f524e45545c41646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORNET\\Administrator" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop [ldap] performing user authorization for CORNET\Administrator [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = notfound ++[mschap] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 17 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] Entering ldap_groupcmp() [files] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [files] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed [ldap] ldap_release_conn: Release Id: 0 ++[files] = noop [ldap] performing user authorization for CORNET\Administrator [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = notfound ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0112002e1a0112002910916f1a91c6d94a4e323eb431a469e9cc434f524e45545c41646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8467475784755ddfbef9adc7a7522e51 [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x0112002e1a0112002910916f1a91c6d94a4e323eb431a469e9cc434f524e45545c41646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8467475784755ddfbef9adc7a7522e51 [peap] Got tunneled Access-Challenge [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 237 to 10.0.10.2 port 2897 EAP-Message = 0x0112004b190017030100401f14174cc5828e40e200757de75fe171b41dd2e9e8ecaf6294d31756849c58ae1a4cf00aec1b5a5785e2b5b32b78b8ed791d07cc57d6b5d559d146e93c6e7ecf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cbe1fc4b706d6087b7083c2b4 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=238, length=305 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x0212006b19001703010060c62ba8a47767fef0c328d4db9c33147720b3a043b229c5d86454d6f20c9a9eee815f4f71e330321d548269663cb66da19ee99431db1dbf09ec4728b15909b3e9d5219f745738d58a3df228557f9c1dafb1fbdd85ef8d8ee575db46b24fe08861 Message-Authenticator = 0xe3d33131e22c8175aa29fc234aba3768 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cbe1fc4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 18 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0212004f1a0212004a314764102663d4a6b703e33d2f38496b38000000000000000047dddb601f337b40cbedc92fe89619468b70254dd2a7590e00434f524e45545c41646d696e6973747261746f72 server { [peap] Setting User-Name to CORNET\Administrator Sending tunneled request EAP-Message = 0x0212004f1a0212004a314764102663d4a6b703e33d2f38496b38000000000000000047dddb601f337b40cbedc92fe89619468b70254dd2a7590e00434f524e45545c41646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORNET\\Administrator" State = 0x8467475784755ddfbef9adc7a7522e51 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop [ldap] performing user authorization for CORNET\Administrator [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = notfound ++[mschap] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 18 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] Entering ldap_groupcmp() [files] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [files] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed [ldap] ldap_release_conn: Release Id: 0 ++[files] = noop [ldap] performing user authorization for CORNET\Administrator [ldap] expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=Administrator) [ldap] expand: ou=Benutzer,dc=cornet,dc=local -> ou=Benutzer,dc=cornet,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Benutzer,dc=cornet,dc=local, with filter (sAMAccountName=Administrator) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = notfound ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: Administrator [mschap] Client is using MS-CHAPv2 for Administrator, we need NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> CORNET\\Administrator [mschap] expand: %{%{User-Name}:-None} -> CORNET\\Administrator [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=CORNET\\Administrator [mschap] Creating challenge hash with username: Administrator [mschap] expand: %{mschap:Challenge} -> 4adcd405e7337023 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4adcd405e7337023 [mschap] expand: %{mschap:NT-Response} -> 47dddb601f337b40cbedc92fe89619468b70254dd2a7590e [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=47dddb601f337b40cbedc92fe89619468b70254dd2a7590e Exec output: Logon failure (0xc000006d) Exec plaintext: Logon failure (0xc000006d) [mschap] Exec: program returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> CORNET\\Administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\022E=691 R=1" EAP-Message = 0x04120004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\022E=691 R=1" EAP-Message = 0x04120004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 238 to 10.0.10.2 port 2897 EAP-Message = 0x0113002b19001703010020034aa81fdd553dcbd8d2abd349b36dc21d00f68571e1ed98dfa1da7494bf7021 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb80ddd5cbf1ec4b706d6087b7083c2b4 Finished request 7. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 10.0.10.2 port 2897, id=239, length=241 User-Name = "CORNET\\Administrator" Framed-MTU = 1450 EAP-Message = 0x0213002b19001703010020ce3251e3b7ad30facad36a0d2e90bc3d481930f9721a0317ae58b5e1d4cb4b03 Message-Authenticator = 0x8c49188ed98543fb50467302c0362bf2 NAS-IP-Address = 10.0.10.2 NAS-Identifier = "Switch_2" NAS-Port = 16830465 NAS-Port-Id = "slot=1;subslot=0;port=13;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00-22-4D-AB-2D-19" Acct-Session-Id = "1000429113760010" State = 0xb80ddd5cbf1ec4b706d6087b7083c2b4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [ntdomain] Looking up realm "CORNET" for User-Name = "CORNET\Administrator" [ntdomain] No such realm "CORNET" ++[ntdomain] = noop [eap] EAP packet type response id 19 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> CORNET\\Administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 239 to 10.0.10.2 port 2897 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.3 seconds. Cleaning up request 0 ID 231 with timestamp +11 Waking up in 0.1 seconds. Cleaning up request 1 ID 232 with timestamp +11 Cleaning up request 2 ID 233 with timestamp +11 Cleaning up request 3 ID 234 with timestamp +11 Cleaning up request 4 ID 235 with timestamp +11 Cleaning up request 5 ID 236 with timestamp +11 Cleaning up request 6 ID 237 with timestamp +11 Waking up in 0.4 seconds. Cleaning up request 7 ID 238 with timestamp +11 Waking up in 1.0 seconds. Cleaning up request 8 ID 239 with timestamp +12 Ready to process requests. I also have a output of the debug when authentication went successful. The main difference I see is in the mschap-section - there is no error and everything is allright. Here the short excerpt of the mschap-section of the successful authentication: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: administrator [mschap] Client is using MS-CHAPv2 for administrator, we need NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> administrator [mschap] expand: %{%{User-Name}:-None} -> administrator [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=administrator [mschap] Creating challenge hash with username: administrator [mschap] expand: %{mschap:Challenge} -> 3564d0819818bbda [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=3564d0819818bbda [mschap] expand: %{mschap:NT-Response} -> c1c7cd76b5a207f96903fdf5dcba5a7fbd00723b3acf3f79 [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=c1c7cd76b5a207f96903fdf5dcba5a7fbd00723b3acf3f79 Exec output: NT_KEY: 57844B8153522FC1A76F101B98CC9E8F Exec plaintext: NT_KEY: 57844B8153522FC1A76F101B98CC9E8F [mschap] Exec: program returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success -----Ursprüngliche Nachricht----- Von: Freeradius-Users [mailto:freeradius-users-bounces+andreas.zwinzscher=bod-datennetze.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 24. August 2016 15:48 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: LDAP / mschap Error On Aug 24, 2016, at 9:32 AM, Andreas Zwinzscher <andreas.zwinzscher@bod-datennetze.de> wrote:
The clients are using Windows 7 , 8.1 or 10. If I do a manual login with username/password the authentication works well. But if I activate the option to use the windows login informations, the authentication fails. I got an MSCHAP error. So I tried a few things to figure out where the problem is.
Please post the debug output as suggested in the FAQ, "man" page, and web pages.
Well...this also works. I recieve an access-accept packet. So I studied the logs more in detail and found out, that the first letter of the username is case sensitive. So I did a new test:
radtest -t mschap DOMAIN//Username password localhost 0 testing123
And here I got the same mschap-error as with the (automatic) windows authentication.
What is the error? Please post the FULL debug log. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, ignoring the object not found LDAP error...... (as obviously, if using local windows login names you may have issues with what their local name is and what your AD/LDAP names are...) your main problem is obviously here: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=CORNET\\Administrator [mschap] Creating challenge hash with username: Administrator [mschap] expand: %{mschap:Challenge} -> 4adcd405e7337023 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4adcd405e7337023 [mschap] expand: %{mschap:NT-Response} -> 47dddb601f337b40cbedc92fe89619468b70254dd2a7590e [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=47dddb601f337b40cbedc92fe89619468b70254dd2a7590e Exec output: Logon failure (0xc000006d) Exec plaintext: Logon failure (0xc000006d) [mschap] Exec: program returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject the output of debug is clearly showing you this..... so, as the RELAM wasnt known...it hasnt been stripped therefore Stripped-User-Name is the same as User-Name.... and is something that either you need to verify that realm is your AD one... or, you need to handle this. it'll probably work if you simply use mschap:User-Name instead of Stripped-User-Name or User-Name..... alan
Hi alan, thanks for the hint with "mschap:User-Name". I will try this. What I'am wondering about: On my other freeradius setup (older version) everything works well. Were there some changes within the mschap - module that causes this problem? Andreas -----Ursprüngliche Nachricht----- Von: Freeradius-Users [mailto:freeradius-users-bounces+andreas.zwinzscher=bod-datennetze.de@lists.freeradius.org] Im Auftrag von Alan Buxey Gesendet: Donnerstag, 25. August 2016 11:45 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: LDAP / mschap Error hi, ignoring the object not found LDAP error...... (as obviously, if using local windows login names you may have issues with what their local name is and what your AD/LDAP names are...) your main problem is obviously here: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=CORNET\\Administrator [mschap] Creating challenge hash with username: Administrator [mschap] expand: %{mschap:Challenge} -> 4adcd405e7337023 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4adcd405e7337023 [mschap] expand: %{mschap:NT-Response} -> 47dddb601f337b40cbedc92fe89619468b70254dd2a7590e [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=47dddb601f337b40cbedc92fe89619468b70254dd2a7590e Exec output: Logon failure (0xc000006d) Exec plaintext: Logon failure (0xc000006d) [mschap] Exec: program returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject the output of debug is clearly showing you this..... so, as the RELAM wasnt known...it hasnt been stripped therefore Stripped-User-Name is the same as User-Name.... and is something that either you need to verify that realm is your AD one... or, you need to handle this. it'll probably work if you simply use mschap:User-Name instead of Stripped-User-Name or User-Name..... alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Aug 25, 2016 at 10:17:18AM +0000, Andreas Zwinzscher wrote:
What I'am wondering about: On my other freeradius setup (older version) everything works well. Were there some changes within the mschap - module that causes this problem?
Run FreeRADIUS in debug mode on the old server and see what ntlm_auth command it runs. Compare with the same on the new server to see if it runs the same ntlm_auth command. If different, run the ntlm_auth command from the old server on the new server and see if you get a successful authentication. If so, fix up the FreeRADIUS config on the new server to use the same ntlm_auth command as the old server. Otherwise I'd check the Samba config and domain join is all the same and working correctly. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I have just started the backup image of the freeradius I have running there and only changed domain-related settings to test it within my domain here. radtest -t mschap username password localhost 0 testing123 - that works. radtest -t mschap DOMAIN//username password localhost 0 testing123 - does not work. But the similar test went ok on the other domain. I then tried to use mschap:User-Name within die mschap-Module. If do the same tests I got the following results: First radtest: successful # Executing group from file /etc/freeradius/sites-enabled/default +group MS-CHAP { [mschap] Client is using MS-CHAPv1 with NT-Password [mschap] expand: %{mschap:User-Name} -> andreas [mschap] expand: --username=%{%{mschap:User-Name}:-%{%{mschap:User-Name}:-None}} -> --username=andreas [mschap] mschap1: 6e [mschap] expand: %{mschap:Challenge} -> 6e675028a7b86d2b [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=6e675028a7b86d2b [mschap] expand: %{mschap:NT-Response} -> 2cc24f730d5712e709f82ffea1b52a97dbbfa18dba2397f0 [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=2cc24f730d5712e709f82ffea1b52a97dbbfa18dba2397f0 Exec output: NT_KEY: 98C1AA64F940C56ACE56C8ED4180CD12 Exec plaintext: NT_KEY: 98C1AA64F940C56ACE56C8ED4180CD12 [mschap] Exec: program returned: 0 [mschap] adding MS-CHAPv1 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok Second radtest: failed # Executing group from file /etc/freeradius/sites-enabled/default +group MS-CHAP { [mschap] Client is using MS-CHAPv1 with NT-Password [mschap] expand: %{mschap:User-Name} -> BOD//andreas [mschap] expand: --username=%{%{mschap:User-Name}:-%{%{mschap:User-Name}:-None}} -> --username=BOD//andreas [mschap] mschap1: 5a [mschap] expand: %{mschap:Challenge} -> 5a8ba3f949317ff7 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=5a8ba3f949317ff7 [mschap] expand: %{mschap:NT-Response} -> 4e9fb02ee0b213c62a0cb02d393fba46bd2587602625ff2d [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=4e9fb02ee0b213c62a0cb02d393fba46bd2587602625ff2d Exec output: Logon failure (0xc000006d) Exec plaintext: Logon failure (0xc000006d) [mschap] Exec: program returned: 1 [mschap] External script failed. [mschap] MS-CHAP-Response is incorrect. ++[mschap] = reject +} # group MS-CHAP = reject Failed to authenticate the user. In the startup-settings of the freeradius I found the following lines for mschapv2 (which is used by windows): Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Is there a option to enable the ntdomain-hack? Where can I find this line? It seems not to be /etc/freeradius/modules/mschap -----Ursprüngliche Nachricht----- Von: Freeradius-Users [mailto:freeradius-users-bounces+andreas.zwinzscher=bod-datennetze.de@lists.freeradius.org] Im Auftrag von Matthew Newton Gesendet: Donnerstag, 25. August 2016 12:37 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: LDAP / mschap Error On Thu, Aug 25, 2016 at 10:17:18AM +0000, Andreas Zwinzscher wrote:
What I'am wondering about: On my other freeradius setup (older version) everything works well. Were there some changes within the mschap - module that causes this problem?
Run FreeRADIUS in debug mode on the old server and see what ntlm_auth command it runs. Compare with the same on the new server to see if it runs the same ntlm_auth command. If different, run the ntlm_auth command from the old server on the new server and see if you get a successful authentication. If so, fix up the FreeRADIUS config on the new server to use the same ntlm_auth command as the old server. Otherwise I'd check the Samba config and domain join is all the same and working correctly. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sounds like your not calling the ntdomain module and don't have the mschap 'domain hack' enabled alan
participants (4)
-
Alan Buxey -
Alan DeKok -
Andreas Zwinzscher -
Matthew Newton