freeradius windows machine authentication
Hi all, first of all thanks for your great help in my past questions! Sadly, I have yet another one, that I can not quite figure out. Maybe I missed something, I don’t know. I tried looking for past list-threads, to no avail. When my Windows client connects to the WiFi and subsequently to the FreeRADIUS server, it first authenticates via machine authentication (host/HOSTNAME.MYDOMAIN.COM). This fails and the client cannot connect to the WiFi: (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: Client is using MS-CHAPv2 (6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (6) mschap: --> --username=host/HOSTNAME.DOMAIN.COM (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (6) mschap: --> --challenge=ef98e59da6aea4aa (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (6) mschap: --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590 (6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (6) mschap: External script failed (6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) eap_mschapv2: [mschap] = reject (6) eap_mschapv2: } # authenticate = reject However, if I manually configure the WiFi on my Windows device to only use user authentication, it works flawlessly (as expected): (14) eap_mschapv2: authenticate { (14) mschap: Creating challenge hash with username: calvin.haertl (14) mschap: Client is using MS-CHAPv2 (14) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (14) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (14) mschap: --> --username=MYUSERNAME (14) mschap: Creating challenge hash with username: MYUSERNAME (14) mschap: Program returned code (0) (14) mschap: Adding MS-CHAPv2 MPPE keys (14) eap_mschapv2: [mschap] = ok (14) eap_mschapv2: } # authenticate = ok (14) eap_mschapv2: MSCHAP Success (14) eap: Sending EAP Request (code 1) ID 9 length 51 My FreeRADIUS server is connected to our Active Directory via SAMBA and winbind, and I checked that the users can authenticate via radtest. Is FreeRADIUS natively capable of doing machine authentication via AD, do I have to configure some additional files or are there any modules that I can install to do this for me? Kind regards, Calvin
On 30/08/2023 11:09, Härtl, Calvin wrote:
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (6) mschap: --> --username=host/HOSTNAME.DOMAIN.COM (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (6) mschap: --> --challenge=ef98e59da6aea4aa (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (6) mschap: --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590 (6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (6) mschap: External script failed (6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
I think this used to work, but not 100% sure. You might need to mangle the username into the format AD uses for computers, "HOSTNAME.DOMAIN.COM$" or "HOSTNAME$" for example.
My FreeRADIUS server is connected to our Active Directory via SAMBA and winbind, and I checked that the users can authenticate via radtest. Is FreeRADIUS natively capable of doing machine authentication via AD, do I have to configure some additional files or are there any modules that I can install to do this for me?
The usual way to do this is to set up EAP-TLS and use the AD-managed machine certificate for auth. Much more secure and faster authentication as well. It's one of the easiest setups for EAP-TLS with Windows clients because AD manages all the certificates for you. I would investigate that rather than spending time on trying to get MSCHAPv2 working for machine auth. -- Matthew
On 30/08/2023 11:57, Matthew Newton via Freeradius-Users wrote:
On 30/08/2023 11:09, Härtl, Calvin wrote:
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (6) mschap: --> --username=host/HOSTNAME.DOMAIN.COM (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (6) mschap: --> --challenge=ef98e59da6aea4aa (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (6) mschap: --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590 (6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (6) mschap: External script failed (6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
I think this used to work, but not 100% sure. You might need to mangle the username into the format AD uses for computers, "HOSTNAME.DOMAIN.COM$" or "HOSTNAME$" for example.
A Matthew said, EAP-TLS is likely a better option, however, if you have to use MSCHAPv2, I have done this by using the winbind authentication method instead of ntlml_auth. In mods_enabled/mschap: - comment out ntlm_auth = .... - uncomment winbind_username = "%{mschap:User-Name}" - uncomment winbind_domain = "%{mschap:NT-Domain}" The "%{winbind:...}" xlat goes hunting in the request attributes for data representing the requested MS CHAP attribute in commonly formats. The request for "User-Name" finds data that represents users and machines and does "the right thing" in most cases. -- Nick Porter
On 30/08/2023 12:11, Nick Porter wrote:
A Matthew said, EAP-TLS is likely a better option, however, if you have to use MSCHAPv2, I have done this by using the winbind authentication method instead of ntlml_auth.
Good catch. We set the WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT and WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT flags so these auths are allowed. (To be fair it's been over 7 years since I wrote that... so some excuse for forgetting it!) I just tried ntlm_auth and it doesn't seem to like using a computer account, but someone would need to look at the code to see if those flags are set to confirm for certain.
In mods_enabled/mschap:
- comment out ntlm_auth = ....
- uncomment winbind_username = "%{mschap:User-Name}"
Yes, the %{mschap:User-Name} xlat code specifically looks for host/ and fixes things up with the $ suffix as required. But... use TLS :) -- Matthew
@Matthew and Nick: Yeah, since we are currently in the process of testing out all the different protocols (PEAP, EAP-TTLS, etc.) it seems like EAP-TLS is the winner. We just need to set up the certificates for our devices in the Windows AD. Nonetheless: Thank you for clarifying and your help!
Mandi! Härtl, Calvin In chel di` si favelave...
Is FreeRADIUS natively capable of doing machine authentication via AD, do I have to configure some additional files or are there any modules that I can install to do this for me?
Sure! I'm using it against an Samba AD domain,but i think it is exactly the same. I've not done some strange configuration, the same plain configuration that work for user work also for computers; currently i use: winbind_username = "%{mschap:%{User-Name}:-None}" winbind_domain = "LNFFVG" But NOTE that, clearly, if you have setup LDAP filters: 1) your LDAP 'base_dn' HAVE TO contain also machine account OU. 2) if you have setup group filters, filters HAVE TO match also computer account. On windows client side, i set explicitly in advanced options only the 'computer account' auth. -- Does anybody here remember Vera Lynn? (Pink Floyd)
participants (4)
-
Härtl, Calvin -
Marco Gaiarin -
Matthew Newton -
Nick Porter