Problem with PEAP and MS-CHAPv2 and AD
Graham, Robert
rgraham at mem-ins.com
Tue Sep 27 22:11:41 CEST 2005
I am having a strange problem and was hoping for some expertise in this matter; I need to get this working very quickly since I am running out of time. I have FreeRADIUS configured to authenticate our users for a wired 802.1X environment. Authentication works successfully if the supplicant (Odyssey client) sends only the username and not domain\username. The problem is that when I install the Odyssey GINA module to configure the supplicant to authenticate prior to Windows login, it passes the credentials as domain\username, which fails authentication. I did some searches and made the following changes:
proxy.conf
added:
realm domain {
type = radius
authhost = LOCAL
accthost = LOCAL
}
and uncommented the ntdomain section in radiusd.conf
This did not work, so I tried another suggestion and changed the ntlm_auth string from:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MEM --username=%{User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
to:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Now when I log in I get the following error (this also occurs at the desktop level):
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=RGraham --domain=MEM --challenge=71c3373eb458a75e --nt-response=c410b4f18e8527df26495cad16d20a09679b03969efa3d3e'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=RGraham --domain=MEM --challenge=71c3373eb458a75e --nt-response=c410b4f18e8527df26495cad16d20a09679b03969efa3d3e
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0xf8716a50 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
If I change the ntlm_auth back to the original string and authenticate at the desktop (not gina) it authenticates.
So my question is: What do I need to do to configure Freeradius to strip the domain portion where EAP-PEAP is successful at both gina (login) and desktop?
Any help would be greatly appreciated.
Thanks
Robert Graham
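The log line "NT Domain delimeter found, should we have enabled with_ntdomain_hack?" points at where the two ntlm_auth strings diverge. The 8-octet value passed as --challenge is not the raw RADIUS challenge; per RFC 2759 it is ChallengeHash(), the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), so it changes with the exact username string the server hashes, and if that differs from the string the supplicant hashed, ntlm_auth will report a logon failure even though the password is right. The following script (an added example, not code from the original post or from FreeRADIUS) computes that hash for the identity as sent and for the domain-stripped form, which is the choice with_ntdomain_hack makes in rlm_mschap. The peer and authenticator challenges, the identity "MEM\RGraham" and the "as-sent"/"stripped" labels are constructed for the example; the one real input is the RFC 2759 section 9.2 test vector used as a self-check.

```python
"""MS-CHAPv2 ChallengeHash versus NT-domain stripping (added example).

Assumption: the 8-octet --challenge value given to ntlm_auth is the
ChallengeHash of RFC 2759 section 8.2:
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
Which UserName string goes into the hash is the whole question when
the supplicant sends DOMAIN\\user as its identity.
"""
import hashlib
from typing import Dict, Tuple


def strip_nt_domain(identity: str) -> Tuple[str, str]:
    """Split 'DOMAIN\\user' into (domain, user).

    Mirrors what an NT-domain realm or with_ntdomain_hack does: keep the
    part after the backslash. An identity with no backslash is returned
    unchanged with an empty domain.
    """
    domain, sep, user = identity.partition("\\")
    if not sep:
        return "", identity
    return domain, user


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   username: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): 8 octets derived from both challenges
    and the username. Both challenges must be exactly 16 octets."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username)
    return h.digest()[:8]


def candidate_challenges(peer_challenge: bytes, auth_challenge: bytes,
                         identity: str) -> Dict[str, str]:
    """Return the hex --challenge value for each username form the server
    could hash: the identity as sent (DOMAIN\\user) and the stripped user.
    The two differ whenever a domain prefix is present; only one of them
    can match what the supplicant used when it built the NT-Response."""
    _domain, user = strip_nt_domain(identity)
    forms = {"as-sent": identity, "stripped": user}
    return {name: challenge_hash(peer_challenge, auth_challenge,
                                 value.encode("ascii")).hex()
            for name, value in forms.items()}


# RFC 2759 section 9.2 test vector (UserName "User"): the expected
# Challenge is D02E4386BCE91226. This is the only non-constructed input.
RFC2759_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_CHALLENGE = "d02e4386bce91226"


def rfc2759_self_check() -> bool:
    """True if challenge_hash() reproduces the RFC 2759 test vector."""
    return challenge_hash(RFC2759_PEER, RFC2759_AUTH, b"User").hex() \
        == RFC2759_CHALLENGE


if __name__ == "__main__":
    # Constructed challenges; real ones come from the EAP-MSCHAPv2 exchange.
    peer = bytes(range(0x10, 0x20))
    auth = bytes(range(0x30, 0x40))
    print("RFC 2759 self-check:", rfc2759_self_check())
    for identity in ("MEM\\RGraham", "RGraham"):
        print(identity)
        for form, hexval in candidate_challenges(peer, auth, identity).items():
            print(f"  {form:8s} --challenge={hexval}")
```

Run it and the two --challenge values for "MEM\RGraham" differ, while for a bare "RGraham" they coincide; that is exactly the split between the GINA login (identity with domain) and the desktop login (identity without) described above. The stripped form is only useful if the supplicant also hashed the bare username; a supplicant that hashes the full DOMAIN\user string needs the as-sent form, so the script is a way to see which convention the server is applying, not a substitute for checking the supplicant.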