Machine Authentication with PEAP

James J J Hooper jjj.hooper at bristol.ac.uk
Fri Mar 10 00:20:07 CET 2006
>>> ------------------------------
>>>
>>> Message: 6
>>> Date: Thu, 9 Mar 2006 13:17:48 -0500
>>> From: "King, Michael" <MKing at bridgew.edu>
>>> Subject: Machine Authentication with PEAP
>>>
>>> Has anyone gotten Machine Authentication with PEAP working?
>> Yes
>>>
>>> radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29  '
>>>
>>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29
>>>
>>> Exec-Program output: Logon failure (0xc000006d)
>>>
>>> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
>>
>> From my experience this means the credentials the machine is sending are
>> wrong or your version of samba is too old - get 3.0.21c (or at least
>> 3.0.21a)

>I wish it was that easy.  I'm using the Debian package of the Testing
>release.  It's currently at 3.0.21b
>
>Does it have anything to do with the host/ getting stripped off?

Nope ... --username=boy-it-tel-2528$ is in the correct format

If it helps, this is the ntlm_auth command (which I think you have correct):
/usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102

for the radius packet:
        NAS-IP-Address = 172.17.51.78
        NAS-Port = 50018
        Cisco-NAS-Port = "GigabitEthernet0/18"
        NAS-Port-Type = Ethernet
        User-Name = "host/cse-mpr.cse.bris.ac.uk"
        Called-Station-Id = "00-16-C8-7C-A9-12"
        Calling-Station-Id = "00-07-E9-E7-41-50"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x2155356ae073362e26296c9869da2893
        EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49

As far as I can tell the problem is with the Windows / Samba side of things:
  - might be a stupid question, but is the computer account properly registered in the domain?
  - is the account locked??
  - does it work if you try to auth as a user?
  - if you updated samba recently - have you restarted winbindd?
  - are you passing the domain correctly? (I don't specify the domain on the ntlm_auth command line, whereas you have.) I have the following in samba.conf (the domain is UOB):

[global]
   workgroup = UOB
   netbios name = IS-RHUBARB
   security = domain
   password server = ads.bris.ac.uk
   realm = ads.bris.ac.uk
   winbind use default domain = no
   winbind nested groups = Yes
   winbind enum users = No
   winbind enum groups = No
   remote browse sync = ads.bris.ac.uk


where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain 
controllers.

Regards,
   James

--
James J J Hooper,
Information Services
University of Bristol
--
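Added example (not part of the thread above, and not FreeRADIUS or Samba code): a small Python helper for reading this kind of debug output. It reproduces the User-Name mapping the log shows (`host/cse-mpr.cse.bris.ac.uk` becomes `cse-mpr$`), checks that the challenge and NT response have the lengths MS-CHAPv2 fixes before building the `ntlm_auth` argv, and turns the `(0x...)` NTSTATUS suffix that `ntlm_auth` prints into a name so a "Logon failure (0xc000006d)" can be told apart from a locked or disabled account. The `host/` handling and the `DOMAIN\user` split are the author's assumptions about what a RADIUS server feeds to `ntlm_auth`, and the NTSTATUS table is standard Windows values, of which only 0xc000006d appears on this page. `run_ntlm_auth` needs Samba winbind on the host; the rest runs offline.

```python
import re
import shlex
import subprocess

# NTSTATUS codes as ntlm_auth reports them in its "(0x...)" suffix.
# Only 0xc000006d is on the page; the others are standard Windows values.
NT_STATUS_NAMES = {
    0x00000000: "NT_STATUS_OK",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC0000064: "NT_STATUS_NO_SUCH_USER",
    0xC0000071: "NT_STATUS_PASSWORD_EXPIRED",
    0xC0000072: "NT_STATUS_ACCOUNT_DISABLED",
    0xC0000234: "NT_STATUS_ACCOUNT_LOCKED_OUT",
}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def ntlm_username(user_name):
    """Map a RADIUS User-Name to (domain, value for ntlm_auth --username).

    Assumed mapping, matching the log in the thread:
      "host/cse-mpr.cse.bris.ac.uk" -> (None, "cse-mpr$")   machine account
      "campus\\alice"                -> ("campus", "alice")  DOMAIN\\user login
      "alice"                        -> (None, "alice")
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        short_host = fqdn.split(".", 1)[0]   # drop the DNS suffix
        return None, short_host + "$"        # computer accounts end in '$'
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    return None, user_name


def build_ntlm_auth_argv(user_name, challenge_hex, nt_response_hex, domain=None):
    """Build the ntlm_auth argv, validating the fixed MS-CHAPv2 sizes:
    an 8-byte challenge (16 hex chars) and a 24-byte NT response (48 hex chars).
    A value of the wrong length means the response was truncated or mangled
    before it reached ntlm_auth, which is worth catching before blaming AD."""
    if not (_HEX.match(challenge_hex) and len(challenge_hex) == 16):
        raise ValueError("challenge must be 16 hex characters")
    if not (_HEX.match(nt_response_hex) and len(nt_response_hex) == 48):
        raise ValueError("nt-response must be 48 hex characters")
    parsed_domain, username = ntlm_username(user_name)
    argv = ["/usr/bin/ntlm_auth", "--request-nt-key", "--username=" + username]
    domain = domain or parsed_domain
    if domain:
        argv.append("--domain=" + domain)   # optional, as the thread notes
    argv += ["--challenge=" + challenge_hex, "--nt-response=" + nt_response_hex]
    return argv


def classify_ntlm_auth_output(output):
    """Interpret ntlm_auth's reply. Success reads 'NT_STATUS_OK: Success (0x0)';
    failures end in a parenthesised NTSTATUS such as 'Logon failure (0xc000006d)'.
    Returns (ok, code, name)."""
    match = re.search(r"\((0x[0-9a-fA-F]+)\)", output)
    if not match:
        return False, None, "unparsed: " + output.strip()
    code = int(match.group(1), 16)
    return code == 0, code, NT_STATUS_NAMES.get(code, "unknown NTSTATUS")


def run_ntlm_auth(argv):
    """Execute ntlm_auth (requires Samba winbind on this host) and classify it."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return classify_ntlm_auth_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Values taken from the working command quoted in the thread.
    argv = build_ntlm_auth_argv("host/cse-mpr.cse.bris.ac.uk",
                                "4de0a9c09623ab12",
                                "d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102")
    print(shlex.join(argv))
    print(classify_ntlm_auth_output("Logon failure (0xc000006d)"))
```

Run it against live `ntlm_auth` output with `run_ntlm_auth(argv)`; a returned name other than `NT_STATUS_LOGON_FAILURE` (locked out, disabled, no such user) points straight at one of the checklist items in the reply rather than at the credentials.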