Machine Authentication with PEAP
James J J Hooper
jjj.hooper at bristol.ac.uk
Fri Mar 10 00:38:25 CET 2006
--On 09 March 2006 23:20 +0000 James J J Hooper <jjj.hooper at bristol.ac.uk>
wrote:
>>>> Date: Thu, 9 Mar 2006 13:17:48 -0500
>>>> From: "King, Michael" <MKing at bridgew.edu>
>>>> Subject: Machine Authentication with PEAP
>>>>
>>>> Has anyone gotten Machine Authentication with PEAP working?
>>> Yes
>>>>
>>>> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29 '
>>>>
>>>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29
>>>>
>>>> Exec-Program output: Logon failure (0xc000006d)
>>>>
>>>> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
>>>
>>> From my experience this means the credentials the machine is sending are
>>> wrong or your version of samba is too old - get 3.0.21c (or at least
>>> 3.0.21a)
>
>> I wish it was that easy. I'm using the Debian package of the Testing
>> release. It's currently at 3.0.21b
>>
>> Does it have anything to do with the host/ getting stripped off?
>
> Nope ... --username=boy-it-tel-2528$ is in the correct format
>
> If it helps, this is the ntlm command (which I think you have correct):
> /usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102
>
> for the radius packet:
> NAS-IP-Address = 172.17.51.78
> NAS-Port = 50018
> Cisco-NAS-Port = "GigabitEthernet0/18"
> NAS-Port-Type = Ethernet
> User-Name = "host/cse-mpr.cse.bris.ac.uk"
> Called-Station-Id = "00-16-C8-7C-A9-12"
> Calling-Station-Id = "00-07-E9-E7-41-50"
> Service-Type = Framed-User
> Framed-MTU = 1500
> State = 0x2155356ae073362e26296c9869da2893
> EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49
>
> As far as I can tell the problem is with the windows / samba side of
> things:
> - might be a stupid question, but is the computer account properly
> registered in the domain?
> - is the account locked ??
> - does it work if you try to auth as a user?
> - if you updated samba recently - have you restarted winbindd?
> - are you passing the domain correctly? (I don't specify the domain on
> the ntlm_auth command line, whereas you have.) I have the following in
> samba.conf (the domain is UOB):
>
> [global]
> workgroup = UOB
> netbios name = IS-RHUBARB
> security = domain
> password server = ads.bris.ac.uk
> realm = ads.bris.ac.uk
> winbind use default domain = no
> winbind nested groups = Yes
> winbind enum users = No
> winbind enum groups = No
> remote browse sync = ads.bris.ac.uk
>
>
> where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain
> controllers.
... on a different tack, I assume you are using the XP / 2000 builtin
supplicant? ... If you're trying to use the 'MeetingHouse AEGIS 802.1x
client', I found it does not send the actual machine credentials (it makes
up the password! - it uses the machine SID as password or something) and so
this would explain why authentication is failing.
James.
--
James J J Hooper,
Information Services
University of Bristol
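An added example, not code from this thread or from FreeRADIUS/Samba: it reproduces the two steps the thread is debugging, the mapping of the supplicant's `host/<fqdn>` User-Name to the `<shortname>$` computer account (which is what FreeRADIUS's mschap module does before calling ntlm_auth), and the classification of ntlm_auth's reply so that a `Logon failure (0xc000006d)` maps back to one of the checks James lists. It assumes the standard NTSTATUS names for the codes in `NT_STATUS_HINTS` and that a successful ntlm_auth run prints `NT_KEY: <hex>`; the sample values are the challenge, NT-Response and User-Name from James's own log excerpt above, and nothing here contacts winbindd unless `run_ntlm_auth` is called explicitly.

```python
# Added example: build the ntlm_auth argv FreeRADIUS would run for a
# PEAP/MSCHAPv2 machine logon and interpret ntlm_auth's reply.
import re
import subprocess

# Hex lengths ntlm_auth expects for MS-CHAPv2: 8-byte challenge, 24-byte NT-Response.
CHALLENGE_HEX_LEN = 16
NT_RESPONSE_HEX_LEN = 48

# NTSTATUS codes ntlm_auth prints in parentheses on failure, mapped to the
# questions raised in the thread (assumption: standard NTSTATUS names).
NT_STATUS_HINTS = {
    0xC000006D: ("STATUS_LOGON_FAILURE",
                 "credentials rejected: check the supplicant really sends the "
                 "machine password, and that samba is at least 3.0.21a"),
    0xC0000064: ("STATUS_NO_SUCH_USER",
                 "no such account: is the computer account registered in the domain?"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "the computer account is locked"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "the computer account is disabled"),
}


def machine_account_from_user_name(user_name: str) -> str:
    """Map the 802.1X identity to the SAM account name ntlm_auth needs.

    Windows sends machine authentication as "host/<fqdn>"; the domain stores
    the computer as "<shortname>$". A leading "DOMAIN\\" is dropped (the
    domain belongs on --domain); a plain user name is returned unchanged.
    """
    name = user_name.split("\\", 1)[-1]
    if name.lower().startswith("host/"):
        fqdn = name[len("host/"):]
        return fqdn.split(".", 1)[0] + "$"
    return name


def build_ntlm_auth_argv(user_name, challenge_hex, nt_response_hex,
                         domain=None, ntlm_auth="/usr/bin/ntlm_auth"):
    """Return the argv list for `ntlm_auth --request-nt-key`.

    A list, not a string: it must be exec'd without a shell so the trailing
    "$" of the machine account reaches ntlm_auth literally instead of being
    expanded as a shell variable.
    """
    challenge_hex = challenge_hex.strip().lower()
    nt_response_hex = nt_response_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % CHALLENGE_HEX_LEN, challenge_hex):
        raise ValueError("challenge must be %d hex chars" % CHALLENGE_HEX_LEN)
    if not re.fullmatch(r"[0-9a-f]{%d}" % NT_RESPONSE_HEX_LEN, nt_response_hex):
        raise ValueError("nt-response must be %d hex chars" % NT_RESPONSE_HEX_LEN)
    argv = [ntlm_auth, "--request-nt-key",
            "--username=" + machine_account_from_user_name(user_name)]
    if domain:
        argv.append("--domain=" + domain)
    argv += ["--challenge=" + challenge_hex, "--nt-response=" + nt_response_hex]
    return argv


def parse_ntlm_auth_output(text: str) -> dict:
    """Classify ntlm_auth's output.

    Success prints "NT_KEY: <hex>" (the key FreeRADIUS derives MPPE keys from);
    failure prints a message ending in "(0x<ntstatus>)", e.g. the thread's
    "Logon failure (0xc000006d)".
    """
    m = re.search(r"NT_KEY:\s*([0-9A-Fa-f]+)", text)
    if m:
        return {"ok": True, "nt_key": m.group(1).lower()}
    m = re.search(r"\(0x([0-9A-Fa-f]{8})\)", text)
    code = int(m.group(1), 16) if m else None
    name, hint = NT_STATUS_HINTS.get(
        code, ("UNKNOWN", "unrecognised status; check that winbindd is running"))
    return {"ok": False, "status": code, "name": name, "hint": hint,
            "raw": text.strip()}


def run_ntlm_auth(argv):
    """Run the built argv (no shell) and classify the result. Needs winbindd."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_ntlm_auth_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Values taken from James's log excerpt in the thread.
    argv = build_ntlm_auth_argv("host/cse-mpr.cse.bris.ac.uk",
                                "4de0a9c09623ab12",
                                "d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102")
    print(" ".join(argv))
    print(parse_ntlm_auth_output("Logon failure (0xc000006d)"))
```

Running it prints the same command line James quotes above, and classifies the failure from the first mail as `STATUS_LOGON_FAILURE`, which is the "credentials or samba version" branch of the checklist rather than a locked or missing account. Pass `domain="campus"` to reproduce Michael's variant with `--domain=campus`.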