ntlm_auth is not used by mschap

robiwan at arcor.de
Thu May 4 13:04:19 CEST 2006


Dear All,

Now I am a step further on: my radiusd uses the ntlm_auth module AND authenticates the user correctly!!!
My Username = roka, Password = Gerti1000, Domain = WINLAB

Now I use the self-compiled freeradius 1.1.1 and NOT the Debian freeradius. The Debian freeradius is unable to load EAP-Type/peap.

I activated the peap section in the file eap.cfg:
-------------------------------snip---------------------------
peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
}
---------------------------snap----------------------------

Here again the mschap section in radiusd.conf:
-------------------------------snip---------------------------
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --domain=winlab --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
---------------------------snap----------------------------

And the users file:
-------------------------------snip---------------------------
DEFAULT Auth-Type = MS-Chap
        Fall-Through = 1

roka        Auth-Type := MS-CHAP
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-ID = 40
---------------------------snap----------------------------


On my Windows XP box I use EAP (PEAP) as the 802.1X authentication and EAP-MSCHAP v2 as the authentication method.


Here is the radiusd output:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=132, length=137
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000100157494e4c41425c726f6b61
        Message-Authenticator = 0xbd4afc42085fcbbf08d044ae750c53fd
Sending Access-Challenge of id 132 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xeef3170dad81ebd1111e10041bb347cd
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=133, length=145
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xeef3170dad81ebd1111e10041bb347cd
        EAP-Message = 0x020100060319
        Message-Authenticator = 0xbc407e57ea0373c4d3c64172b16383e3
Sending Access-Challenge of id 133 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe31f70214e83e2de5cc7759b43818b12
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=134, length=251
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xe31f70214e83e2de5cc7759b43818b12
        EAP-Message = 0x0202007019800000006616030100610100005d03014459dd090912178089f8e3c69693534605b03bf50368573ab4d2e6b2236469142079a45d849f7096a2b2bbc38c20a1ed71682d0fd9e6debf2bc4412059da76b1df001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x5916349f8c6defda32f07b85cec1f492
    TLS_accept:error in SSLv3 read client certificate A
Sending Access-Challenge of id 134 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0103040a19c0000006f1160301004a0200004603014459dda2b79409fcb6d4d89fac9548c3823e922e24a065fe40651a32332886db20eac3c696ce916da32ce4d48b6b696d0895a73a5c1ea3587a904d849d32fde49e00040016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
        EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc7cf07a88e421df6a3b7286fe43369d6
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=135, length=145
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xc7cf07a88e421df6a3b7286fe43369d6
        EAP-Message = 0x020300061900
        Message-Authenticator = 0x3d277dba131d4505b6845d6cfd6ed376
Sending Access-Challenge of id 135 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xec08c9ae544f092c6a427e7a70dbbe23
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=136, length=331
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xec08c9ae544f092c6a427e7a70dbbe23
        EAP-Message = 0x020400c01980000000b61603010086100000820080771469fb40621c4f3c2fc1f6ec25d522e4c5d3875d9b1b2117f2d79b2bb48911db4efd1d2f5556c182f423f61a5431e811bd7269987d215bbe2a119e59c92d42743d1a1535bbf2967b575924234913beb3cdabb36c8af0f5fd8b0dc78265f24d00419c2edcb066a475f01be123c112f055ceeb8d27ef3d0769dd049e44cbcf9314030100010116030100207e447742f402496865b7ff6579e5bcfbbf3c983ee258e6792b6ae75085f6ab5f
        Message-Authenticator = 0x62b1bf32b3b16b6857c2d630fcf960e0
Sending Access-Challenge of id 136 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x01050031190014030100010116030100201efddd23acbd285af12a1314e91ffad945f58a08566adc8582c7e547d7213269
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2cb96659eeaf144836c35733c6a0a808
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=137, length=145
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x2cb96659eeaf144836c35733c6a0a808
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xbda925ee01abf70665fd68a59d82bdf3
Sending Access-Challenge of id 137 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x01060020190017030100155351c3c41dd669c9851f2fc575f8195a3b48fa2e90
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbe17fb42c27358c6e33f9980e0597b4c
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=138, length=178
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xbe17fb42c27358c6e33f9980e0597b4c
        EAP-Message = 0x020600271900170301001c23049e0e9cfc346962dda69f3bce6e63b95f3c05f8dcef9c0a8bdd29
        Message-Authenticator = 0xc46f001225f57a9f57a085d4d2217c93
rlm_eap_mschapv2: Issuing Challenge
Sending Access-Challenge of id 138 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0107003c19001703010031ddc5a0e836791a192d89b4038de58bb2b678a07041a0ef90a1623e213941ef52bb8e006d7a35737884b3eb1455a4e7e754
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x043b2578a061745314b8ad9d341c0cef
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=139, length=232
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x043b2578a061745314b8ad9d341c0cef
        EAP-Message = 0x0207005d190017030100524a31d80a4489031df02823a24f82d5829d0c4ed1bdbd1ad6474e7628b62e0e67d3fa7f307b9936c07e7a937df8f9eb75d1c35dee5c91ae462abdb628ba395fbc5f20a42f24f3b4354e407435f659be333046
        Message-Authenticator = 0x26edddab5cbe293c97ca484f91bb9a49
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --domain=winlab --request-nt-key --username=roka --challenge=d3ebe3c71d26efdb --nt-response=e0f465788d19ac1febee280128abf37d5ce5d430c7516212
Exec-Program-Wait: plaintext: NT_KEY: 2F6C7B1EA51DEE8E0E47A627D4E5DEA5
Exec-Program: returned: 0
Sending Access-Challenge of id 139 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0108004a1900170301003fe95b4d356a5729b7513424e95b3815d5f664558f10fe45ce635500380a4d78ec71b59f36a16d8c3a196bbcca6155322203c5c2a82c4f224b8238e6f2b16606
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5141f9f539e80bf903ba740d943e82a9
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=140, length=168
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x5141f9f539e80bf903ba740d943e82a9
        EAP-Message = 0x0208001d19001703010012463c06b6275da4d04f23c9eb7e2e23aea2ee
        Message-Authenticator = 0xe00580e029f8e3c388b82938c5ffb176
Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client localhost port 0)
Sending Access-Challenge of id 140 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010900261900170301001b5ca7996a37fe349ccac8e6953704bcf369ba2e3141f25b22003352
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x69d1f13c657d02f68ffb205c41c26c9c
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=141, length=177
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x69d1f13c657d02f68ffb205c41c26c9c
        EAP-Message = 0x020900261900170301001b2d01514390d15c42a319617b87af8233f59c6f67444bdaf5989a5a
        Message-Authenticator = 0x87e08fe2becd0de8192365a40e2c8b65
Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-5D-84-AE-CA)
Sending Access-Accept of id 141 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-MPPE-Recv-Key = 0xbbfe5508b45b961e066f53e6dc8ee0ddd3d7d5893608c12de1787bd0599471fc
        MS-MPPE-Send-Key = 0x218c81973cefe42ebaa2aff5ab5ab5d315bb3a434730821ed6437f08e3d23cab
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "WINLAB\\roka"




Many thanks to all
Robert






----- Original Message ----
From:    robiwan at arcor.de
To:      freeradius-users at lists.freeradius.org
Date:    04.05.2006 07:46
Subject: ntlm_auth is not used by mschap

> You send a packet that does not contain any MS-CHAP attributes. Because of 
> that, the server is not doing MS-CHAP:
> 
> >   modcall[authorize]: module "mschap" returns noop for request 0
> 
> As this line tells you.
> 
> Send a MS-CHAP request, and look what happens then.
> 
> Stefan
> 
> Hi,
> 
> Now I send an mschap request (EAP/PEAP with Windows XP) and this is the output
> of my radiusd:
> 
> rad_recv: Access-Request packet from host 10.187.0.15:1645, id=229,
> length=137
>         NAS-IP-Address = 10.187.0.15
>         NAS-Port = 50103
>         NAS-Port-Type = Ethernet
>         User-Name = "WINLAB\\roka"
>         Called-Station-Id = "00-14-69-5B-8B-03"
>         Calling-Station-Id = "00-0B-5D-84-AE-CA"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         EAP-Message = 0x020000100157494e4c41425c726f6b61
>         Message-Authenticator = 0x90f61cee340a78e94ee24fe3c625baa0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 0 length 16
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched entry DEFAULT at line 174
>     users: Matched entry DEFAULT at line 198
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 229 to 10.187.0.15:1645
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         EAP-Message = 0x010100160410be8025aedc237e79bb769d7448c5e684
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x01aa44a4c384c8d0b88b27a8f803a381
> Finished request 0
> Going to the next request
>  
> 
> Again the
> modcall[authorize]: module "mschap" returns noop for request 0
> You said this means I do not send an mschap request.
> 
> What else can I do?
> 
> Many thanks in advance
> Robert
> 
> 

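An added example, not code from the post, from FreeRADIUS or from Samba: the arithmetic behind the Exec-Program line in the log, written in Go with only the standard library (the MD4 is spelled out because Go does not ship one). The --challenge that ntlm_auth receives is the 8-byte ChallengeHash of RFC 2759, SHA1 over the peer challenge, the authenticator challenge and the bare user name (no "WINLAB\" prefix; stripping it is what with_ntdomain_hack and %{mschap:User-Name} do, hence --username=roka). The --nt-response is that challenge DES-encrypted under three keys cut from the zero-padded NT hash, and NT_KEY is the PasswordHashHash of RFC 2759, MD4 of the NT hash, which rlm_mschap then feeds into the MS-MPPE keys of the Access-Accept. The block verifies a response the way the server (or ntlm_auth against the DC) does, builds the "S=..." authenticator response the client checks for mutual authentication, and is driven by the test vectors of RFC 2759 section 9.2 (constructed input; the post's own values are not asserted because they cannot be checked here). Two caveats the post's log makes concrete: the third DES key carries only 16 secret bits, so a challenge/response pair like the one on the Exec-Program line hands an offline attacker the NT hash cheaply, which is why this exchange belongs inside the PEAP TLS tunnel and why debug output that shows it, together with NT_KEY, should be handled as credential material; and the server never needs the password, only its hash, so a leaked NT hash is password-equivalent.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// MD4 schedule (RFC 1320): message word per step and per-round rotations. Go's stdlib has no MD4.
var md4Idx = [48]int{
	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
	0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15,
	0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15,
}
var md4S = [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}

func md4(data []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	// Padding: 0x80, zeros up to 56 mod 64, then the bit length little-endian.
	msg := append(append(append([]byte{}, data...), 0x80), make([]byte, (119-len(data)%64)%64)...)
	msg = binary.LittleEndian.AppendUint64(msg, uint64(len(data))*8)
	for off := 0; off < len(msg); off += 64 {
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 48; i++ {
			f, k, r := b^c^d, uint32(0x6ed9eba1), i/16 // round 3 defaults
			if r == 0 {
				f, k = (b&c)|(^b&d), 0
			} else if r == 1 {
				f, k = (b&c)|(b&d)|(c&d), 0x5a827999
			}
			t := bits.RotateLeft32(a+f+binary.LittleEndian.Uint32(msg[off+4*md4Idx[i]:])+k, md4S[r][i%4])
			a, b, c, d = d, t, b, c // rotate registers for the next step
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is RFC 2759 NtPasswordHash(): MD4 over the UTF-16LE password.
func ntHash(password string) []byte {
	var buf []byte
	for _, w := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(w), byte(w>>8))
	}
	return md4(buf)
}

// challengeHash is RFC 2759 ChallengeHash(): SHA1(Peer || Authenticator || bare UserName, no "DOMAIN\")[0:8].
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// ntResponse is RFC 2759 ChallengeResponse(): the hash zero-padded to 21 bytes, split into three DES
// keys, each encrypting the 8-byte challenge. Key 3 has only 16 secret bits, so a captured pair is cheap to crack.
func ntResponse(challenge, hash []byte) []byte {
	padded := make([]byte, 22) // 21 bytes used; one spare so the 8-byte read below stays in range
	copy(padded, hash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		v := binary.BigEndian.Uint64(padded[7*i:]) >> 8 // the 56 key bits of chunk i
		key := make([]byte, 8)
		for j := range key { // 7 key bits per DES key byte; the low (parity) bit is ignored by DES
			key[j] = byte((v>>(49-7*uint(j)))&0x7f) << 1
		}
		blk, _ := des.NewCipher(key)
		blk.Encrypt(out[8*i:], challenge)
	}
	return out
}

// verify is the check the server performs with the stored hash; the compare is constant-time.
func verify(hash, peer, auth []byte, user string, response []byte) bool {
	want := ntResponse(challengeHash(peer, auth, user), hash)
	return subtle.ConstantTimeCompare(want, response) == 1
}

// authenticatorResponse: RFC 2759 GenerateAuthenticatorResponse(), the "S=..." proving the server knows the hash too.
func authenticatorResponse(hash, response, peer, auth []byte, user string) string {
	hashHash := md4(hash) // PasswordHashHash, the value ntlm_auth --request-nt-key prints as NT_KEY
	d := sha1.Sum(append(append(hashHash, response...), "Magic server to client signing constant"...))
	d = sha1.Sum(append(append(d[:], challengeHash(peer, auth, user)...), "Pad to make it do more than one iteration"...))
	return fmt.Sprintf("S=%X", d[:])
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 9.2 vectors (constructed input)
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	hash, user := ntHash("clientPass"), "User"
	resp := ntResponse(challengeHash(peer, auth, user), hash)
	fmt.Printf("%X %v %s\n", resp, verify(hash, peer, auth, user, resp), authenticatorResponse(hash, resp, peer, auth, user))
}
```

To apply it to the log above, skip challengeHash (the posted --challenge d3ebe3c71d26efdb is already the hashed 8-byte challenge) and call ntResponse on it with ntHash of the posted password; if that password is the one the account has, the result is the posted --nt-response, and md4 of the same NT hash is the posted NT_KEY.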



