freeradius and ntlm_auth howto

King, Michael MKing at bridgew.edu
Mon Nov 6 16:03:12 CET 2006


Some things I've noticed from your attached files
 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 
I've never enabled these before, so I'm unaware what effect they will have.
 
 
tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 
Did you generate your OWN certs...  The ones that ship with the server
ARE NOT valid. You have to generate your own.
 
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
 
That doesn't look right
 
 
 
BUT YOUR FINAL ANSWER:
 
 
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf
--challenge=b9ee04ca891c7b7d
--nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc0000234) 
Exec-Program-Wait: plaintext: Account locked out (0xc0000234) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 
 
Your account in the domain is not correct.
 
Looks like it's been disabled or something.
 
Fix that first before you change anymore config files.
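As an added example (not part of this thread or of FreeRADIUS itself), a small Python triage helper that reads the Exec-Program lines radiusd -X prints around the ntlm_auth call, maps the NTSTATUS code ntlm_auth reported to its symbolic name, and separates a domain-side account rejection (as in the log above) from an ntlm_auth/winbind failure. The sample log is constructed from the lines quoted above; the NTSTATUS names beyond 0xc0000234 are the standard Windows values.

```python
import re

# NTSTATUS values ntlm_auth prints on failure; the mail shows only
# 0xc0000234, the others are the standard Windows definitions.
NT_STATUS = {
    0xC0000064: "NT_STATUS_NO_SUCH_USER",
    0xC000006A: "NT_STATUS_WRONG_PASSWORD",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC0000071: "NT_STATUS_PASSWORD_EXPIRED",
    0xC0000072: "NT_STATUS_ACCOUNT_DISABLED",
    0xC0000234: "NT_STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed radiusd -X excerpt, modelled on the lines quoted above.
SAMPLE_LOG = """\
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc0000234)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

CALL_RE = re.compile(r"^Exec-Program: \S*ntlm_auth\b.*--username=(?P<user>\S+)")
OUTPUT_RE = re.compile(r"^Exec-Program output: (?P<msg>.*?)(?:\s*\((?P<code>0x[0-9a-fA-F]+)\))?\s*$")
RC_RE = re.compile(r"^Exec-Program: returned: (?P<rc>\d+)")

def triage_ntlm_auth(log: str) -> dict:
    """Explain an rlm_mschap/ntlm_auth failure seen in radiusd -X output."""
    r = {"user": None, "rc": None, "message": None, "status": None, "verdict": None}
    for line in log.splitlines():
        if m := CALL_RE.match(line):
            r["user"] = m.group("user")
        elif m := OUTPUT_RE.match(line):
            r["message"] = m.group("msg")
            if m.group("code"):  # map the hex NTSTATUS to its symbolic name
                code = int(m.group("code"), 16)
                r["status"] = NT_STATUS.get(code, "UNKNOWN_NTSTATUS_%08X" % code)
        elif m := RC_RE.match(line):
            r["rc"] = int(m.group("rc"))
    if r["rc"] is None:
        r["verdict"] = "no ntlm_auth call in this log; run radiusd -X and retry"
    elif r["rc"] == 0:
        r["verdict"] = "ntlm_auth accepted the credentials; the fault is after the DC check"
    elif r["status"]:
        # The DC itself rejected the account: fix it in AD, not in radiusd.conf.
        r["verdict"] = "domain controller rejected the account (%s); fix it in AD first" % r["status"]
    else:
        r["verdict"] = "ntlm_auth failed before reaching the DC; check winbind and the domain join"
    return r
```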


________________________________

	From: Stieven.Struyf at komatsu.eu
[mailto:Stieven.Struyf at komatsu.eu] 
	Sent: Monday, November 06, 2006 3:16 AM
	To: King, Michael
	Subject: Fw: freeradius and ntlm_auth howto
	
	

	Michael, 
	I sent my reply already to the list, but due to its size (larger
than 100k) it had to be reviewed by the admin and after a week it was
rejected. 
	Below you can find the mail. Thanks for helping me. 
	
	Stieven Struyf
	M.I.S. Division - System Operations 
	Komatsu Europe International NV
	Mechelsesteenweg 586
	B-1800 Vilvoorde
	Stieven.Struyf at komatsu.eu
	Tel. +32 (0)2 2552551 
	----- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006
09:13 AM ----- 
	
Stieven Struyf/KEISA/BE/KOMEUR
11/02/2006 08:55 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
cc:
Subject: RE: freeradius and ntlm_auth howto

	



	I added the debug log as an attachment (as it is a little large to
paste here). 
	This is the mschap config: 
	mschap {
	        authtype = MS-CHAP
	        use_mppe = yes
	        require_strong = yes
	        with_ntdomain_hack = yes
	        require_encryption = yes
	        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
	                --username=%{mschap:User-Name} \
	                --challenge=%{mschap:Challenge} \
	                --nt-response=%{mschap:NT-Response}"
	}
	
	
	Stieven Struyf
	M.I.S. Division - System Operations 
	Komatsu Europe International NV
	Mechelsesteenweg 586
	B-1800 Vilvoorde
	Stieven.Struyf at komatsu.eu
	Tel. +32 (0)2 2552551 
	
	
freeradius-users-bounces+stieven.struyf=komatsu.eu at lists.freeradius.org
wrote on 10/27/2006 04:36:00 PM:
	
	> Let's see if we can get this solved... 
	> 
	> > -----Original Message-----
	> > Here's the full log: 
	> > Waking up in 6 seconds... 
	> > rad_recv: Access-Request packet from host
10.104.254.73:1645, 
	> 
	> This is NOT the full log.  The full log would have started
with the line
	> /path/to/radiusd -X
	> 
	> Some important stuff is printed out there, it helps us help
you.  
	> 
	> 
	> >   rlm_mschap: NT Domain delimeter found, should we have 
	> > enabled with_ntdomain_hack? 
	> >   rlm_mschap: NT Domain delimeter found, should we have 
	> > enabled with_ntdomain_hack? 
	> 
	> Did you enable Ntdomain Hack in the MSCHAP module?  (See
below)
	> 
	> 
	> Including your radius.conf file would help.
	> 
	> 
	> > > HOWEVER, first you may want to check your mschap module
definition:
	> > > 
	> > > modules {
	> > >    mschap {
	> > >      ntlm_auth = "/usr/bin/ntlm_auth \
	> > >   --request-nt-key \
	> > >   --username=%{mschap:User-Name:-None} \
	> > >   --domain=%{mschap:NT-Domain:-None} \
	> > >   --challenge=%{mschap:Challenge:-00} \
	> > >   --nt-response=%{mschap:NT-Response:-00}"
	> > > 
	> > > ...all on one line of course. Note the use of the 
	> > "mschap:User-Name" 
	> > > and "mschap:NT-Domain" values.
	> 
	> My radiusd.conf file's mschap section looks like this:
	> NOTE that I do NOT have the :-00 and the :-None statements,
and I DO
	> have with_ntdomain_hack=yes
	> 
	> 
	>         # Microsoft CHAP authentication
	>         #
	>         #  This module supports MS-CHAP and MS-CHAPv2
authentication.
	>         #  It also enforces the SMB-Account-Ctrl attribute.
	>         #
	>         mschap {
	>                 with_ntdomain_hack = yes
	>                 ntlm_auth = "/usr/bin/ntlm_auth \
	>                         --request-nt-key \
	>                         --username=%{mschap:User-Name} \
	>                         --challenge=%{mschap:Challenge} \
	>                         --nt-response=%{mschap:NT-Response}"
	>         }
	> 
	> 
	
