freeradius and ntlm_auth howto
Stieven.Struyf at komatsu.eu
Fri Oct 27 13:24:47 CEST 2006
Here's the full log:
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.104.254.73:1645, id=67,
length=259
User-Name = "KMT-EU.KMTG.NET\\sstruyf"
Framed-MTU = 1400
Called-Station-Id = "0016.469b.7cd0"
Calling-Station-Id = "0011.851a.cc37"
Service-Type = Login-User
Message-Authenticator = 0xfeb711c4400f8f34b9fef7c2be7f77bc
EAP-Message =
0x020900691900170301005e5971fff2b46b2f81e88ed248772a59c1860abf0ebe40379c9e20c0ac6edd9cb19abe8ebfe82595c54bc12a979c51182f9b58d130708870f1b6bb17c1cd8249a64ddae5750e9411d4e337bd0876f393e83f2015b4c783ee35db02041bad3
NAS-Port-Type = Wireless-802.11
NAS-Port = 2936
State = 0x5d8298849858ea61aec0380c81af200d
NAS-IP-Address = 10.104.254.73
NAS-Identifier = "WAP07KE"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name =
"KMT-EU.KMTG.NET\sstruyf"
rlm_realm: Found realm "KMT-EU.KMTG.NET"
rlm_realm: Adding Stripped-User-Name = "sstruyf"
rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 105
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched sstruyf at 98
modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
0x020900521a0209004d3160a685c531c746f19621bbdd8d3f136800000000000000001af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
PEAP: Adding old state with 46 61
PEAP: Sending tunneled request
EAP-Message =
0x020900521a0209004d3160a685c531c746f19621bbdd8d3f136800000000000000001af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "KMT-EU.KMTG.NET\\sstruyf"
State = 0x4661e4398678b434bf08ae113a631207
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name =
"KMT-EU.KMTG.NET\sstruyf"
rlm_realm: Found realm "KMT-EU.KMTG.NET"
rlm_realm: Adding Stripped-User-Name = "sstruyf"
rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 82
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched sstruyf at 98
modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with
NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
mschap2: 27
rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf
--challenge=decc4450c3b83d2c
--nt-response=1af36673f68ff26b4cc76bf8cd9f440d0c36396981ad345'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf
--challenge=decc4450c3b83d2c
--nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>]
(from client localhost port 0)
Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 7
hpidm: entered hpidm_post_auth
rlm_hpidm: request does not contain NAS-Port, cannot process this reply
modcall[post-auth]: module "hpidm" returns ok for request 7
modcall: group Post-Auth-Type returns ok for request 7
PEAP: Got tunneled reply RADIUS code 3
Service-Type = Login-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-Id:0 = "3"
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x81c8538 3
Service-Type = Login-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-Id:0 = "3"
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 67 to 10.104.254.73:1645
Service-Type = Login-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-Id:0 = "3"
EAP-Message =
0x010a00261900170301001bbea51b60bcb4566d7ef538deab44475ff7bea343dbeb8600663c15
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x53366a955095f03c779d1b7ef5a01e38
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.104.254.73:1645, id=68,
length=192
User-Name = "KMT-EU.KMTG.NET\\sstruyf"
Framed-MTU = 1400
Called-Station-Id = "0016.469b.7cd0"
Calling-Station-Id = "0011.851a.cc37"
Service-Type = Login-User
Message-Authenticator = 0x19198f9e13690ff3237353e66c498924
EAP-Message =
0x020a00261900170301001b723ec3fbfe48e768422325cbd73602c757a16c7c650e39a86cfcf5
NAS-Port-Type = Wireless-802.11
NAS-Port = 2936
State = 0x53366a955095f03c779d1b7ef5a01e38
NAS-IP-Address = 10.104.254.73
NAS-Identifier = "WAP07KE"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 8
rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name =
"KMT-EU.KMTG.NET\sstruyf"
rlm_realm: Found realm "KMT-EU.KMTG.NET"
rlm_realm: Adding Stripped-User-Name = "sstruyf"
rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 8
rlm_eap: EAP packet type response id 10 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched sstruyf at 98
modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>]
(from client WAP07KE port 2936 cli 0011.851a.cc37)
Processing the post-auth section of radiusd.conf
Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf at komatsu.eu
Tel. +32 (0)2 2552551
freeradius-users-bounces+stieven.struyf=komatsu.eu at lists.freeradius.org
wrote on 10/27/2006 12:26:09 PM:
>
> HOWEVER, first you may want to check your mschap module definition:
>
> modules {
> mschap {
> ntlm_auth = "/usr/bin/ntlm_auth \
> --request-nt-key \
> --username=%{mschap:User-Name:-None} \
> --domain=%{mschap:NT-Domain:-None} \
> --challenge=%{mschap:Challenge:-00} \
> --nt-response=%{mschap:NT-Response:-00}"
>
> ...all on one line of course. Note the use of the "mschap:User-Name" and
> "mschap:NT-Domain" values.
I checked it and changed the userline value (it was stripped-username
something), but without success.
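An added example, not part of the original post and not FreeRADIUS code: a small Python check that pulls each ntlm_auth invocation out of debug output like the log above and compares the flags actually passed with the template quoted in the reply. The names unwrap, audit, TEMPLATE_FLAGS and SAMPLE_LOG are hypothetical, and the sample log is constructed.

```python
import re
import shlex

# Flags in the ntlm_auth template quoted in this thread.
TEMPLATE_FLAGS = "--request-nt-key --username --domain --challenge --nt-response".split()

# Constructed sample shaped like the debug output above, mail-wrapping included.
SAMPLE_LOG = r"""
rlm_mschap: Told to do MS-CHAPv2 for EXAMPLE.NET\alice with
NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=alice
--challenge=0011223344556677
--nt-response=000102030405060708090a0b0c0d0e0f1011121314151617
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
"""

def unwrap(text):
    """Re-join option lines that mail wrapping pushed onto their own line."""
    out = []
    for line in text.splitlines():
        if line.startswith("--") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def audit(text):
    """Return one finding per ntlm_auth invocation found in the log."""
    findings, user = [], None
    for line in unwrap(text):
        if m := re.search(r"Told to do MS-CHAPv2 for (\S+)", line):
            user = m.group(1)
        elif m := re.match(r"Exec-Program: (\S*ntlm_auth\b.*)", line):
            passed = {a.split("=", 1)[0] for a in shlex.split(m.group(1))[1:]}
            findings.append({
                "user": user,
                "missing": [f for f in TEMPLATE_FLAGS if f not in passed],
                # A DOMAIN\user name arrived but no --domain was passed on.
                "domain_dropped": "\\" in (user or "") and "--domain" not in passed,
                "output": None, "rc": None})
        elif findings and (m := re.match(r"Exec-Program output: (.*)", line)):
            findings[-1]["output"] = m.group(1)
        elif findings and (m := re.match(r"Exec-Program: returned: (\d+)", line)):
            findings[-1]["rc"] = int(m.group(1))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```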