PEAP/MS-CHAPv2 authentication to active directory

Alan DeKok aland at deployingradius.com
Sat Apr 12 08:23:41 CEST 2008


Mitchell, Mark wrote:
> I'm trying to get 802.1x authentication going using PEAP/MS-CHAPv2 but
> can't quite get it going (I think I'm pretty close though) so I'm hoping
> someone here can take a look at my debug output below and perhaps offer
> some helpful advice. Here's the specifics:  Ubuntu 7.10, freeRADIUS
> 1.1.7, Samba 3.0.

  I would suggest using v2.0.3, which is much simpler and more flexible.
 It also has built-in VMPS support, which means there's less need for
perl "glue".

>  Note that there are calls to a freeNAC perl module
> called check_mac that performs mac-auth-bypass vlan assignment for
> non-802.1x compliant devices.

  Ah.  If you're using freenac, that might explain it.

> I've followed the freeNAC instructions and tried some slight variations
> that I've found posted elsewhere but still not getting it.

  Quite frankly, don't use third-party instructions.  They're almost
always wrong.  The documentation in FreeRADIUS is more up to date, and
correct.

> I've gotten
> to the point where I can issue the ntlm_auth command "manually" and
> authenticate to AD so Samba, Winbind, and Kerberos seem to be OK. When I
> attempt to get freeRADIUS to do the ntlm_auth for me as described in the
> freeNAC docs and other web resources like deployingradius.com and the
> freeradius wiki, I keep getting logon failures. See attached radius
> debug output below.

  Running the ntlm_auth command manually means you're giving it
clear-text passwords.  Running it from FreeRADIUS means it's being given
MS-CHAP hashes.  The two are different, and add additional complexity.

> I'm just attaching the last part of the debug
> because for one it's quite large and two, it seems to be going well up
> to a certain point. My EAP-TLS tunnel appears to be getting setup fine
> but it just acts as if my password is wrong.

  I would suggest not using EAP until you have the MS-CHAP stuff
working.  See src/tests/mschapv1 for a "known working" MS-CHAP sample.
You can do:

$ radclient -f src/tests/mschapv1 -xx localhost auth testing123

  Of course, you'll have to add user "bob" with password "bob" to Active
Directory.  But you should be able to test MS-CHAP with a known working
sample.

...
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

  There isn't much else that FreeRADIUS can do at this point.  If the
domain is returning failure, that means failure.

  You could also try putting the cleartext-password for the user into
the "users" file.  That would tell you if (maybe) the client is broken,
and isn't doing MS-CHAP properly.

  i.e. (1) test PEAP with local user && password
       (2) test MS-CHAP with bob/bob against ntlm_auth

  If both work, then the problem is something complicated somewhere in
between ntlm_auth, winbind, or Active Directory.  And that's pretty hard
to track down, to be frank.  Active Directory isn't very good about
telling even an admin *why* something went wrong.

  Alan DeKok.
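The cleartext-versus-hash split Alan describes above, as an added worked example (it is not code from this post, from FreeRADIUS or from Samba): what a hand-run ntlm_auth is given, versus what the FreeRADIUS mschap module hands it, computed on the public RFC 2759 test vectors. Assumptions: MD4 is implemented inline because hashlib frequently lacks it; the ntlm_auth flags are the ones the mschap module's ntlm_auth setting uses (--domain left out); the 50-byte MS-CHAP2-Response value is constructed here from the RFC vectors, with ident 1, flags 0 and a zero reserved field; and the NT_KEY that ntlm_auth prints for --request-nt-key is taken to be MD4(NT-hash), which is what rlm_mschap uses to build the MS-CHAP2-Success string.

```python
import hashlib
import struct

# MD4 (RFC 1320) in pure Python; hashlib's md4 is often missing on OpenSSL 3 builds.
_MD4_ORDER = (tuple(range(16)),
              (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
              (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))
_MD4_SHIFT = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
_MD4_K = (0, 0x5A827999, 0x6ED9EBA1)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            r = i // 16
            if r == 0:
                f = (b & c) | (~b & d)
            elif r == 1:
                f = (b & c) | (b & d) | (c & d)
            else:
                f = b ^ c ^ d
            t = (a + f + x[_MD4_ORDER[r][i % 16]] + _MD4_K[r]) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(t, _MD4_SHIFT[r][i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): the 8 bytes FreeRADIUS passes as --challenge."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def parse_mschap2_response(value: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response VSA (RFC 2548 2.3.2) into its fields."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(value))
    return {"ident": value[0], "flags": value[1], "peer_challenge": value[2:18],
            "reserved": value[18:26], "nt_response": value[26:50]}


def ntlm_auth_argv_manual(username: str, password: str) -> list:
    """The hand-run check: the cleartext password goes straight to winbind."""
    return ["ntlm_auth", "--username=" + username, "--password=" + password]


def ntlm_auth_argv_from_radius(username: str, auth_challenge: bytes, mschap2_response: bytes) -> list:
    """What rlm_mschap runs: no password at all, only an 8-byte challenge and the 24-byte response."""
    fields = parse_mschap2_response(mschap2_response)
    chal = challenge_hash(fields["peer_challenge"], auth_challenge, username)
    return ["ntlm_auth", "--request-nt-key", "--username=" + username,
            "--challenge=" + chal.hex(), "--nt-response=" + fields["nt_response"].hex()]


def authenticator_response(nt_key: bytes, nt_response: bytes, chal: bytes) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7), computed from the NT_KEY ntlm_auth prints."""
    d = hashlib.sha1(nt_key + nt_response + b"Magic server to client signing constant").digest()
    d = hashlib.sha1(d + chal + b"Pad to make it do more than one iteration").digest()
    return "S=" + d.hex().upper()


# RFC 2759 section 9.2 test vectors (public values, nothing secret).
RFC_USER, RFC_PASSWORD = "User", "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
# Constructed MS-CHAP2-Response VSA value: ident 1, flags 0, peer challenge, 8 reserved zeros, response.
SAMPLE_MSCHAP2_RESPONSE = bytes([1, 0]) + RFC_PEER_CHALLENGE + bytes(8) + RFC_NT_RESPONSE


def walk_through() -> dict:
    """Both ntlm_auth invocations plus the values each side derives, on the RFC vectors."""
    pw_hash = nt_password_hash(RFC_PASSWORD)
    nt_key = md4(pw_hash)  # assumed: the NT_KEY line ntlm_auth --request-nt-key returns
    chal = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    return {"manual_argv": ntlm_auth_argv_manual(RFC_USER, RFC_PASSWORD),
            "radius_argv": ntlm_auth_argv_from_radius(RFC_USER, RFC_AUTH_CHALLENGE, SAMPLE_MSCHAP2_RESPONSE),
            "nt_hash": pw_hash.hex().upper(), "nt_key": nt_key.hex().upper(),
            "challenge": chal.hex().upper(),
            "success": authenticator_response(nt_key, RFC_NT_RESPONSE, chal)}


if __name__ == "__main__":
    for key, val in walk_through().items():
        print(key, val)
```

The point of the two argv lists is the one in the reply: a successful manual run only proves winbind can check a cleartext password, while the FreeRADIUS path needs winbind to verify an NTLMv1-style response against a challenge, which also fails if the domain policy refuses NTLMv1 or the username/domain split is wrong. The "success" value is the MS-CHAP2-Success authenticator response the server must return; if that does not match what the client computes, the client reports a bad password even though the domain said yes.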
