domain security problem
Hegedus Gabor
hegedus.gabor at euroway.hu
Wed Dec 10 09:19:42 CET 2008
tnt at kalik.net wrote:
>> my configuration:
>> radius 2.X , win 2003 AD, domain: TEST, 802.1x
>>
>> I have a problem:
>>
>> If the PC is in the domain (TEST) it can authenticate fine.
>> If it is not in the domain it can't auth, which is fine, BUT when I set the
>> computer name to TEST and it is not in the domain (simple workgroup) it
>> CAN authenticate.
>> I use ntlm_auth for the authentication.
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Debug (radiusd -X).
>
> Ivan Kalik
> Kalik Informatika ISP
>
here is the debug (user "test", who is not in the domain but whose computer
name is TEST, authenticates successfully):
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=234,
length=246
NAS-IP-Address = 192.168.3.1
NAS-Port = 50003
Cisco-NAS-Port = "FastEthernet0/3"
NAS-Port-Type = Ethernet
User-Name = "TEST\\test"
Called-Station-Id = "00-09-B7-94-CA-83"
Calling-Station-Id = "00-13-D4-E7-B3-FB"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xb4d9bca1b3d1a56aa83deffb03301769
EAP-Message =
0x020800561900170301004b70414bb754d5972dbf56e05aebf049af1a0ab69f67432122002d22c83e316d653444c9d47e3354733ecfc7d96cbcfd9d6d2df91f812c48cce9c300d9e9ffb09ea87d05f76fda12dab39168
Message-Authenticator = 0x6ed87b7fe86db42fcae2b6f15124f8ce
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message =
0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d00000000000000002b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374
server (null) {
PEAP: Setting User-Name to TEST\test
Sending tunneled request
EAP-Message =
0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d00000000000000002b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "TEST\\test"
State = 0xaa9b924faa9388a2f1432c8ee6fbd40f
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
[mschap] expand: --username=%{mschap:User-Name} -> --username=test
[mschap] mschap2: 10
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=ad923676ac4c1b76
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 234 to 192.168.1.1 port 1812
EAP-Message =
0x0109004a1900170301003fe817a2e6b0a4c4309346367a44095fe7ea9742736898483f2080549951d5e2dc4151f7712ecfd5fdba90332c0f4b89db1a23b16a6a991044146b6fb344809e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4d9bca1bcd0a56aa83deffb03301769
Finished request 29.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=235,
length=189
NAS-IP-Address = 192.168.3.1
NAS-Port = 50003
Cisco-NAS-Port = "FastEthernet0/3"
NAS-Port-Type = Ethernet
User-Name = "TEST\\test"
Called-Station-Id = "00-09-B7-94-CA-83"
Calling-Station-Id = "00-13-D4-E7-B3-FB"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xb4d9bca1bcd0a56aa83deffb03301769
EAP-Message =
0x0209001d1900170301001230e9ce1a3503f108ecd90427705c68e280ac
Message-Authenticator = 0x463b0d4785d32b7bf4986bf6dec88485
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020900061a03
server (null) {
PEAP: Setting User-Name to TEST\test
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "TEST\\test"
State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [TEST\\test/<via Auth-Type = EAP>] (from client switch port 0
via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "TEST\test"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "TEST\test"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 235 to 192.168.1.1 port 1812
EAP-Message =
0x010a00261900170301001b8c55c76f0d24fb92434676d72046739ed84941fe26a30c82e5bdda
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4d9bca1bdd3a56aa83deffb03301769
Finished request 30.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=236,
length=198
NAS-IP-Address = 192.168.3.1
NAS-Port = 50003
Cisco-NAS-Port = "FastEthernet0/3"
NAS-Port-Type = Ethernet
User-Name = "TEST\\test"
Called-Station-Id = "00-09-B7-94-CA-83"
Calling-Station-Id = "00-13-D4-E7-B3-FB"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xb4d9bca1bdd3a56aa83deffb03301769
EAP-Message =
0x020a00261900170301001bd24263fc9ac1eef3d671fa747f746186131d8853b3a2b6012ad712
Message-Authenticator = 0x9139df60acb7037efc1fbd2e563f570a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [TEST\\test/<via Auth-Type = EAP>] (from client switch port
50003 cli 00-13-D4-E7-B3-FB)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 236 to 192.168.1.1 port 1812
User-Name = "TEST\test"
MS-MPPE-Recv-Key =
0xab1fd2c591043fac4eb5c0ea15494ea129152fcda9169b260ce76c97d1190310
MS-MPPE-Send-Key =
0x4509bdc4294e7fe6cf1ea584080c5a3710093b96e74b7880217272a1ce9ee17b
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 31.
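The expansion lines above show ntlm_auth's --domain taken straight from the DOMAIN\user prefix the client placed in User-Name, so the domain string winbind is asked to check is chosen by the supplicant, not by the server. As an added example (not from the post or from FreeRADIUS), this Python script models that split and audits radiusd -X lines for it; TRUSTED_DOMAINS and the sample log lines are assumptions constructed for the demonstration.

```python
import re

# Assumption (not in the post): the only AD domain this RADIUS server vouches for.
TRUSTED_DOMAINS = {"TEST"}

def split_nt_identity(user_name):
    """Model of the mschap xlat split behind %{mschap:NT-Domain} and
    %{mschap:User-Name}: DOMAIN\\user gives (DOMAIN, user); a bare user gives no domain."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return None, user_name

RE_USERNAME = re.compile(r'User-Name = "(.+?)"')
RE_DOMAIN = re.compile(r"-> --domain=(\S+)")
RE_OUTCOME = re.compile(r"^(Login OK|Login incorrect)")

def audit_debug_log(lines):
    """Walk radiusd -X output and record, per outcome, which --domain ntlm_auth
    was given and whether it came from the client's own DOMAIN\\user prefix."""
    findings, user_name, domain = [], None, None
    for raw in lines:
        line = raw.strip()
        if m := RE_USERNAME.search(line):
            user_name = m.group(1).replace("\\\\", "\\")   # undo debug-output escaping
        if m := RE_DOMAIN.search(line):
            domain = m.group(1)
        if (m := RE_OUTCOME.match(line)) and domain is not None:
            client_domain, _ = split_nt_identity(user_name or "")
            findings.append({
                "user_name": user_name,
                "ntlm_auth_domain": domain,
                "client_supplied": client_domain == domain,
                "trusted": domain in TRUSTED_DOMAINS,
                "result": m.group(1),
            })
            domain = None                                   # one finding per attempt
    return findings

# Constructed lines modelled on the post's debug output (not copied from it):
# the workgroup PC named TEST, then a PC named LAPTOP using the same account.
SAMPLE_LOG = """\
User-Name = "TEST\\\\test"
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
Login OK: [TEST\\\\test/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
User-Name = "LAPTOP\\\\test"
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=LAPTOP
Login incorrect: [LAPTOP\\\\test/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
""".splitlines()
```

Running `audit_debug_log(SAMPLE_LOG)` marks both attempts as client_supplied, and only the one whose prefix happened to equal the real domain name as trusted and successful.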