domain security problem

Hegedus Gabor hegedus.gabor at euroway.hu
Wed Dec 10 09:19:42 CET 2008


tnt at kalik.net wrote:
>> my configuration:
>> radius 2.X , win 2003 AD,  domain: TEST,  802.1x
>>
>> I have a problem:
>>
>> If the PC is in the domain (TEST) it can authenticate fine.
>> If it is not in the domain it can't auth, which is fine, BUT when I set the
>> computer name to TEST and it is not in the domain (simple workgroup) it
>> CAN authenticate.
>> I use ntlm_auth for the authentication.
>>    ntlm_auth = "/usr/bin/ntlm_auth
>>        --request-nt-key --domain=%{mschap:NT-Domain}
>>        --username=%{mschap:User-Name}
>>        --challenge=%{mschap:Challenge:-00}
>>        --nt-response=%{mschap:NT-Response:-00}"
>>
>>
>>     
>
> Debug (radiusd -X).
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   
Here is the debug output (user "test", who is not in the domain but whose computer name is TEST, authenticates successfully):

rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=234, length=246
   NAS-IP-Address = 192.168.3.1
   NAS-Port = 50003
   Cisco-NAS-Port = "FastEthernet0/3"
   NAS-Port-Type = Ethernet
   User-Name = "TEST\\test"
   Called-Station-Id = "00-09-B7-94-CA-83"
   Calling-Station-Id = "00-13-D4-E7-B3-FB"
   Service-Type = Framed-User
   Framed-MTU = 1500
   State = 0xb4d9bca1b3d1a56aa83deffb03301769
   EAP-Message = 0x020800561900170301004b70414bb754d5972dbf56e05aebf049af1a0ab69f67432122002d22c83e316d653444c9d47e3354733ecfc7d96cbcfd9d6d2df91f812c48cce9c300d9e9ffb09ea87d05f76fda12dab39168
   Message-Authenticator = 0x6ed87b7fe86db42fcae2b6f15124f8ce
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
   EAP-Message = 0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d00000000000000002b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374
server (null) {
 PEAP: Setting User-Name to TEST\test
Sending tunneled request
   EAP-Message = 0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d00000000000000002b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374
   FreeRADIUS-Proxied-To = 127.0.0.1
   User-Name = "TEST\\test"
   State = 0xaa9b924faa9388a2f1432c8ee6fbd40f
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap]     expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
[mschap]     expand: --username=%{mschap:User-Name} -> --username=test
[mschap]  mschap2: 10
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
   EAP-Message = 0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
[peap] Got tunneled reply RADIUS code 11
   EAP-Message = 0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 234 to 192.168.1.1 port 1812
   EAP-Message = 0x0109004a1900170301003fe817a2e6b0a4c4309346367a44095fe7ea9742736898483f2080549951d5e2dc4151f7712ecfd5fdba90332c0f4b89db1a23b16a6a991044146b6fb344809e
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0xb4d9bca1bcd0a56aa83deffb03301769
Finished request 29.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=235, length=189
   NAS-IP-Address = 192.168.3.1
   NAS-Port = 50003
   Cisco-NAS-Port = "FastEthernet0/3"
   NAS-Port-Type = Ethernet
   User-Name = "TEST\\test"
   Called-Station-Id = "00-09-B7-94-CA-83"
   Calling-Station-Id = "00-13-D4-E7-B3-FB"
   Service-Type = Framed-User
   Framed-MTU = 1500
   State = 0xb4d9bca1bcd0a56aa83deffb03301769
   EAP-Message = 0x0209001d1900170301001230e9ce1a3503f108ecd90427705c68e280ac
   Message-Authenticator = 0x463b0d4785d32b7bf4986bf6dec88485
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
   EAP-Message = 0x020900061a03
server (null) {
 PEAP: Setting User-Name to TEST\test
Sending tunneled request
   EAP-Message = 0x020900061a03
   FreeRADIUS-Proxied-To = 127.0.0.1
   User-Name = "TEST\\test"
   State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [TEST\\test/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "TEST\test"
[peap] Got tunneled reply RADIUS code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "TEST\test"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 235 to 192.168.1.1 port 1812
   EAP-Message = 0x010a00261900170301001b8c55c76f0d24fb92434676d72046739ed84941fe26a30c82e5bdda
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0xb4d9bca1bdd3a56aa83deffb03301769
Finished request 30.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=236, length=198
   NAS-IP-Address = 192.168.3.1
   NAS-Port = 50003
   Cisco-NAS-Port = "FastEthernet0/3"
   NAS-Port-Type = Ethernet
   User-Name = "TEST\\test"
   Called-Station-Id = "00-09-B7-94-CA-83"
   Calling-Station-Id = "00-13-D4-E7-B3-FB"
   Service-Type = Framed-User
   Framed-MTU = 1500
   State = 0xb4d9bca1bdd3a56aa83deffb03301769
   EAP-Message = 0x020a00261900170301001bd24263fc9ac1eef3d671fa747f746186131d8853b3a2b6012ad712
   Message-Authenticator = 0x9139df60acb7037efc1fbd2e563f570a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [TEST\\test/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 236 to 192.168.1.1 port 1812
   User-Name = "TEST\test"
   MS-MPPE-Recv-Key = 0xab1fd2c591043fac4eb5c0ea15494ea129152fcda9169b260ce76c97d1190310
   MS-MPPE-Send-Key = 0x4509bdc4294e7fe6cf1ea584080c5a3710093b96e74b7880217272a1ce9ee17b
   EAP-Message = 0x030a0004
   Message-Authenticator = 0x00000000000000000000000000000000
Finished request 31.
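To read a radiusd -X trace like the one above per request rather than per line, here is an added Python example (not from the post or from FreeRADIUS) that pulls out, for each Access-Request, the User-Name, the client MAC, the domain and user that ntlm_auth was actually told to check, its exit code, and whether an Access-Accept followed. The `split_nt_name` helper only approximates the `%{mschap:NT-Domain}` / `%{mschap:User-Name}` split as inferred from the expansions in the log, and the log excerpt is constructed in the same format.

```python
import re
# Constructed excerpt in the radiusd -X format seen in the post (not the post's full log).
SAMPLE_LOG = r"""rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=234, length=246
   User-Name = "TEST\\test"
   Calling-Station-Id = "00-13-D4-E7-B3-FB"
[mschap]     expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
[mschap]     expand: --username=%{mschap:User-Name} -> --username=test
Exec-Program: returned: 0
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=236, length=198
   User-Name = "TEST\\test"
   Calling-Station-Id = "00-13-D4-E7-B3-FB"
Sending Access-Accept of id 236 to 192.168.1.1 port 1812
"""

def split_nt_name(user_name):
    r"""Approximation (assumed from the log's expansions) of the %{mschap:...} split:
    text before the backslash is the domain, empty if there is none. The attribute
    dump prints one backslash as '\\', so undo that escaping first."""
    name = user_name.replace("\\\\", "\\")
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else ("", name)

FIELDS = (("user", r'^\s*User-Name = "(.*)"$'),
          ("mac", r'^\s*Calling-Station-Id = "(.*)"$'),
          ("ntlm_domain", r"-> --domain=(\S*)$"),
          ("ntlm_user", r"-> --username=(\S*)$"))

def summarize(log_text):
    """One record per Access-Request: who asked, which domain/user ntlm_auth was
    told to check, what ntlm_auth returned, and whether an Access-Accept followed."""
    records, cur = [], None
    for line in log_text.splitlines():
        m = re.match(r"rad_recv: Access-Request .* id=(\d+),", line)
        if m:
            cur = {"id": int(m.group(1)), "user": None, "mac": None, "ntlm_domain": None,
                   "ntlm_user": None, "ntlm_rc": None, "accept": False}
            records.append(cur)
        elif cur is not None:
            for key, pat in FIELDS:          # first occurrence per request wins
                m = re.search(pat, line)
                if m and cur[key] is None:
                    cur[key] = m.group(1)
            m = re.match(r"Exec-Program: returned: (\d+)", line)
            if m:
                cur["ntlm_rc"] = int(m.group(1))
            if line.startswith("Sending Access-Accept"):
                cur["accept"] = True
    return records
```

Comparing each record's `ntlm_domain` against the domains the server is meant to serve shows at a glance which domain name, taken from the client-supplied User-Name, ntlm_auth was given for every session.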




More information about the Freeradius-Users mailing list