NTLM in MSCHAP

David Hláčik david at hlacik.eu
Tue Mar 4 21:18:12 CET 2008


Hi, I have a working configuration of PPTPD (Windows VPN) through RADIUS to
LDAP-stored users. The thing is that it accepts only plain-text stored
passwords in LDAP because of the very well known NT-Password for MSCHAPv2

 

I figured out there is an option to make it work with ntlm_auth in the mschap
configuration in radius.

But when I enable it:

 

                #with_ntdomain_hack = yes

                # The module can perform authentication itself, OR
                # use a Windows Domain Controller.  This configuration
                # directive tells the module to call the ntlm_auth
                # program, which will do the authentication, and return
                # the NT-Key.  Note that you MUST have "winbindd" and
                # "nmbd" running on the local machine for ntlm_auth
                # to work.  See the ntlm_auth program documentation
                # for details.
                #
                # Be VERY careful when editing the following line!
                #
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

 

I am getting the following error:

 

  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: Told to do MS-CHAPv2 for boss with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: 6b
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Exec-Program-Wait: plaintext: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 1

 

But I am not sending a domain through the VPN connection (I have it clear). I
have also tried #with_ntdomain_hack = yes, but without result.

 

Please help me,

 

David
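The debug output above carries everything needed to separate a malformed ntlm_auth call from a winbindd-side failure: the command line rlm_mschap built, the NT_STATUS string ntlm_auth printed, and its exit code. The following script is an added example (not part of the post or of FreeRADIUS) that parses such radiusd -X output, checks the MS-CHAPv2 argument sizes (8-byte challenge, 24-byte NT-Response per RFC 2759, hex-encoded), and maps the status seen here to the requirement stated in the module's own comment. The sample log embedded in it is the post's own output with the wrapped Exec-Program line rejoined; the STATUS_HINTS table and the field names are this example's own choices.

```python
import re
import shlex

# Sample radiusd -X output: the lines from the post above, with the wrapped
# Exec-Program line rejoined (radiusd prints it as a single line).
SAMPLE_DEBUG = """\
  rlm_mschap: Told to do MS-CHAPv2 for boss with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Exec-Program-Wait: plaintext: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

# MS-CHAPv2 (RFC 2759) sizes: 8-byte challenge, 24-byte NT-Response, hex-encoded.
CHALLENGE_HEX_LEN = 16
NT_RESPONSE_HEX_LEN = 48
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

EXEC_RE = re.compile(r"^Exec-Program: (/\S.*)$")
STATUS_RE = re.compile(r"^Exec-Program output:\s*(NT_STATUS_\w+)\s*\((0x[0-9a-fA-F]+)\)")
RETURNED_RE = re.compile(r"^Exec-Program: returned:\s*(\d+)")

# Hints for status strings ntlm_auth relays from winbindd. Only the status
# seen in the post is listed; this table is the example's own (extend as needed).
STATUS_HINTS = {
    "NT_STATUS_CANT_ACCESS_DOMAIN_INFO":
        "ntlm_auth could not obtain domain information from winbindd; "
        "confirm winbindd and nmbd are running on the RADIUS host, "
        "as the mschap module comment requires.",
}

def parse_ntlm_auth_exec(debug_text):
    """Pull the ntlm_auth invocation and its outcome out of radiusd debug output."""
    info = {"args": {}, "status": None, "code": None, "exit": None, "problems": []}
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = EXEC_RE.match(line)
        if m:
            tokens = shlex.split(m.group(1))
            info["program"] = tokens[0]
            for tok in tokens[1:]:
                # "--key=value" becomes a string, a bare "--flag" becomes True
                key, _, value = tok[2:].partition("=") if tok.startswith("--") else (tok, "", "")
                info["args"][key] = value if value else True
            continue
        m = STATUS_RE.match(line)
        if m:
            info["status"], info["code"] = m.group(1), m.group(2)
            continue
        m = RETURNED_RE.match(line)
        if m:
            info["exit"] = int(m.group(1))
    check_arguments(info)
    return info

def check_arguments(info):
    """Sanity-check what rlm_mschap handed to ntlm_auth."""
    args = info["args"]
    chal = args.get("challenge", "")
    resp = args.get("nt-response", "")
    if len(chal) != CHALLENGE_HEX_LEN or not HEX_RE.match(chal):
        info["problems"].append("challenge is not 8 hex-encoded bytes")
    if len(resp) != NT_RESPONSE_HEX_LEN or not HEX_RE.match(resp):
        info["problems"].append("nt-response is not 24 hex-encoded bytes")
    if chal == "00" or resp == "00":
        # ":-00" is the xlat fallback in the config line; seeing it means the
        # request carried no MS-CHAP attributes at all
        info["problems"].append("xlat fell back to its default (no MS-CHAP attributes in request)")
    user = args.get("username", "")
    # relevant to with_ntdomain_hack: does the client still send DOMAIN\user?
    info["domain_in_username"] = "\\" in user or "/" in user

def diagnose(info):
    """Return a one-line verdict for the parsed exchange."""
    if info["problems"]:
        return "request malformed: " + "; ".join(info["problems"])
    if info["exit"] == 0:
        return "ntlm_auth accepted the response"
    hint = STATUS_HINTS.get(info["status"], "see ntlm_auth/winbindd logs")
    return "ntlm_auth failed with %s (%s): %s" % (info["status"], info["code"], hint)

if __name__ == "__main__":
    parsed = parse_ntlm_auth_exec(SAMPLE_DEBUG)
    print(diagnose(parsed))
```

Run against the post's output it reports the arguments as well-formed (so the rlm_mschap side of the exchange is fine), no domain prefix in the username, and a non-zero exit from ntlm_auth with the NT_STATUS string; that narrows the problem to the ntlm_auth/winbindd side rather than the RADIUS configuration line.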
