MSChap via ntlm_auth problem

Anton Brinyov anton.brinyov at gmail.com
Wed Aug 19 13:12:20 CEST 2009


Hi,

I have another freeradius host (freeradius 2.1.3) with the same
authentication scheme.
I looked at the debug output on it:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for BAS with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[mschap]        expand:
--username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=BAS
[mschap]  mschap2: bb
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=205180e1818e1214
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok

The ntlm_auth commands are the same on both hosts.

The difference is "Exec-Program output:"

Why?

Thanks,
Anton.




2009/8/18 Anton Brinyov <anton.brinyov at gmail.com>:
> 2009/8/18 Alan Buxey <A.L.M.Buxey at lboro.ac.uk>:
>> Hi,
>>
>>> The problem appears in any case - with or without require-membership option.
>>>
>>> > which version of SAMBA are you running? Latest version is known to have
>>> > issues - they've changed things with its output.
>>>
>>> I use samba 3.0.35 on FreeBSD 7.2 box.
>>>
>>> > also, recommend you change the command to have this instead
>>> >
>>> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
>>> >
>>> > that'll get rid of that annoying output error
>>>
>>> I have the following command:
>>>
>>> ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key
>>> --require-membership-of=CENTAURA+InternetUsers
>>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>>> --challenge=%{mschap:Challenge:-00}
>>> --nt-response=%{mschap:NT-Response:-00}"
>>>
>>> If I call it from the shell with the options from the radius request, I get a result:
>>>
>>> # /usr/local/bin/ntlm_auth --request-nt-key
>>> --require-membership-of=CENTAURA+InternetUsers --username=BAS
>>> --challenge=6b6f49357dccee7c
>>> --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec
>>>
>>> NT_KEY: A9B342EC3E218E54A330556C468415CD
>>>
>>> What can I do to get some details about the error?
>>
>> <clutching at straws>
>> maybe escape the + in your command (i.e. \+)?
>> </clutching>
>>
>
> *The problem appears in any case - with or without require-membership option.*
> The command can look like
>
> ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key
>  --username=%{Stripped-User-Name:-%{User-Name:-None}}
>  --challenge=%{mschap:Challenge:-00}
>  --nt-response=%{mschap:NT-Response:-00}"
>
> And the output is the same as in the previous case.
>
> Thanks,
> Anton
>



