Some help with etc_smbpasswd auth and eap ttls

Josh Hiner josh at
Thu Jan 8 05:44:59 CET 2009

Alan DeKok wrote:
> Josh Hiner wrote:
>> Trying to configure EAP-TTLS with MSCHAPv2 using FreeRADIUS
>> version 1.1.3 in Red Hat Enterprise Linux 5.
>   I suggest upgrading.  It's not hard to build an RPM of the latest
> version of the server.
>   Upgrading will get you a lot.
Ok I did upgrade, please see my post below =D.
>> I have configured everything and gotten FreeRADIUS to authenticate off
>> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
>> run into is when I switch the SecureW2 Windows XP EAP-TTLS client to use
>> the current logged on user credentials. Then, SecureW2 sends the
>> username in the format of DOMAIN/user (which in this case is HTN/josh).
>> Authentication then fails because of this extra domain part in the user.
>> Ok fine, I first enabled the nt_domain_hack in the mschap module, then I
>> configured realm ntdomain and simply set a default realm in proxy.conf
>> to strip off the domain part. Nope, that fails (output will be included
>> below). I also tried nostrip but that also fails, obviously. Also tried
>> silently stripping the domain in pre-process in radiusd.conf. Auth is
>> successful but finally rejected because the user doesn't match the
>> original HTN/josh user sent.
>   This is fixed in 2.x.  You can have different policies for inside the
> TLS tunnel and outside of it.  This makes these configurations easier.
Ok I do see this now but am still getting the same error. Please see below.
>> Anyways, anyone know how to get the etc_smbpasswd module to work? I don't
>> want to use the users file (blech) even though it does work when I put
>> the user in there, and again, if I just supply the username and password
>> (and leave the domain part blank in the SecureW2 TTLS client) authentication
>> does work off /etc/samba/smbpasswd.
>   Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
> solution is hard in 1.1.3.  I don't even recall what feature set it has
> (or is missing).
>   Alan DeKok.
Ok, I have upgraded to FreeRADIUS version 2.1.3 (following the
suggestion above). I have configured and gotten everything to work
except for the domain name stripping at the front of the username (e.g.
HTN/josh). If I don't supply the domain name, authentication succeeds
perfectly. I am still getting the same error that I was with FreeRADIUS
version 1.3.1. I've configured an HTN realm to strip off the HTN part and
in the debug, it appears to work as stripped-user=josh gets proxied
back. Then authentication fails in the same way as it did before? It is
mentioned above that there are 3-4 solutions which are trivial in 2.x.
Since I have FreeRADIUS basically running, could someone spare some of
their valuable time with a pointer on stripping off the HTN part of the
user so authentication will succeed? Thanks =D. Below is the part of my
debug output from FreeRADIUS showing the authentication failure. Once
again, it works perfectly if I don't supply the domain name (I can then
connect perfectly via EAP-TTLS with MSCHAPv2). Hopefully I am close. I
can supply more of my configs if needed.

Thanks -Josh

server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "HTN\josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh"
[ntdomain] Found realm "HTN"
[ntdomain] Adding Stripped-User-Name = "josh"
[ntdomain] Adding Realm = "HTN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 1 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[etc_smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for josh with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
    MS-CHAP-Error = "\001E=691 R=1"
    EAP-Message = 0x04010004
    Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user HTN\josh
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
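
A way to read the trace above mechanically, added here as an example and not part of the original post: the script collects each module's return code and ties the MS-CHAP "No NT/LM-Password" failure back to the password lookups that came up empty. The `analyze` function and the `PASSWORD_SOURCES` set are assumptions made for this example.

```python
import re

# Abridged copy of the inner-tunnel debug lines from the post above.
DEBUG = r"""
++[unix] returns notfound
[ntdomain] Adding Stripped-User-Name = "josh"
++[ntdomain] returns ok
++[files] returns noop
++[etc_smbpasswd] returns notfound
++[pap] returns noop
[mschap] Told to do MS-CHAPv2 for josh with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
"""

RETURN_RE = re.compile(r"^\++\[(\w+)\] returns (\w+)$")
ATTR_RE = re.compile(r'^\[(\w+)\] Adding ([\w-]+) = "(.*)"$')
NO_HASH_RE = re.compile(r"^\[mschap\] FAILED: No NT/LM-Password")

# Assumption: the modules expected to supply password data in this setup.
PASSWORD_SOURCES = {"unix", "files", "etc_smbpasswd"}


def analyze(debug_text):
    """Summarise module return codes and explain a missing-hash MS-CHAP reject."""
    returns, added, missing_hash = [], {}, False
    for line in debug_text.splitlines():
        line = line.strip()
        if m := RETURN_RE.match(line):
            returns.append((m.group(1), m.group(2)))   # (module, return code)
        elif m := ATTR_RE.match(line):
            added[m.group(2)] = m.group(3)             # attribute added by a module
        elif NO_HASH_RE.match(line):
            missing_hash = True
    lookups = {mod: rc for mod, rc in returns if mod in PASSWORD_SOURCES}
    # True when mschap had no hash and no password source matched the user.
    no_source = missing_hash and not any(
        rc in ("ok", "updated") for rc in lookups.values())
    return {"returns": returns, "added": added,
            "password_lookups": lookups, "no_password_source": no_source}


if __name__ == "__main__":
    for key, value in analyze(DEBUG).items():
        print(f"{key}: {value}")
```

On this trace the summary shows the realm module did add `Stripped-User-Name`, while every password lookup, `etc_smbpasswd` included, returned without a match, so `mschap` had no hash to check the response against.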
