ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
Clement Ogedengbe
c.ogedengbe at worc.ac.uk
Fri Jul 3 13:02:13 CEST 2009
Can someone please help provide a clue into the problems with using ntlm_auth
in a FreeRADIUS config running on Debian?
The user/password information is held in the LDAP server. I have been able
to authenticate successfully with packets coming from non-EAP clients. But
for EAP authentication clients, I have been receiving the following error
lines. (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} to call the LDAP server.)
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=otha1_00
[mschap] mschap2: 18
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b06bae6a129ec4e7
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c0bec1a04bdd9fb489ef30a2bc22e5806405493ac2038167
Exec-Program output: Invalid handle (0xc0000008)
Exec-Program-Wait: plaintext: Invalid handle (0xc0000008)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\026E=691 R=1"
EAP-Message = 0x04160004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\026E=691 R=1"
EAP-Message = 0x04160004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
Clement
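
An added triage example, not part of the original post and not FreeRADIUS code: it reads debug lines like the ones above and separates what the ntlm_auth helper reported (exit code and NTSTATUS) from what the client was told in MS-CHAP-Error. The function name and the "helper_error" / "bad_credentials" labels are assumptions of this example; the sample input is built from lines in the post.

```python
import re

# Constructed sample: lines taken from the debug output in the post above.
SAMPLE_LOG = r'''
Exec-Program output: Invalid handle (0xc0000008)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
MS-CHAP-Error = "\026E=691 R=1"
[peap] Tunneled authentication was rejected.
'''

# NTSTATUS values that are a verdict on the credentials themselves.
CREDENTIAL_STATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
}
OTHER_STATUS = {0xC0000008: "STATUS_INVALID_HANDLE"}
# MS-CHAPv2 failure codes defined in RFC 2759.
CHAP_CODES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
              648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
              691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

EXEC_OUT = re.compile(r"^Exec-Program output: .*\((0x[0-9a-fA-F]{8})\)\s*$")
EXEC_RC = re.compile(r"^Exec-Program: returned: (\d+)")
CHAP_ERR = re.compile(r'^MS-CHAP-Error = ".*?E=(\d+) R=([01])')

def triage(log_text):
    """Return what the helper reported and what the client was told."""
    out = {"ntstatus": None, "helper_rc": None, "chap_error": None,
           "retry_allowed": None, "verdict": "no_failure_seen"}
    for line in (l.strip() for l in log_text.splitlines()):
        if m := EXEC_OUT.match(line):
            code = int(m.group(1), 16)
            out["ntstatus"] = CREDENTIAL_STATUS.get(code) or OTHER_STATUS.get(code, hex(code))
            # Assumption of this example: any other NTSTATUS is a helper-side fault.
            out["verdict"] = "bad_credentials" if code in CREDENTIAL_STATUS else "helper_error"
        elif m := EXEC_RC.match(line):
            out["helper_rc"] = int(m.group(1))
        elif m := CHAP_ERR.match(line):
            out["chap_error"] = CHAP_CODES.get(int(m.group(1)), m.group(1))
            out["retry_allowed"] = m.group(2) == "1"
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the helper's NTSTATUS is STATUS_INVALID_HANDLE while the client receives E=691, so the rejection seen by the supplicant does not by itself show that the password was wrong.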