802.1x ->Radius ->Ldap

Kyle Plimack kplimack at videoegg.com
Sat Jun 19 01:23:26 CEST 2010


So I gave in and connected radius to my active directory (which we wish we could get rid of).

I'm getting the following error now
Any thoughts on correcting this winbind error?

[mschapv2] +- entering group MS-CHAP {...}
[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for VIDEOEGG\kplimack with NT-Password
[mschap]     expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]     expand: %{User-Name:-None} -> VIDEOEGG\kplimack
[mschap]     expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=VIDEOEGG\kplimack
[mschap]     expand: %{mschap:NT-Domain} -> VIDEOEGG
[mschap]     expand: --domain=%{%{mschap:NT-Domain}:-VIDEOEGG} -> --domain=VIDEOEGG
[mschap]  mschap2: a0
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=f83a0b16419a7f71
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=fa180186e7d362c5ee57c6c776619d4d72173918ebc17b93
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect



On 6/18/10 1:54 PM, "Arran Cudbard-Bell" <a.cudbardb at googlemail.com> wrote:

That has to go in the wiki somewhere. That's possibly the best explanation of how FreeRADIUS processes requests I've ever heard... :)

-Arran
On Jun 18, 2010, at 1:50 PM, John Dennis wrote:

> On 06/18/2010 04:03 PM, Kyle Plimack wrote:
>> So how do I get pap to do it?
>
> If you're asking how you get pap to do mschap, then that's a nonsensical question.
>
> Here is how things work:
>
> The client sends you a radius auth request, you don't get to decide what's in it, the client does.
>
> The radius server looks at the request and says
>
> "hmmm... let's see what do we have here? What can I do with this?"
>
> The answer to that is what auth types you have enabled, what the server can lookup, and what's in the request.
>
> The server will do something like this:
>
> "Yo unix module, can you handle this one?"
>
> "Hey pap module, can you handle this one?"
>
> "Yo mschap module, can you handle this one?"
>
> At some point hopefully one of the modules will say:
>
> "No problem I got it"
>
> The decision as to whether a module can handle the request is made by the module by looking at the data available to it.
>
> So let's say the client sends a request with a password and you've got pap enabled. The pap module looks at the request and says
>
> "hmmm ... do I have a password for this user"
>
> if so then compare my copy of the password to what's in the request.
>
> How does radius find a user's password? By consulting its backend data store, which can be the users file, a SQL database, or ldap.
>
> So before the pap module runs ldap will run. ldap says
>
> "hmm... Can I find passwords for this user?" If so I'll add them to the request as a check item so my dear friend the pap module can use them, you know that pap guy, he's always looking for passwords.
>
> But WAIT! What if the client sends a MSCHAP request? What does the radius server say then?
>
> "Well that's a fine kettle of fish! That client has really really tied my hands on this one" The only thing the server can do is run the mschap logic.
>
> The mschap module looks at the request to see if there is a check item with either a clear text password or nt-hash (why? look at the protocol table). If those haven't been added by one of the datastores the mschap module says:
>
> "Sorry boss, no can do"
>
> But now the server has run out of options; its only choice was mschap because that's what the client sent it, and the mschap module can't handle it. So the server replies:
>
> "Loser! You ain't getting in here with those credentials" (Well really Auth-Reject)
>
>
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


