Logging ntlm authentication

Alan DeKok aland at deployingradius.com
Wed Sep 8 08:12:22 CEST 2010


Garber, Neal wrote:
> I just cloned and built the latest 2.1.10 to do some testing.  I did a PEAP-MSCHAPv2 authentication, with bad credentials, using eapol_test.  What I found seems to indicate the problem I was referring to still exists in 2.1.10 (probably because I wasn't clear enough in describing the issue).  

  OK.

> It seems that after ntlm_auth fails, it sends the EAP failure via an Access-Challenge.  Then, after it receives the response in the next Access-Request, it sends Access-Reject.  This is how it behaved prior to 2.1.9 also (this is what I meant by "extra round trip" in a previous post).  The problem is that any information stored in an attribute, after the ntlm_auth failure, will not survive the subsequent Access-Challenge, Access-Request.  I can post the debug output if you'd like to see it.

  Hmm... OK.  The issue appears to be that the tunneled reply is saved
for Access-Accept, but not Access-Reject.

> When I originally discovered this, I suggested storing the ntlm_auth output in the eap handler so it could be saved in Module-Failure-Message when the response to the EAP failure is received.  Is there a better approach?  If you tell me your preference, I'd be willing to create a patch..

  See "accept_vps" in rlm_eap_peap/*.  Something similar needs to be
done for reject, and for TTLS.

  Alan DeKok.



More information about the Freeradius-Users mailing list