The last piece of the puzzle - XP host authentication
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 19 17:14:55 CEST 2011

On 19/04/11 14:59, East, Bill wrote:
>> Have you made sure that your root cert is present in the right stores - remember windows
>> clients have both machine and per-user cert stores.
>> Machine auth requires it be in the machine store.
>
> Bah, I should have known that. It's fixed, now.

Cool

> This looks highly promising.
>
> I've got the syntax right in mschap now, I think, but the challenge is still being created strangely (or is it supposed to look like that?)
>
> [mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
> [mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password
> [mschap] expand: %{mschap:User-Name} -> LP-0010$
> [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$
> [mschap] mschap2: ac
> [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8

This all looks right (I have spent a distressing amount of time looking
at MS-CHAP blobs this last week).

> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

...but obviously this didn't work.

What version of Samba do you have? Some (much) older versions didn't
permit machine account login via ntlm_auth.
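
Added example, not part of the original message or of FreeRADIUS: a Python sketch of the RFC 2759 ChallengeHash() step that produces the 8-octet `--challenge` value, plus a length check on the two values quoted in the debug output above. The function names are hypothetical, and `ntlm_auth_username` only mirrors the `host/LP-0010.pffcu.org -> LP-0010$` expansion shown in the log.

```python
import hashlib
import re

# RFC 2759 section 9.2 test vectors (UserName "User").
PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")

# The two expansions quoted from the debug output in this thread.
LOG_LINES = [
    "[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44",
    "[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> "
    "--nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8",
]
EXPECTED_OCTETS = {"challenge": 8, "nt-response": 24}


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || auth || name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges are 16 octets each")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_username(name):
    """Mirror the expansion shown in the log: host/NAME.domain -> NAME$."""
    if name.startswith("host/"):
        return name[len("host/"):].split(".", 1)[0] + "$"
    return name  # assumption: other names pass through unchanged in this sketch


def check_ntlm_auth_args(debug_lines):
    """Return {argument: True/False} for the hex lengths passed to ntlm_auth."""
    results = {}
    for line in debug_lines:
        m = re.search(r"-> --(challenge|nt-response)=([0-9a-fA-F]*)\s*$", line)
        if m:
            results[m.group(1)] = len(m.group(2)) == 2 * EXPECTED_OCTETS[m.group(1)]
    return results


if __name__ == "__main__":
    print(challenge_hash(PEER, AUTH, "User").hex())
    print(ntlm_auth_username("host/LP-0010.pffcu.org"))
    print(check_ntlm_auth_args(LOG_LINES))
```

The hash input includes the user name, so hashing `host/LP-0010.pffcu.org` and `LP-0010$` gives different 8-octet challenges; in the log the full name goes into the challenge hash while the `$` form is what is passed as `--username`.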