Help with machine authentication
Phil Mayers
p.mayers at imperial.ac.uk
Fri Apr 22 12:25:39 CEST 2011
On 04/21/2011 08:08 PM, Eldred, Bob wrote:
> After configuring a Windows XP SP3 supplicant for machine authentication
> (which is stupidly complex, given the required registry hacks to make it
> work)
Once you've done it once, you can export it as a "netsh" XML profile,
then re-import it on other machines. Or use group policy on domain members.
> I get this in the debug output:
>
> ++[mschap] returns noop
> [ntdomain] No '\' in User-Name = "host/C776669.ppmenergy.us", looking up
> realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
>
>
> Now, I can clearly see that there *is* no '\' in the hostname there, nor
> should there be. But everything I've found on the web indicates that
> with the version of FreeRADIUS and Samba I have, %{mschap:User-Name}
> should be rewritten as C776669$. Getting the domain of the thing will
Correct, it should be rewritten from host/name.... to name$
> be another challenge of its own, I imagine.
%{mschap:NT-Domain} will expand the above to "ppmenergy". So, if the
short-form (NT4-style name) of your AD realm is "ppmenergy", that'll be fine.
If not, you'll have to hard-code the domain or get it otherwise. This is
one reason why Microsoft were DUMB to pick host/dnsname.domain.com - the
DNS name and authentication realm need not match. They should have just
sent host$@AUTH.REALM as the EAP-Identity and made everyone's life
easier... :o(
> ++[mschap] returns noop
This is as-expected. The request is EAP, not mschap, so mschap returns
noop. This is completely independent of using "%{mschap:User-Name}"
anywhere.
> [ntdomain] No '\' in User-Name = "host/C776669.ppmenergy.us", looking up
> realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
Again, as expected.
> Sending Access-Challenge of id 219 to 10.56.160.5 port 32768
> EAP-Message = 0x010700061900
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x1c7725f518703c6d6a5dce719626f316
> Finished request 14.
> Going to the next request
> Waking up in 4.9 seconds.
...and.... what happens next? This is just a single request. EAP
authentication involves lots of pairs of request/challenge, with a final
request/accept or request/reject.
I am going to take a wild guess - you are using "ntlm_auth" and you need
to edit the command line in raddb/modules/mschap to read:
ntlm_auth = ".... --username=%{mschap:User-Name} ..."
If not, please show the full authentication attempt so we can see where
it fails.
Better yet, carefully read through the full debug output yourself. The
failure code *will* be in there.
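As an added illustration of the two expansions Phil refers to (this is not code from the original post, from FreeRADIUS or from Samba), the POSIX sh script below re-implements what %{mschap:User-Name} and %{mschap:NT-Domain} produce for the three User-Name shapes a Windows supplicant sends, and shows the ntlm_auth command line a corrected raddb/modules/mschap entry would expand to. The sample identities other than the host/C776669.ppmenergy.us from the thread, the /usr/bin/ntlm_auth path and the fallback domain are constructed assumptions; the --challenge and --nt-response arguments, which come from the live EAP-MSCHAPv2 exchange, are deliberately left out. The authoritative logic lives in rlm_mschap.c.

```shell
#!/bin/sh
# Added example (not code from the original post, FreeRADIUS or Samba):
# a POSIX sh re-implementation of the two rlm_mschap expansions discussed
# above, so the rewrite can be checked without a running server.
#   %{mschap:User-Name}  "DOMAIN\user" -> "user", "host/NAME.suffix" -> "NAME$"
#   %{mschap:NT-Domain}  "DOMAIN\user" -> "DOMAIN", "host/NAME.dom.tld" -> "dom"
# The authoritative logic is in rlm_mschap.c; this mirrors only the
# behaviour the thread describes.

# %{mschap:User-Name}: strip a leading "DOMAIN\", then turn a Kerberos-style
# host principal into the sAMAccountName of the computer object (NAME$).
mschap_user_name() {
    name=${1#*\\}                 # "PPMENERGY\bob" -> "bob"; unchanged if no backslash
    case $name in
        host/*)
            host=${name#host/}    # "host/C776669.ppmenergy.us" -> "C776669.ppmenergy.us"
            host=${host%%.*}      # keep the first DNS label only: "C776669"
            printf '%s$\n' "$host"
            ;;
        *)
            printf '%s\n' "$name"
            ;;
    esac
}

# %{mschap:NT-Domain}: for host/ names the module takes the first label of
# the DNS suffix; for DOMAIN\user it takes DOMAIN; otherwise it has nothing
# to return (FreeRADIUS logs "No NT-Domain was found in the User-Name").
mschap_nt_domain() {
    name=$1
    case $name in
        host/*.*)
            suffix=${name#*.}     # "ppmenergy.us"
            printf '%s\n' "${suffix%%.*}"
            ;;
        *\\*)
            dom=${name%%\\*}      # "PPMENERGY\bob" -> "PPMENERGY"
            printf '%s\n' "$dom"
            ;;
        *)
            printf '\n'           # no domain information in the name at all
            ;;
    esac
}

# Build the interesting part of the ntlm_auth command line, the way the
# corrected raddb/modules/mschap entry would expand it. The binary path and
# the fallback domain ($2) are assumptions for this example; the
# --challenge/--nt-response arguments come from the live EAP-MSCHAPv2
# exchange and are omitted here.
ntlm_auth_cmdline() {
    user=$(mschap_user_name "$1")
    domain=$(mschap_nt_domain "$1")
    [ -n "$domain" ] || domain=$2   # nothing to derive: hard-code it, as the reply suggests
    printf '/usr/bin/ntlm_auth --request-nt-key --username=%s --domain=%s\n' "$user" "$domain"
}

# Constructed sample identities: the machine account from the thread, a
# DOMAIN\user login and a bare user name (the last two are made up).
for id in 'host/C776669.ppmenergy.us' 'PPMENERGY\bob' 'bob'; do
    printf '%-28s -> %s\n' "$id" "$(ntlm_auth_cmdline "$id" 'PPMENERGY')"
done
```

The bare "bob" case is the one where %{mschap:NT-Domain} is empty, which is why the stock module configuration wraps it in a default (%{%{mschap:NT-Domain}:-DOMAIN}) and why Phil says the domain may have to be hard-coded when the DNS suffix's first label is not the NT4 domain name.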
More information about the Freeradius-Users mailing list