mschap with ntlm_auth and Active Directory
robert22
robert at ardvuela.co.uk
Thu Mar 3 07:04:51 CET 2011
I am trying to setup freeRadius to process requests from our Wireless
Controller. The controller uses the wireless devices MAC address as the
username, and a predefined password. These MAC addresses all excist in
Active Directory as user accounts, with the same password set. This works
fine with our current Windows 2003 Server but Im trying to get it going with
FreeRadius.
the mschap module line in MSCHAP for ntlm_auth is as such:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
the ntlm_auth module itself contains:
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MY.ACTUAL.DOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
I havent changed anything to the users file except adding in a test local
user as part of the initial FreeRadius install guide, and uncommenting the
DEFAULT Auth-Type = ntlm_auth line for using the following to test:
root at FREERADIUS:/etc/freeradius# radtest localhost 0 sharedsecret
which seems to work:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=217,
length=20
but when I set the Wireless controller to point to the FreeRadius server,
this is the debug log:
----start----
rad_recv: Access-Request packet from host 10.0.9.101 port 32987, id=83,
length=163
User-Name = "001E52805980"
MS-CHAP-Challenge = 0x86acd2fc97136970
MS-CHAP-Response =
0x33013cd70c5db14d0ff0ba01097baeee613883c7711e96028461bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
NAS-Port-Type = Wireless-Other
NAS-Identifier = "redlan1"
Calling-Station-Id = "001E52805980"
Called-Station-Id = "001F457E67A8"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "001E52805980", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} ->
--username=001E52805980
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} ->
--domain=MY.ACTUAL.DOMAIN
[mschap] mschap1: 86
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=86acd2fc97136970
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 001E52805980
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
----END----
Hoping somone can point me in the right direction of where I might have
messed up, or what further readiing I might need to do?
Many Thanks
Robert
--
View this message in context: http://freeradius.1045715.n5.nabble.com/mschap-with-ntlm-auth-and-Active-Directory-tp3407522p3407522.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list