MSCHAP / NTLM_AUTH failure on "expired" AD password; out of sync cached creds / AD password.

Gary Gatten Ggatten at waddell.com
Fri May 13 01:04:17 CEST 2011


Hello,

We're struggling with Windows 7 and PEAP/MSCHAP auth.  There are several scenarios where one's AD password will expire.  FR is configured to send the auth request to AD (MSCHAP only, Aruba terminates PEAP) using NTLM_AUTH.  If the password is not expired everything works great.  If it IS expired, MSCHAP (or NTLM_AUTH) "seems" to always return a reject.  Now, users should NOT allow their password to expire - but we all know it happens.  Also, with new users an account is created with a temp / one-time password and their account is set to "user must change password at first logon".  This results in a similar failure - the supplicant never pops a box prompting to CHANGE the password, it just prompts to re-enter because of the failure - which is obviously worthless.

I THOUGHT MSCHAPv2 can recognize a "password expired" state and actually allow a user to change it via MSCHAPv2 functions.  Is this not correct, or are there settings in AD or the ntlm_auth/samba side I need to tweak?  Or should I be using LDAP?  And will it work at all using a "basic" MS supplicant, or do I need a third-party one that handles this better?

We have a similar failure when the laptops' "cached credentials" are out of sync with AD.  I.e., the user changed their AD password using their desktop on Friday.  Monday AM they bring in their laptop and try to log in.  Well, it's not "connected" to the domain, so they enter their old password just to get access to their laptop.  So far so good, until the supplicant (which is configured to "use my windows login info") grabs the old password and tries to auth - which of course fails because it's the old (now incorrect) password.  There seems to be some bug with Windows 7, because it WILL pop a box to allow the user to manually enter a password, but even when the new / correct password is entered - MSCHAP/NTLM_AUTH STILL fails.  It's as if, even though Windows 7 pops the box and allows one to enter a different password, it ignores it and ALWAYS uses the windows login credentials - which are invalid.  FWIW: if we REQUIRE the user to ALWAYS enter their credentials (don't try to use windows) I THINK everything works OK, BUT the powers that be say it's unacceptable for a user to have to log in twice - once to "windows" and then again to the "network".

My colleague has been messing with this for many hours to no avail.  I've spent several hours myself trying various configs, googling, etc.  Tomorrow I intend to take a more controlled / methodical approach to the testing scenarios and see what that may reveal.  In the meantime any advice would be greatly appreciated.  SURELY we're not the only ones to encounter this - it's a pretty common environment.  I don't THINK the problem, or at least the same problem, exists on XP - but I'm not 100% sure at this point.  FR is 2.1.10 and Samba is 3.0.33-3.7.el5.  I THINK our DCs are running 2003.

Below are FR debugs for (3) auth attempts, (1) success and (2) failures...  I expected the middle (2nd) request to fail, 'cause Windows automatically tried using the old/wrong creds - but the last / 3rd attempt should have worked...

TIA - Gary


#Working

rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=50, length=241
        NAS-IP-Address = 1.1.2.4
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "netengtest"
        Calling-Station-Id = "58946BB9F738"
        Called-Station-Id = "000B8661BF34"
        MS-CHAP-Challenge = 0x65f0e3833007ea3603cb7a74a97d905a
        MS-CHAP2-Response = 0x0600c3fb5dab7b3c82d77669020e64574a790000000000000000b656fe75b45fb03fcdb6cd0c1e7675da77b79296fb32e768
        Service-Type = Login-User
        Aruba-Essid-Name = "Bob"
        Aruba-Location-Id = "00:24:6c:c3:43:d3"
        NAS-Identifier = "Aruba-WLAN-1"
        Message-Authenticator = 0x43ab558afb7057dd052430f8829bf0e1
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop

Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap]        expand: %{mschap:User-Name} -> netengtest
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap]  mschap2: 65
[mschap] Creating challenge hash with username: netengtest
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=80f102377e0b1914
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b656fe75b45fb03fcdb6cd0c1e7675da77b79296fb32e768
Exec-Program output: NT_KEY: B2E9713382580CAFC4C5EAE9B83F6461
Exec-Program-Wait: plaintext: NT_KEY: B2E9713382580CAFC4C5EAE9B83F6461
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok

# Executing section post-auth from file /devel/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 50 to 1.1.2.4 port 33350
        MS-CHAP2-Success = 0x06533d38383935363335453339443030353230304644393132383945323846323245424242423042453530
        MS-MPPE-Recv-Key = 0xc5abbc0bad0bf488c01523801f46f494
        MS-MPPE-Send-Key = 0x48e3498b39788d95b47add261796c57d
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 4.


#Not Working, windows auto retry

rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=51, length=249
        NAS-IP-Address = 1.1.2.4
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "WADDELL\\netengtest"
        Calling-Station-Id = "58946BB9F738"
        Called-Station-Id = "000B8661BF34"
        MS-CHAP-Challenge = 0x311d0b69fd0ee15bf605dda7b0c7da0e
        MS-CHAP2-Response = 0x06008b488ab132a5a2ee7d3051bf0f75858700000000000000003bc8b876f0e5171fc2aef6667fbe2a038cb846368d395fa5
        Service-Type = Login-User
        Aruba-Essid-Name = "Bob"
        Aruba-Location-Id = "00:24:6c:c3:43:d3"
        NAS-Identifier = "Aruba-WLAN-1"
        Message-Authenticator = 0x9f6bc9ad403b95afd3506155e9e44761
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "WADDELL\netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop

Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap]        expand: %{mschap:User-Name} -> netengtest
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap]  mschap2: 31
[mschap] Creating challenge hash with username: netengtest
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c118e8c6818033b1
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3bc8b876f0e5171fc2aef6667fbe2a038cb846368d395fa5
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.

Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> WADDELL\netengtest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 51 to 1.1.2.4 port 33350


#Not Working, Manually entered password

rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=52, length=249
        NAS-IP-Address = 1.1.2.4
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "WADDELL\\netengtest"
        Calling-Station-Id = "58946BB9F738"
        Called-Station-Id = "000B8661BF34"
        MS-CHAP-Challenge = 0xda7118673bd18b3563feedff1107cc3f
        MS-CHAP2-Response = 0x070026aa6bd893de1a79db494843ad54b22e0000000000000000844ffd37fcda8bb1053320572de943678762ac51805a9170
        Service-Type = Login-User
        Aruba-Essid-Name = "Bob"
        Aruba-Location-Id = "00:24:6c:c3:43:d3"
        NAS-Identifier = "Aruba-WLAN-1"
        Message-Authenticator = 0xd61275e77c4c589d7dea376d07ed6a57
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "WADDELL\netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop

Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap]        expand: %{mschap:User-Name} -> netengtest
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap]  mschap2: da
[mschap] Creating challenge hash with username: netengtest
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a2e2cf9f927f511c
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=844ffd37fcda8bb1053320572de943678762ac51805a9170
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.

Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> WADDELL\netengtest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 52 to 1.1.2.4 port 33350
Waking up in 4.9 seconds.
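The three debug traces above show exactly what rlm_mschap hands to ntlm_auth: a username with any "DOMAIN\" prefix removed, an 8-byte challenge, and the 24-byte NT-Response taken from the MS-CHAP2-Response attribute. The 8-byte challenge is not the MS-CHAP-Challenge itself; it is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName) as defined in RFC 2759, where the 16-byte peer challenge sits at bytes 2..17 of MS-CHAP2-Response. The DC then checks whether the NT-Response is the client's NT password hash applied to that challenge, so any request built from a stale or wrong password can only come back as "Logon failure (0xc000006d)" (NT_STATUS_LOGON_FAILURE), which is what both failing traces show. The script below is an added example, not code from the post or from FreeRADIUS: it takes the attribute values copied from the first ("#Working") Access-Request as constructed sample input, parses the MS-CHAP2-Response layout, recomputes the challenge rlm_mschap logged, and decodes the MS-CHAP2-Success string from the Access-Accept. The domain stripping mirrors what the debug output shows ("Creating challenge hash with username: netengtest" for "WADDELL\netengtest"); the attribute names and helper function names are the example's own.

```python
"""Recompute the ntlm_auth arguments rlm_mschap derives from an MS-CHAPv2
Access-Request, and decode the MS-CHAP2-Success authenticator response.

Added example; not part of the original post or of FreeRADIUS.
"""
import hashlib

# Constructed sample: attribute values copied from the first ("#Working")
# Access-Request in the debug output above.
SAMPLE_REQUEST = {
    "User-Name": "netengtest",
    "MS-CHAP-Challenge": "65f0e3833007ea3603cb7a74a97d905a",
    "MS-CHAP2-Response": (
        "0600c3fb5dab7b3c82d77669020e64574a790000000000000000"
        "b656fe75b45fb03fcdb6cd0c1e7675da77b79296fb32e768"
    ),
}

# The MS-CHAP2-Success from the matching Access-Accept.
SAMPLE_SUCCESS = (
    "06533d38383935363335453339443030353230304644393132383945323846"
    "323245424242423042453530"
)


def strip_domain(user_name):
    """Drop a leading 'DOMAIN\\' the way the debug shows rlm_mschap doing
    (the with_ntdomain_hack behaviour): 'WADDELL\\netengtest' -> 'netengtest'."""
    return user_name.split("\\")[-1]


def parse_mschap2_response(hex_value):
    """RFC 2548 MS-CHAP2-Response layout (50 bytes after the vendor header):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(raw))
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],
        "nt_response": raw[26:50],
    }


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """ChallengeHash() from RFC 2759 section 8.2:
    first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(strip_domain(user_name).encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_args(request):
    """Return the --username / --challenge / --nt-response values that the
    debug output shows rlm_mschap expanding for ntlm_auth."""
    resp = parse_mschap2_response(request["MS-CHAP2-Response"])
    auth_challenge = bytes.fromhex(request["MS-CHAP-Challenge"])
    return {
        "username": strip_domain(request["User-Name"]),
        "challenge": challenge_hash(
            resp["peer_challenge"], auth_challenge, request["User-Name"]
        ).hex(),
        "nt_response": resp["nt_response"].hex(),
    }


def parse_mschap2_success(hex_value):
    """MS-CHAP2-Success is Ident(1) followed by the ASCII authenticator
    response 'S=<40 hex digits>' that the supplicant verifies."""
    raw = bytes.fromhex(hex_value)
    return raw[0], raw[1:].decode("ascii")


if __name__ == "__main__":
    args = ntlm_auth_args(SAMPLE_REQUEST)
    print(
        "ntlm_auth --request-nt-key --username=%s --challenge=%s --nt-response=%s"
        % (args["username"], args["challenge"], args["nt_response"])
    )
    # rlm_mschap logged --challenge=80f102377e0b1914 for this request.
    print("challenge matches debug output:", args["challenge"] == "80f102377e0b1914")
    print("MS-CHAP2-Success:", parse_mschap2_success(SAMPLE_SUCCESS))
```

Run it against the second or third trace by swapping in those attribute values: the username still reduces to netengtest, but the NT-Response was built from whatever password the supplicant used, and ntlm_auth can only report whether that response verifies against the account's current NT hash; it cannot tell a stale cached password from a mistyped one.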






URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110512/d3aa2c2e/attachment.html>
