Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Martin Ubank
Martin.Ubank at uwe.ac.uk
Fri Oct 14 16:34:55 CEST 2011
I've been following the FreeRADIUS deployment guide http://deployingradius.com/documents/configuration/active_directory.html
The following software is installed on a CentOS 6 VM:
- Samba 3.5.4, FreeRADIUS 2.1.9, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind.
I successfully performed basic configuration tests with the 'eapol_test' command for:
- PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv2.
I've created production certificates & successfully tested for the above protocols.
Installed Kerberos 1.8.2 & tested that successfully.
I started to configure FreeRADIUS with AD and successfully tested it to use ntlm_auth.
I've got to the final stage "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" in the deployment process.
This stage says:
1) "... delete the testing entry used above from the users file, ...", which I've done.
2) "... fine (sic) the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It ... should be uncommented, ...", which I've done.
3) "Start the server ..."
I ran 'radiusd -X'.
4) "... and use a test client to send an MS-CHAP authentication request."
I've used the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123'.
I can see from the 'radiusd -X' output that FreeRADIUS is not using MS-CHAP correctly:
<snip>
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
<snip>
The 'eapol_test' output reflects this:
<snip>
EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
EAP-MSCHAPV2: RX identifier 8 mschapv2_id 8
EAP-MSCHAPV2: Received challenge
EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=11):
65 64 75 72 6f 61 6d 74 65 73 74 USERNAME
EAP-MSCHAPV2: Generating Challenge Response
MSCHAPV2: Identity - hexdump_ascii(len=11):
65 64 75 72 6f 61 6d 74 65 73 74 USERNAME
MSCHAPV2: Username - hexdump_ascii(len=11):
65 64 75 72 6f 61 6d 74 65 73 74 USERNAME
MSCHAPV2: auth_challenge - hexdump(len=16): a5 e6 9e fa 6e 1f ec 2f 0b b6 a3 96 ef 45 15 32
MSCHAPV2: peer_challenge - hexdump(len=16): 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9
MSCHAPV2: username - hexdump_ascii(len=11):
65 64 75 72 6f 61 6d 74 65 73 74 USERNAME
MSCHAPV2: password - hexdump_ascii(len=20):
77 6f 72 6b 6d 61 6e 20 74 6f 64 61 79 20 61 72 PASSWORD
6e 69 63 61
MSCHAPV2: NT Response - hexdump(len=24): 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a
MSCHAPV2: Auth Response - hexdump(len=20): f0 95 4d 86 ee 82 8f c0 12 84 cc a7 d0 72 fb e6 95 b3 ef d1
MSCHAPV2: Master Key - hexdump(len=16): 31 8d ae c0 3d e1 42 0f ae 05 bc f0 72 da 98 72
EAP-MSCHAPV2: TX identifier 8 mschapv2_id 8 (response)
EAP-PEAP: Encrypting Phase 2 data - hexdump(len=70): 02 08 00 46 1a 02 08 00 41 31 44 31 43 ff 2f 12 5b 25 b5 eb fb 59 6f 8d 2a a9 00 00 00 00 00 00 00 00 66 67 95 3d 56 d6 ab b4 ab ba 64 bf 6c db 8b 51 77 ad 3e bc 96 26 7c 7a 00 65 64 75 72 6f 61 6d 74 65 73 74
<snip>
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=9 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE
The peap-mschapv2-cert-ntlm_auth.conf file contains:
#
# eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#
eapol_version=1
fast_reauth=0
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="USERNAME"
    # anonymous_identity="anonymous"
    password="PASSWORD"
    phase2="auth=MSCHAPV2"
    priority=10
    #
    # Uncomment the following to perform server certificate validation.
    ca_cert="/etc/raddb/certs/ca.der"
}
The file /etc/raddb/modules/mschap contains:
# -*- text -*-
#
# $Id$
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
    #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CAMPUS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
/etc/raddb/users contains (commented lines removed for clarity):
# DEFAULT Auth-Type = ntlm_auth
#
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
/etc/raddb/sites-enabled/default, a link to ../sites-available/default, contains (most commented lines removed):
authorize {
    preprocess
    chap
    mschap
#   digest
#   wimax
#   IPASS
    suffix
#   ntdomain
    eap {
        ok = return
    }
    unix
    files
#   sql
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
    expiration
    logintime
    pap
#   Autz-Type Status-Server {
#
#   }
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
#   digest
#   pam
    unix
#   Auth-Type LDAP {
#       ldap
#   }
    eap
#   Auth-Type eap {
#       eap {
#           handled = 1
#       }
#       if (handled && (Response-Packet-Type == Access-Challenge)) {
#           attr_filter.access_challenge.post-auth
#           handled # override the "updated" code from attr_filter
#       }
#   }
    ntlm_auth
}
preacct {
    preprocess
#   update request {
#       FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#   }
    acct_unique
#
#   IPASS
    suffix
#   ntdomain
    files
}
accounting {
    detail
#   daily
    unix
    radutmp
#   sradutmp
#   main_pool
#   sql
#   if (noop) {
#       ok
#   }
#   sql_log
#   pgsql-voip
    attr_filter.accounting_response
#   Acct-Type Status-Server {
#
#   }
}
session {
    radutmp
#   sql
}
post-auth {
#   main_pool
#   reply_log
#   sql
#   sql_log
#   ldap
    exec
#   wimax
    Post-Auth-Type REJECT {
#       sql
        attr_filter.access_reject
    }
}
pre-proxy {
#   attr_rewrite
#   files
#   attr_filter.pre-proxy
#   pre_proxy_log
}
post-proxy {
#   post_proxy_log
#   attr_rewrite
#   attr_filter.post-proxy
    eap
#   Post-Proxy-Type Fail {
#       detail
#   }
}
/etc/raddb/sites-enabled/inner-tunnel, a link to ../sites-available/inner-tunnel, contains (commented lines removed):
server inner-tunnel {
    #listen {
    #   ipaddr = 127.0.0.1
    #   port = 18120
    #   type = auth
    #}
    authorize {
        chap
        mschap
        unix
#       IPASS
        suffix
#       ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
#       sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
#       pam
        unix
#       Auth-Type LDAP {
#           ldap
#       }
        eap
        ntlm_auth
    }
    session {
        radutmp
#       sql
    }
    post-auth {
#       reply_log
#       sql
#       sql_log
#       ldap
        Post-Auth-Type REJECT {
#           sql
            attr_filter.access_reject
        }
    }
    pre-proxy {
#       attr_rewrite
#       files
#       attr_filter.pre-proxy
#       pre_proxy_log
    }
    post-proxy {
#       post_proxy_log
#       attr_rewrite
#       attr_filter.post-proxy
        eap
#       Post-Proxy-Type Fail {
#           detail
#       }
    }
} # inner-tunnel server block
However, it's not clear to me where the problem lies.
I've attached various files to illustrate the problem.
Can anyone point me in the direction of a solution?
I've not included full versions of the output due to the mailing list's message size limit.
Please let me know if I've not included sufficient information to diagnose the problem.
Cheers
Martin.
P.S. I've hidden the actual username & password used.
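An added example (not code from the post, from FreeRADIUS or from Samba) of the MS-CHAPv2 arithmetic that sits behind the ntlm_auth line in the mschap module file above, written in stdlib Python. Two things in the pasted output make it worth having. First, "Told to do MS-CHAPv2 for USERNAME with NT-Password" followed by "FAILED: No NT/LM-Password" is the module's local-hash path: it went looking for an NT-Password attribute and found none. When ntlm_auth is in effect for the module instance the running radiusd actually loaded, rlm_mschap needs no local hash at all; it hashes the two challenges and the user name down to the 8-byte value that %{mschap:Challenge} expands to, passes that and the client's 24-byte NT-Response to ntlm_auth as hex, and reads back the "NT_KEY: ..." line (the MD4 of the NT hash), from which it builds the MS-CHAP2-Success authenticator response and the MPPE keys. The code below performs each of those steps with the RFC 2759 section 9.2 test vectors so that it can be checked offline, builds the same argv as the configured command line (assuming the /usr/bin/ntlm_auth path and the CAMPUS fallback domain from the module file), and parses a constructed ntlm_auth output line. Second, a caveat on the eapol_test output: hexdump_ascii prints the identity and password bytes in the hex column as well as in the ASCII column, so masking only the ASCII column does not redact them from a pasted log.

```python
"""MS-CHAPv2 server-side steps around ntlm_auth (RFC 2759), stdlib only.

Added example; not code from the post, FreeRADIUS or Samba.  Path and
default domain mirror the mschap module line in the post (assumptions);
the test vectors are RFC 2759 section 9.2; the ntlm_auth output line is
constructed.
"""
import hashlib
import shlex

# Constants from RFC 2759 GenerateAuthenticatorResponse().
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA-1(peer || authenticator || user).
    For an MS-CHAPv2 request this is the value %{mschap:Challenge} expands to."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_argv(username: str, domain: str, challenge: bytes, nt_response: bytes,
                   ntlm_auth: str = "/usr/bin/ntlm_auth", default_domain: str = "CAMPUS"):
    """Argument vector equivalent to the ntlm_auth = "..." line in the post.
    The challenge hash and NT-Response travel as hex; an empty MS-CHAP domain
    falls back to the configured default, exactly like %{%{mschap:NT-Domain}:-CAMPUS}."""
    return [
        ntlm_auth,
        "--request-nt-key",
        "--username=%s" % username,
        "--domain=%s" % (domain or default_domain),
        "--challenge=%s" % challenge.hex(),
        "--nt-response=%s" % nt_response.hex(),
    ]


def parse_nt_key(output: str) -> bytes:
    """Extract the 16-byte NT_KEY from ntlm_auth's stdout ("NT_KEY: <32 hex digits>").
    On a failed authentication ntlm_auth prints no such line, so this raises."""
    for line in output.splitlines():
        if line.startswith("NT_KEY: "):
            key = bytes.fromhex(line[len("NT_KEY: "):].strip())
            if len(key) == 16:
                return key
    raise ValueError("no NT_KEY line in ntlm_auth output (authentication failed?)")


def authenticator_response(nt_key: bytes, nt_response: bytes, challenge: bytes) -> str:
    """RFC 2759 GenerateAuthenticatorResponse(): the "S=..." string sent in MS-CHAP2-Success.
    nt_key is PasswordHashHash = MD4(MD4(UTF-16LE(password))), which is what NT_KEY carries."""
    digest = hashlib.sha1(nt_key + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


# RFC 2759 section 9.2 test vectors (known-good values, not taken from the post).
RFC_USER = "User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
RFC_PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")

# Constructed stand-in for what a successful ntlm_auth --request-nt-key run prints.
SAMPLE_NTLM_AUTH_OUTPUT = "NT_KEY: 41C00C584BD2D91C4017A2A12FA59F3F\n"


def demo():
    """Run the server-side sequence once: challenge hash, argv, NT_KEY, success string."""
    chal = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    argv = ntlm_auth_argv(RFC_USER, "", chal, RFC_NT_RESPONSE)
    nt_key = parse_nt_key(SAMPLE_NTLM_AUTH_OUTPUT)
    success = authenticator_response(nt_key, RFC_NT_RESPONSE, chal)
    return chal, argv, success


if __name__ == "__main__":
    chal, argv, success = demo()
    print("challenge hash  :", chal.hex())
    print("ntlm_auth argv  :", " ".join(shlex.quote(a) for a in argv))
    print("MS-CHAP2-Success:", success)
```

The same values can be fed to a real ntlm_auth on the RADIUS host to separate a FreeRADIUS configuration problem from a winbind one: if the command line printed above, run by hand as the user radiusd runs as, returns an NT_KEY line for a real account, the module side is what needs attention.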