freeradius + ntlm_auth, broken?

Andres Septer andres.septer at navirec.com
Thu Mar 8 12:56:08 CET 2012


Hello

I am trying to set up AD as a freeradius authentication oracle. My system:
ohv:/etc/raddb/modules # radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host x86_64-suse-linux-gnu, built on Oct 19 2011 at 13:55

I followed these guidelines
http://deployingradius.com/documents/configuration/active_directory.html
and everything went great (user logons OK, all the tests described in the howto went OK) until the last part, MS-CHAP + ntlm_auth.

OK, here is what happens when I try to authenticate via MS-CHAP:

ohv:/etc/samba # radtest -t mschap freeradius.test passwordschmassword localhost 0 testing123
Sending Access-Request of id 11 to 127.0.0.1 port 1812
        User-Name = "freeradius.test"
        NAS-IP-Address = 10.128.160.4
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x7c68b9721c3a0b46
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000013e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=38
        MS-CHAP-Error = "\000E=691 R=1"

Let's see the freeradius log:

Thu Mar  8 13:42:03 2012 : Info: Found Auth-Type = MSCHAP
Thu Mar  8 13:42:03 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Thu Mar  8 13:42:03 2012 : Info: +- entering group MS-CHAP {...}
Thu Mar  8 13:42:03 2012 : Info: [mschap] Told to do MS-CHAPv1 with NT-Password
Thu Mar  8 13:42:03 2012 : Info: [mschap]       expand: --username=%{mschap:User-Name:-None} -> --username=freeradius.test
Thu Mar  8 13:42:03 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Thu Mar  8 13:42:03 2012 : Info: [mschap]       expand: %{mschap:NT-Domain} ->
Thu Mar  8 13:42:03 2012 : Info: [mschap]       ... expanding second conditional
Thu Mar  8 13:42:03 2012 : Info: [mschap]       expand: --domain=%{%{mschap:NT-Domain}:-LOCAL} -> --domain=LOCAL
Thu Mar  8 13:42:03 2012 : Info: [mschap]  mschap1: 7c
Thu Mar  8 13:42:03 2012 : Info: [mschap]       expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7c68b9721c3a0b46
Thu Mar  8 13:42:03 2012 : Info: [mschap]       expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
Thu Mar  8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind reply failed! (0xc0000001)
Thu Mar  8 13:42:03 2012 : Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Thu Mar  8 13:42:03 2012 : Debug: Exec-Program: returned: 1
Thu Mar  8 13:42:03 2012 : Info: [mschap] External script failed.
Thu Mar  8 13:42:03 2012 : Info: [mschap] MS-CHAP-Response is incorrect.
Thu Mar  8 13:42:03 2012 : Info: ++[mschap] returns reject

OK, let's strace this, find the actual command line sent to freeradius and try it out on the command line (edited to follow correct syntax!). The command line looks like this:
 /usr/bin/ntlm_auth "--request-nt-key", "--username=freeradius.test", "--domain=LOCAL", "--challenge=0x7c68b9721c3a0b46", "--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a"    
Logon failure (0xc000006d)

Wait, what? Let's re-check:
 ntlm_auth --request-nt-key --domain=local --username=freeradius.test --password=passwordschmassword
NT_STATUS_OK: Success (0x0)

It seems that the values for "challenge" and "response" are getting filled in incorrectly. I also tried turning the with_ntdomain_hack parameter on and off, but to no avail.
Is freeradius responsible for filling those parameters at all, or how can I fix this behaviour?

Andres Septer

Systems Administrator
Navirec Software OÜ
Tallinn, Estonia
http://navirec.com
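Added example, not code from the original post and not FreeRADIUS or Samba code: a small Python reconstruction of what the debug log above shows the mschap module doing, from the MS-CHAP-Challenge and MS-CHAP-Response attributes in the radtest packet to the ntlm_auth argv, plus the NT_KEY check the module applies to ntlm_auth's output. It goes beyond the post's MS-CHAPv1 case and also derives the 8-byte challenge that ntlm_auth needs for MS-CHAPv2. Assumptions: the sample attribute values are the ones quoted above (constructed from the packet dump, split by field), the "LOCAL" fallback stands in for the --domain=%{%{mschap:NT-Domain}:-LOCAL} expansion in the log, the field layouts are those of RFC 2548, and the domain-prefix handling for the v2 hash is simplified as noted in the code.

```python
"""Added example (not FreeRADIUS or Samba code): reproduce how the mschap
module turns the MS-CHAP attributes of the Access-Request above into the
ntlm_auth arguments seen in the debug log, and how it reads the result."""
import hashlib
from typing import Optional

# Constructed sample input: the attribute values from the radtest
# Access-Request quoted above, with MS-CHAP-Response split by field.
USER_NAME = "freeradius.test"
MSCHAP_CHALLENGE = bytes.fromhex("7c68b9721c3a0b46")
MSCHAP_RESPONSE = bytes.fromhex(
    "00"                                                  # Ident
    "01"                                                  # Flags: 1 = use NT-Response
    + "00" * 24                                           # LM-Response (zeroed, ignored)
    + "13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a"  # NT-Response
)


def parse_mschap_v1_response(attr: bytes) -> dict:
    """Split MS-CHAP-Response (RFC 2548 section 2.1.3) into its fields."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP-Response must be 50 bytes, got %d" % len(attr))
    return {"ident": attr[0], "flags": attr[1],
            "lm_response": attr[2:26], "nt_response": attr[26:50]}


def parse_mschap_v2_response(attr: bytes) -> dict:
    """Split MS-CHAP2-Response (RFC 2548 section 2.3.2) into its fields."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(attr))
    return {"ident": attr[0], "flags": attr[1], "peer_challenge": attr[2:18],
            "reserved": attr[18:26], "nt_response": attr[26:50]}


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    """MS-CHAPv2 ChallengeHash (RFC 2759 section 8.2): the 8-byte challenge
    ntlm_auth must be given instead of the 16-byte MS-CHAP-Challenge."""
    return hashlib.sha1(peer_challenge + auth_challenge + user.encode()).digest()[:8]


def split_nt_domain(user_name: str):
    """Mimic %{mschap:NT-Domain} / %{mschap:User-Name}: 'DOMAIN\\user' is
    split; a bare name gives no domain (the log's 'No NT-Domain was found')."""
    domain, sep, user = user_name.partition("\\")
    if sep:
        return domain, user
    return None, user_name


def build_ntlm_auth_argv(user_name, challenge, response, mschap_version=1,
                         default_domain="LOCAL", ntlm_auth="/usr/bin/ntlm_auth"):
    """Return the argv the module execs. default_domain plays the role of the
    configured fallback in --domain=%{%{mschap:NT-Domain}:-LOCAL}.
    Simplification (assumption): for v2 the name after a DOMAIN\\ prefix is
    always hashed; in the real module that depends on with_ntdomain_hack."""
    domain, user = split_nt_domain(user_name)
    if mschap_version == 1:
        nt_response = parse_mschap_v1_response(response)["nt_response"]
        chal = challenge
    else:
        fields = parse_mschap_v2_response(response)
        nt_response = fields["nt_response"]
        chal = challenge_hash(fields["peer_challenge"], challenge, user)
    return [ntlm_auth, "--request-nt-key",
            "--username=%s" % user,
            "--domain=%s" % (domain or default_domain),
            "--challenge=%s" % chal.hex(),
            "--nt-response=%s" % nt_response.hex()]


def interpret_ntlm_auth_output(output: str) -> Optional[bytes]:
    """With --request-nt-key, ntlm_auth prints 'NT_KEY: <hex>' on success;
    anything else (the winbind error or NT_STATUS text in the log above) is a
    failure, which the module reports as 'External script failed'."""
    line = output.strip().splitlines()[0] if output.strip() else ""
    if line.startswith("NT_KEY: "):
        return bytes.fromhex(line[len("NT_KEY: "):].strip())
    return None


if __name__ == "__main__":
    import shlex
    argv = build_ntlm_auth_argv(USER_NAME, MSCHAP_CHALLENGE, MSCHAP_RESPONSE)
    print(" ".join(shlex.quote(a) for a in argv))
```

Running the block prints the argv derived from the packet; comparing it with the --challenge and --nt-response expansions in the debug log separates "the attribute-to-argument mapping is wrong" from "winbind rejected a correctly mapped request", which are the two halves of the question above.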