ntlm_auth not respected

Chris Parker cparkervt at me.com
Thu Aug 22 16:14:17 CEST 2013


Thank you for setting me on the right track; I have followed the directions on http://deployingradius.com/documents/configuration/active_directory.html (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per those directions.
When I run the ntlm_auth command manually, it works find / as does running wbinfo -a

root at leopard:/etc/freeradius# wbinfo -a wyse1%K503D
plaintext password authentication succeeded
challenge/response password authentication succeeded


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, length=113
	User-Name = "wyse1"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0xe07a375bed09f1f7
	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000065b157b183b4d29d455414b184c57af4912b1d74f4ed726
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "wyse1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] 	expand: %{Stripped-User-Name} -> 
[mschap] 	... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] 	expand: %{User-Name:-None} -> wyse1
[mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
[mschap]  mschap1: e0
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
Exec-Program output: Reading winbind reply failed! (0xc0000001) 
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Reading winbind reply failed! (0xc0000001)): [wyse1/<via Auth-Type = mschap>] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 60046
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +15
Ready to process requests.

On Aug 22, 2013, at 5:50 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 21/08/13 23:44, Chris Parker wrote:
>> Okay, pardon my confusion then. I had been following a howto online
>> and it reported that the command when run manually will produce the
>> key.
>> 
>> Either way, I'm still having a failure in MSCHAP with radtest that
>> I'm not quite grasping.
> 
> Well, as I explained in my other email, mschap == challenge/response, "modules/ntlm_auth" != challenge/response.
> 
> To reiterate, "modules/ntlm_auth" is almost certainly not what you want, and is not intended to be used as-is. I would unconfigure it and concentrate on getting "modules/mschap" working.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list