Freeradius with EAP/MSChap and Windows 2012

David Aldwinckle daldwinc at uwaterloo.ca
Tue Jan 21 19:11:41 CET 2014


The radiusd process can't read the response from winbind.

http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO


"WARNING!!!

When called by radiusd (thus directly setting the challenge value) the
ntlm_auth program needs permission to access winbindd's
winbindd_privileged directory (somewhere under /var). Read access will
usually be sufficient.

The radiusd.conf file sets the uid and gid your radiusd process will run
as (by the user and group directives, respectively). The ntlm_auth process
will have the same identity. If your filesystem containing the
winbindd_privileged directory supports POSIX ACLs, you can safely grant
ntlm_auth the necessary permissions, in case your distribution's default
settings were insufficient. If radiusd runs as the user radiusd for
example, then you should use setfacl the following way

setfacl -m u:radiusd:rx winbindd_privileged

Or something similar. See
http://www.suse.de/~agruen/acl/linux-acls/online/ or man setfacl for more
information on POSIX ACLs!"


Dave Aldwinckle

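The warning quoted above gives the fix in one line. The script below is an added example written for this page, not code from either poster or from the FreeRADIUS or Samba projects. It makes the check repeatable: read the user radiusd runs as from radiusd.conf, run the same ntlm_auth invocation shown in the log (the --challenge/--nt-response form) as that user instead of root, and apply the wiki's setfacl fix. The winbindd_privileged path is an assumption (it is distribution-specific), as is the fallback that a radiusd.conf with no user directive leaves radiusd running as root; /usr/bin/ntlm_auth and the argument order come from the log in the original post.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeRADIUS, Samba or either poster.
# Turns the wiki warning into a repeatable check:
#   1. which user radiusd runs as (the `user = ...` directive in radiusd.conf)
#   2. whether ntlm_auth, run AS THAT USER, can talk to winbind
#   3. granting r+x on winbindd_privileged with a POSIX ACL
# Assumptions: PRIV_DIR below is distribution-specific; a missing `user =`
# directive is taken to mean radiusd keeps the identity of whoever started it.

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"
PRIV_DIR="${PRIV_DIR:-/var/lib/samba/winbindd_privileged}"   # assumed location

# Print the first uncommented `user = ...` directive of a radiusd.conf
# (top level in 2.x, inside security { } in 3.x; indentation is ignored).
# Falls back to root (assumption: daemon started from init as root).
radiusd_user() {
    u=$(sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${u:-root}"
}

# Build the ntlm_auth command line in the challenge/response form from the
# log, same argument order. Arguments: user domain challenge nt-response (hex).
ntlm_auth_cmd() {
    printf '%s --request-nt-key --username=%s --challenge=%s --domain=%s --nt-response=%s\n' \
        "$NTLM_AUTH" "$1" "$3" "$2" "$4"
}

# Hint at how a non-root user could reach the directory, from `ls -ld`:
# "other" = world r+x, "acl" = an ACL is present (GNU ls appends +),
# "none" = neither (then only the owner or the owning group get in).
# This is only a hint; run_as_radiusd below is the authoritative test.
priv_dir_access_hint() {
    mode=$(ls -ld "$1" | cut -d' ' -f1)
    case "$mode" in
        d??????r?x*) echo other ;;
        d?????????+) echo acl ;;
        *)           echo none ;;
    esac
}

# Reproduce the radiusd code path: the root shell test in the original post
# passes because root can read winbindd_privileged regardless, so run the
# call as the radiusd user instead. Needs root (for su). Exit status is
# ntlm_auth's: 0 = NT_STATUS_OK; exit 1 with "Reading winbind reply failed!"
# is the symptom from the thread.
# Usage: run_as_radiusd /etc/freeradius/radiusd.conf USER DOMAIN CHALLENGE NT_RESPONSE
run_as_radiusd() {
    conf="$1"; shift
    su -s /bin/sh "$(radiusd_user "$conf")" -c "$(ntlm_auth_cmd "$@")"
}

# Grant r+x on winbindd_privileged to the radiusd user via a POSIX ACL (the
# wiki's setfacl line) and print the resulting ACL for verification.
# Needs root, the acl tools, and a filesystem with POSIX ACL support.
grant_priv_dir_acl() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not found (install the acl package)" >&2; return 1; }
    setfacl -m "u:$(radiusd_user "$1"):rx" "$PRIV_DIR" && getfacl -p "$PRIV_DIR"
}
```

Typical use is `priv_dir_access_hint "$PRIV_DIR"` to see why the radiusd user is locked out, `run_as_radiusd` with the challenge and NT-response values copied from a debug log to reproduce the failure, then `grant_priv_dir_acl /etc/freeradius/radiusd.conf` and a second `run_as_radiusd` to confirm NT_STATUS_OK. Some distributions ship the directory 0750 owned by a dedicated group; adding the radiusd user to that group is the alternative to the ACL, and the hint function reports "none" in that case because group membership is not visible from the mode bits alone.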

On 1/21/2014, 9:47 AM, "Carsten Czerner" <carsten.czerner at leuphana.de>
wrote:

>Hi,
>
>I have some trouble with the implementation of a WLAN PEAP
>authentication with freeradius and ntlm-auth against a Windows 2012
>Server.
>
>I used the freeradius howto:
>
>- The PC can authenticate against the domain:
>
>root at rad1-wlan:/etc/freeradius/sites-enabled# /usr/bin/ntlm_auth
>--request-nt-key --domain=ADINT.DIR --username=peterpan --password=1234567
>NT_STATUS_OK: Success (0x0)
>
>
>When I try to connect to the WLAN, I am prompted for a user/password and
>after accepting the cert the following log appears:
>
>Tue Jan 21 15:22:20 2014 : Info: Found Auth-Type = EAP
>Tue Jan 21 15:22:20 2014 : Info: # Executing group from file
>/etc/freeradius/sites-enabled/wlan
>Tue Jan 21 15:22:20 2014 : Info: +- entering group eap {...}
>Tue Jan 21 15:22:20 2014 : Info: [eap] Request found, released from the
>list
>Tue Jan 21 15:22:20 2014 : Info: [eap] EAP/mschapv2
>Tue Jan 21 15:22:20 2014 : Info: [eap] processing type mschapv2
>Tue Jan 21 15:22:20 2014 : Info: [mschapv2] # Executing group from file
>/etc/freeradius/sites-enabled/wlan
>Tue Jan 21 15:22:20 2014 : Info: [mschapv2] +- entering group MS-CHAP
>{...}
>Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with
>username: peterpan
>Tue Jan 21 15:22:20 2014 : Info: [mschap] Told to do MS-CHAPv2 for
>peterpan with NT-Password
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>%{Stripped-User-Name} ->
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       ... expanding second
>conditional
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand: %{User-Name} ->
>peterpan
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>%{%{User-Name}:-None} -> peterpan
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
>--username=peterpan
>Tue Jan 21 15:22:20 2014 : Info: [mschap] Creating challenge hash with
>username: peterpan
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>%{mschap:Challenge} -> 961c5ef0871022f8
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>--challenge=%{%{mschap:Challenge}:-00} -> --challenge=961c5ef0871022f8
>Tue Jan 21 15:22:20 2014 : Info: [mschap] No NT-Domain was found in the
>User-Name.
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>%{mschap:NT-Domain} ->
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       ... expanding second
>conditional
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>--domain=%{%{mschap:NT-Domain}:-ADINT.DIR} -> --domain=ADINT.DIR
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>%{mschap:NT-Response} -> 500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed
>Tue Jan 21 15:22:20 2014 : Info: [mschap]       expand:
>--nt-response=%{%{mschap:NT-Response}:-00} ->
>--nt-response=500c5d66631f60e8c22cd8510406cb15c0868eee8d7a9fed
>Tue Jan 21 15:22:20 2014 : Debug: Exec-Program output: Reading winbind
>reply failed! (0xc0000001)
>Tue Jan 21 15:22:20 2014 : Debug: Exec-Program-Wait: plaintext: Reading
>winbind reply failed! (0xc0000001)
>Tue Jan 21 15:22:20 2014 : Debug: Exec-Program: returned: 1
>Tue Jan 21 15:22:20 2014 : Info: [mschap] External script failed.
>Tue Jan 21 15:22:20 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is
>incorrect
>Tue Jan 21 15:22:20 2014 : Info: ++[mschap] returns reject
>Tue Jan 21 15:22:20 2014 : Info: [eap] Freeing handler
>Tue Jan 21 15:22:20 2014 : Info: ++[eap] returns reject
>Tue Jan 21 15:22:20 2014 : Info: Failed to authenticate the user.
>Tue Jan 21 15:22:20 2014 : Auth: Login incorrect (mschap: External
>script says Reading winbind reply failed! (0xc0000001)): [peterpan/<via
>Auth-Type = EAP>] (from client WLAN port 29 cli 84-3a-4b-7a-6a-2c via
>TLS tunnel)
>
>Does anyone know why this happen?
>
>Regards
>Carsten
>
>
