PEAP and Automatically use my Windows logon name

Michal Bruncko michal.bruncko at zssos.sk
Thu Jan 30 19:36:12 CET 2014


Of course, I forgot to provide FR version: 
freeradius-2.1.12-4.el6_3.x86_64 (on Centos 6.5)

sorry

On 30. 1. 2014 19:27, Michal Bruncko wrote:
> Hello
>
> I am trying to authenticate end VPN users using PEAP method toward 
> freeradius server. On client side there is built-in VPN client (PPTP) 
> on windows 7 machines. In general everything is working - users are 
> able to authenticate once they manually use their credentials. Also the 
> scenario with including (manually filled) domain name is also 
> available and users are able to authenticate as well.
> The problems start if I try to use "Automatically use my Windows 
> logon name and password (and domain if any)" checkbox within PEAP 
> method - the user is not able to authenticate even if the logged-in 
> windows account (login/pass) is the same as on server side.
>
> From the radius debug logs the problems started with beginning of 
> mschapv2 module:
>
> Working part (with manually filled domain):
> [mschapv2] # Executing group from file 
> /etc/raddb/sites-enabled/inner-tunnel-vpn
> [mschapv2] +- entering group MS-CHAP {...}
> [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user")
> [mschapv2] expand: %{My-Local-Client-Type} -> user
> [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE
> [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE
> [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...}
> [mschap_vpn] Creating challenge hash with username: bob
> [mschap_vpn] Told to do MS-CHAPv2 for timeos with NT-Password
> [mschap_vpn] expand: --username=%{mschap:User-Name} -> --username=bob
> [mschap_vpn] Creating challenge hash with username: bob
> [mschap_vpn] expand: --challenge=%{mschap:Challenge:-00} -> 
> --challenge=63b158798144225d
> [mschap_vpn] expand: --nt-response=%{mschap:NT-Response:-00} -> 
> --nt-response=44a58798471dc8e98dc3854e7c285246596fafb0c116cd14
> Exec-Program output: NT_KEY: ABF2579A08227E23F0984101C44B8D12
> Exec-Program-Wait: plaintext: NT_KEY: ABF2579A08227E23F0984101C44B8D12
> Exec-Program: returned: 0
> [mschap_vpn] adding MS-CHAPv2 MPPE keys
> +++[mschap_vpn] returns ok
> ++- if ("%{My-Local-Client-Type}" == "user") returns ok
> MSCHAP Success
>
>
> Not working case (using "Automatically use my Windows logon name..."):
> [mschapv2] # Executing group from file 
> /etc/raddb/sites-enabled/inner-tunnel-vpn
> [mschapv2] +- entering group MS-CHAP {...}
> [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user")
> [mschapv2] expand: %{My-Local-Client-Type} -> user
> [mschapv2] ? Evaluating ("%{My-Local-Client-Type}" == "user") -> TRUE
> [mschapv2] ++? if ("%{My-Local-Client-Type}" == "user") -> TRUE
> [mschapv2] ++- entering if ("%{My-Local-Client-Type}" == "user") {...}
> [mschap_vpn] ERROR: User-Name (abrakadabra\bob) is not the same as 
> MS-CHAP Name (bob) from EAP-MSCHAPv2
> +++[mschap_vpn] returns reject
> ++- if ("%{My-Local-Client-Type}" == "user") returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> Login incorrect: [abrakadabra\\bob] (from client vpn.exmaple.com port 
> 0 via TLS tunnel)
>
>
> mschap module:
> mschap mschap_vpn {
> with_ntdomain_hack = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
> --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
> --nt-response=%{mschap:NT-Response:-00} 
> --require-membership-of=S-1-5-21-248145504-287154277-2125575804-1588"
> }
>
> notes:
> - If I write the domain in login box manually, it is typed in 
> uppercase (without ability to change) - "ABRAKADABRA\bob". If I check 
> "Automatically use my Windows logon name...", the domain (only 
> local-computer) name is pushed in lower case: "abrakadabra\bob". 
> That's the main difference I can see from comparing both debug logs.
> - if I write the domain manually inside the login name using 
> "abrakadabra\bob" and keep the "Domain" field empty - the name will be 
> pushed "abrakadabra\bob" - but in this case, I will be authenticated 
> _successfully_. It sounds to me that this issue has nothing to do 
> with uppercase/lowercase of domain name, but it must be something else 
> which breaks all authentication using windows login credentials.
> - the client computer domain is not real domain - it's just the 
> computer name but this does not matter as the domain name is not 
> pushed to ntlm_auth at all. If I try to log in directly using 
> "ntlm_auth" without providing "--domain" parameter - I will be 
> authenticated correctly.
>
> Please, does anyone have PEAP authentication working with the ability to use 
> "Automatically use my Windows logon name..."? What am I doing wrong?
>
> thank you
>
> michal

-- 
Ing. Michal Bruncko, PhD., CCNP, RHCSA™
IT systems and network administrator
Coupled school of business and services Ruzomberok
Slovak Republic
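As an added example (not part of the thread and not FreeRADIUS's own code), here is a small Python helper that parses the mismatch line quoted in the debug log and classifies whether the outer User-Name and the inner MS-CHAP name differ only by an NT-domain prefix, only by letter case, or are different accounts; `names_consistent` is a simplified model of the check, written under the assumption that stripping `DOMAIN\` from both names is what makes them compare equal.

```python
import re
from typing import Optional, Tuple

# Constructed sample line, modelled on the rlm_mschap debug output quoted in the mail.
SAMPLE_LOG = (r"[mschap_vpn] ERROR: User-Name (abrakadabra\bob) is not the same as "
              r"MS-CHAP Name (bob) from EAP-MSCHAPv2")

MISMATCH_RE = re.compile(
    r"User-Name \((?P<user_name>[^)]*)\) is not the same as "
    r"MS-CHAP Name \((?P<mschap_name>[^)]*)\)")


def split_nt_domain(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (DOMAIN, user); a bare user name gets domain None."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else (None, name)


def classify_mismatch(user_name: str, mschap_name: str) -> str:
    """Say what differs between the outer User-Name and the inner MS-CHAP name."""
    _, outer_user = split_nt_domain(user_name)
    _, inner_user = split_nt_domain(mschap_name)
    if outer_user == inner_user:
        return "domain-prefix-only"  # user parts agree; only a DOMAIN\ prefix differs
    if outer_user.lower() == inner_user.lower():
        return "case-only"           # same user, different letter case
    return "different-user"          # genuinely different accounts: not a prefix problem


def diagnose(line: str) -> Optional[dict]:
    """Parse one debug line; return both names and the mismatch class, or None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    user_name, mschap_name = m.group("user_name"), m.group("mschap_name")
    return {"user_name": user_name, "mschap_name": mschap_name,
            "kind": classify_mismatch(user_name, mschap_name)}


def names_consistent(user_name: str, mschap_name: str, strip_domain: bool) -> bool:
    """Simplified model (assumption, not rlm_mschap's source): compare the two names,
    optionally after dropping a DOMAIN\\ prefix from both."""
    if strip_domain:
        user_name = split_nt_domain(user_name)[1]
        mschap_name = split_nt_domain(mschap_name)[1]
    return user_name == mschap_name


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(names_consistent("abrakadabra\\bob", "bob", strip_domain=False))  # False, as in the log
    print(names_consistent("abrakadabra\\bob", "bob", strip_domain=True))   # True
```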


