Machine auth fails but user auth works
Dennis Xu
dxu at uoguelph.ca
Tue Dec 8 18:39:33 CET 2015
I see one difference between my machine auth and user auth cases:
User auth:
(18) mschap : Creating challenge hash with username: dxu
(18) mschap : Client is using MS-CHAPv2
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(18) mschap : EXPAND --username=%{%{mschap:User-Name}:-00}
(18) mschap : --> --username=dxu
(18) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(18) mschap : --> --username=dxu
(18) ERROR: mschap : No NT-Domain was found in the User-Name
(18) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA}
(18) mschap : --> --domain=CFS.UOGUELPH.CA
(18) mschap : Creating challenge hash with username: dxu
(18) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(18) mschap : --> --challenge=5cf265648d2f7da7
(18) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(18) mschap : --> --nt-response=5f4067f8278986cb3b524f75e1af8eef82e7753376f06191
Program returned code (0) and output 'NT_KEY: 0DB0BDD00DBF8F89BB011EB4035FE849'
(18) mschap : Adding MS-CHAPv2 MPPE keys
(18) [mschap] = ok
(18) } # Auth-Type MS-CHAP = ok
MSCHAP Success
Machine auth:
(19) mschap : Creating challenge hash with username: host/CCS-252.cfs.uoguelph.ca
(19) mschap : Client is using MS-CHAPv2
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(19) mschap : EXPAND --username=%{%{mschap:User-Name}:-00}
(19) mschap : --> --username=CCS-252$
(19) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(19) mschap : --> --username=host/CCS-252.cfs.uoguelph.ca
(19) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA}
(19) mschap : --> --domain=cfs
(19) mschap : Creating challenge hash with username: host/CCS-252.cfs.uoguelph.ca
(19) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(19) mschap : --> --challenge=9845f8f1049eec1c
(19) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(19) mschap : --> --nt-response=c1ee140e5d85a62db9d4dd943a841a0f317a77521e0c26e0
Program returned code (1) and output 'Logon failure (0xc000006d)'
(19) mschap : External script failed
(19) ERROR: mschap : External script says: Logon failure (0xc000006d)
(19) ERROR: mschap : MS-CHAP2-Response is incorrect
(19) [mschap] = reject
(19) } # Auth-Type MS-CHAP = reject
The EXPAND domain value from user auth is "domain=CFS.UOGUELPH.CA" which is correct, but it got "domain=cfs" in the machine auth case. I am not sure if that is important.
----- Original Message -----
From: "Dennis Xu" <dxu at uoguelph.ca>
To: "Alan DeKok" <aland at deployingradius.com>
Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, December 8, 2015 12:23:51 PM
Subject: Re: Machine auth fails but user auth works
Sorry attached the wrong debug file in previous email. Please see this one.
Dennis
----- Original Message -----
From: "Dennis Xu" <dxu at uoguelph.ca>
To: "Alan DeKok" <aland at deployingradius.com>
Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, December 8, 2015 12:22:36 PM
Subject: Re: Machine auth fails but user auth works
Here I have the complete eap file and debug outputs.
Thanks.
----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: dxu at uoguelph.ca, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, December 8, 2015 11:39:55 AM
Subject: Re: Machine auth fails but user auth works
On Dec 8, 2015, at 11:35 AM, Dennis Xu <dxu at uoguelph.ca> wrote:
> Just started to work on this again today. I put the server cert and all intermediate CAs into the same file and changed the /mods-available/eap file as below:
> certificate_file = ${certdir}/all_certs.pem
> ca_file = ${cadir}/all_certs.pem
>
> Machine auth still failed but with different outputs. I don't see the "tlsv1 alert unknown ca" errors anymore.
>
> Would you please check the debug outputs again and advise?
You've deleted the useful portions, which is unhelpful.
Post ALL of the debug output. And don't waste our time with edited portions of it. Since you can't solve the problem, you don't know which pieces are useful, and which aren't. So don't edit the debug output.
Alan DeKok.
More information about the Freeradius-Users
mailing list