Machine auth fails but user auth works
Dennis Xu
dxu at uoguelph.ca
Tue Dec 8 23:20:01 CET 2015
I changed to "--domain=CFS.UOGUELPH.CA" and now it does not get any domains for machine authentication:
(8) mschap : Creating challenge hash with username: host/CCS-252.cfs.uoguelph.ca
(8) mschap : Client is using MS-CHAPv2
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=CFS.UOGUELPH.CA --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(8) mschap : EXPAND --username=%{%{mschap:User-Name}:-00}
(8) mschap : --> --username=CCS-252$
(8) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(8) mschap : --> --username=host/CCS-252.cfs.uoguelph.ca
(8) mschap : Creating challenge hash with username: host/CCS-252.cfs.uoguelph.ca
(8) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(8) mschap : --> --challenge=683ac434c3c89a99
(8) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(8) mschap : --> --nt-response=55082eea2ef4b8b9d7fb4985c654723659cdee6d13ebe2ef
Program returned code (1) and output 'Logon failure (0xc000006d)'
(8) mschap : External script failed
(8) ERROR: mschap : External script says: Logon failure (0xc000006d)
(8) ERROR: mschap : MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # Auth-Type MS-CHAP = reject
Dennis
----- Original Message -----
From: "Matthew Newton" <mcn4 at leicester.ac.uk>
To: "Dennis Xu" <dxu at uoguelph.ca>
Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, December 8, 2015 4:54:13 PM
Subject: Re: Machine auth fails but user auth works
On Tue, Dec 08, 2015 at 04:42:21PM -0500, Dennis Xu wrote:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-00}
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA}
That's not hardcoded.
Hardcoded means setting
--domain=CFS.UOGUELPH.CA
i.e. no expansion so nothing else can change the setting.
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
If I understand correctly from other posts, if a client specifies a
domain name, it will use that domain name regardless of the
ntlm_auth configuration?
%{mschap:...} is magic as far as I am concerned. :)
If you want clients to change the domain name, sure set that up.
But as I wrote before if you know that all clients are talking to
the same domain, why allow them to fiddle with the settings?
(My view here may not be consistent with others on this, but it's
what I do.)
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
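The point Matthew makes about hardcoding `--domain` versus letting `%{mschap:NT-Domain}` pass through whatever the client asserted can be modelled as a small policy check that runs before ntlm_auth is spawned. The following is an added example, not FreeRADIUS or rlm_mschap code: it mirrors what the debug output above shows for the `%{mschap:User-Name}` expansion (`host/CCS-252.cfs.uoguelph.ca` becoming `CCS-252$`), applies either a fixed domain or an allowlist of client-selectable domains, validates the challenge and response lengths, and builds a single-`--username` argument vector. The `DOMAIN\user` handling, the allowlist, and the function names are assumptions for illustration; the sample values are copied from the debug output quoted in the thread.

```python
"""Illustrative model of deriving the ntlm_auth identity from an MS-CHAP
User-Name and applying a domain policy before ntlm_auth is spawned.
Added example, not FreeRADIUS/rlm_mschap code."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample values, copied from the debug output quoted in the thread.
SAMPLE_MACHINE = "host/CCS-252.cfs.uoguelph.ca"
SAMPLE_CHALLENGE = "683ac434c3c89a99"  # 8-byte MS-CHAPv2 challenge hash, hex
SAMPLE_NT_RESPONSE = "55082eea2ef4b8b9d7fb4985c654723659cdee6d13ebe2ef"  # 24-byte NT-Response, hex
HARDCODED_DOMAIN = "CFS.UOGUELPH.CA"

HEX = re.compile(r"[0-9a-fA-F]+")


@dataclass
class NtlmIdentity:
    username: str             # value passed as --username
    nt_domain: Optional[str]  # domain the client asserted, if any


def parse_mschap_identity(user_name: str) -> NtlmIdentity:
    """Model of the %{mschap:User-Name} / %{mschap:NT-Domain} expansions.
    Assumption: this reproduces the behaviour visible in the debug output,
    it is not a transcription of the rlm_mschap source.
      host/NAME.dns.suffix -> username NAME$, domain dns.suffix
      DOMAIN\\user         -> username user,  domain DOMAIN
      user                 -> username user,  no domain
    """
    if user_name.startswith("host/"):
        short, _, dns_suffix = user_name[len("host/"):].partition(".")
        return NtlmIdentity(short + "$", dns_suffix or None)
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return NtlmIdentity(user, domain)
    return NtlmIdentity(user_name, None)


def choose_domain(ident: NtlmIdentity, hardcoded: Optional[str],
                  allowed: FrozenSet[str]) -> Optional[str]:
    """Hardcoded domain (Matthew's recommendation) always wins and the client's
    assertion is ignored. Otherwise the client may pick a domain, but only one
    on the operator's allowlist; anything else is rejected (None)."""
    if hardcoded:
        return hardcoded
    if ident.nt_domain and ident.nt_domain.upper() in allowed:
        return ident.nt_domain
    return None


def build_ntlm_auth_argv(user_name: str, challenge: str, nt_response: str,
                         hardcoded_domain: Optional[str] = None,
                         allowed_domains: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Return the ntlm_auth argv to execute, or None if the request should be
    rejected without spawning ntlm_auth at all."""
    # Reject malformed challenge/response before touching the helper binary.
    if not (HEX.fullmatch(challenge) and len(challenge) == 16):
        return None
    if not (HEX.fullmatch(nt_response) and len(nt_response) == 48):
        return None
    ident = parse_mschap_identity(user_name)
    domain = choose_domain(ident, hardcoded_domain, allowed_domains)
    if domain is None:
        return None
    # Exactly one --username: the expanded command in the thread carries two.
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key",
        f"--username={ident.username}",
        f"--domain={domain}",
        f"--challenge={challenge}",
        f"--nt-response={nt_response}",
    ]


if __name__ == "__main__":
    print(build_ntlm_auth_argv(SAMPLE_MACHINE, SAMPLE_CHALLENGE, SAMPLE_NT_RESPONSE,
                               hardcoded_domain=HARDCODED_DOMAIN))
```

With `hardcoded_domain` set, a client-asserted `OTHER\bob` still goes to `CFS.UOGUELPH.CA`; without it, the same request is refused unless `OTHER` is on the allowlist, which is the trade-off the thread is discussing.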