Radius and AD authentication

Matthew Newton mcn4 at leicester.ac.uk
Mon Oct 19 01:41:01 CEST 2015


On Sun, Oct 18, 2015 at 06:09:42AM -0400, Michael Price wrote:
>   	program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.netN --username=%{mschap:User-Name} --password=%{User-Password}"
...
> (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain.netN --username=%{mschap:User-Name} --password=%{User-Password}:

--domain=domain.netN - typo

> (0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
> (0) ntlm_auth:    --> --username=chicken
> (0) ntlm_auth: EXPAND --password=%{User-Password}
> (0) ntlm_auth:    --> --password=2Number9!

[change your password]

> (0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)'

fails.

>   	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain.net} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

domain.net - no typo

>   	program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.netN --username=%{mschap:User-Name} --password=%{User-Password}"

> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain.net} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (0) mschap:    --> --username=chicken
> (0) mschap: ERROR: No NT-Domain was found in the User-Name
> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-domain.net}
> (0) mschap:    --> --domain=domain.net
> (0) mschap: mschap1: 27
> (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
> (0) mschap:    --> --challenge=27572b879bc37cd5
> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
> (0) mschap:    --> --nt-response=3446fe427512934fce4d2bed4172dfb37fa43ab483323a01
> (0) mschap: Program returned code (0) and output 'NT_KEY: B598B7914410495012BA70A8F02E4DA5'

works.

Fix up the domain in mods-enabled/ntlm_auth.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
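
An added example, not part of the original message or of FreeRADIUS: a Python script that prepares debug output like the above for posting by redacting expanded `--password=` values, and reports when different modules pass different `--domain=` values to ntlm_auth. The function names and the sample log are constructed for illustration, and the password in the sample is made up.

```python
import re

# Constructed sample, modelled on the debug output quoted above (password is made up).
SAMPLE = """\
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain.netN --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=chicken
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=Constructed-Pw1
(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-domain.net}
(0) mschap:    --> --domain=domain.net
"""

# Literal value after --password= up to end of line (passwords may contain spaces).
# Unexpanded %{...} templates are configuration, not secrets, so they are kept.
PASSWORD_RE = re.compile(r"(--password=)(?!%\{).+")
# "(N) module: ... --domain=value", skipping unexpanded %{...} templates.
DOMAIN_RE = re.compile(r"\(\d+\)\s+(\w+):.*?--domain=(?!%\{)([^\s:]+)")


def redact(log: str) -> str:
    """Replace every expanded password value with a marker."""
    return PASSWORD_RE.sub(r"\1[REDACTED]", log)


def domains_by_module(log: str) -> dict:
    """Map each module name to the set of literal domains it passed to ntlm_auth."""
    found = {}
    for line in log.splitlines():
        m = DOMAIN_RE.search(line)
        if m:
            # Lower-cased so that a difference in case alone is not reported.
            found.setdefault(m.group(1), set()).add(m.group(2).lower())
    return found


def mismatched_domains(log: str) -> set:
    """Return all domains seen if the modules disagree, else an empty set."""
    seen = set().union(*domains_by_module(log).values())
    return seen if len(seen) > 1 else set()


if __name__ == "__main__":
    print(redact(SAMPLE))
    print("domains per module:", domains_by_module(SAMPLE))
    print("mismatch:", sorted(mismatched_domains(SAMPLE)))
```
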

