freeradius auth in win AD

Alan DeKok aland at deployingradius.com
Thu Jun 16 15:58:11 CEST 2016


On Jun 16, 2016, at 8:19 AM, Zenon Matuszyk <zenon.matuszyk at networkers.pl> wrote:
> 
> Hello,
> 
> I have a little problem with auth in Windows AD by using userPrincipalName (using samAccountName works fine). In mschap file i have:
> 
>    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> 
> and ldap file:
> 
> filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
> 
> In debug I see:
...
> [mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
> [mschap] Told to do MS-CHAPv2 for aa.aa at stud.wcc.domain.pl with NT-Password
> [mschap]        expand: %{Stripped-User-Name} ->
> [mschap]        ... expanding second conditional
> [mschap]        expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
> [mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa at stud.wcc.domain.pl
> [mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
> [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=1282528812d8f6bb
> [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=484795e959127ad898fd4230c3e3f52cbd19297d084e00d5
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

  That seems definitive.

  The name / password is incorrect.

  Alan DeKok.
