radtest passes test, phone connects to WiFi, but laptop does not
Daniel Wruck
daniel.wruck at fbchammond.com
Wed Nov 2 19:48:39 CET 2016
I am a FreeRADIUS newbie but have read a lot (maybe too much - One gripe is that much of the forums on the internet does not clearly list a FreeRADIUS version). I set FreeRADIUS 3 times (test network - FR 2.1 on Ubuntu 14.04, test network - FR 3.0.12 on upgraded Ubuntu 16.04, and prod network - FR 3.0.12 on Ubuntu 16.04) but still could have missed some little important step.
I have FreeRADIUS 3.0.12 set up on an Ubuntu 16.04 box. I believe that I have most everything working (except maybe sql). I have an AD forest with 1 domain (fbcexample.com) and 3 child domains (hac.fbcexample.com, cbs.fbcexample.com, and hac.fbcexample.com). I created 4 named mschap modules so that I could hard code the --domain property in each one. I can successfully rad test from each of my 4 domains against it including group membership. Then I setup a test SSID on my aruba controller. I can connect via my android phone (with just username & pass), but connecting a laptop to is not working (it appears that it is sending domain as a part of username). It seems that there is more security stuff going on when the laptop connects; maybe I don't have MSCHAPv2 configured right? Something broken in realms?
When the Win 10 x64 laptop connects, radius -X first shows that it is trying to connect via computer name. Then a box pops up asking for username and password with a checkmark for 'Use my Windows user account", I choose and continue. Radius -X shows that several more requests are made and then windows sows 'Can't connect to this network'. Any suggestions on where my problem is?
I created the CA and server certs and have believe them to be correctly installed. But not sure that this has anything to do with the problem descripted above.
Examples of the code that I am running. I included a pastebin for the 3000 lines of radius -X output.
WORKING RADTEST LINE
radtest -t mschap daniel.radius passw0rd 127.0.0.1 0 testing123
ABBREVIATED MSCHAP MODULE
mschap mschap_fbc {
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi'"
. . .
}
DEFAULT SITE AUTHENICATE SECTION
authenticate {
. . .
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap_fbc {
reject = 2
}
if (reject){
mschap_hac
reject = 2
}
if (reject){
mschap_hbs
reject = 2
}
if (reject){
mschap_cbs
reject = 2
}
}
. . .
}
Small part of the Radius -X WHEN CONNECTING WITH LAPTOP, all 3000+ lines are in pastebin below
(16) mschap_fbc: Creating challenge hash with username: daniel.radius
(16) mschap_fbc: Client is using MS-CHAPv2
(16) mschap_fbc: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi':
(16) mschap_fbc: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(16) mschap_fbc: --> --username=FBCEXAMPLE\\daniel.radius
(16) mschap_fbc: Creating challenge hash with username: daniel.radius
(16) mschap_fbc: EXPAND --challenge=%{%{mschap_fbc:Challenge}:-00}
(16) mschap_fbc: --> --challenge=63abafd041820bf2
(16) mschap_fbc: EXPAND --nt-response=%{%{mschap_fbc:NT-Response}:-00}
(16) mschap_fbc: --> --nt-response=6bdebf5ac39680b7070c457fefacbdc1596103429c14eb64
(16) mschap_fbc: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(16) mschap_fbc: External script failed
(16) mschap_fbc: ERROR: External script says: Logon failure (0xc000006d)
(16) mschap_fbc: ERROR: MS-CHAP2-Response is incorrect
Full output of Radius -X output when laptop trys to connect
http://pastebin.com/TJpYVYnK
Daniel W
More information about the Freeradius-Users
mailing list