Trouble running ntlm_auth with mschap

Alan Buxey alan.buxey at gmail.com
Sat Aug 19 18:38:59 CEST 2017


Use e.g. eapol_test for testing and ensure you have all the options, e.g. mppe
etc., set to yes in the mschap module

alan

On 18 Aug 2017 2:36 pm, "Dirk Bonenkamp - ProActive" <dirk at proactive.nl>
wrote:

> Hi All,
>
> I'm running Ubuntu 16.04 LTS, Samba 4.3.11 and Freeradius 3.0.15.
>
> I'm having trouble using mschap when authenticating against my AD using
> ntlm_auth. Testing with wbinfo or ntlm_auth from the command line works.
> Running NTLM_AUTH through freeradius (configured by myself, which just calls
> ntlm_auth straight), works fine:
>
> radtest dirk MyPaSsWord localhost 0 testing123
>
> Output:
>
> (2) Found Auth-Type = NTLM_AUTH
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2)   Auth-Type NTLM_AUTH {
> (2) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --password=%{User-Password}:
> (2) ntlm_auth: EXPAND --username=%{mschap:User-Name}
> (2) ntlm_auth:    --> --username=dirk
> (2) ntlm_auth: EXPAND --password=%{User-Password}
> (2) ntlm_auth:    --> --password=MyPaSsWord
> (2) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
> (2) ntlm_auth: Program executed successfully
> (2)     [ntlm_auth] = ok
> (2)   } # Auth-Type NTLM_AUTH = ok
>
> But when running:
>
> radtest -t mschap dirk MyPaSsWord localhost 0 testing123
>
> I get:
>
> (0) Found Auth-Type = mschap
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0)   authenticate {
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (0) mschap: EXPAND --username=%{mschap:User-Name}
> (0) mschap:    --> --username=dirk
> (0) mschap: mschap1: a2
> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (0) mschap:    --> --challenge=a2ecd01e5bdf0ef6
> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (0) mschap:    --> --nt-response=28c30e8ce6d1a2ecd6877be94a654d6336afa03527aace03
> (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: Logon failure (0xc000006d)
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> (0)     [mschap] = reject
>
> I'm really puzzled here... I had this working on an Ubuntu 12.04 /
> freeradius 2.x setup, but I'm really stuck now.
>
> Any help or hints are highly appreciated. Thank you in advance, kind
> regards,
>
> Dirk


More information about the Freeradius-Users mailing list
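
The two pieces of the advice in the reply above, written out as an added example that is not part of the thread or the FreeRADIUS project's own files: an eapol_test input that drives PEAP/MS-CHAPv2 instead of the MS-CHAPv1 exchange `radtest -t mschap` produced in the log, and the yes/no options in the mschap module. The file name, `ssid` and `anonymous_identity` values are constructed, reading "mppe etc" as the three options shown is an assumption, and the user, domain, secret and `ntlm_auth` line are the ones quoted in the post.

```conf
# ---------------------------------------------------------------
# File 1: peap-mschapv2.conf (constructed name), input for eapol_test.
# Syntax is a wpa_supplicant network block.
# Run against the local server from the post:
#   eapol_test -c peap-mschapv2.conf -a 127.0.0.1 -p 1812 -s testing123
# ---------------------------------------------------------------
network={
    # eapol_test does not associate with an AP; the SSID is a constructed value.
    ssid="example"
    key_mgmt=WPA-EAP
    # Outer method: PEAP tunnel. Inner method: MS-CHAPv2.
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity is sent in the clear; inner identity goes inside the tunnel.
    anonymous_identity="anonymous"
    identity="dirk"
    password="MyPaSsWord"
}

# ---------------------------------------------------------------
# File 2: mods-available/mschap (FreeRADIUS 3.0.x), options set to yes.
# Assumption: these are the options the reply means by "mppe etc".
# ---------------------------------------------------------------
mschap {
    # Return MPPE keys to the NAS after a successful MS-CHAP exchange.
    use_mppe = yes
    # Tell the NAS that encryption is required, not optional.
    require_encryption = yes
    # Require 128-bit keys rather than allowing weaker ones.
    require_strong = yes

    # Same helper invocation as shown in the debug output in the post.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

With the server running in debug mode, the `mschap:` line for this request should report MS-CHAPv2 rather than the `MS-CHAPv1` seen in the failing test, which separates a protocol-version problem from a credentials problem.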