Trouble running ntlm_auth with mschap

Dirk Bonenkamp - ProActive dirk at proactive.nl
Mon Aug 21 08:06:43 CEST 2017


Thank you Alan,

After some testing, it turns out that:

use_mppe = yes

Is not the same as

#use_mppe = no

But it works again now.

Cheers,

Dirk

On 2017-08-19 18:38, Alan Buxey wrote:
> Use e.g. eapol_test for testing and ensure you have all the options, e.g. mppe
> etc., set to yes in mschap module
> 
> alan
> 
> On 18 Aug 2017 2:36 pm, "Dirk Bonenkamp - ProActive" <dirk at proactive.nl> wrote:
> 
>> Hi All,
>> 
>> I'm running Ubuntu 16.04 LTS, Samba 4.3.11 and Freeradius 3.0.15.
>> 
>> I'm having trouble using mschap when authenticating against my AD using
>> ntlm_auth. Testing with wbinfo or ntlm_auth from the command line works.
>> Running NTLM_AUTH through freeradius (configured by myself, which just calls
>> ntlm_auth straight), works fine:
>> 
>> radtest dirk MyPaSsWord localhost 0 testing123
>> 
>> Output:
>> 
>> (2) Found Auth-Type = NTLM_AUTH
>> (2) # Executing group from file /etc/freeradius/sites-enabled/default
>> (2)   Auth-Type NTLM_AUTH {
>> (2) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --password=%{User-Password}:
>> (2) ntlm_auth: EXPAND --username=%{mschap:User-Name}
>> (2) ntlm_auth:    --> --username=dirk
>> (2) ntlm_auth: EXPAND --password=%{User-Password}
>> (2) ntlm_auth:    --> --password=MyPaSsWord
>> (2) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
>> (2) ntlm_auth: Program executed successfully
>> (2)     [ntlm_auth] = ok
>> (2)   } # Auth-Type NTLM_AUTH = ok
>> 
>> But when running:
>> 
>> radtest -t mschap dirk MyPaSsWord localhost 0 testing123
>> 
>> I get:
>> 
>> (0) Found Auth-Type = mschap
>> (0) # Executing group from file /etc/freeradius/sites-enabled/default
>> (0)   authenticate {
>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>> (0) mschap: EXPAND --username=%{mschap:User-Name}
>> (0) mschap:    --> --username=dirk
>> (0) mschap: mschap1: a2
>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>> (0) mschap:    --> --challenge=a2ecd01e5bdf0ef6
>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>> (0) mschap:    --> --nt-response=28c30e8ce6d1a2ecd6877be94a654d6336afa03527aace03
>> (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
>> (0) mschap: External script failed
>> (0) mschap: ERROR: External script says: Logon failure (0xc000006d)
>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>> (0)     [mschap] = reject
>> 
>> I'm really puzzled here... I had this working on an Ubuntu 12.04 /
>> freeradius 2.x setup, but I'm really stuck now.
>> 
>> Any help or hints are highly appreciated. Thank you in advance, kind
>> regards,
>> 
>> Dirk
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html