Trouble running ntlm_auth with mschap

Alan Buxey alan.buxey at gmail.com
Mon Aug 21 14:22:47 CEST 2017


Correct. Commented out values are the defaults. The default is no.

Actually it's 2017 now so the default for that config should all be yes and
strong etc.  That probably won't happen due to it maybe being a breaking
change for legacy sites but it should certainly be the defaults in v4 :)

alan

On 21 Aug 2017 7:08 am, "Dirk Bonenkamp - ProActive" <dirk at proactive.nl>
wrote:

> Thank you Alan,
>
> After some testing, it turns out that:
>
> use_mppe = yes
>
> Is not the same as
>
> #use_mppe = no
>
> But it works again now.
>
> Cheers,
>
> Dirk
>
> On 2017-08-19 18:38, Alan Buxey wrote:
>
>> Use eg eapol_test for testing and ensure you have all the options eg mppe
>> etc set to yes in mschap module
>>
>> alan
>>
>> On 18 Aug 2017 2:36 pm, "Dirk Bonenkamp - ProActive" <dirk at proactive.nl>
>> wrote:
>>
>>> Hi All,
>>>
>>> I'm running Ubuntu 16.04 LTS, Samba 4.3.11 and Freeradius 3.0.15.
>>>
>>> I'm having trouble using mschap when authenticating against my AD using
>>> ntlm_auth. Testing with wbinfo or ntlm_auth from the command line works.
>>> Running NTLM_AUTH through freeradius (configured by myself, which just
>>> calls ntlm_auth straight), works fine:
>>>
>>> radtest dirk MyPaSsWord localhost 0 testing123
>>>
>>> Output:
>>>
>>> (2) Found Auth-Type = NTLM_AUTH
>>> (2) # Executing group from file /etc/freeradius/sites-enabled/default
>>> (2)   Auth-Type NTLM_AUTH {
>>> (2) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --password=%{User-Password}:
>>> (2) ntlm_auth: EXPAND --username=%{mschap:User-Name}
>>> (2) ntlm_auth:    --> --username=dirk
>>> (2) ntlm_auth: EXPAND --password=%{User-Password}
>>> (2) ntlm_auth:    --> --password=MyPaSsWord
>>> (2) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
>>> (2) ntlm_auth: Program executed successfully
>>> (2)     [ntlm_auth] = ok
>>> (2)   } # Auth-Type NTLM_AUTH = ok
>>>
>>> But when running:
>>>
>>> radtest -t mschap dirk MyPaSsWord localhost 0 testing123
>>>
>>> I get:
>>>
>>> (0) Found Auth-Type = mschap
>>> (0) # Executing group from file /etc/freeradius/sites-enabled/default
>>> (0)   authenticate {
>>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>>> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>>> (0) mschap: EXPAND --username=%{mschap:User-Name}
>>> (0) mschap:    --> --username=dirk
>>> (0) mschap: mschap1: a2
>>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>>> (0) mschap:    --> --challenge=a2ecd01e5bdf0ef6
>>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>>> (0) mschap:    --> --nt-response=28c30e8ce6d1a2ecd6877be94a654d6336afa03527aace03
>>> (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
>>> (0) mschap: External script failed
>>> (0) mschap: ERROR: External script says: Logon failure (0xc000006d)
>>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>>> (0)     [mschap] = reject
>>>
>>> I'm really puzzled here... I had this working on an Ubuntu 12.04 /
>>> freeradius 2.x setup, but I'm really stuck now.
>>>
>>> Any help or hints are highly appreciated. Thank you in advance, kind
>>> regards,
>>>
>>> Dirk
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
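
The distinction this thread turns on, that a commented-out line such as "#use_mppe = no" only documents a default while "use_mppe = yes" is an active setting, can be checked mechanically. The following is an added example, not code from the thread or from FreeRADIUS; the require_encryption and require_strong option names are an assumption about what "yes and strong etc." refers to, and the sample config is constructed.

```python
import re

# Options to report on. use_mppe is named in the thread; require_encryption and
# require_strong are assumed to be what "yes and strong etc." refers to.
WATCHED = ("use_mppe", "require_encryption", "require_strong")

# Constructed sample of an mschap module file (not the poster's real config);
# the ntlm_auth command is taken from the debug output quoted in the thread.
SAMPLE = """\
mschap {
    use_mppe = yes
#   require_encryption = yes
    # require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name}"
}
"""

# Optional leading '#', an option name, '=', then the value.
LINE = re.compile(r"^\s*(#?)\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")

def audit_mschap(text, watched=WATCHED):
    """Map each watched option to (state, value); state is set/commented/absent."""
    result = {name: ("absent", None) for name in watched}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) not in result:
            continue
        hashed, name, value = m.groups()
        value = value.split("#", 1)[0].strip().strip('"')  # drop trailing comment
        if not hashed:
            result[name] = ("set", value)        # an active line always wins
        elif result[name][0] == "absent":
            result[name] = ("commented", value)  # documentation only, not applied
    return result

def findings(text):
    """List watched options that are not explicitly set to yes."""
    out = []
    for name, (state, value) in audit_mschap(text).items():
        if state != "set":
            out.append(f"{name}: {state}, server default applies")
        elif value.lower() != "yes":
            out.append(f"{name}: explicitly set to {value}")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE):
        print(line)
```
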


More information about the Freeradius-Users mailing list