Change username for MSCHAPv2
Gabriele Verzeletti
gabriele at verzeletti.org
Mon Jul 3 14:28:09 CEST 2017
Using Stripped-User-Name was one of my first tries.
I got this error:
eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: Creating challenge hash with username: /user/@/domain.com/
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:Stripped-User-Name}:-None}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(8) mschap: ERROR: Unknown expansion string 'Stripped-User-Name'
<--------------------------- UNKNOWN !!!!!
(8) mschap: EXPAND --username=%{%{mschap:Stripped-User-Name}:-None}
(8) mschap: --> --username=None
(8) mschap: Creating challenge hash with username: /user at domain.com/
(8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(8) mschap: --> --challenge=ae371b1f11bb456a
(8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(8) mschap: -->
--nt-response=36fafc123be05aa58780eec7406d0a16a70423c7f4e1cf84
(8) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
(8) mschap: External script failed
(8) mschap: ERROR: External script says: Logon failure (0xc000006d)
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
Also, the challenge is created against user@domain.com, and not against
Stripped-User-Name.
On 06/30/2017 07:25 PM, Alan DeKok wrote:
> On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele at verzeletti.org> wrote:
>> Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
>> I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP and MSCHAPv2 against Active directory.
>> User accounts are identified by userPrincipalName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName.
> ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
>
>> With an external script I'm able to perform a query on Active Directory and retrieve the samAccountName, but if I update the attribute User-Name using
>>
>> authorize {
>> update request {
>> User-Name := `/path/to/my/script '%{User-Name}'`
>> }
>> }
> Don't edit the User-Name. It's wrong.
>
> You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
>
>> I have an error in the log
>>
>> (0) # Executing group from file /etc/raddb/sites-enabled/default
>> (0) authenticate {
>> (0) eap: Identity does not match User-Name, setting from EAP Identity
>> (0) eap: Failed in handler
>> (0) [eap] = invalid
>> (0) } # authenticate = invalid
> Yup
>
> In the short term, you can do:
>
> authorize {
> update request {
> Stripped-User-Name := `/path/to/my/script '%{User-Name}'`
> }
> }
>
> And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
>
> Alan DeKok.
>
>
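An added example, not taken from the thread, of how the two pieces of configuration Alan refers to fit together. It assumes the stock FreeRADIUS 3.0 layout (inner-tunnel site, mods-available/mschap) and a hypothetical /path/to/my/script that prints the samAccountName for a given UPN. The "Unknown expansion string" error in the debug output above comes from `%{mschap:Stripped-User-Name}`: the `mschap` xlat only understands its own keywords (such as Challenge and NT-Response), so Stripped-User-Name must be referenced as an ordinary request attribute.

```text
# /etc/raddb/sites-available/inner-tunnel   (added example, not from the thread)
authorize {
    # Hypothetical helper script: maps the UPN in User-Name to the samAccountName.
    # Leave User-Name untouched; only set Stripped-User-Name, and only once.
    if (!&Stripped-User-Name) {
        update request {
            &Stripped-User-Name := `/path/to/my/script '%{User-Name}'`
        }
    }
}

# /etc/raddb/mods-available/mschap

# Broken: "Stripped-User-Name" is not a keyword of the mschap xlat, so the
# expansion fails and ntlm_auth is run with --username=None
# (the "Unknown expansion string" line in the debug output).
#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:Stripped-User-Name}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

# Corrected: reference Stripped-User-Name as a plain attribute and fall back
# to User-Name when it is unset; this is the form the stock 3.0 config uses.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
```

Run `radiusd -X` after the change and check that the `EXPAND --username=` line in the inner-tunnel output now shows the samAccountName rather than `None`.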