ntlm_auth with ms-chap
Jürgen Obermeyer
om at oegym.de
Fri Aug 31 19:36:34 CEST 2018
Good evening from Germany,
I installed (for the very first time) freeradius on an Ubuntu 18.04 box.
The version is 3.0.16. I would like to use freeradius to authenticate my
users against Samba passwords using ntlm_auth. I followed EXACTLY the
instructions on the website deployingradius.com, beginning from the
initial setup to the last step, "Configuring FreeRADIUS to use ntlm_auth
for MS-CHAP". Only this last step fails, and I have no idea why. This is
an excerpt of the debug output:
***
(2) Found Auth-Type = mschap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) mschap: Client is using MS-CHAPv1 with NT-Password
(2) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-OEGNET}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(2) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(2) mschap: --> --username=om
(2) mschap: ERROR: No NT-Domain was found in the User-Name
(2) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-OEGNET}
(2) mschap: --> --domain=OEGNET
(2) mschap: mschap1: 12
(2) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2) mschap: --> --challenge=12473d849ab42a45
(2) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(2) mschap: -->
--nt-response=7cba13f9a4b65406feb11d25441a189c18b2389b0fe6e922
(2) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(2) mschap: External script failed
(2) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(2) mschap: ERROR: MS-CHAP2-Response is incorrect
(2) [mschap] = reject
(2) } # authenticate = reject
(2) Failed to authenticate the user
***
I tried with 'radtest -t mschap ...' getting the following answer:
***
root at hermes:/etc/freeradius.old# radtest -t mschap om topsecret
localhost 0 testing123
Sent Access-Request Id 18 from 0.0.0.0:37196 to 127.0.0.1:1812 length 128
User-Name = "om"
MS-CHAP-Password = "topsecret"
NAS-IP-Address = 192.168.6.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "topsecret"
MS-CHAP-Challenge = 0x6d7f7ccb15612a8a
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000db860e0276efb23bc02d3a0f2f5d0977ae73f0b6ea6f3937
Received Access-Reject Id 18 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
MS-CHAP-Error = "\000E=691 R=1 C=9c9615bf2537c293 V=2"
(0) -: Expected Access-Accept got Access-Reject
***
Any advice is highly welcome.
Kind regards,
Jürgen
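
As an added example (not part of the original post, and not FreeRADIUS or Samba code), the two failure indicators in the output above can be decoded mechanically: the MS-CHAP-Error string returned to radtest, whose fields are defined in RFC 2433 and RFC 2759, and the NTSTATUS code printed by ntlm_auth. The function names and the short NTSTATUS table are choices made for this example.

```python
import re

# Failure codes defined for the MS-CHAP Failure packet (RFC 2433, RFC 2759).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
# A few NTSTATUS values that ntlm_auth can report for a failed logon.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def parse_mschap_error(printed):
    """Decode an MS-CHAP-Error value in the form radtest prints it."""
    # The first octet of the attribute is the Ident, shown as an octal escape.
    m = re.match(r"\\([0-7]{3})", printed)
    ident = int(m.group(1), 8) if m else None
    body = printed[m.end():] if m else printed
    body, _, message = body.partition(" M=")  # M=<text> is optional
    fields = dict(re.findall(r"(?:^|\s)([ERCV])=([0-9A-Fa-f]+)", body))
    if "E" not in fields:
        raise ValueError("no E= field, not an MS-CHAP failure string")
    code = int(fields["E"])
    challenge = bytes.fromhex(fields.get("C", ""))
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        # 8-octet challenge: MS-CHAPv1 layout; 16 octets: MS-CHAPv2 layout.
        "challenge_octets": len(challenge),
        "version": int(fields["V"]) if "V" in fields else None,
        "message": message or None,
    }

def ntstatus_from_output(line):
    """Pull the NTSTATUS code out of an ntlm_auth error line."""
    m = re.search(r"\(0x([0-9a-fA-F]{8})\)", line)
    if not m:
        return None
    value = int(m.group(1), 16)
    return value, NTSTATUS.get(value, "unknown")
```

Applied to the values quoted above, `E=691` decodes to ERROR_AUTHENTICATION_FAILURE with retry allowed, and `0xc000006d` to STATUS_LOGON_FAILURE.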