Problem with ntlm_auth between freeradius 3.0 and Samba 4 AD

Benjamin DUPALUT benjamin.dupalut at esiee.fr
Tue Jul 3 17:49:15 CEST 2018


Hello,

First of all, sorry for my English if there are some mistakes.

I'm trying to set up an authentication between a freeradius 3.0 server and
a Samba 4 AD using ntlm_auth.

I applied the configuration from
deployingradius.com/documents/configuration/active_directory.html but I got
an error when testing with the "radtest -t mschap user passwd 127.0.0.1 0
testing123" command.

Here is the output of the freeradius -X debug:

(11) Received Access-Request Id 115 from 127.0.0.1:60705 to 127.0.0.1:1812
length 143
(11)   User-Name = "dupalutb at esiee.fr"
(11)   NAS-IP-Address = 127.0.1.1
(11)   NAS-Port = 0
(11)   Message-Authenticator = 0xe7c32a18a131310841e6f149e528647b
(11)   MS-CHAP-Challenge = 0x9aa1c8732f3e45a9
(11)   MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000c93d69617f9ccbf98d1b673b2d75a401034e14ac56100964
(11) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/eduroam
(11)   authorize {
(11)     if (!(User-Name =~ /@/)){
(11)     if (!(User-Name =~ /@/)) -> FALSE
(11)     if (User-Name =~ /@$/){
(11)     if (User-Name =~ /@$/) -> FALSE
(11)     if (User-Name =~ /@.+?@/){
(11)     if (User-Name =~ /@.+?@/) -> FALSE
(11)     if (User-Name =~ /@.+?[^[:alnum:]\\.-]/){
(11)     if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
(11)     if (User-Name =~ /@[\\.-]/){
(11)     if (User-Name =~ /@[\\.-]/) -> FALSE
(11)     if (User-Name =~ /@.+?[\\.-]$/){
(11)     if (User-Name =~ /@.+?[\\.-]$/) -> FALSE
(11)     if (User-Name =~ /@[^\\.]+$/){
(11)     if (User-Name =~ /@[^\\.]+$/) -> FALSE
(11)     if (User-Name =~ /@.+?\\.\\./){
(11)     if (User-Name =~ /@.+?\\.\\./) -> FALSE
(11)     if (User-Name =~ /@myabc\\.com$/i){
(11)     if (User-Name =~ /@myabc\\.com$/i) -> FALSE
(11)     if (User-Name =~
/@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i){
(11)     if (User-Name =~
/@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
(11)     if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(11)     if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
(11)     if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(11)     if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
(11)     if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(11)     if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)
-> FALSE
(11)     if (User-Name =~ /@\\.?ac\\.uk$/i){
(11)     if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE
(11)     if (User-Name =~ /@.+?\\.ax\\.uk$/i){
(11)     if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE
(11)     [preprocess] = ok
(11) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(11) auth_log:    --> /var/log/freeradius/radacct/
127.0.0.1/auth-detail-20180703
(11) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20180703
(11) auth_log: EXPAND %t
(11) auth_log:    --> Tue Jul  3 17:36:31 2018
(11)     [auth_log] = ok
(11)     policy operator-name.authorize {
(11)       if ("%{client:Operator-Name}") {
(11)       EXPAND %{client:Operator-Name}
(11)          -->
(11)       if ("%{client:Operator-Name}")  -> FALSE
(11)     } # policy operator-name.authorize = ok
(11)     policy cui.authorize {
(11)       if ("%{client:add_cui}" == 'yes') {
(11)       EXPAND %{client:add_cui}
(11)          -->
(11)       if ("%{client:add_cui}" == 'yes')  -> FALSE
(11)     } # policy cui.authorize = ok
(11)     [chap] = noop
(11) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(11)     [mschap] = ok
(11)     [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: Looking up realm "esiee.fr" for User-Name = "dupalutb at esiee.fr"
(11) suffix: Found realm "esiee.fr"
(11) suffix: Adding Stripped-User-Name = "dupalutb"
(11) suffix: Adding Realm = "esiee.fr"
(11) suffix: Authentication realm is LOCAL
(11)     [suffix] = ok
(11) eap: No EAP-Message, not doing EAP
(11)     [eap] = noop
(11) files: users: Matched entry DEFAULT at line 1
(11)     [files] = ok
(11)     [expiration] = noop
(11)     [logintime] = noop
(11) pap: WARNING: No "known good" password found for the user.  Not
setting Auth-Type
(11) pap: WARNING: Authentication will fail unless a "known good" password
is available
(11)     [pap] = noop
(11)   } # authorize = ok
(11) Found Auth-Type = mschap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(11)   authenticate {
(11) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(11) mschap: WARNING: No Cleartext-Password configured.  Cannot create
LM-Password
(11) mschap: Client is using MS-CHAPv1 with NT-Password
(11) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
authentication
(11) mschap: ERROR: MS-CHAP2-Response is incorrect
(11)     [mschap] = reject
(11)   } # authenticate = reject
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(11)   Post-Auth-Type REJECT {
(11) attr_filter.access_reject: EXPAND %{User-Name}
(11) attr_filter.access_reject:    --> dupalutb at esiee.fr
(11) attr_filter.access_reject: Matched entry DEFAULT at line 11
(11)     [attr_filter.access_reject] = updated
(11)     [eap] = noop
(11)     policy remove_reply_message_if_eap {
(11)       if (&reply:EAP-Message && &reply:Reply-Message) {
(11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)       else {
(11)         [noop] = noop
(11)       } # else = noop
(11)     } # policy remove_reply_message_if_eap = noop
(11)   } # Post-Auth-Type REJECT = updated
(11) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(11) Sending delayed response
(11) Sent Access-Reject Id 115 from 127.0.0.1:1812 to 127.0.0.1:60705
length 61
(11)   MS-CHAP-Error = "\000E=691 R=1 C=32c072eb4937c259 V=2"
Waking up in 3.9 seconds.
(11) Cleaning up request packet ID 115 with timestamp +545

It seems that radius tries to use the mschap authentication method instead of
ntlm_auth. Where did I make a mistake?

Thanks in advance for your suggestions.

Regards,

*Benjamin Dupalut*
System and Network Administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
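As an added diagnostic example, not part of the post above and not FreeRADIUS project code, here is a small Python parser for `freeradius -X` lines of the kind quoted in the message. It extracts the Auth-Type decision, flags the mschap warnings that show the module looked for a locally held NT/LM hash (the "No Cleartext-Password configured" and "No NT/LM-Password" lines) rather than running an external helper, and decodes the MS-CHAP-Error attribute (leading Ident byte, then E= error code as defined in RFC 2433/2759, R= retry flag, C= challenge, V= version, optional M= message). The sample lines are a constructed, trimmed copy of the post's log; the function names `parse_mschap_error` and `diagnose` and the `Executing:` marker used to detect a helper run are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the freeradius -X lines quoted in the post.
# The last line is a raw string so the "\000" ident byte stays as the debug output prints it.
SAMPLE_DEBUG = [
    '(11) Received Access-Request Id 115 from 127.0.0.1:60705 to 127.0.0.1:1812 length 143',
    '(11)   User-Name = "dupalutb@esiee.fr"',
    "(11) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'",
    '(11) suffix: Authentication realm is LOCAL',
    '(11) Found Auth-Type = mschap',
    '(11) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password',
    '(11) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password',
    '(11) mschap: Client is using MS-CHAPv1 with NT-Password',
    '(11) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication',
    '(11)     [mschap] = reject',
    '(11) Sent Access-Reject Id 115 from 127.0.0.1:1812 to 127.0.0.1:60705 length 61',
    r'(11)   MS-CHAP-Error = "\000E=691 R=1 C=32c072eb4937c259 V=2"',
]

# Error codes carried in the E= field (RFC 2433 section 10, RFC 2759 section 6).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Warnings that mean rlm_mschap tried to use a locally known NT/LM hash and had none.
LOCAL_HASH_MARKERS = ("No Cleartext-Password configured", "No NT/LM-Password")

_PREFIX = re.compile(r"^\(\d+\)\s*")                 # the "(11) " request number
_ERR_ATTR = re.compile(r'MS-CHAP-Error = "(?P<value>.*)"\s*$')
_IDENT = re.compile(r"^\\(\d{3})")                   # octal escape of the Ident byte


@dataclass
class MsChapError:
    ident: int
    code: int
    retry_allowed: bool
    challenge: str
    version: int
    message: str


@dataclass
class Diagnosis:
    auth_type: Optional[str]
    local_hash_only: bool      # module wanted a local NT/LM hash and found none
    helper_executed: bool      # an external helper (e.g. ntlm_auth) was run (assumed marker)
    error: Optional[MsChapError]
    notes: List[str] = field(default_factory=list)


def parse_mschap_error(value: str) -> MsChapError:
    """Decode the string form of MS-CHAP-Error as printed by freeradius -X."""
    ident = 0
    m = _IDENT.match(value)
    if m:
        ident = int(m.group(1), 8)
        value = value[m.end():]
    fields = dict(re.findall(r"\b([ERCV])=(\S+)", value))
    msg = re.search(r"\bM=(.*)$", value)
    return MsChapError(
        ident=ident,
        code=int(fields.get("E", "0")),
        retry_allowed=fields.get("R") == "1",
        challenge=fields.get("C", ""),
        version=int(fields.get("V", "0")),
        message=msg.group(1) if msg else "",
    )


def diagnose(debug_lines) -> Diagnosis:
    """Walk one request's debug lines and summarise why mschap rejected it."""
    auth_type, error = None, None
    local_hash_only = helper_executed = False
    for line in debug_lines:
        body = _PREFIX.sub("", line)
        if body.startswith("Found Auth-Type = "):
            auth_type = body.split("=", 1)[1].strip()
        elif body.startswith("mschap:"):
            if any(mk in body for mk in LOCAL_HASH_MARKERS):
                local_hash_only = True
            if "Executing:" in body:          # assumed: exec helpers log "Executing: ..."
                helper_executed = True
        m = _ERR_ATTR.search(body)
        if m:
            error = parse_mschap_error(m.group("value"))

    notes = []
    if local_hash_only and not helper_executed:
        notes.append("mschap looked for a local NT/LM hash and had none, and no external "
                     "helper ran: the module's ntlm_auth setting is not in effect.")
    if error is not None:
        name = MSCHAP_ERROR_CODES.get(error.code, "unknown")
        notes.append(f"MS-CHAP-Error E={error.code} ({name}), "
                     f"retry {'allowed' if error.retry_allowed else 'not allowed'}, V={error.version}")
    return Diagnosis(auth_type, local_hash_only, helper_executed, error, notes)


if __name__ == "__main__":
    for note in diagnose(SAMPLE_DEBUG).notes:
        print(note)
```

Run on the sample, the parser reports that Auth-Type became mschap, that the module fell back to a local hash it did not have, and that the reject carried E=691 (ERROR_AUTHENTICATION_FAILURE) with retry allowed. Feeding it a real `freeradius -X` capture works the same way, one request's lines at a time.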

