ntlm_auth and MSCHAP issues

Adam McPartlan adam.mcpartlan at nynet.co.uk
Wed Feb 19 17:56:54 CET 2020


Howdy,

I am experiencing problems with an existing working install of
FreeRADIUS to get it to use AD to part authenticate users.

Following the instructions found here:
http://deployingradius.com/documents/configuration/active_directory.html


I can sucessfully get FreeRADUS to authenticate using ntlm_auth.

# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --
username=mcpartlana
[ntlm_auth] expand: --password=%{User-Password} -> --
password=redactedpassword
Exec output: NT_STATUS_OK: Success (0x0)
Exec plaintext: NT_STATUS_OK: Success (0x0)

However, making the switch to MSCHAP as per the instructions i get the
following outcome:

radtest -t mschap mcpartlana redactedpassword localhost 0
redactedsecret

Sending Access-Request of id 8 to 127.0.0.1 port 1812
User-Name = "mcpartlana"
NAS-IP-Address = 192.168.172.45
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x58b0f84e08b68e46
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c
5adb769615849f47a081cbb22c73c45
rad_recv: Access-Request packet from host 127.0.0.1 port 48263, id=8,
length=136
User-Name = "mcpartlana"
NAS-IP-Address = 192.168.172.45
NAS-Port = 0
Message-Authenticator = 0x0651b559ed7f1e615e14b10e56fed797
MS-CHAP-Challenge = 0x58b0f84e08b68e46
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c
5adb769615849f47a081cbb22c73c45

# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --
username=mcpartlana
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
[ntlm_auth] Exec: program returned: 1
++[ntlm_auth] = reject


Sending Access-Reject of id 8 to 127.0.0.1 port 48263
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=8,
length=20



To me this looks like the password is not being sent to the AD server -
hence the "WRONG_PASSWORD" message - It could just be hidden which is
ok. I can only pressume I have messed something up in my configuration.

Many thanks

Adam













CONFIDENTIALITY WARNING: This email has been sent from NYnet Ltd, a UK limited company controlled by North Yorkshire County Council. The information in this email (and any document(s) attached to it) is confidential or legally privileged, and is intended solely for the use of the person named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this E-mail is strictly prohibited. An individual with the title of director does not necessarily mean they are a statutory director. A full list of statutory directors is available for inspection at our registered office.



More information about the Freeradius-Users mailing list