mschap configuration problem
Piviul
piviul at riminilug.it
Tue Jul 7 15:05:00 CEST 2020
Hi there, I'm new to freeradius and I'm trying to configure it to
authenticate on an AD domain using mschap and ntlm_auth. From a client I
have put domain, username and password in variables to be sure that
there are no typing errors, then I run:
> # ntlm_auth --allow-mschapv2 --domain=$domain --username=$username --password=$password && radtest -t mschap "$domain\\$username" $password 127.0.0.1 0 testing123
> NT_STATUS_OK: The operation completed successfully. (0x0)
> Sent Access-Request Id 58 from 0.0.0.0:55359 to 127.0.0.1:1812 length 139
> User-Name = "CSATEST\\user1"
> MS-CHAP-Password = "Alfa.2020"
> NAS-IP-Address = 192.168.64.10
> NAS-Port = 0
> Message-Authenticator = 0x00
> Cleartext-Password = "Alfa.2020"
> MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
> Received Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61
> MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> (0) -: Expected Access-Accept got Access-Reject
From server side freeradius said:
> (5) Received Access-Request Id 58 from 127.0.0.1:55359 to 127.0.0.1:1812 length 139
> (5) User-Name = "CSATEST\\user1"
> (5) NAS-IP-Address = 192.168.64.10
> (5) NAS-Port = 0
> (5) Message-Authenticator = 0x20d737038881440d2585fa1b63641a0f
> (5) MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> (5) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
> (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> (5) [mschap] = ok
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "CSATEST\user1", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: No EAP-Message, not doing EAP
> (5) [eap] = noop
> (5) [files] = noop
> (5) [expiration] = noop
> (5) [logintime] = noop
> (5) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
> (5) pap: WARNING: Authentication will fail unless a "known good" password is available
> (5) [pap] = noop
> (5) } # authorize = ok
> (5) Found Auth-Type = mschap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) authenticate {
> (5) mschap: Client is using MS-CHAPv1 with NT-Password
> (5) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}:
> (5) mschap: EXPAND --domain=%{mschap:NT-Domain}
> (5) mschap: --> --domain=CSATEST
> (5) mschap: EXPAND --username=%{mschap:User-Name}
> (5) mschap: --> --username=user1
> (5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'
> (5) mschap: External script failed
> (5) mschap: ERROR: External script says: Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)
> (5) mschap: ERROR: MS-CHAP2-Response is incorrect
> (5) [mschap] = reject
> (5) } # authenticate = reject
> (5) Failed to authenticate the user
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Post-Auth-Type REJECT {
> (5) attr_filter.access_reject: EXPAND %{User-Name}
> (5) attr_filter.access_reject: --> CSATEST\\user1
> (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (5) [attr_filter.access_reject] = updated
> (5) [eap] = noop
> (5) policy remove_reply_message_if_eap {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (5) else {
> (5) [noop] = noop
> (5) } # else = noop
> (5) } # policy remove_reply_message_if_eap = noop
> (5) } # Post-Auth-Type REJECT = updated
> (5) Login incorrect (mschap: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'): [CSATEST\user1] (from client localhost port 0)
> (5) Delaying response for 1.000000 seconds
> Waking up in 0.2 seconds.
> Waking up in 0.7 seconds.
> (5) Sending delayed response
> (5) Sent Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61
> (5) MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> Waking up in 3.9 seconds.
> (5) Cleaning up request packet ID 58 with timestamp +927
Can someone help me understand where I went wrong?
Piviul
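Added example, not code from the post or from FreeRADIUS: a small Python triage helper for radiusd -X output like the one quoted above. It splits the MS-CHAP-Response octets into the RFC 2548 layout (Ident, Flags, LM-Response, NT-Response), maps the MS-CHAP-Error E= code using the RFC 2759 table, and pulls out the NT_STATUS that ntlm_auth handed back, so the reject can be read in one place. Note that the radtest output above echoes Cleartext-Password and MS-CHAP-Password, so scrub those before sharing debug output.

```python
import re
# MS-CHAP-Error "E=" codes from RFC 2759 section 6; the reject in the post carries E=691.
MSCHAP_ERROR_CODES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                      648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                      691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}
MODULE_RESULT = re.compile(r"^\(\d+\)\s+\[([\w.]+)\] = (\w+)")
ATTR_RESPONSE = re.compile(r"MS-CHAP-Response = 0x([0-9a-fA-F]+)")
ATTR_ERROR = re.compile(r'MS-CHAP-Error = "\\000E=(\d+) R=(\d) C=([0-9a-f]+) V=(\d)"')
NTLM_STATUS = re.compile(r"(NT_STATUS_[A-Z_]+)")

def decode_mschap_v1_response(hex_blob):
    """Split a 50-byte MS-CHAP-Response (RFC 2548 2.3.2): Ident, Flags, LM-Response, NT-Response."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) != 50:
        raise ValueError("MS-CHAP-Response must be 50 bytes, got %d" % len(raw))
    return {"ident": raw[0], "flags": raw[1], "lm": raw[2:26], "nt": raw[26:50]}

def triage(debug_lines):
    """Summarise one radiusd -X request: module results, response shape, why it was rejected."""
    rep = {"modules": [], "ntlm_status": None, "mschap_error": None, "response": None}
    for line in debug_lines:
        line = line.lstrip("> ")  # drop mail-quoting prefix if present
        m = MODULE_RESULT.match(line)
        if m:
            rep["modules"].append((m.group(1), m.group(2)))
        m = ATTR_RESPONSE.search(line)
        if m and rep["response"] is None:
            r = decode_mschap_v1_response(m.group(1))
            rep["response"] = {"ident": r["ident"],
                               "uses_nt_response": bool(r["flags"] & 1),  # Flags bit 0 set
                               "lm_all_zero": not any(r["lm"]), "nt_hex": r["nt"].hex()}
        m = NTLM_STATUS.search(line)
        if m and "mschap:" in line and rep["ntlm_status"] is None:
            rep["ntlm_status"] = m.group(1)  # status ntlm_auth/winbind handed back
        m = ATTR_ERROR.search(line)
        if m:
            code = int(m.group(1))
            rep["mschap_error"] = {"code": code, "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
                                   "retry_allowed": m.group(2) == "1", "version": int(m.group(4))}
    return rep

# Sample lines copied from the post's radiusd -X output (only those the triage reads).
SAMPLE = r'''
(5) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
(5) [mschap] = ok
(5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: ... (0xc000006a)'
(5) [mschap] = reject
(5) MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
'''.strip().splitlines()
```

Running `triage(SAMPLE)` on the post's lines shows an MS-CHAPv1 response with Flags=1 and an all-zero LM-Response, mschap returning ok in authorize and reject in authenticate, NT_STATUS_WRONG_PASSWORD from ntlm_auth, and E=691 (ERROR_AUTHENTICATION_FAILURE) with retry allowed.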