mschap configuration problem

L.P.H. van Belle belle at bazuin.nl
Tue Jul 7 15:18:25 CEST 2020


Is your AD-DC also a samba server ? 

Try adding this to smb.conf (global) 
        # Add for freeradius support
        ntlm auth = mschapv2-and-ntlmv2-only

Greetz, 

Louis
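Louis's suggestion hinges on Samba's "ntlm auth" parameter, which decides whether the NTLMv1-style MSCHAPv2 check that FreeRADIUS drives through "ntlm_auth --allow-mschapv2 --request-nt-key" is permitted at all (the plaintext "--password" test from the shell does not go through that check, which is why it can pass while the RADIUS path fails). As an added example, not from the thread, this Python checker reads a smb.conf [global] section, reports whether MSCHAPv2 via ntlm_auth can succeed under the effective mode, and flags the broader setting that also re-enables NTLMv1 for every client. The mode names, aliases and the assumed default (ntlmv2-only) come from Samba's smb.conf documentation and should be confirmed with `testparm -v` on the actual DC; the sample configs are constructed.

```python
import re
# Added example (not from the thread): classify a Samba smb.conf by its [global]
# "ntlm auth" value and say whether FreeRADIUS's mschap module, which runs
# "ntlm_auth --allow-mschapv2 --request-nt-key", can succeed against it.
# Mode names and aliases are Samba's documented settings; the assumed default
# (ntlmv2-only, since Samba 4.5) should be confirmed with `testparm -v`.
DEFAULT_NTLM_AUTH = "ntlmv2-only"
NTLM_AUTH_MODES = {  # mode -> (MSCHAPv2 via ntlm_auth ok?, NTLMv1 allowed for all clients?)
    "ntlmv1-permitted": (True, True), "ntlmv2-only": (False, False),
    "mschapv2-and-ntlmv2-only": (True, False), "disabled": (False, False)}
ALIASES = {"yes": "ntlmv1-permitted", "true": "ntlmv1-permitted",
           "no": "ntlmv2-only", "false": "ntlmv2-only"}

def _norm(key):
    return re.sub(r"\s+", "", key).lower()  # Samba ignores case and spaces in keys

def global_param(smb_conf, name):
    """Return the lower-cased value of `name` in [global], or None if unset."""
    section, value = None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if _norm(key) == _norm(name):
                value = val.strip().lower()  # last occurrence wins, as in Samba
    return value

def check_ntlm_auth(smb_conf):
    """Report the effective mode and what it means for ntlm_auth/MSCHAPv2."""
    value = global_param(smb_conf, "ntlm auth") or DEFAULT_NTLM_AUTH
    mode = ALIASES.get(value, value)
    if mode not in NTLM_AUTH_MODES:
        return {"mode": value, "mschapv2_ok": False, "ntlmv1_ok": False, "note": "undocumented value"}
    mschapv2_ok, ntlmv1_ok = NTLM_AUTH_MODES[mode]
    if not mschapv2_ok:
        note = "ntlm_auth --allow-mschapv2 is refused (expect NT_STATUS_WRONG_PASSWORD)"
    elif ntlmv1_ok:
        note = "works, but also re-enables weak NTLMv1 for every client"
    else:
        note = "works; NTLMv1 stays off except for MSCHAPv2 through ntlm_auth"
    return {"mode": mode, "mschapv2_ok": mschapv2_ok, "ntlmv1_ok": ntlmv1_ok, "note": note}

# Constructed configs: an AD DC left at the default, then the same file with Louis's line added.
SMB_CONF_DEFAULT = "[global]\n\tworkgroup = CSATEST\n\tserver role = active directory domain controller\n"
SMB_CONF_FIXED = SMB_CONF_DEFAULT + "\t# Add for freeradius support\n\tntlm auth = mschapv2-and-ntlmv2-only\n"
```

Running check_ntlm_auth on SMB_CONF_DEFAULT reports the refused case that matches the NT_STATUS_WRONG_PASSWORD in the debug output below, while SMB_CONF_FIXED reports success with NTLMv1 still off for ordinary clients.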
 

> -----Original message-----
> From: Freeradius-Users 
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Piviul
> Sent: Tuesday 7 July 2020 15:05
> To: freeradius-users at lists.freeradius.org
> Subject: mschap configuration problem
> 
> Hi there, I'm new to freeradius and I'm trying to configure it to 
> authenticate on an AD domain using mschap and ntlm_auth. From a client I 
> have put domain, username and password in variables to be sure that 
> there are no typing errors, then I run:
> > # ntlm_auth --allow-mschapv2 --domain=$domain 
> --username=$username --password=$password && radtest -t 
> mschap "$domain\\$username" $password 127.0.0.1 0 testing123
> > NT_STATUS_OK: The operation completed successfully. (0x0)
> > Sent Access-Request Id 58 from 0.0.0.0:55359 to 
> 127.0.0.1:1812 length 139
> > 	User-Name = "CSATEST\\user1"
> > 	MS-CHAP-Password = "Alfa.2020"
> > 	NAS-IP-Address = 192.168.64.10
> > 	NAS-Port = 0
> > 	Message-Authenticator = 0x00
> > 	Cleartext-Password = "Alfa.2020"
> > 	MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> > 	MS-CHAP-Response = 
> 0x0001000000000000000000000000000000000000000000000000fa5ab330
> 052688e78de5ccbba7d9d954abf1e1b85596b385
> > Received Access-Reject Id 58 from 127.0.0.1:1812 to 
> 127.0.0.1:55359 length 61
> > 	MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> > (0) -: Expected Access-Accept got Access-Reject
> 
> From the server side, freeradius said:
> > (5) Received Access-Request Id 58 from 127.0.0.1:55359 to 
> 127.0.0.1:1812 length 139
> > (5)   User-Name = "CSATEST\\user1"
> > (5)   NAS-IP-Address = 192.168.64.10
> > (5)   NAS-Port = 0
> > (5)   Message-Authenticator = 0x20d737038881440d2585fa1b63641a0f
> > (5)   MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> > (5)   MS-CHAP-Response = 
> 0x0001000000000000000000000000000000000000000000000000fa5ab330
> 052688e78de5ccbba7d9d954abf1e1b85596b385
> > (5) # Executing section authorize from file 
> /etc/freeradius/3.0/sites-enabled/default
> > (5)   authorize {
> > (5)     policy filter_username {
> > (5)       if (&User-Name) {
> > (5)       if (&User-Name)  -> TRUE
> > (5)       if (&User-Name)  {
> > (5)         if (&User-Name =~ / /) {
> > (5)         if (&User-Name =~ / /)  -> FALSE
> > (5)         if (&User-Name =~ /@[^@]*@/ ) {
> > (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> > (5)         if (&User-Name =~ /\.\./ ) {
> > (5)         if (&User-Name =~ /\.\./ )  -> FALSE
> > (5)         if ((&User-Name =~ /@/) && (&User-Name !~ 
> /@(.+)\.(.+)$/))  {
> > (5)         if ((&User-Name =~ /@/) && (&User-Name !~ 
> /@(.+)\.(.+)$/))   -> FALSE
> > (5)         if (&User-Name =~ /\.$/)  {
> > (5)         if (&User-Name =~ /\.$/)   -> FALSE
> > (5)         if (&User-Name =~ /@\./)  {
> > (5)         if (&User-Name =~ /@\./)   -> FALSE
> > (5)       } # if (&User-Name)  = notfound
> > (5)     } # policy filter_username = notfound
> > (5)     [preprocess] = ok
> > (5)     [chap] = noop
> > (5) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> > (5)     [mschap] = ok
> > (5)     [digest] = noop
> > (5) suffix: Checking for suffix after "@"
> > (5) suffix: No '@' in User-Name = "CSATEST\user1", looking 
> up realm NULL
> > (5) suffix: No such realm "NULL"
> > (5)     [suffix] = noop
> > (5) eap: No EAP-Message, not doing EAP
> > (5)     [eap] = noop
> > (5)     [files] = noop
> > (5)     [expiration] = noop
> > (5)     [logintime] = noop
> > (5) pap: WARNING: No "known good" password found for the 
> user.  Not setting Auth-Type
> > (5) pap: WARNING: Authentication will fail unless a "known 
> good" password is available
> > (5)     [pap] = noop
> > (5)   } # authorize = ok
> > (5) Found Auth-Type = mschap
> > (5) # Executing group from file 
> /etc/freeradius/3.0/sites-enabled/default
> > (5)   authenticate {
> > (5) mschap: Client is using MS-CHAPv1 with NT-Password
> > (5) mschap: Executing: /usr/bin/ntlm_auth  --request-nt-key 
> --allow-mschapv2 --domain=%{mschap:NT-Domain} 
> --username=%{mschap:User-Name}:
> > (5) mschap: EXPAND --domain=%{mschap:NT-Domain}
> > (5) mschap:    --> --domain=CSATEST
> > (5) mschap: EXPAND --username=%{mschap:User-Name}
> > (5) mschap:    --> --username=user1
> > (5) mschap: ERROR: Program returned code (1) and output 
> 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a 
> password, this return status indicates that the value 
> provided as the current password is not correct. (0xc000006a)'
> > (5) mschap: External script failed
> > (5) mschap: ERROR: External script says: Password: 
> NT_STATUS_WRONG_PASSWORD: When trying to update a password, 
> this return status indicates that the value provided as the 
> current password is not correct. (0xc000006a)
> > (5) mschap: ERROR: MS-CHAP2-Response is incorrect
> > (5)     [mschap] = reject
> > (5)   } # authenticate = reject
> > (5) Failed to authenticate the user
> > (5) Using Post-Auth-Type Reject
> > (5) # Executing group from file 
> /etc/freeradius/3.0/sites-enabled/default
> > (5)   Post-Auth-Type REJECT {
> > (5) attr_filter.access_reject: EXPAND %{User-Name}
> > (5) attr_filter.access_reject:    --> CSATEST\\user1
> > (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> > (5)     [attr_filter.access_reject] = updated
> > (5)     [eap] = noop
> > (5)     policy remove_reply_message_if_eap {
> > (5)       if (&reply:EAP-Message && &reply:Reply-Message) {
> > (5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> > (5)       else {
> > (5)         [noop] = noop
> > (5)       } # else = noop
> > (5)     } # policy remove_reply_message_if_eap = noop
> > (5)   } # Post-Auth-Type REJECT = updated
> > (5) Login incorrect (mschap: Program returned code (1) and 
> output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to 
> update a password, this return status indicates that the 
> value provided as the current password is not correct. 
> (0xc000006a)'): [CSATEST\user1] (from client localhost port 0)
> > (5) Delaying response for 1.000000 seconds
> > Waking up in 0.2 seconds.
> > Waking up in 0.7 seconds.
> > (5) Sending delayed response
> > (5) Sent Access-Reject Id 58 from 127.0.0.1:1812 to 
> 127.0.0.1:55359 length 61
> > (5)   MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> > Waking up in 3.9 seconds.
> > (5) Cleaning up request packet ID 58 with timestamp +927
> 
> Can someone help me understand where I went wrong?
> 
> Piviul
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 



