mschap configuration problem
L.P.H. van Belle
belle at bazuin.nl
Tue Jul 7 15:18:25 CEST 2020
Is your AD-DC also a Samba server?
Try adding this to smb.conf ([global])
# Add for freeradius support
ntlm auth = mschapv2-and-ntlmv2-only
Greetz,
Louis
> -----Original message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Piviul
> Sent: Tuesday 7 July 2020 15:05
> To: freeradius-users at lists.freeradius.org
> Subject: mschap configuration problem
>
> Hi there, I'm new to freeradius and I'm trying to configure it to
> authenticate on an AD domain using mschap and ntlm_auth. From a client I
> have put domain, username and password in variables to be sure that
> there are no typing errors, then I run:
> > # ntlm_auth --allow-mschapv2 --domain=$domain --username=$username --password=$password && radtest -t mschap "$domain\\$username" $password 127.0.0.1 0 testing123
> > NT_STATUS_OK: The operation completed successfully. (0x0)
> > Sent Access-Request Id 58 from 0.0.0.0:55359 to 127.0.0.1:1812 length 139
> >   User-Name = "CSATEST\\user1"
> >   MS-CHAP-Password = "Alfa.2020"
> >   NAS-IP-Address = 192.168.64.10
> >   NAS-Port = 0
> >   Message-Authenticator = 0x00
> >   Cleartext-Password = "Alfa.2020"
> >   MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> >   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
> > Received Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61
> >   MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> > (0) -: Expected Access-Accept got Access-Reject
>
> From the server side freeradius said:
> > (5) Received Access-Request Id 58 from 127.0.0.1:55359 to 127.0.0.1:1812 length 139
> > (5)   User-Name = "CSATEST\\user1"
> > (5)   NAS-IP-Address = 192.168.64.10
> > (5)   NAS-Port = 0
> > (5)   Message-Authenticator = 0x20d737038881440d2585fa1b63641a0f
> > (5)   MS-CHAP-Challenge = 0x6b4e461a0c35c8da
> > (5)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
> > (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> > (5) authorize {
> > (5) policy filter_username {
> > (5) if (&User-Name) {
> > (5) if (&User-Name) -> TRUE
> > (5) if (&User-Name) {
> > (5) if (&User-Name =~ / /) {
> > (5) if (&User-Name =~ / /) -> FALSE
> > (5) if (&User-Name =~ /@[^@]*@/ ) {
> > (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (5) if (&User-Name =~ /\.\./ ) {
> > (5) if (&User-Name =~ /\.\./ ) -> FALSE
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> > (5) if (&User-Name =~ /\.$/) {
> > (5) if (&User-Name =~ /\.$/) -> FALSE
> > (5) if (&User-Name =~ /@\./) {
> > (5) if (&User-Name =~ /@\./) -> FALSE
> > (5) } # if (&User-Name) = notfound
> > (5) } # policy filter_username = notfound
> > (5) [preprocess] = ok
> > (5) [chap] = noop
> > (5) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> > (5) [mschap] = ok
> > (5) [digest] = noop
> > (5) suffix: Checking for suffix after "@"
> > (5) suffix: No '@' in User-Name = "CSATEST\user1", looking up realm NULL
> > (5) suffix: No such realm "NULL"
> > (5) [suffix] = noop
> > (5) eap: No EAP-Message, not doing EAP
> > (5) [eap] = noop
> > (5) [files] = noop
> > (5) [expiration] = noop
> > (5) [logintime] = noop
> > (5) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
> > (5) pap: WARNING: Authentication will fail unless a "known good" password is available
> > (5) [pap] = noop
> > (5) } # authorize = ok
> > (5) Found Auth-Type = mschap
> > (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (5) authenticate {
> > (5) mschap: Client is using MS-CHAPv1 with NT-Password
> > (5) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}:
> > (5) mschap: EXPAND --domain=%{mschap:NT-Domain}
> > (5) mschap: --> --domain=CSATEST
> > (5) mschap: EXPAND --username=%{mschap:User-Name}
> > (5) mschap: --> --username=user1
> > (5) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'
> > (5) mschap: External script failed
> > (5) mschap: ERROR: External script says: Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)
> > (5) mschap: ERROR: MS-CHAP2-Response is incorrect
> > (5) [mschap] = reject
> > (5) } # authenticate = reject
> > (5) Failed to authenticate the user
> > (5) Using Post-Auth-Type Reject
> > (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (5) Post-Auth-Type REJECT {
> > (5) attr_filter.access_reject: EXPAND %{User-Name}
> > (5) attr_filter.access_reject: --> CSATEST\\user1
> > (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> > (5) [attr_filter.access_reject] = updated
> > (5) [eap] = noop
> > (5) policy remove_reply_message_if_eap {
> > (5) if (&reply:EAP-Message && &reply:Reply-Message) {
> > (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > (5) else {
> > (5) [noop] = noop
> > (5) } # else = noop
> > (5) } # policy remove_reply_message_if_eap = noop
> > (5) } # Post-Auth-Type REJECT = updated
> > (5) Login incorrect (mschap: Program returned code (1) and output 'Password: NT_STATUS_WRONG_PASSWORD: When trying to update a password, this return status indicates that the value provided as the current password is not correct. (0xc000006a)'): [CSATEST\user1] (from client localhost port 0)
> > (5) Delaying response for 1.000000 seconds
> > Waking up in 0.2 seconds.
> > Waking up in 0.7 seconds.
> > (5) Sending delayed response
> > (5) Sent Access-Reject Id 58 from 127.0.0.1:1812 to 127.0.0.1:55359 length 61
> > (5) MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
> > Waking up in 3.9 seconds.
> > (5) Cleaning up request packet ID 58 with timestamp +927
>
> Can someone help me understand where I went wrong?
>
> Piviul
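An added example, not code from either message nor from the FreeRADIUS or Samba projects: this Python script decodes the MS-CHAP attributes shown in the debug output above and rebuilds the ntlm_auth call the server made, so the DC's verdict on that exact challenge/response pair can be reproduced by hand on the RADIUS host. The attribute layouts are assumed from RFC 2548 (a 50-byte MS-CHAP-Response of Ident, Flags, LM-Response, NT-Response; an MS-CHAP-Error of one Ident byte followed by the text) and the failure codes from RFC 2433; the `--challenge` and `--nt-response` options are the ones the stock FreeRADIUS mschap module configuration passes to ntlm_auth. The lines in `SAMPLE_LOG` are copied from the post; the script only reads a debug log and never talks to winbind.

```python
"""Decode the MS-CHAP attributes from a FreeRADIUS debug log and rebuild the
ntlm_auth call the server made, so the DC's answer can be reproduced by hand.

Added example. Attribute layouts are taken from RFC 2548 (MS-CHAP-Response =
Ident, Flags, LM-Response, NT-Response; MS-CHAP-Error = Ident byte + text),
failure codes from RFC 2433. Nothing here talks to winbind or the DC.
"""
import re

# Constructed sample: the four relevant lines copied from the debug output in
# the post. FreeRADIUS prints strings escaped, so the single backslash in the
# User-Name shows up doubled and the Ident byte of MS-CHAP-Error as \000.
SAMPLE_LOG = r"""
(5)   User-Name = "CSATEST\\user1"
(5)   MS-CHAP-Challenge = 0x6b4e461a0c35c8da
(5)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fa5ab330052688e78de5ccbba7d9d954abf1e1b85596b385
(5)   MS-CHAP-Error = "\000E=691 R=1 C=373db952a357b248 V=2"
"""

# MS-CHAP failure codes from RFC 2433 (MS-CHAPv2 uses the same numbers).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

ATTR_RE = re.compile(r"^\(\d+\)\s+([\w-]+)\s*=\s*(.+?)\s*$", re.M)
ERROR_RE = re.compile(r"E=(\d+)\s+R=(\d)(?:\s+C=([0-9a-fA-F]+))?(?:\s+V=(\d+))?")


def _unescape(s):
    # Undo FreeRADIUS debug escaping: "\\" -> "\" and "\ooo" -> the byte ooo (octal).
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), s)


def parse_attrs(log):
    """Return {attribute name: value} for the attribute lines of one request."""
    attrs = {}
    for name, raw in ATTR_RE.findall(log):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            attrs[name] = _unescape(raw[1:-1])      # quoted string attribute
        elif raw.startswith("0x"):
            attrs[name] = bytes.fromhex(raw[2:])    # octets attribute
        else:
            attrs[name] = raw                       # integer, ipaddr, ...
    return attrs


def decode_mschap_response(resp):
    """Split a 50-byte MS-CHAPv1 MS-CHAP-Response into its fields (RFC 2548)."""
    if len(resp) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(resp)}")
    return {
        "ident": resp[0],
        "flags": resp[1],  # 1: verify the NT-Response, 0: only the LM-Response is valid
        "lm_response": resp[2:26].hex(),
        "nt_response": resp[26:50].hex(),
    }


def decode_mschap_error(err):
    """Parse an MS-CHAP-Error: one Ident byte, then 'E=eeeeee R=r C=... V=v'."""
    m = ERROR_RE.search(err[1:])
    if not m:
        raise ValueError(f"unrecognised MS-CHAP-Error text: {err[1:]!r}")
    code = int(m.group(1))
    return {
        "ident": ord(err[0]),
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": m.group(2) == "1",
        "challenge": (m.group(3) or "").lower(),  # fresh challenge the NAS may retry with
        "version": int(m.group(4)) if m.group(4) else None,
    }


def ntlm_auth_command(attrs, allow_mschapv2=True):
    """Rebuild, as one shell line, the winbind check FreeRADIUS ran for this request.

    --challenge/--nt-response are the options the stock mschap configuration
    passes; --allow-mschapv2 mirrors the command line shown in the post.
    """
    domain, _, user = attrs["User-Name"].rpartition("\\")
    resp = decode_mschap_response(attrs["MS-CHAP-Response"])
    if resp["flags"] != 1:
        raise ValueError("client sent an LM-Response only; --nt-response needs the NT-Response")
    args = ["ntlm_auth", "--request-nt-key"]
    if allow_mschapv2:
        args.append("--allow-mschapv2")
    if domain:
        args.append(f"--domain={domain}")
    args += [f"--username={user}",
             f"--challenge={attrs['MS-CHAP-Challenge'].hex()}",
             f"--nt-response={resp['nt_response']}"]
    return " ".join(args)


if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE_LOG)
    print(decode_mschap_response(attrs["MS-CHAP-Response"]))
    print(decode_mschap_error(attrs["MS-CHAP-Error"]))
    print(ntlm_auth_command(attrs))
```

The decoded response has Flags = 1 and an all-zero LM-Response, which is why the server logs "Client is using MS-CHAPv1 with NT-Password" (radtest -t mschap sends v1; an MS-CHAP2-Response is also 50 bytes but carries a peer challenge instead of the LM-Response and is not handled here). Running the rebuilt ntlm_auth line on the RADIUS host tests the same challenge/response pair without FreeRADIUS in the loop: if winbind still returns NT_STATUS_WRONG_PASSWORD for a password that `ntlm_auth --password` accepts, the DC is refusing the challenge-response form rather than the password, which is the behaviour the `ntlm auth` setting in the reply above governs.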