mschap configuration problem
Alan DeKok
aland at deployingradius.com
Tue Jul 7 19:58:59 CEST 2020
On Jul 7, 2020, at 10:40 AM, Piviul <piviul at riminilug.it> wrote:
> Hi Alan, thank you very much. I have followed your guide and PAP and EAP now seem to work flawlessly; furthermore, even AD authentication and ntlm_auth are successfully configured.
That's good.
Does ntlm_auth work when you run it from the command line?
> But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP", it fails; on the server I can see these logs:
If ntlm_auth works from the command line, then it should work when run from FreeRADIUS.
>> (0) Found Auth-Type = mschap
>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (0) authenticate {
>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
>> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
>> (0) mschap: --> --username=user1
>> (0) mschap: mschap1: 1a
>> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00}
>> (0) mschap: --> --domain=CSATEST--challenge=1a162d834a0ac705
That's a typo. You need a space between "CSATEST" and "--challenge".
>> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
>> (0) mschap: --> --nt-response=f7539949c09457385f97329664296f699d915ccd6a0a58fa
>> (0) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)'
That seems pretty definitive.
>> (0) mschap: External script failed
>> (0) mschap: ERROR: External script says: Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)
>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>> (0) [mschap] = reject
>> (0) } # authenticate = reject
>
> That seems to mean user1 doesn't exist, but:
>> # getent passwd CSATEST\\user1
>> CSATEST\user1:*:11106:10513:user1:/home/user1:/bin/bash
>
> From the log above it seems that the client sends an MS-CHAPv1 request... I have tried to add --allow-mschapv2 to the ntlm_auth command in the mschap configuration file, but nothing changed;
>
> Do you think I've found a bug in samba?
No. Carefully reading the debug output is _very_ useful.
Alan DeKok.
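As an added example (not from the thread, and not FreeRADIUS or Samba code), a small Python check that expands the mschap module's ntlm_auth `program` line with a simplified stand-in for the module's xlat expansion, then lints the resulting argv for exactly the defect visible in the debug output: a `--challenge` option glued onto the `--domain` value, so ntlm_auth receives a bogus domain and no challenge at all. The attribute values are constructed stand-ins for the `user1`, `CSATEST` and hex values the log shows.

```python
import re
import shlex

# ntlm_auth options that the mschap program line in this thread passes.
KNOWN_OPTIONS = {"--request-nt-key", "--username", "--domain",
                 "--challenge", "--nt-response", "--allow-mschapv2"}
REQUIRED = {"--username", "--domain", "--challenge", "--nt-response"}

# Constructed stand-ins for the attributes the debug log shows being EXPANDed.
# NT-Domain is empty so that the :-CSATEST default is used, as in the log.
ATTRS = {"User-Name": "user1", "NT-Domain": "", "Challenge": "1a162d834a0ac705",
         "NT-Response": "f7539949c09457385f97329664296f699d915ccd6a0a58fa"}

# The program line as logged in the thread (missing space) and the corrected one.
BROKEN = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} "
          "--domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} "
          "--nt-response=%{mschap:NT-Response:-00}")
FIXED = BROKEN.replace("}--challenge", "} --challenge")

def expand(template, attrs):
    """Simplified xlat: resolve %{%{mschap:Attr}:-default} first, then
    %{mschap:Attr:-default}; an empty attribute falls back to its default."""
    outer = re.compile(r"%\{%\{mschap:([\w-]+)\}:-([^}]*)\}")
    inner = re.compile(r"%\{mschap:([\w-]+)(?::-([^}]*))?\}")
    text = outer.sub(lambda m: attrs.get(m.group(1)) or m.group(2), template)
    return inner.sub(lambda m: attrs.get(m.group(1)) or (m.group(2) or ""), text)

def lint_argv(command):
    """Split the expanded command into argv (as the module would hand it to
    exec) and report options run together or required options missing."""
    problems, seen = [], set()
    for arg in shlex.split(command)[1:]:          # [0] is the ntlm_auth path
        name, _, value = arg.partition("=")
        seen.add(name)
        if name not in KNOWN_OPTIONS:
            problems.append(f"unknown option {name!r}")
        elif "--" in value:                        # a second option glued onto a value
            problems.append(f"{name} runs into another option: {arg!r}")
    for name in sorted(REQUIRED - seen):
        problems.append(f"missing {name}")
    return problems

if __name__ == "__main__":
    for label, template in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", lint_argv(expand(template, ATTRS)) or "ok")
```

Run against the line from the log, the lint reports the glued `--domain=CSATEST--challenge=...` argument and the consequently missing `--challenge`; with the space restored it reports nothing, matching what the debug output would show after the fix.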