mschap configuration problem

Alan DeKok aland at deployingradius.com
Tue Jul 7 19:58:59 CEST 2020 

On Jul 7, 2020, at 10:40 AM, Piviul <piviul at riminilug.it> wrote:
> Hi Alan, thank you very much. I have followed your guide and PAP and EAP now seems to work flawlessy; furthermore even AD authentication and ntlm_auth are successfully configured.

  That's good.

  Does ntlm_auth work when you run it from the command line?

> But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the server I can see these logs:

 If ntlm_auth works from the command line, then it should work when run from FreeRADIUS.

>> (0) Found Auth-Type = mschap
>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (0)   authenticate {
>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None}  --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
>> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
>> (0) mschap:    --> --username=user1
>> (0) mschap: mschap1: 1a
>> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST}--challenge=%{mschap:Challenge:-00}
>> (0) mschap:    --> --domain=CSATEST--challenge=1a162d834a0ac705

  That's a typo.  You need a space between "CSATEST" and "--challenge".

>> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
>> (0) mschap:    --> --nt-response=f7539949c09457385f97329664296f699d915ccd6a0a58fa
>> (0) mschap: ERROR: Program returned code (1) and output 'Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)'

  That seems pretty definitive

>> (0) mschap: External script failed
>> (0) mschap: ERROR: External script says: Password: NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)
>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>> (0)     [mschap] = reject
>> (0)   } # authenticate = reject
> 
> that seems that user1 doesn't exists but:
>> # getent passwd CSATEST\\user1
>> CSATEST\user1:*:11106:10513:user1:/home/user1:/bin/bash
> 
> From the log above seems that the client send a MS-CHAPv1 request... I have tried to add --allow-mschapv2 to the ntlm_auth command in the mschap configuration file but nothing changed;
> 
> Do you think I've found a bug in samba?

  No.  Carefully reading the debug output is _very_ useful.

  Alan DeKok.

More information about the Freeradius-Users mailing list