mschap configuration problem

Piviul piviul at riminilug.it
Wed Jul 8 09:46:35 CEST 2020


Alan DeKok wrote on 07/07/20 at 19:58:
> On Jul 7, 2020, at 10:40 AM, Piviul <piviul at riminilug.it> wrote:
>> Hi Alan, thank you very much. I have followed your guide and PAP and EAP now seem to work flawlessly; furthermore even AD authentication and ntlm_auth are successfully configured.
> 
>    That's good.
I think so ;)

>    Does ntlm_auth work when you run it from the command line?
of course:
> # ntlm_auth --request-nt-key --domain=$domain --username=$username --password=$password
> NT_STATUS_OK: The operation completed successfully. (0x0)

>> But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the server I can see these logs:
>   If ntlm_auth works from the command line, then it should work when run from FreeRADIUS.
but it didn't! These are the authentication logs from the FreeRADIUS server 
(forget the previous logs because there was an error in the mschap config file):
> (0)   authenticate {
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None}  --domain=%{%{mschap:NT-Domain}:-CSATEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (0) mschap:    --> --username=user1
> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST}
> (0) mschap:    --> --domain=CSATEST
> (0) mschap: mschap1: 7f
> (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
> (0) mschap:    --> --challenge=7f51b8630dacf162
> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
> (0) mschap:    --> --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313
> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> (0)     [mschap] = reject
> (0)   } # authenticate = reject

I can observe that mschap contacts the FreeRADIUS server using the old 
MS-CHAP v1 version (we can read "Client is using MS-CHAPv1"), but at the 
end of the auth logs we can read "ERROR: MS-CHAP2-Response is 
incorrect". In your opinion, is that OK?

Furthermore I have successfully completed the "Configuring FreeRADIUS to 
use ntlm_auth" section and the server correctly completes the authentication:
> (0) Found Auth-Type = ntlm_auth
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=CSATEST --username=%{mschap:User-Name} --password=%{User-Password}:
> [...]
> (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: The operation completed successfully. (0x0)'
> (0) ntlm_auth: Program executed successfully
> (0)     [ntlm_auth] = ok
> (0)   } # authenticate = ok

But mschap uses the same ntlm_auth command to authenticate the user! From 
the server logs we can affirm that the domain and username are correctly 
expanded. The password is not used, but --challenge and --nt-response are.
How does the mschap module expand the challenge and nt-response? In fact I have 
tried, but this command fails:
> # /usr/bin/ntlm_auth --request-nt-key --username=user1 --domain=CSATEST --challenge=7f51b8630dacf162 --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313
> The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)

So the challenge or the nt-response is not correct.

I am very confused...

Anyway, thank you very much.

Piviul
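How the --challenge and --nt-response values in the mschap log are related, as an added Go example that is not part of this thread or of FreeRADIUS: it implements the RFC 2433 ChallengeResponse() step that the client performs and that ntlm_auth re-checks against the account's NT hash in AD, so the 24-byte NT-Response only verifies if it was computed from the right password hash for that exact 8-byte challenge. The inputs are the RFC 2759 section 9.2 test vector (constructed input, since the real user's hash is not on the page); the MD4 step that turns the UTF-16LE password into the NT hash is assumed to be done elsewhere (Go's standard library has no MD4; golang.org/x/crypto/md4 provides one).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// desKey expands 7 key bytes into an 8-byte DES key the way RFC 2433 DesEncrypt
// does: 7 key bits per byte, low (parity) bit left clear; crypto/des ignores parity.
func desKey(k7 []byte) []byte {
	key56 := uint64(0)
	for _, b := range k7 {
		key56 = key56<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := range k {
		k[i] = byte(key56>>(49-7*i)) << 1
	}
	return k
}

// ntResponseHex is RFC 2433 ChallengeResponse() on the hex values seen in the mschap
// debug log: the 16-byte NT hash (MD4 of the UTF-16LE password) is zero-padded to 21
// bytes, each 7-byte third DES-encrypts the 8-byte challenge, and the three blocks
// concatenated are the 24-byte NT-Response that FreeRADIUS hands to --nt-response.
func ntResponseHex(challengeHex, ntHashHex string) (string, error) {
	challenge, err1 := hex.DecodeString(challengeHex)
	ntHash, err2 := hex.DecodeString(ntHashHex)
	if err1 != nil || err2 != nil || len(challenge) != 8 || len(ntHash) != 16 {
		return "", fmt.Errorf("need an 8-byte challenge and a 16-byte NT hash, both hex")
	}
	z := make([]byte, 21)
	copy(z, ntHash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(desKey(z[7*i : 7*i+7]))
		if err != nil {
			return "", err
		}
		c.Encrypt(resp[8*i:], challenge)
	}
	return hex.EncodeToString(resp), nil
}

func main() {
	// Constructed check: RFC 2759 test vector, password "clientPass" (NT hash 44ebba8d...).
	resp, err := ntResponseHex("d02e4386bce91226", "44ebba8d5312b8d611474411f56989ae")
	fmt.Println(resp, err) // 82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df <nil>
}
```

Computing the response yourself from a test account's known password and feeding it to ntlm_auth with the same --challenge isolates the winbind/AD side from whatever the client sent.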

