mschap configuration problem
Alan DeKok
aland at deployingradius.com
Wed Jul 8 16:13:45 CEST 2020
On Jul 8, 2020, at 3:46 AM, Piviul <piviul at riminilug.it> wrote:
>> Does ntlm_auth work when you run it from the command line?
> of course:
>> # ntlm_auth --request-nt-key --domain=$domain --username=$username --password=$password
>> NT_STATUS_OK: The operation completed successfully. (0x0)
Ok, but that doesn't test the MS-CHAP side.
>>> But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" it fails; on the server I can see these logs:
>> If ntlm_auth works from the command line, then it should work when run from FreeRADIUS.
> but it didn't! These are the authentication logs from the freeradius server (forget the previous logs because there was an error in the mschap config file):
>> (0) authenticate {
>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CSATEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
>> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
>> (0) mschap: --> --username=user1
>> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST}
>> (0) mschap: --> --domain=CSATEST
>> (0) mschap: mschap1: 7f
>> (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
>> (0) mschap: --> --challenge=7f51b8630dacf162
>> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
>> (0) mschap: --> --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313
>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
That's pretty definitive.
> I can observe that mschap contacts the freeradius server using the old mschap v1 version (we can read "Client is using MS-CHAPv1") but at the end of the auth logs we can read "ERROR: MS-CHAP2-Response is incorrect". In your opinion is that OK?
Yes, that's how it works.
> Furthermore I have successfully completed the "Configuring FreeRADIUS to use ntlm_auth" section and the server correctly completes the authentication:
That's good.
> But mschap uses the same ntlm_auth command to authenticate the user!
With different parameters.
If the client was given the wrong password, then it will do the MS-CHAP calculations, and get a different answer than what Samba has. Samba will then reject the user.
> From the server logs we can affirm that the domain and username are correctly expanded. The password is not used, but --challenge and --nt-response are.
> How does the mschap module expand the challenge and nt-response? Indeed I have tried, but this command fails:
>> # /usr/bin/ntlm_auth --request-nt-key --username=user1 --domain=CSATEST --challenge=7f51b8630dacf162 --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313
>> The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>
> So challenge or nt-response are not correct.
Yes.
There isn't much you can do on the FreeRADIUS side to fix this. Either the user is entering the wrong password, or something between ntlm_auth and Samba is causing an issue. FreeRADIUS does the MS-CHAP calculations correctly. There are tests run on every code change to ensure that it is correct. Plus, everyone *else* has a working MS-CHAP with FreeRADIUS.
So something in your local system is broken. It's hard to say exactly what.
Alan DeKok.
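Added example (not part of this thread, and not FreeRADIUS or Samba code): a small Go program that redoes the MS-CHAPv1 arithmetic rlm_mschap hands to ntlm_auth, so an administrator can tell which side of the split described above is wrong. Per RFC 2433, NT-Password is MD4 over the UTF-16LE password, and the 24-byte NT-Response is the 8-byte challenge DES-encrypted under three 7-byte slices of that hash zero-padded to 21 bytes. Feeding the --challenge and --nt-response values from the debug log together with the password the user says they typed shows whether the client derived the response from that password (then look at ntlm_auth, winbind and Samba) or from something else (then the client-side password is wrong). MD4 is implemented inline because Go's standard library lacks it; the candidate password in main is a placeholder, since the real one is not in the thread. The log above shows MS-CHAPv1; for MS-CHAPv2 rlm_mschap passes the derived 8-byte ChallengeHash instead, which this program does not compute.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a compact RFC 1320 MD4, written here because Go's standard library has none.
func md4(msg []byte) [16]byte {
	state := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	buf := append(append([]byte(nil), msg...), 0x80)                       // copy the input, add the 0x80 pad byte
	buf = append(buf, make([]byte, (56-len(buf)%64+64)%64+8)...)           // zero-pad to 56 mod 64, plus 8 length bytes
	binary.LittleEndian.PutUint64(buf[len(buf)-8:], uint64(len(msg))*8)   // trailing 64-bit length in bits
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(buf[off+4*i:])
		}
		r := state
		// One 16-step round; the register roles rotate a,b,c,d / d,a,b,c / c,d,a,b / b,c,d,a.
		round := func(fn func(x, y, z uint32) uint32, k [16]int, s [4]int, add uint32) {
			for i := 0; i < 16; i++ {
				a := (4 - i%4) % 4
				r[a] = bits.RotateLeft32(r[a]+fn(r[(a+1)%4], r[(a+2)%4], r[(a+3)%4])+x[k[i]]+add, s[i%4])
			}
		}
		round(f, [16]int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, [4]int{3, 7, 11, 19}, 0)
		round(g, [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, [4]int{3, 5, 9, 13}, 0x5a827999)
		round(h, [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}, [4]int{3, 9, 11, 15}, 0x6ed9eba1)
		for i := range state {
			state[i] += r[i]
		}
	}
	var out [16]byte
	for i, v := range state {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is the NT-Password hash: MD4 over the UTF-16LE encoding of the password.
func ntHash(password string) [16]byte {
	units := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	return md4(buf)
}

// desKey spreads 56 key bits over 8 bytes as RFC 2433 DesEncrypt does; the low bit of each byte is the DES parity bit, which crypto/des ignores.
func desKey(k7 []byte) []byte {
	key := make([]byte, 8)
	for i := range key {
		for bit := 0; bit < 7; bit++ {
			idx := i*7 + bit
			key[i] = key[i]<<1 | (k7[idx/8]>>(7-uint(idx%8)))&1
		}
		key[i] <<= 1
	}
	return key
}

// ntChallengeResponse is RFC 2433 ChallengeResponse(): zero-pad the hash to 21 bytes and DES-encrypt the 8-byte challenge under each 7-byte third.
func ntChallengeResponse(challenge []byte, hash [16]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], hash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // errors only on a wrong key length, fixed at 8 here
		block.Encrypt(resp[8*i:8*i+8], challenge)
	}
	return resp
}

// responseMatches recomputes the NT-Response for a candidate password and compares it with the --nt-response value rlm_mschap passed to ntlm_auth.
func responseMatches(challengeHex, responseHex, password string) (bool, error) {
	challenge, err1 := hex.DecodeString(challengeHex)
	logged, err2 := hex.DecodeString(responseHex)
	if err1 != nil || err2 != nil || len(challenge) != 8 || len(logged) != 24 {
		return false, fmt.Errorf("expected an 8-byte challenge and a 24-byte nt-response, both in hex")
	}
	expected := ntChallengeResponse(challenge, ntHash(password))
	return subtle.ConstantTimeCompare(expected[:], logged) == 1, nil
}

func main() {
	// Challenge and NT-Response are the expanded values from the debug log quoted above; the candidate password is a placeholder.
	ok, err := responseMatches("7f51b8630dacf162",
		"474c816acb5d5a19f27c4ee8709104172b172989fe7c4313", "PLACEHOLDER-password-the-user-typed")
	fmt.Println("client derived the response from the candidate password:", ok, "error:", err)
}
```

Run it with go run on a single file (file name assumed). The same recomputation applies to the ntlm_auth command line quoted above, since its --challenge and --nt-response arguments are exactly the values this program consumes; a match means the client and the RADIUS server agree and the failure is on the ntlm_auth/winbind/Samba side, a mismatch means the client built its response from a different password.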