MSCHAP using multiple domains

Matthew Newton mcn at freeradius.org
Tue Jul 21 18:12:17 CEST 2020



On 21/07/2020 17:01, Klemen forneci wrote:

> When I use mschap_thor everything works. When I try mschap_loki, I get
> the following error:
> (2) mschap_loki: ERROR: Program returned code (1) and output 'Logon
> Failure: The machine you are logging onto is protected by an
> authentication firewall. The specified account is not allowed to
> authenticate to the machine. (0xc0000413)'
> (2) mschap_loki: External script failed
> (2) mschap_loki: ERROR: External script says: Logon Failure: The
> machine you are logging onto is protected by an authentication
> firewall. The specified account is not allowed to authenticate to the
> machine. (0xc0000413)
> (2) mschap_loki: ERROR: MS-CHAP2-Response is incorrect
> 
> I've tried adding the radiusd server to the LOKI domain (net ads
> join), but the error remains. Are there any more settings in
> FreeRADIUS that I've missed, or anywhere else? The whole project is on
> a standstill because of this :/

As you realise already I think - it's nothing to do with FreeRADIUS, 
which just runs the ntlm_auth binary and uses the result.

You need to run ntlm_auth manually with the same args, reproduce it 
there, and then debug back up through Samba.

Once ntlm_auth works, FreeRADIUS should work, too.

From what I recall, you would normally link the domains together and 
then just join the FreeRADIUS server to one domain; the DC it sends its 
request to should forward to the other domain based on the --domain arg.

If you want to join to two distinct domains simultaneously I believe 
you'll need to have two separate isolated instances of Samba running 
(this may have changed since I looked last though).

-- 
Matthew
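The manual reproduction Matthew suggests, as an added example that is not part of the thread: a small POSIX shell script that runs ntlm_auth by hand against each domain and pulls the NT status code out of the output so the failing domain can be traced in Samba. It assumes ntlm_auth is on PATH and that a test user and password are supplied on the command line; the constructed sample output used in the comments is the exact message quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from FreeRADIUS or Samba. Reproduces by hand what
# rlm_mschap does when it execs ntlm_auth, once per domain, so a failure
# can be debugged in Samba rather than in FreeRADIUS.

# Extract the NT status code in parentheses from a line of ntlm_auth output,
# e.g. "... not allowed to authenticate to the machine. (0xc0000413)".
# Prints nothing if no 8-digit 0x code is present.
nt_status_of() {
    printf '%s\n' "$1" | sed -n 's/.*(\(0x[0-9a-fA-F]\{8\}\)).*/\1/p' | head -n 1
}

# Summarise one run as "ok" or "fail <status>", mirroring FreeRADIUS's own
# "Program returned code (1)" view: exit code first, status code as detail.
summarise_result() {
    rc="$1"; out="$2"
    status=$(nt_status_of "$out")
    if [ "$rc" -eq 0 ]; then
        echo "ok"
    else
        echo "fail ${status:-unknown}"
    fi
}

# Run the simplest ntlm_auth check against one domain. rlm_mschap itself
# uses --request-nt-key with --challenge/--nt-response instead of a
# plaintext password, but the domain routing (--domain) is the same, so a
# failure here reproduces the module's failure without involving RADIUS.
check_domain() {
    domain="$1"; user="$2"; password="$3"
    out=$(ntlm_auth --username="$user" --domain="$domain" --password="$password" 2>&1)
    rc=$?
    printf '%s: %s\n' "$domain" "$(summarise_result "$rc" "$out")"
    [ "$rc" -eq 0 ] || printf '  raw: %s\n' "$out"
}

# Usage: ./ntlm_check.sh <user> <password> <DOMAIN> [<DOMAIN> ...]
# e.g.   ./ntlm_check.sh testuser 'secret' THOR LOKI
# Only runs when arguments are given, so the functions can be sourced alone.
if [ $# -ge 3 ]; then
    user="$1"; password="$2"; shift 2
    for d in "$@"; do
        check_domain "$d" "$user" "$password"
    done
fi
```

Run it once for each domain name the mschap instances pass as --domain; a domain that prints "fail 0xc0000413" here fails in Samba independently of FreeRADIUS.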
