Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC

Jesper Nemholt jfn at dataradical.com
Mon Sep 12 07:42:38 UTC 2022


Hi

I'm trying to set up Ubiquiti UniFi to authenticate users in AD, and the
ntlm_auth portion is causing me some issues.

As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and
AD. My AD is a Samba 4 server.

Samba is configured & working and the FreeRADIUS server has been joined to
the domain.

root at radius:~# wbinfo -u
administrator
foo
guest
krbtgt

ntlm_auth on the command line works OK:

root at radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx
NT_STATUS_OK: The operation completed successfully. (0x0)


I've followed a couple of guidelines specific for this setup (with UniFi)
but none of them appear to work, neither with winbind nor ntlm_auth as
method within freeradius.

I'm currently using this in my mods-available/mschap file:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
with_ntdomain_hack = yes


When I run radtest from the CLI I get this:

root at radius:~$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123
Sent Access-Request Id 245 from 0.0.0.0:43248 to 127.0.0.1:1812 length 136
	User-Name = "BAR\\foo"
	MS-CHAP-Password = "xxx"
	NAS-IP-Address = 192.168.10.8
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "xxx"
	MS-CHAP-Challenge = 0xa822149a03011b15
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
Received Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61
	MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2"
(0) -: Expected Access-Accept got Access-Reject

In the radius debug log I get this:

(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=BAR\\foo
(0) mschap: EXPAND --domain=%{mschap:NT-Domain}
(0) mschap:    --> --domain=BAR
(0) mschap: mschap1: a8
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=a822149a03011b15
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    -->
--nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
(0) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> BAR\\foo
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (mschap: Program returned code (1) and output 'The
attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)'): [BAR\foo/<via Auth-Type =
mschap>] (from client localhost port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length
61
(0)   MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 245 with timestamp +25 due to
cleanup_delay was reached
Ready to process requests

So my guess is that my ntlm_auth line is not correct, or I missed some
other parameter somewhere, but I've tried quite a few options so far, and
they all seem to fail.

Any suggestions?


I did see some recommending using winbind instead of ntlm_auth, but I
wanted to control access via group membership and it seems that is not an
option with winbind.



If anyone has a working example of what I'm trying to do
(UniFi-->FreeRADIUS-->Samba DC) I'm all ears as the examples I found so far
are not working.



/Jesper
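As an added diagnostic (my code, not from the post, FreeRADIUS or Samba): a small parser that pulls the expanded ntlm_auth arguments out of mschap debug output like the log above and lists what ntlm_auth would reject. The sample log lines are the EXPAND/--> lines from the post with the e-mail line wrapping undone; the checks (domain prefix left in --username, ':-00' fallbacks, challenge/response lengths) are my own assumptions about what to look for.

```python
import re

# Constructed sample: the mschap EXPAND lines from the debug log, each "-->" value on one line.
SAMPLE_LOG = """\
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=BAR\\\\foo
(0) mschap: EXPAND --domain=%{mschap:NT-Domain}
(0) mschap:    --> --domain=BAR
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=a822149a03011b15
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    --> --nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
"""

# "(0) mschap:    --> --username=BAR\\foo": the argument as mschap hands it to ntlm_auth.
EXPANDED = re.compile(r"^\(\d+\) mschap:\s+-->\s+--([\w-]+)=(.*)$")
VERSION = re.compile(r"Client is using (MS-CHAPv[12])")

def parse_ntlm_auth_args(log):
    """Return ({arg: value}, mschap_version) recovered from a FreeRADIUS debug log."""
    args, version = {}, None
    for line in log.splitlines():
        m = EXPANDED.match(line)
        if m:
            args[m.group(1)] = m.group(2).strip()
        v = VERSION.search(line)
        if v:
            version = v.group(1)
    return args, version

def check_ntlm_auth_args(args, version):
    """List the things in the expanded arguments that would make ntlm_auth reject the logon."""
    findings = []
    user = args.get("username", "")
    # A backslash means Stripped-User-Name was empty and the %{User-Name} fallback fired:
    # ntlm_auth gets the domain inside --username and again via --domain (assumed check).
    if "\\" in user:
        bare = user.rpartition("\\")[2]
        findings.append(f"--username={user} still carries an NT domain prefix; "
                        f"expected --username={bare} with --domain={args.get('domain')}")
    expect = {"challenge": 16, "nt-response": 48}  # 8-byte challenge, 24-byte NT response, as hex
    for name, hexlen in expect.items():
        val = args.get(name, "")
        if val == "00":
            findings.append(f"--{name} fell back to its ':-00' default; the attribute was missing")
        elif len(val) != hexlen or not re.fullmatch(r"[0-9a-f]+", val):
            findings.append(f"--{name}={val} is not {hexlen // 2} bytes of hex as {version} needs")
    return findings
```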