Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Mon Sep 19 23:04:07 UTC 2022


Jesper, 

The problem is your username

On command-line you have this:

root at radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx
NT_STATUS_OK: The operation completed successfully. (0x0)

In FreeRADIUS, it builds this:

/usr/bin/ntlm_auth --request-nt-key
--username=BAR\\foo
--domain=BAR --challenge=a822149a03011b15
--nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d

I suspect the fact that --username is 'BAR\foo', not 'foo', is the problem.

:-)

Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc

email/teams: stefan.paetow at jisc.ac.uk
gpg: 0x3FCE5142

On Mondays and Wednesdays, I am not available after 15:00. For eduroam support, please contact us via help at jisc.ac.uk and mark it for the eduroam team’s attention.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

On 12/09/2022, 08:43, "Freeradius-Users on behalf of Jesper Nemholt" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on behalf of jfn at dataradical.com> wrote:

    Hi

    I'm trying to set up Ubiquiti UniFi to authenticate users in AD, and the
    ntlm_auth portion is causing me some issues.

    As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and
    AD. My AD is a Samba 4 server.

    Samba is configured & working and the freeradius server has been joined to
    the domain.

    root at radius:~# wbinfo -u
    administrator
    foo
    guest
    krbtgt

    ntlm_auth on the command line works OK:

    root at radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx
    NT_STATUS_OK: The operation completed successfully. (0x0)


    I've followed a couple of guidelines specific to this setup (with UniFi)
    but none of them appear to work, neither with winbind nor ntlm_auth as
    method within freeradius.

    I'm currently using this in my mods-available/mschap file:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    with_ntdomain_hack = yes


    When I run radtest from CLI I get this:

    root at radius:~$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123
    Sent Access-Request Id 245 from 0.0.0.0:43248 to 127.0.0.1:1812 length 136
    	User-Name = "BAR\\foo"
    	MS-CHAP-Password = "xxx"
    	NAS-IP-Address = 192.168.10.8
    	NAS-Port = 0
    	Message-Authenticator = 0x00
    	Cleartext-Password = "xxx"
    	MS-CHAP-Challenge = 0xa822149a03011b15
    	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
    Received Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61
    	MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2"
    (0) -: Expected Access-Accept got Access-Reject

    On the radius debug log I get this:

    (0) Found Auth-Type = mschap
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0)   authenticate {
    (0) mschap: Client is using MS-CHAPv1 with NT-Password
    (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
    (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
    (0) mschap:    --> --username=BAR\\foo
    (0) mschap: EXPAND --domain=%{mschap:NT-Domain}
    (0) mschap:    --> --domain=BAR
    (0) mschap: mschap1: a8
    (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
    (0) mschap:    --> --challenge=a822149a03011b15
    (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
    (0) mschap:    --> --nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
    (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
    (0) mschap: External script failed
    (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
    (0) mschap: ERROR: MS-CHAP2-Response is incorrect
    (0)     [mschap] = reject
    (0)   } # authenticate = reject
    (0) Failed to authenticate the user
    (0) Using Post-Auth-Type Reject
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0)   Post-Auth-Type REJECT {
    (0) attr_filter.access_reject: EXPAND %{User-Name}
    (0) attr_filter.access_reject:    --> BAR\\foo
    (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (0)     [attr_filter.access_reject] = updated
    (0)     [eap] = noop
    (0)     policy remove_reply_message_if_eap {
    (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (0)       else {
    (0)         [noop] = noop
    (0)       } # else = noop
    (0)     } # policy remove_reply_message_if_eap = noop
    (0)   } # Post-Auth-Type REJECT = updated
    (0) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [BAR\foo/<via Auth-Type = mschap>] (from client localhost port 0)
    (0) Delaying response for 1.000000 seconds
    Waking up in 0.2 seconds.
    Waking up in 0.7 seconds.
    (0) Sending delayed response
    (0) Sent Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length 61
    (0)   MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2"
    Waking up in 3.9 seconds.
    (0) Cleaning up request packet ID 245 with timestamp +25 due to cleanup_delay was reached
    Ready to process requests

    So my guess is that my ntlm_auth line is not correct, or I missed some
    other parameter somewhere, but I've tried quite a few options so far, and
    they seem to all fail.

    Any suggestions?

    I did see some recommending using winbind instead of ntlm_auth, but I
    wanted to control access via group membership and it seems that is not an
    option with winbind.

    If anyone has a working example of what I'm trying to do
    (UniFi-->FreeRADIUS-->Samba DC) I'm all ears as the examples I found so far
    are not working.

    /Jesper
    -
    List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
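The following is an added example for readers of this thread and is not configuration posted by either Stefan or Jesper. It puts the ntlm_auth line as Jesper posted it beside one that uses the mschap module's own `%{mschap:User-Name}` expansion. rlm_mschap exposes `User-Name` and `NT-Domain` expansions that split the `DOMAIN\user` form the client sent: `%{mschap:User-Name}` yields only the user part (`foo`), `%{mschap:NT-Domain}` only the domain (`BAR`), so ntlm_auth is invoked the same way as in Jesper's working command-line test. The path `/usr/bin/ntlm_auth` is taken from the thread; the `:-None` and `:-NULL` fallback values and the surrounding `mschap { }` block are assumptions made here, and the Samba `ntlm auth` remark in the comments is a general caveat about MS-CHAPv2 through winbind rather than anything the thread establishes.

```conf
# /etc/freeradius/3.0/mods-available/mschap  (FreeRADIUS 3.x)
# Added example, not the original poster's file.
mschap {
	# Before editing anything, reproduce the failure from the shell with the
	# username exactly as FreeRADIUS expanded it in the debug log:
	#   ntlm_auth --request-nt-key --domain=BAR --username='BAR\foo' --password=xxx
	# and compare with the form that worked:
	#   ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx

	# Posted version (kept for comparison). Stripped-User-Name is unset, so
	# the fallback hands the full User-Name "BAR\foo" to --username while
	# --domain is already "BAR".
	#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Corrected version. %{mschap:User-Name} returns the user part only
	# ("foo"); %{mschap:NT-Domain} returns the domain part ("BAR").
	# The ":-None" / ":-NULL" defaults are assumptions chosen for this example.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-None} --domain=%{%{mschap:NT-Domain}:-NULL} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Keep this. Windows clients put "DOMAIN\user" in User-Name but compute
	# the MS-CHAP response over "user" alone; the hack makes the module verify
	# the response the same way.
	with_ntdomain_hack = yes

	# Caveat for the real UniFi case (PEAP/MS-CHAPv2, not the MS-CHAPv1 that
	# radtest -t mschap sends): if the Samba DC runs with its default
	# "ntlm auth = ntlmv2-only", winbind refuses MS-CHAPv2 verification. The
	# usual remedy is "ntlm auth = mschapv2-and-ntlmv2-only" in smb.conf
	# together with "--allow-mschapv2" added to the ntlm_auth line above,
	# where the installed Samba version supports both.
}
```

After changing the file, restart FreeRADIUS in debug mode (`freeradius -X`) and repeat the radtest call from the thread; the `EXPAND --username=...` line in the debug output should now show `--username=foo` rather than `--username=BAR\\foo`.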


