Stuck on ntlm_auth/mschap setup between FreeRADIUS & Samba DC
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Mon Sep 19 23:04:07 UTC 2022
Jesper,
The problem is your username
On command-line you have this:
root at radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo --password=xxx
NT_STATUS_OK: The operation completed successfully. (0x0)
In FreeRADIUS, it builds this:
/usr/bin/ntlm_auth --request-nt-key
--username=BAR\\foo
--domain=BAR --challenge=a822149a03011b15
--nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
I suspect the fact that --username is 'BAR\foo', not 'foo', is the problem.
:-)
Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc
email/teams: stefan.paetow at jisc.ac.uk
gpg: 0x3FCE5142
On Mondays and Wednesdays, I am not available after 15:00. For eduroam support, please contact us via help at jisc.ac.uk and mark it for the eduroam team’s attention.
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On 12/09/2022, 08:43, "Freeradius-Users on behalf of Jesper Nemholt" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on behalf of jfn at dataradical.com> wrote:
Hi
I'm trying to setup Ubiquiti UniFi to authenticate users in AD, and the
ntlm_auth portion is causing me some issues.
As UniFi doesn't support AD natively, I'm using RADIUS between UniFi and
AD. My AD is a Samba 4 server,
Samba is configured & working and the freeradius server has been joined to
the domain.
root at radius:~# wbinfo -u
administrator
foo
guest
krbtgt
ntlm_auth on the command line works OK :
root at radius:~# ntlm_auth --request-nt-key --domain=BAR --username=foo
--password=xxx
NT_STATUS_OK: The operation completed successfully. (0x0)
I've followed a couple of guidelines specific for this setup (with UniFi)
but none of them appear to work, neither with winbind nor ntlm_auth as
method within freeradius.
I'm currently using this in my mods-available/mschap file :
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
with_ntdomain_hack = yes
When I run radtest from CLI I get this :
*root at radius*:*~*$ radtest -t mschap "BAR\foo" xxx localhost 0 testing123
Sent Access-Request Id 245 from 0.0.0.0:43248 to 127.0.0.1:1812 length 136
User-Name = "BAR\\foo"
MS-CHAP-Password = "xxx"
NAS-IP-Address = 192.168.10.8
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "xxx"
MS-CHAP-Challenge = 0xa822149a03011b15
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000003ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
Received Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length
61
MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2"
(0) -: Expected Access-Accept got Access-Reject
On the radius debug log I get this :
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=BAR\\foo
(0) mschap: EXPAND --domain=%{mschap:NT-Domain}
(0) mschap: --> --domain=BAR
(0) mschap: mschap1: a8
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=a822149a03011b15
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: -->
--nt-response=3ca8fa0c61ff26ce4d7aa85a43047ff78b4519f45d2c431d
(0) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> BAR\\foo
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (mschap: Program returned code (1) and output 'The
attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)'): [BAR\foo/<via Auth-Type =
mschap>] (from client localhost port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 245 from 127.0.0.1:1812 to 127.0.0.1:43248 length
61
(0) MS-CHAP-Error = "\000E=691 R=1 C=1acfee53ed2e2e7c V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 245 with timestamp +25 due to
cleanup_delay was reached
Ready to process requests
So my guess is that my ntlm_auth line is not correct, or I missed some
other parameter somewhere, but I've tried quite a few options so far, and
they seem to all fail.
Any suggestions ?
I did see some recommending using winbind instead of ntlm_auth, but I
wanted to control access via group membership and it seems that is not an
option with winbind.
If anyone has a working example of what I'm trying to do
(UniFi-->FreeRADIUS-->Samba DC) I'm all ears as the examples I found so far
are not working.
/Jesper
-
List info/subscribe/unsubscribe? See https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Cstefan.paetow%40jisc.ac.uk%7C58893dfb2cc443d4032708da9492792d%7C48f9394d8a144d2782a6f35f12361205%7C0%7C0%7C637985654084797285%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=cfGFSj%2Bc6cTTRWHVm0psNzCICGeYA9IX4pH1zoETgsI%3D&reserved=0
More information about the Freeradius-Users
mailing list