[EXTERNAL] Re: Computer/Machine Authentication almost working..

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Mon Apr 3 15:43:44 UTC 2023


> *  Also read the top of sites-available/inner-tunnel and test it via radclient, using MS-CHAP.

Thank you, Alan - I hadn't tried that yet:

It seems my ldap authentication is working, but not the mschap:
# radtest tim.odriscoll MYPASSWD localhost 10 testing123
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
rlm_ldap (ldap): Reserved connection (2)
(0) ldap: Login attempt by "tim.odriscoll"
(0) ldap: Using user DN from request "CN=tim.odriscoll,CN=Users,DC=MYDOMAIN,DC=co,DC=uk"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "CN=tim.odriscoll,CN=Users,DC=MYDOMAIN,DC=co,DC=uk" was successful
rlm_ldap (ldap): Released connection (2)
(0)     [ldap] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Medium-Type = IEEE-802
(0)   Tunnel-Private-Group-Id = "30"
(0) Finished request

And with mschap:
radtest -t mschap tim.odriscoll MYPASSWD localhost 10 testing123
(1)   authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(1) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(1) mschap:    --> --username=tim.odriscoll
(1) mschap: mschap1: 84
(1) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(1) mschap:    --> --challenge=84b5ae5ac964eb2c
(1) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(1) mschap:    --> --nt-response=da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
(1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(1) mschap: External script failed
(1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(1) mschap: ERROR: MS-CHAP2-Response is incorrect
(1)     [mschap] = reject

I will try and dig out the samba logs.

Many thanks,
Tim
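The debug output above shows the pattern worth recognising quickly when triaging `radiusd -X` logs: the `ldap` module binds fine, while `mschap` is rejected because the external `ntlm_auth` helper returns NTSTATUS 0xc000006d (STATUS_LOGON_FAILURE). The following parser is an added example, not code from the list post or from FreeRADIUS; it extracts per-request module results, `ERROR:` lines and NTSTATUS codes from debug output and summarises each request. The `SAMPLE_DEBUG` text is constructed to mirror the shape of the lines above, with invented packet ids and no credential material.

```python
import re
from collections import defaultdict

# Constructed sample of radiusd -X output; shaped like the list post but all
# values are invented (no real challenge/response data is included).
SAMPLE_DEBUG = """\
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) ldap: Bind successful
(0)     [ldap] = ok
(0)   } # authenticate = ok
(0) Sent Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
(1)   authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(1) mschap: External script failed
(1) mschap: ERROR: MS-CHAP2-Response is incorrect
(1)     [mschap] = reject
(1) Sent Access-Reject Id 139 from 127.0.0.1:1812 to 127.0.0.1:41829 length 20
"""

# "(N)     [module] = rcode" lines: the return code of each module call.
MODULE_RESULT = re.compile(r"^\((\d+)\)\s+\[(\w[\w-]*)\]\s*=\s*(\w+)")
# "(N) module: ERROR: message" lines emitted by a module.
ERROR_LINE = re.compile(r"^\((\d+)\)\s+(\w+):\s+ERROR:\s+(.*)$")
# NTSTATUS codes that ntlm_auth echoes back, e.g. "(0xc000006d)".
NTSTATUS = re.compile(r"\((0x[0-9a-fA-F]{8})\)")
# "(N) Sent Access-Accept/Access-Reject ..." lines: the final decision.
SENT = re.compile(r"^\((\d+)\)\s+Sent\s+(Access-\w+)")

# Well-known NTSTATUS value seen in the post; the only one this example maps.
STATUS_LOGON_FAILURE = "0xc000006d"


def parse_debug(text):
    """Group module results, errors, NTSTATUS codes and the sent packet per request id."""
    requests = defaultdict(
        lambda: {"modules": {}, "errors": [], "ntstatus": set(), "sent": None}
    )
    for line in text.splitlines():
        m = MODULE_RESULT.match(line)
        if m:
            rid, mod, rcode = m.groups()
            requests[int(rid)]["modules"][mod] = rcode
            continue
        m = ERROR_LINE.match(line)
        if m:
            rid, mod, msg = m.groups()
            req = requests[int(rid)]
            req["errors"].append((mod, msg))
            for code in NTSTATUS.findall(msg):
                req["ntstatus"].add(code.lower())
            continue
        m = SENT.match(line)
        if m:
            rid, packet = m.groups()
            requests[int(rid)]["sent"] = packet
    return dict(requests)


def triage(requests):
    """One short finding per request, highlighting the ldap-ok / mschap-reject split."""
    findings = {}
    for rid, req in sorted(requests.items()):
        mods = req["modules"]
        mschap_errors = [msg for mod, msg in req["errors"] if mod == "mschap"]
        if mods.get("mschap") == "reject" and mschap_errors:
            if STATUS_LOGON_FAILURE in req["ntstatus"]:
                findings[rid] = (
                    "mschap rejected by ntlm_auth: STATUS_LOGON_FAILURE "
                    f"({STATUS_LOGON_FAILURE}); winbind/ntlm_auth did not accept the "
                    "NT response for this user"
                )
            else:
                findings[rid] = "mschap rejected: " + "; ".join(mschap_errors)
        elif mods.get("ldap") == "ok":
            findings[rid] = "ldap bind succeeded"
        else:
            findings[rid] = "no recognised pattern: " + ", ".join(
                f"{k}={v}" for k, v in mods.items()
            )
    return findings


if __name__ == "__main__":
    for rid, finding in triage(parse_debug(SAMPLE_DEBUG)).items():
        print(f"request ({rid}): {finding}")
```

Feeding it a real `radiusd -X` capture (`python3 triage.py < debug.log` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`) separates the LDAP bind result from the MS-CHAP result per request, which is the distinction the two `radtest` runs above make by hand.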
