[EXTERNAL] Computer/Machine Authentication almost working..
Alan DeKok
aland at deployingradius.com
Mon Apr 3 16:10:02 UTC 2023
On Apr 3, 2023, at 11:43 AM, Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote:
> And with mschap:
> radtest -t mschap tim.odriscoll MYPASSWD localhost 10 testing123
> (1) authenticate {
> (1) mschap: Client is using MS-CHAPv1 with NT-Password
> (1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (1) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
> (1) mschap: --> --username=tim.odriscoll
> (1) mschap: mschap1: 84
> (1) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (1) mschap: --> --challenge=84b5ae5ac964eb2c
> (1) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (1) mschap: --> --nt-response=da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
> (1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (1) mschap: External script failed
> (1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> (1) mschap: ERROR: MS-CHAP2-Response is incorrect
> (1) [mschap] = reject
>
> I will try and dig out the samba logs..
That's the best bet.
We know FR is doing the various NT hash calculations correctly. And passing that to ntlm_auth.
My only remaining guess here is that Samba / AD isn't permitting ntlm / mschap authentication.
Alan DeKok.
More information about the Freeradius-Users
mailing list