[EXTERNAL] Computer/Machine Authentication almost working..

Tony Skalski ajs at stolaf.edu
Mon Apr 3 17:42:50 UTC 2023


I struggled with this for a while, mostly due to the multiple ways Windows
hostnames (e.g. COMPNAME$, host/compname, etc.) as well as Windows
usernames (DOMAIN\username, username at domain.com) are presented from the
client.

I solved it by creating an internal attribute "AD-sAMAccountName" and
configuring the LDAP module to look up the sAMAccountName of the
computer/user. This "normalizes" the format of usernames. I call ntlm_auth
with the AD-sAMAccountName attribute and specify our domain name.

On Mon, Apr 3, 2023 at 11:10 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Apr 3, 2023, at 11:43 AM, Tim ODriscoll <
> tim.odriscoll at lambrookschool.co.uk> wrote:
> > And with mschap:
> > radtest -t mschap tim.odriscoll MYPASSWD localhost 10 testing123
> > (1)   authenticate {
> > (1) mschap: Client is using MS-CHAPv1 with NT-Password
> > (1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> > (1) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
> > (1) mschap:    --> --username=tim.odriscoll
> > (1) mschap: mschap1: 84
> > (1) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> > (1) mschap:    --> --challenge=84b5ae5ac964eb2c
> > (1) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> > (1) mschap:    -->
> --nt-response=da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
> > (1) mschap: ERROR: Program returned code (1) and output 'The attempted
> logon is invalid. This is either due to a bad username or authentication
> information. (0xc000006d)'
> > (1) mschap: External script failed
> > (1) mschap: ERROR: External script says: The attempted logon is invalid.
> This is either due to a bad username or authentication information.
> (0xc000006d)
> > (1) mschap: ERROR: MS-CHAP2-Response is incorrect
> > (1)     [mschap] = reject
> >
> > I will try and dig out the samba logs..
>
>   That's the best bet.
>
>   We know FR is doing the various NT hash calculations correctly.  And
> passing that to ntlm_auth.
>
>   My only remaining guess here is that Samba / AD isn't permitting ntlm /
> mschap authentication.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


-- 
*Tony Skalski (he/him/his)*
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
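
The approach Tony describes above (an internal attribute filled by the LDAP module, then handed to ntlm_auth together with a fixed domain) wired into a FreeRADIUS 3.x configuration, as an added example. This is not Tony's configuration or anything from the FreeRADIUS project's own files: the attribute number 3000, the NetBIOS name MYDOMAIN, the DNS realm domain.com, the base DN and the servicePrincipalName branch of the LDAP filter are all assumptions made for illustration, and the fallback to %{mschap:User-Name} when the lookup finds nothing is an addition of my own.

```conf
# --- raddb/dictionary (site-local dictionary) ---
# Internal attribute; numbers >= 256 in this file never go on the wire.
# (3000 is an arbitrary choice for this example.)
ATTRIBUTE   AD-sAMAccountName   3000    string

# --- raddb/proxy.conf ---
# Local realm entries: without them the realm module ignores an unknown
# realm and leaves Stripped-User-Name unset.  Names are assumptions.
realm MYDOMAIN {
}
realm domain.com {
}

# --- raddb/mods-available/realm ---
# "MYDOMAIN\user" and "user@domain.com" both end up as a bare
# Stripped-User-Name, which is what the LDAP filter below keys on.
realm ntdomain {
    format = prefix
    delimiter = "\\"
}
realm suffix {
    format = suffix
    delimiter = "@"
}

# --- raddb/mods-available/ldap ---
ldap {
    server = 'ldaps://dc1.domain.com'          # assumption
    identity = 'CN=radius,OU=Service,DC=domain,DC=com'
    password = 'changeme'
    base_dn = 'DC=domain,DC=com'
    user {
        base_dn = "${..base_dn}"
        # Users and "COMPNAME$" match on sAMAccountName; a client that
        # sends "host/compname" is matched on the computer object's SPN
        # (assumption: HOST/compname is registered, as AD normally does).
        filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(servicePrincipalName=%{User-Name}))"
    }
    update {
        # Whatever form the client used, this is the canonical account name.
        control:AD-sAMAccountName := 'sAMAccountName'
    }
}

# --- raddb/mods-available/mschap ---
mschap {
    with_ntdomain_hack = yes
    # The normalised name goes to winbind; the domain is fixed rather than
    # parsed out of whatever the client sent.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{control:AD-sAMAccountName}:-%{mschap:User-Name}} --domain=MYDOMAIN --allow-mschapv2 --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- raddb/sites-available/default (relevant parts only) ---
authorize {
    preprocess
    ntdomain
    suffix
    mschap          # only sets Auth-Type := MS-CHAP here
    -ldap           # must run in authorize so control: is populated
                    # before authenticate runs ntlm_auth
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}
```

Run the server with `radiusd -X` and look for the ldap module's `update` step writing `control:AD-sAMAccountName`; if that line is missing the filter did not match and ntlm_auth is being called with the raw client name, so an 0xc000006d from winbind tells you nothing about the password. The winbind side can be checked independently of RADIUS with `ntlm_auth --request-nt-key --domain=MYDOMAIN --username=<sAMAccountName> --password=<password>` for a test user.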

