freeradius windows machine authentication

Härtl, Calvin Calvin.Haertl at stud.hs-coburg.de
Wed Aug 30 10:09:36 UTC 2023


Hi all,

first of all thanks for your great help in my past questions!

Sadly, I have yet another one that I cannot quite figure out. Maybe I missed something, I don't know. I tried looking for past list threads, to no avail.
When my Windows client connects to the WiFi and subsequently to the FreeRADIUS server, it first authenticates via machine authentication (host/HOSTNAME.MYDOMAIN.COM). This fails and the client cannot connect to the WiFi:

(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) eap_mschapv2:   authenticate {
(6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM
(6) mschap: Client is using MS-CHAPv2
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(6) mschap:    --> --username=host/HOSTNAME.DOMAIN.COM
(6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM
(6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(6) mschap:    --> --challenge=ef98e59da6aea4aa
(6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(6) mschap:    --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590
(6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(6) mschap: External script failed
(6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6) eap_mschapv2:     [mschap] = reject
(6) eap_mschapv2:   } # authenticate = reject

However, if I manually configure the WiFi on my Windows device to only use user authentication, it works flawlessly (as expected):

(14) eap_mschapv2:   authenticate {
(14) mschap: Creating challenge hash with username: calvin.haertl
(14) mschap: Client is using MS-CHAPv2
(14) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(14) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(14) mschap:    --> --username=MYUSERNAME
(14) mschap: Creating challenge hash with username: MYUSERNAME
(14) mschap: Program returned code (0)
(14) mschap: Adding MS-CHAPv2 MPPE keys
(14) eap_mschapv2:     [mschap] = ok
(14) eap_mschapv2:   } # authenticate = ok
(14) eap_mschapv2: MSCHAP Success
(14) eap: Sending EAP Request (code 1) ID 9 length 51

My FreeRADIUS server is connected to our Active Directory via SAMBA and winbind, and I checked that the users can authenticate via radtest.
Is FreeRADIUS natively capable of doing machine authentication via AD, do I have to configure some additional files or are there any modules that I can install to do this for me?

Kind regards,

Calvin
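One way to get the machine identity past ntlm_auth, as an added example that is not from the poster or the FreeRADIUS project: the debug output above shows ntlm_auth receiving `host/HOSTNAME.DOMAIN.COM` as its `--username`, taken from `Stripped-User-Name` when set and `User-Name` otherwise. The winbind backend looks up Windows computer accounts by their SAM name (`HOSTNAME$`), so a small rewrite in the inner-tunnel `authorize` section can set `Stripped-User-Name` to that form before `mschap` runs. Assumptions: the computer account's SAM name is the first DNS label of the host identity plus `$`, and the regex placement is in `sites-enabled/inner-tunnel`.

```unlang
# Added example (not part of the original post): rewrite the Windows
# machine identity into the account name that AD/winbind knows.
# Goes into the authorize section of sites-enabled/inner-tunnel, before
# the mschap module entry, so that the existing ntlm_auth command line
# (which prefers Stripped-User-Name over User-Name) receives "HOSTNAME$"
# instead of "host/HOSTNAME.DOMAIN.COM".
authorize {
    # ... existing modules (filter_username, suffix, ...) ...

    # Assumption: the computer account is the first DNS label plus "$".
    # The match is case-insensitive because Windows may send the host
    # part in lower case while AD stores the SAM name in upper case;
    # winbind resolves the name case-insensitively either way.
    if (&User-Name =~ /^host\/([^.]+)\./i) {
        update request {
            &Stripped-User-Name := "%{1}$"
        }
    }

    # ... mschap, eap and the rest of the original section ...
}
```

After a restart, the `EXPAND --username=` line in the debug log for the machine request should show `--username=HOSTNAME$`; if ntlm_auth still returns 0xc000006d, the SAM name of the computer account differs from the first DNS label and the rewrite needs to match what the domain controller holds.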

