freeradius windows machine authentication

Nick Porter nick at portercomputing.co.uk
Wed Aug 30 11:11:44 UTC 2023


On 30/08/2023 11:57, Matthew Newton via Freeradius-Users wrote:
> On 30/08/2023 11:09, Härtl, Calvin wrote:
>> (6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key 
>> --allow-mschapv2 
>> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
>> --challenge=%{%{mschap:Challenge}:-00} 
>> --nt-response=%{%{mschap:NT-Response}:-00}:
>> (6) mschap: EXPAND 
>> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>> (6) mschap:    --> --username=host/HOSTNAME.DOMAIN.COM
>> (6) mschap: Creating challenge hash with username: 
>> host/HOSTNAME.DOMAIN.COM
>> (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>> (6) mschap:    --> --challenge=ef98e59da6aea4aa
>> (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>> (6) mschap:    --> 
>> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590
>> (6) mschap: ERROR: Program returned code (1) and output 'The 
>> attempted logon is invalid. This is either due to a bad username or 
>> authentication information. (0xc000006d)'
>> (6) mschap: External script failed
>> (6) mschap: ERROR: External script says: The attempted logon is 
>> invalid. This is either due to a bad username or authentication 
>> information. (0xc000006d)
>
> I think this used to work, but not 100% sure. You might need to mangle 
> the username into the format AD uses for computers, 
> "HOSTNAME.DOMAIN.COM$" or "HOSTNAME$" for example.

As Matthew said, EAP-TLS is likely a better option; however, if you have 
to use MSCHAPv2, I have done this by using the winbind authentication 
method instead of ntlm_auth.

In mods_enabled/mschap:

  - comment out ntlm_auth = ....

  - uncomment winbind_username = "%{mschap:User-Name}"

  - uncomment winbind_domain = "%{mschap:NT-Domain}"

The "%{winbind:...}" xlat goes hunting in the request attributes for 
data representing the requested MS CHAP attribute in common formats. 
The request for "User-Name" finds data that represents users and 
machines and does "the right thing" in most cases.


-- 
Nick Porter
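The thread turns on the mismatch between the identity a Windows supplicant sends for machine authentication ("host/HOSTNAME.DOMAIN.COM" in the debug output above) and the sAMAccountName AD holds for the computer object ("HOSTNAME$"). The following is an added example, not code from the thread or from the FreeRADIUS project, showing that mapping in Python for the "host/", "DOMAIN\\" and UPN identity forms; the sample identities other than the "host/" one are constructed, and the NetBIOS domain for the "host/" and UPN forms is taken from an assumed `default_nt_domain` parameter because it cannot be derived safely from a DNS suffix.

```python
import re

# Constructed sample identities. Only the "host/" form appears in the
# thread's debug output; the others are typical shapes seen in User-Name.
SAMPLE_IDENTITIES = [
    "host/HOSTNAME.DOMAIN.COM",   # PEAP machine auth, as in the log
    "DOMAIN\\HOSTNAME$",          # NT-style, already a computer account
    "HOSTNAME$@domain.com",       # UPN-style
    "jdoe",                       # a user account, not a machine
]

HOST_PREFIX = re.compile(r"^host/(?P<fqdn>[^@\\/]+)$", re.IGNORECASE)
NT_STYLE = re.compile(r"^(?P<domain>[^\\@/]+)\\(?P<account>[^\\@/]+)$")
UPN_STYLE = re.compile(r"^(?P<account>[^@\\/]+)@(?P<dns_domain>[^@\\/]+)$")


def machine_account(identity, default_nt_domain=None):
    """Return (nt_domain, sAMAccountName) for a machine identity, or None.

    An AD computer object's sAMAccountName is the short host name with a
    trailing '$'. The NetBIOS domain is not safely derivable from a DNS
    suffix, so for 'host/' and UPN forms it comes from default_nt_domain
    (an assumption of this example; in practice configure it per realm).
    """
    m = HOST_PREFIX.match(identity)
    if m:
        short = m.group("fqdn").split(".")[0]
        return (default_nt_domain, short.upper() + "$")
    m = NT_STYLE.match(identity)
    if m and m.group("account").endswith("$"):
        return (m.group("domain").upper(), m.group("account").upper())
    m = UPN_STYLE.match(identity)
    if m and m.group("account").endswith("$"):
        return (default_nt_domain, m.group("account").upper())
    return None   # not a machine account


def ntlm_auth_args(identity, default_nt_domain=None):
    """Build the --username / --domain arguments that ntlm_auth accepts for
    a machine account, or return None if the identity is not a machine."""
    result = machine_account(identity, default_nt_domain)
    if result is None:
        return None
    nt_domain, account = result
    args = ["--username=" + account]
    if nt_domain:
        args.append("--domain=" + nt_domain)
    return args


if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        print(f"{ident!r:32} -> {ntlm_auth_args(ident, 'DOMAIN')}")
```

This only shows the name mapping; the winbind path in the mschap module performs an equivalent lookup from the request attributes itself, which is why it usually "does the right thing" without a manual rewrite.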