MSCHAPV2 for PP2P VPN

Matthew Newton mcn at freeradius.org
Wed Jan 10 10:18:24 UTC 2024


On 10/01/2024 03:01, Leo Giusti wrote:
> I am able to authenticate against my domain with ntlm_auth with a username
> and password.

OK

> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "home.win" for User-Name =
> "joshua.sharpe at home.win"
> (0) suffix: No such realm "home.win"
> (0)     [suffix] = noop

Did not strip the realm.

You may need to add the realm to proxy.conf so that suffix can strip the 
realm, or use the split_username_nai policy to do it in unlang.

> (0) mschap: Creating challenge hash with username: joshua.sharpe@home.win
> (0) mschap: Client is using MS-CHAPv2
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (0) mschap: EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (0) mschap:    --> --username=joshua.sharpe@home.win
> (0) mschap: Creating challenge hash with username: joshua.sharpe@home.win
> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (0) mschap:    --> --challenge=9c377afcf9835f65
> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (0) mschap:    -->
> --nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823
> (0) mschap: ERROR: Program returned code (1) and output 'The attempted
> logon is invalid. This is either due to a bad username or authentication
> information. (0xc000006d)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: The attempted logon is invalid.
> This is either due to a bad username or authentication information.
> (0xc000006d)

So the command you used to test is not the same as the command 
FreeRADIUS is running, or the username or password is incorrect.

Does this authenticate successfully?

/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 
--username=joshua.sharpe@home.win --challenge=9c377afcf9835f65 
--nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823

If not then you need to find out why. I suspect it's because the 
username isn't stripped, and that just using "joshua.sharpe" would work.

-- 
Matthew
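As an added example (not code from this thread or from the FreeRADIUS project), the script below rebuilds the exact ntlm_auth command line from the `radiusd -X` lines quoted above, so that a test run by hand is the same command rlm_mschap executed, and then shows the realm-stripped form Matthew suggests trying. The sample debug text is constructed from the quoted lines with the archive's "at" obfuscation restored to "@"; the function names and the "first set attribute wins" emulation of the `%{...:-...}` xlat are the example's own.

```python
# Rebuild the ntlm_auth command rlm_mschap ran, from radiusd -X output.
# Added example for this thread; not FreeRADIUS code.
import re
import shlex

# Constructed sample: the mschap lines quoted in the thread, "at" restored to
# "@", and the mail client's line wrapping kept to show the unwrapping step.
SAMPLE_DEBUG = """\
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=joshua.sharpe@home.win
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=9c377afcf9835f65
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    -->
--nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823
"""

_REQ_LINE = re.compile(r"^\(\d+\)")


def unwrap(text):
    """Join mail-wrapped lines: a line not starting with "(N)" continues the previous one."""
    out = []
    for line in text.splitlines():
        if _REQ_LINE.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] = out[-1] + " " + line.strip()
    return out


def parse_mschap_exec(text):
    """Return the argv rlm_mschap actually executed, with each xlat replaced by
    the value printed on the following "-->" line."""
    template, expansions, pending = None, {}, None
    for line in unwrap(text):
        body = line.split("mschap:", 1)[1].strip() if "mschap:" in line else ""
        if body.startswith("Executing:"):
            # Drop the trailing ":" the debug output appends to the command.
            template = body[len("Executing:"):].strip().rstrip(":").split()
        elif body.startswith("EXPAND"):
            pending = body[len("EXPAND"):].strip()
        elif body.startswith("-->") and pending is not None:
            expansions[pending] = body[3:].strip()
            pending = None
    if template is None:
        raise ValueError("no 'Executing:' line found")
    return [expansions.get(arg, arg) for arg in template]


def validate(argv):
    """Check the MS-CHAPv2 field sizes: 8-byte challenge hash, 24-byte NT-Response, hex-encoded."""
    fields = dict(a[2:].split("=", 1) for a in argv[1:] if "=" in a)
    ok_chal = re.fullmatch(r"[0-9a-fA-F]{16}", fields.get("challenge", "")) is not None
    ok_resp = re.fullmatch(r"[0-9a-fA-F]{48}", fields.get("nt-response", "")) is not None
    return ok_chal and ok_resp


def username_xlat(stripped_user_name, user_name):
    """Emulate %{%{Stripped-User-Name}:-%{%{User-Name}:-None}}: the first set
    value wins, so with no realm stripped the full User-Name reaches ntlm_auth."""
    return stripped_user_name or user_name or "None"


def split_realm(user_name):
    """What suffix / split_username_nai produce once the realm is known:
    "user@realm" -> ("user", "realm"); no "@" -> (user_name, None)."""
    user, sep, realm = user_name.partition("@")
    return (user, realm) if sep else (user_name, None)


def with_stripped_username(argv):
    """Copy of argv whose --username= carries the realm-stripped name."""
    out = []
    for arg in argv:
        if arg.startswith("--username="):
            arg = "--username=" + split_realm(arg[len("--username="):])[0]
        out.append(arg)
    return out


def shell_command(argv):
    """Render argv as a copy-pasteable shell line."""
    return shlex.join(argv)


if __name__ == "__main__":
    argv = parse_mschap_exec(SAMPLE_DEBUG)
    print("as run by FreeRADIUS:", shell_command(argv))
    print("with realm stripped: ", shell_command(with_stripped_username(argv)))
```

Run it against your own `radiusd -X` output (the mschap lines for one request) and paste the first printed command into a shell as the user radiusd runs as; if that fails and the realm-stripped variant succeeds, the realm configuration is the problem rather than the password.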