MSCHAPV2 for PP2P VPN
Matthew Newton
mcn at freeradius.org
Wed Jan 10 10:18:24 UTC 2024
On 10/01/2024 03:01, Leo Giusti wrote:
> I am able to authenticate against my domain with ntlm_auth with a username
> and password.
OK
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "home.win" for User-Name =
> "joshua.sharpe at home.win"
> (0) suffix: No such realm "home.win"
> (0) [suffix] = noop
Did not strip the realm.
You may need to add the realm to proxy.conf so that suffix can strip the
realm, or use the split_username_nai policy to do it in unlang.
> (0) mschap: Creating challenge hash with username: joshua.sharpe at home.win
> (0) mschap: Client is using MS-CHAPv2
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (0) mschap: EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (0) mschap: --> --username=joshua.sharpe at home.win
> (0) mschap: Creating challenge hash with username: joshua.sharpe at home.win
> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (0) mschap: --> --challenge=9c377afcf9835f65
> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (0) mschap: -->
> --nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823
> (0) mschap: ERROR: Program returned code (1) and output 'The attempted
> logon is invalid. This is either due to a bad username or authentication
> information. (0xc000006d)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: The attempted logon is invalid.
> This is either due to a bad username or authentication information.
> (0xc000006d)
So the command you used to test is not the same as the command
FreeRADIUS is running, or the username or password is incorrect.
Does this authenticate successfully?
/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
--username=joshua.sharpe at home.win --challenge=9c377afcf9835f65
--nt-response=c3b892042ad109ffc85d84f05a3322050c6f048fee25f823
If not then you need to find out why. I suspect it's because the
username isn't stripped, and that just using "joshua.sharpe" would work.
--
Matthew
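To illustrate the realm-stripping point above, here is an added example (not from the original thread or the FreeRADIUS project files) of a local realm entry for proxy.conf in FreeRADIUS 3.x, using the "home.win" realm name from the debug output; the comments assume the default mschap ntlm_auth expansion shown in the log.

```conf
# proxy.conf (FreeRADIUS 3.x): declare "home.win" as a LOCAL realm.
#
# Without this block the suffix module logs:
#   (0) suffix: No such realm "home.win"
# and leaves Stripped-User-Name unset, so the mschap ntlm_auth command
# expands --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
# to the full "joshua.sharpe@home.win", which the domain rejects.
#
# A realm with no authhost/accthost or pool is authenticated locally.
# Because "nostrip" is NOT set, suffix strips the "@home.win" part and sets
#   Stripped-User-Name = "joshua.sharpe"
#   Realm              = "home.win"
# so ntlm_auth is then run with --username=joshua.sharpe.
realm home.win {
	# Assumption: the domain is joined via winbind, so no proxying is needed.
	# Do NOT add "nostrip" here; it would keep the realm on the username.
}

# Optional: also strip the realm when the client sends DOMAIN\user.
realm home {
	format = prefix
	delimiter = "\\"
}
```

After restarting the server, `radiusd -X` should show suffix stripping the realm and mschap expanding `--username=joshua.sharpe`; if that still fails, test the same ntlm_auth command by hand with the stripped username as suggested above.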