problem with radtest and freeradius 3.0.26
Dean Guenther
deanrguenther at gmail.com
Sun Jan 28 01:32:26 UTC 2024
I'm in the process of replacing my old radiusd 3.0.0 server with a newer
version of freeradius 3.0.26.
I'm having trouble getting radtest to work properly. My environment is:
I have an Ubuntu 22.04 container running Samba 4.15.13-Ubuntu, which is my DC.
The domain is TESTDOMAIN.COM (TESTDOMAIN).
I have an Ubuntu 22.04 client running freeradius 3.0.26.
It has the Samba 4.15.13-Ubuntu client installed.
winbind is running on the freeradius server:
# ps -ef|grep win
root 259 1 0 Jan25 ? 00:00:04 /usr/sbin/winbindd --foreground --no-process-group
root 313 259 0 Jan25 ? 00:00:00 winbindd: domain child [RADIUS3-TEST]
root 315 259 0 Jan25 ? 00:00:00 winbindd: domain child [TESTDOMAIN]
root 327 259 0 Jan25 ? 00:00:00 winbindd: idmap child
In mods-available/mschap I have defined:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}"
I can successfully run an ntlm_auth authentication from the freeradius
server to the Samba domain:
# ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=deang
Password: mypassword
NT_STATUS_OK: The operation completed successfully. (0x0)
However, I'm unable to get radtest to authenticate successfully:
# radtest -t mschap deang "mypassword" localhost 0 localsecret
Sent Access-Request Id 20 from 0.0.0.0:59459 to 127.0.0.1:1812 length 131
User-Name = "deang"
MS-CHAP-Password = "mypassword"
NAS-IP-Address = 192.168.5.160
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "mypassword"
MS-CHAP-Challenge = 0xf550d266d7fbdad0
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261
Received Access-Reject Id 20 from 127.0.0.1:1812 to 127.0.0.1:59459 length 61
MS-CHAP-Error = "\000E=691 R=1 C=0ca03ab284c45180 V=2"
(0) -: Expected Access-Accept got Access-Reject
Part of the debug log from freeradius -X shows (full log attached):
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=deang
(0) mschap: mschap1: 70
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=705afc537b41679b
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b
(0) mschap: ERROR: No NT-Domain was found in the User-Name
(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}
(0) mschap: --> --domain=TESTDOMAIN.COM
(0) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> deang
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (mschap: No NT-Domain was found in the User-Name): [deang/<via Auth-Type = mschap>] (from client localhost port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 191 from 127.0.0.1:1812 to 127.0.0.1:56941 length 61
(0) MS-CHAP-Error = "\000E=691 R=1 C=970a944ede733eb6 V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 191 with timestamp +4 due to cleanup_delay was reached
Ready to process requests
I've searched for some explanation why the radtest isn't working but I
can't find anything related to this particular test.
I am attaching the full log if needed.
Any help appreciated.
thanks - Dean Guenther
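Added example, not code from the post or from FreeRADIUS itself: a small Python model of what the posted ntlm_auth line expands to for one Access-Request, run against the radtest packet printed above. It splits the 50-byte MS-CHAP-Response, applies the `%{%{X}:-default}` fallbacks, takes the NT-Domain from a backslash-qualified User-Name (a bare name gives none, which is the "No NT-Domain was found in the User-Name" line in the debug log), and for MS-CHAPv2 derives the RFC 2759 ChallengeHash that `%{mschap:Challenge}` yields. The function names are mine; the `host/` handling of the real xlat and any realm stripping that would populate Stripped-User-Name are left out and assumed absent, as in the posted log.

```python
"""Model of the ntlm_auth argument expansion rlm_mschap performs for the
posted mods-available/mschap line, run against the radtest packet in the post."""
import hashlib

# The ':-' fallback used for --domain in the posted ntlm_auth line.
DEFAULT_DOMAIN = "TESTDOMAIN.COM"


def parse_mschap_response(raw: bytes, version: int) -> dict:
    """Split the 50-byte response attribute.

    v1 MS-CHAP-Response  (RFC 2433): Ident(1) Flags(1) LM-Response(24) NT-Response(24)
    v2 MS-CHAP2-Response (RFC 2759): Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)
    """
    if len(raw) != 50:
        raise ValueError(f"expected 50 bytes, got {len(raw)}")
    if version not in (1, 2):
        raise ValueError("version must be 1 or 2")
    parsed = {"ident": raw[0], "flags": raw[1], "nt_response": raw[26:50]}
    if version == 1:
        parsed["lm_response"] = raw[2:26]
    else:
        parsed["peer_challenge"] = raw[2:18]
    return parsed


def nt_domain(user_name: str):
    """%{mschap:NT-Domain}: the text before the first backslash in User-Name.
    A bare name such as 'deang' has none. (Assumption: the xlat's extra
    handling of 'host/' Kerberos-style names is not modelled here.)"""
    domain, sep, _ = user_name.partition("\\")
    return domain if sep else None


def ntlm_auth_challenge(version: int, auth_challenge: bytes,
                        peer_challenge: bytes = b"", user_name: str = "") -> bytes:
    """%{mschap:Challenge}: the 8 bytes handed to ntlm_auth --challenge.

    v1: the 8-byte MS-CHAP-Challenge as sent (the debug log shows it verbatim).
    v2: ChallengeHash from RFC 2759 section 8.2, the first 8 bytes of
        SHA1(PeerChallenge || AuthenticatorChallenge || UserName), where
        UserName excludes any prepended DOMAIN\\ part.
    """
    if version == 1:
        if len(auth_challenge) != 8:
            raise ValueError("MS-CHAPv1 challenge must be 8 bytes")
        return auth_challenge
    if len(auth_challenge) != 16 or len(peer_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges must be 16 bytes each")
    bare_user = user_name.partition("\\")[2] if "\\" in user_name else user_name
    return hashlib.sha1(peer_challenge + auth_challenge + bare_user.encode()).digest()[:8]


def with_default(value, default):
    """The %{%{X}:-default} operator: X if it expands to something, else default."""
    return value if value else default


def build_ntlm_auth_argv(request: dict) -> list:
    """Expand the posted ntlm_auth line for one Access-Request (attribute dict)."""
    user_name = request.get("User-Name", "")
    if "MS-CHAP2-Response" in request:
        version, raw = 2, request["MS-CHAP2-Response"]
    else:
        version, raw = 1, request["MS-CHAP-Response"]
    resp = parse_mschap_response(raw, version)
    challenge = ntlm_auth_challenge(version, request["MS-CHAP-Challenge"],
                                    resp.get("peer_challenge", b""), user_name)
    # --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
    username = with_default(request.get("Stripped-User-Name"),
                            with_default(user_name, "None"))
    # --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}
    domain = with_default(nt_domain(user_name), DEFAULT_DOMAIN)
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={username}",
            f"--challenge={challenge.hex()}",
            f"--nt-response={resp['nt_response'].hex()}",
            f"--domain={domain}"]


def radtest_request() -> dict:
    """The Access-Request radtest printed in the post: bare User-Name, MS-CHAPv1,
    Flags=1 (use NT-Response), LM-Response all zero. Values copied from the post."""
    nt_response = "545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261"
    return {
        "User-Name": "deang",
        "MS-CHAP-Challenge": bytes.fromhex("f550d266d7fbdad0"),
        "MS-CHAP-Response": bytes.fromhex("0001" + "00" * 24 + nt_response),
    }


if __name__ == "__main__":
    print(" ".join(build_ntlm_auth_argv(radtest_request())))
    qualified = dict(radtest_request(), **{"User-Name": "TESTDOMAIN\\deang"})
    print(" ".join(build_ntlm_auth_argv(qualified)))
```

Running it prints the argv for the bare "deang" request (domain falls back to TESTDOMAIN.COM) and then for a constructed "TESTDOMAIN\deang" request, where the domain comes from the prefix while --username, as the posted line is written, still carries the full User-Name because it uses Stripped-User-Name/User-Name rather than %{mschap:User-Name}.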