problem with radtest and freeradius 3.0.26

Dean Guenther deanrguenther at gmail.com
Sun Jan 28 01:32:26 UTC 2024


I'm in the process of replacing my old radiusd 3.0.0 server with a newer
version of freeradius 3.0.26.

I'm having trouble getting radtest to work properly. My environment is:

I have an ubuntu 22.04 container running Samba 4.15.13-Ubuntu which is my DC
The domain is TESTDOMAIN.COM (TESTDOMAIN)

I have an ubuntu 22.04 client running freeradius 3.0.26
It has the Samba 4.15.13-Ubuntu client installed
winbind is running on the freeradius server:

# ps -ef|grep win
root         259       1  0 Jan25 ?        00:00:04 /usr/sbin/winbindd --foreground --no-process-group
root         313     259  0 Jan25 ?        00:00:00 winbindd: domain child [RADIUS3-TEST]
root         315     259  0 Jan25 ?        00:00:00 winbindd: domain child [TESTDOMAIN]
root         327     259  0 Jan25 ?        00:00:00 winbindd: idmap child

In mods-available/mschap I have defined:

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}"

I can successfully run an ntlm_auth authentication from the freeradius
server to the Samba domain:

# ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=deang
Password: mypassword
NT_STATUS_OK: The operation completed successfully. (0x0)

However, I'm unable to get radtest to authenticate successfully:

# radtest -t mschap deang "mypassword" localhost 0 localsecret
Sent Access-Request Id 20 from 0.0.0.0:59459 to 127.0.0.1:1812 length 131
    User-Name = "deang"
    MS-CHAP-Password = "mypassword"
    NAS-IP-Address = 192.168.5.160
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "mypassword"
    MS-CHAP-Challenge = 0xf550d266d7fbdad0
    MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261
Received Access-Reject Id 20 from 127.0.0.1:1812 to 127.0.0.1:59459 length 61
    MS-CHAP-Error = "\000E=691 R=1 C=0ca03ab284c45180 V=2"
(0) -: Expected Access-Accept got Access-Reject

Part of the debug log from freeradius -X shows (full log attached):

(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=deang
(0) mschap: mschap1: 70
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=705afc537b41679b
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    --> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b
(0) mschap: ERROR: No NT-Domain was found in the User-Name
(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}
(0) mschap:    --> --domain=TESTDOMAIN.COM
(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> deang
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (mschap: No NT-Domain was found in the User-Name): [deang/<via Auth-Type = mschap>] (from client localhost port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 191 from 127.0.0.1:1812 to 127.0.0.1:56941 length 61
(0)   MS-CHAP-Error = "\000E=691 R=1 C=970a944ede733eb6 V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 191 with timestamp +4 due to cleanup_delay was reached
Ready to process requests

I've searched for some explanation why the radtest isn't working but I
can't find anything related to this particular test.

I am attaching the full log if needed.

Any help appreciated.

thanks - Dean Guenther
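The debug output above is the kind of thing you end up reading repeatedly while chasing an MS-CHAP reject. The following is an added example for this thread, not code from FreeRADIUS, Samba or the poster: a small Python triage helper that parses the rlm_mschap `EXPAND` / `-->` and `ERROR` lines from a `freeradius -X` run, collects the exact arguments handed to `ntlm_auth`, decodes the NTSTATUS value Samba returned, and lists the facts worth comparing against a manual `ntlm_auth` run (for instance the `--domain` value the module used versus the one typed by hand). The `SAMPLE_LOG` text is constructed from the lines quoted in the post with the e-mail wrapping removed; `MschapAttempt`, `parse_mschap_debug`, `triage` and the `NTSTATUS` table are names chosen here and are not part of either project.

```python
"""Triage helper for a failed rlm_mschap -> ntlm_auth call in `freeradius -X` output.

Added example for this thread; not FreeRADIUS or Samba code. It reports, side
by side, the MS-CHAP version negotiated, the arguments the module expanded for
ntlm_auth, and the NTSTATUS code that came back.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt modelled on the debug output quoted in the post
# (wrapped lines re-joined; the values are the ones shown there).
SAMPLE_LOG = """\
(0) Found Auth-Type = mschap
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=deang
(0) mschap: mschap1: 70
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=705afc537b41679b
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    --> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b
(0) mschap: ERROR: No NT-Domain was found in the User-Name
(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}
(0) mschap:    --> --domain=TESTDOMAIN.COM
(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
"""

# Well-known NTSTATUS values that ntlm_auth commonly reports; extend as needed.
NTSTATUS = {
    0x00000000: "NT_STATUS_OK",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC000006A: "NT_STATUS_WRONG_PASSWORD",
    0xC0000064: "NT_STATUS_NO_SUCH_USER",
    0xC0000234: "NT_STATUS_ACCOUNT_LOCKED_OUT",
}

RE_MODE = re.compile(r"^\(\d+\) mschap: Client is using (MS-CHAPv[12]) with (\S+)")
RE_EXPANDED = re.compile(r"^\(\d+\) mschap:\s+--> --([a-z-]+)=(\S*)$")
RE_ERROR = re.compile(r"^\(\d+\) mschap: ERROR: (.*)$")
RE_STATUS = re.compile(r"\(0x([0-9a-fA-F]{8})\)")


@dataclass
class MschapAttempt:
    mode: Optional[str] = None                           # MS-CHAPv1 / MS-CHAPv2 as logged
    args: Dict[str, str] = field(default_factory=dict)   # expanded ntlm_auth arguments
    errors: List[str] = field(default_factory=list)      # rlm_mschap ERROR lines
    ntstatus: Optional[int] = None                       # last NTSTATUS seen in an ERROR line


def parse_mschap_debug(text: str) -> MschapAttempt:
    """Pull the ntlm_auth arguments and error lines out of rlm_mschap debug output."""
    att = MschapAttempt()
    for line in text.splitlines():
        m = RE_MODE.match(line)
        if m:
            att.mode = m.group(1)
            continue
        m = RE_EXPANDED.match(line)
        if m:
            att.args[m.group(1)] = m.group(2)
            continue
        m = RE_ERROR.match(line)
        if m:
            att.errors.append(m.group(1))
            s = RE_STATUS.search(m.group(1))
            if s:
                att.ntstatus = int(s.group(1), 16)
    return att


def triage(att: MschapAttempt, manual_domain: Optional[str] = None) -> List[str]:
    """Turn a parsed attempt into findings. manual_domain is the --domain value
    that worked when ntlm_auth was run by hand, if there is one to compare."""
    findings: List[str] = []
    resp = att.args.get("nt-response", "")
    chal = att.args.get("challenge", "")
    if att.mode == "MS-CHAPv1" and len(resp) == 48:
        findings.append("24-byte NT-Response with MS-CHAPv1: consistent with radtest -t mschap")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", chal):
        findings.append(f"challenge {chal!r} is not 8 bytes of hex; the expansion may have failed")
    if any("No NT-Domain" in e for e in att.errors):
        findings.append(f"no domain in User-Name; rlm_mschap used the fallback --domain={att.args.get('domain')}")
    if manual_domain and att.args.get("domain") and manual_domain != att.args["domain"]:
        findings.append(f"module passed --domain={att.args['domain']} but the manual test used --domain={manual_domain}")
    if att.ntstatus is not None:
        name = NTSTATUS.get(att.ntstatus, "unknown NTSTATUS")
        findings.append(f"ntlm_auth returned 0x{att.ntstatus:08x} ({name})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_mschap_debug(SAMPLE_LOG), manual_domain="TESTDOMAIN"):
        print("-", finding)
```

Run it against a saved `freeradius -X` capture instead of `SAMPLE_LOG` and pass the `--domain` value from the hand-run `ntlm_auth` as `manual_domain`; the point of the helper is to put the module's expanded arguments next to the manual command and the NTSTATUS name in one place, so that a config difference is visible rather than buried in the wrapped debug text.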

