problem with radtest and freeradius 3.0.26

Alan Buxey alan.buxey at gmail.com
Sun Jan 28 13:43:03 UTC 2024


Hi

Your working command line was TESTDOMAIN but your FreeRADIUS configuration
has TESTDOMAIN.COM

On Sun, 28 Jan 2024, 01:32 Dean Guenther, <deanrguenther at gmail.com> wrote:

> I'm in the process of replacing my old radiusd 3.0.0 server with a newer
> version of freeradius 3.0.26.
>
> I'm having trouble getting radtest to work properly. My environment is:
>
> I have an ubuntu 22.04 container running Samba 4.15.13-Ubuntu which is my
> DC
> The domain is TESTDOMAIN.COM (TESTDOMAIN)
>
> I have an ubuntu 22.04 client running freeradius 3.0.26
> It has the Samba 4.15.13-Ubuntu client installed
> winbind is running on the freeradius server:
>
> # ps -ef|grep win
> root         259       1  0 Jan25 ?        00:00:04 /usr/sbin/winbindd
> --foreground --no-process-group
> root         313     259  0 Jan25 ?        00:00:00 winbindd: domain child
> [RADIUS3-TEST]
> root         315     259  0 Jan25 ?        00:00:00 winbindd: domain child
> [TESTDOMAIN]
> root         327     259  0 Jan25 ?        00:00:00 winbindd: idmap child
>
> In mods-available/mschap I have defined:
>
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}"
>
> I can successfully run an ntlm_auth authentication from the freeradius
> server to the Samba domain:
>
> # ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=deang
> Password: mypassword
> NT_STATUS_OK: The operation completed successfully. (0x0)
>
> However, I'm unable to get radtest to authenticate successfully:
>
> # radtest -t mschap deang "mypassword" localhost 0 localsecret
> Sent Access-Request Id 20 from 0.0.0.0:59459 to 127.0.0.1:1812 length 131
>     User-Name = "deang"
>     MS-CHAP-Password = "mypassword"
>     NAS-IP-Address = 192.168.5.160
>     NAS-Port = 0
>     Message-Authenticator = 0x00
>     Cleartext-Password = "mypassword"
>     MS-CHAP-Challenge = 0xf550d266d7fbdad0
>     MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261
> Received Access-Reject Id 20 from 127.0.0.1:1812 to 127.0.0.1:59459 length 61
>     MS-CHAP-Error = "\000E=691 R=1 C=0ca03ab284c45180 V=2"
> (0) -: Expected Access-Accept got Access-Reject
>
> Part of the debug log from freeradius -X shows (full log attached):
>
> (0) Found Auth-Type = mschap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}:
> (0) mschap: EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (0) mschap:    --> --username=deang
> (0) mschap: mschap1: 70
> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (0) mschap:    --> --challenge=705afc537b41679b
> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (0) mschap:    -->
> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b
> (0) mschap: ERROR: No NT-Domain was found in the User-Name
> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}
> (0) mschap:    --> --domain=TESTDOMAIN.COM
> (0) mschap: ERROR: Program returned code (1) and output 'The attempted
> logon is invalid. This is either due to a bad username or authentication
> information. (0xc000006d)'
> (0) mschap: External script failed
> (0) mschap: ERROR: External script says: The attempted logon is invalid.
> This is either due to a bad username or authentication information.
> (0xc000006d)
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> (0)     [mschap] = reject
> (0)   } # authenticate = reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> deang
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Login incorrect (mschap: No NT-Domain was found in the User-Name):
> [deang/<via Auth-Type = mschap>] (from client localhost port 0)
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 191 from 127.0.0.1:1812 to 127.0.0.1:56941 length 61
> (0)   MS-CHAP-Error = "\000E=691 R=1 C=970a944ede733eb6 V=2"
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 191 with timestamp +4 due to
> cleanup_delay was reached
> Ready to process requests
>
> I've searched for some explanation why the radtest isn't working but I
> can't find anything related to this particular test.
>
> I am attaching the full log if needed.
>
> Any help appreciated.
>
> thanks - Dean Guenther
>
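The mismatch Alan points at can be caught before running radtest: the fallback in the `--domain=%{%{mschap:NT-Domain}:-...}` expansion is what ntlm_auth receives whenever the User-Name carries no domain, so it should be the short (NetBIOS) name that worked interactively. The following check is an added example, not code from the thread or from FreeRADIUS; the sample configuration line is constructed from the one quoted above, and `wbinfo --own-domain` is only mentioned as the way to obtain the winbind domain name on a live host.

```shell
#!/bin/sh
# Added example: compare the fallback domain in the mods-available/mschap
# ntlm_auth line with the NetBIOS domain name that ntlm_auth accepted.

# Print the domain ntlm_auth gets when the request has no NT-Domain, i.e. the
# default inside --domain=%{%{mschap:NT-Domain}:-DEFAULT}. Prints nothing if
# the line has no such fallback.
ntlm_auth_fallback_domain() {
    printf '%s\n' "$1" |
        sed -n 's/.*--domain=%{%{mschap:NT-Domain}:-\([^}]*\)}.*/\1/p'
}

# $1: the ntlm_auth = "..." line; $2: the NetBIOS domain name that worked on the
# command line (on a live host: wbinfo --own-domain).
# Returns 0 on match, 1 on mismatch, 2 if no fallback is configured at all.
check_ntlm_domain() {
    fallback=$(ntlm_auth_fallback_domain "$1")
    if [ -z "$fallback" ]; then
        echo "no --domain fallback in ntlm_auth line"
        return 2
    fi
    if [ "$fallback" = "$2" ]; then
        echo "OK: fallback domain '$fallback' matches winbind domain '$2'"
        return 0
    fi
    echo "MISMATCH: mschap falls back to '$fallback' but ntlm_auth worked with '$2'"
    return 1
}

# Constructed sample: the configuration line quoted in the thread.
SAMPLE_LINE='ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}"'

# Reports MISMATCH for the quoted configuration, since TESTDOMAIN.COM != TESTDOMAIN.
check_ntlm_domain "$SAMPLE_LINE" TESTDOMAIN || true
```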

