problem with radtest and freeradius 3.0.26

Dean Guenther deanrguenther at gmail.com
Wed Jan 31 03:11:17 UTC 2024


Hi Alan,
I've followed your suggestion on debugging. I still am unable to get a
successful authentication. I can see "what" is failing (the
authentication), but I don't see the "why".

So I went back to your mschap documentation to ensure I have things set up
properly. Let me review that first. I think it is set up correctly.

1) I am running freeradius 3.0.26 on an ubuntu 22.04 host. I have installed
Samba 4.15.13-Ubuntu client. My DC is another ubuntu 22.04 host with Samba
4.15.13-Ubuntu server installed. The config says
           server role = active directory domain controller
2) On the freeradius server, which is a Samba 4.15.13-Ubuntu client (not
server) in the smb.conf I added:

3) On the freeradius server I have run
           wbinfo -a deang
    and verified that the password for deang is good.
4) I also ran
          ntlm_auth --username=deang --password=******* --domain=TESTDOMAIN
    and that works. I also did
          ntlm_auth --username=deang --password=*******
    without the --domain and that also works.
    NOTE: per your explanation I now understand that this execution does
not actually call mschap
5) My endgame is I want to authenticate a wireless access point through
this freeradius server. When I couldn't initially get that to work, I
decided to try radtest. So now my most recent test is going through the
access point, which uses WPA2 Enterprise.
6) It asks for the name and password.
7) In the freeradius log (attached) it shows that it successfully passes
the username "deang" to mschap.
8) But then it says:
          (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
9) In your new mschap documentation it mentioned trying ntlm_auth from the
command line using the mschap:Challenge and mschap:NT-Response.
     I couldn't get that to work. Not sure what I entered wrong here:
          # ntlm_auth --request-nt-key --allow-mschapv2 --username=deang --challenge=878e648b0127ef34 --nt-response=cea5231c4fe1a9d111433e9473010416e8ca426578904d35 --domain=TESTDOMAIN
          The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
10) In the mschap documentation it says another option is to comment out
ntlm_auth and uncomment "winbind_username" and "winbind_domain" in mschap.
I tried this but it still failed. I did not include a log of that attempt.


One more question, so I can learn more about this process. The password is
never shown in the mschap debug log. Is the password when entered on the
wireless access point somehow hashed into a combination of the challenge
and nt-response? Just trying to understand how they fit together.

Thanks Alan - Dean Guenther




On Mon, Jan 29, 2024 at 11:31 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Jan 29, 2024, at 1:33 PM, Dean Guenther <deanrguenther at gmail.com>
> wrote:
> > The "TESTDOMAIN" is the workgroup specification in the Samba smb.conf.
> And "
> > TESTDOMAIN.COM" is the realm in the smb.conf.
> >
> > If I use TESTDOMAIN in the mschap file's ntlm_auth specification then run
> > radtest it fails. And using TESTDOMAIN while running ntlm_auth from the
> > command line succeeds.
> >
> > And if I use TESTDOMAIN.COM in the mschap file's ntlm_auth
> > specification then  radtest still fails. And using TESTDOMAIN.COM while
> > running ntlm_auth from the command line succeeds.
>
>   It's good to test all options, but there is a lot more information there
> than "it succeeds" or "it fails".
>
>   The issue is also that "running ntlm_auth from the command line" is
> testing ntlm_auth with passwords, not with the MS-CHAP data.  So it's not
> really the same test.
>
> > What else should I be looking at?
>
>   The debug output.
>
>   You can't debug the server by looking at the radtest output.
>
>   The server debug output will tell you WHY it fails, and WHAT is failing.
>
>   The MS-CHAP calculations depend on both the password and the user name
> which is entered.  The client system (e.g. Windows) does the MS-CHAP
> calculations, and hands the result to FreeRADIUS.  FreeRADIUS then takes
> that, and hands it to Windows.
>
>   So if it fails, then the issue is almost always outside of FreeRADIUS.
>
>   I've put some updated documentation into the mschap module:
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap
>
>   Try the instructions there for debugging it.  That should help.
>
>   Alan DeKok.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: free.log
Type: application/octet-stream
Size: 86152 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20240130/d953a703/attachment-0001.obj>
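The question above about how the password relates to the challenge and the NT-Response is answered by the MS-CHAPv2 arithmetic of RFC 2759, which is what ntlm_auth (via winbind and the DC) checks on the server side. The Go program below is an added worked example for this thread; it is not code from the thread, from FreeRADIUS or from Samba. It computes each piece: the NT hash (MD4 of the UTF-16LE password, which is all the domain controller keeps), the 8-byte challenge (SHA1 over peer challenge, authenticator challenge and the bare user name; this is the 16-hex-digit value that %{mschap:Challenge} expands to, the same shape as the --challenge in item 9), and the 24-byte NT-Response (three DES encryptions of that challenge under keys cut from the zero-padded NT hash, the same shape as the --nt-response in item 9). It uses the RFC 2759 section 9.2 test vectors as constructed input rather than the values from the thread, because the password behind those is not known to anyone but the DC. The verifyNTResponse function shows the authenticator's side: recompute from the stored hash and compare. Feeding it a domain-prefixed user name makes the challenge hash differ, so the recomputed response no longer matches, which is the kind of "bad username or authentication information" mismatch the log reports.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 is a minimal RFC 1320 MD4; Go's standard library has none, and the NT hash is MD4 of UTF-16LE.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (55-len(data)%64+64)%64)...) // zero pad to 56 mod 64
	msg = binary.LittleEndian.AppendUint64(msg, uint64(len(data))*8)
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(b,c,d) = (b AND c) OR (NOT b AND d)
			a = rotl(a+((b&c)|(^b&d))+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G(b,c,d) = majority(b,c,d)
			a = rotl(a+((b&c)|(b&d)|(c&d))+x[r2[i]]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H(b,c,d) = b XOR c XOR d
			a = rotl(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is RFC 2759's NtPasswordHash: MD4 over the password encoded as UTF-16LE.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, c := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(c), byte(c>>8))
	}
	return md4(buf)
}

// challengeHash is the 8-byte MS-CHAPv2 challenge: SHA1(peer || authenticator || username)[:8].
// Only the bare user name is hashed, so "DOMAIN\user" and "user" yield different challenges.
func challengeHash(peer, auth []byte, username string) (out [8]byte) {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), username...))
	copy(out[:], sum[:])
	return out
}

// ntResponse is RFC 2759's ChallengeResponse: the NT hash is zero-padded to 21 bytes,
// split into three 7-byte DES keys, and each key encrypts the 8-byte challenge.
func ntResponse(challenge [8]byte, hash [16]byte) []byte {
	zpad := make([]byte, 21)
	copy(zpad, hash[:])
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		bits := binary.BigEndian.Uint64(append([]byte{0}, zpad[7*i:7*i+7]...)) // 56 key bits
		var key [8]byte
		for j := range key { // 7 key bits per byte, parity bit (bit 0) left clear; Go's DES ignores parity
			key[j] = byte(bits>>uint(49-7*j)&0x7f) << 1
		}
		blk, _ := des.NewCipher(key[:]) // key is always 8 bytes, so no error is possible
		blk.Encrypt(resp[8*i:], challenge[:])
	}
	return resp
}

// verifyNTResponse does what the authenticator (winbind behind ntlm_auth) does with
// the stored NT hash: recompute the response and compare; the plaintext never arrives.
func verifyNTResponse(username, password string, peer, auth, response []byte) bool {
	want := ntResponse(challengeHash(peer, auth, username), ntHash(password))
	return subtle.ConstantTimeCompare(want, response) == 1
}

func main() {
	// RFC 2759 section 9.2 test vectors (constructed input, not values from the thread).
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	resp := ntResponse(challengeHash(peer, auth, "User"), ntHash("clientPass"))
	fmt.Printf("NT-Response=%X verified=%v\n", resp, verifyNTResponse("User", "clientPass", peer, auth, resp))
}
```

Run it with go run; the printed NT-Response is the RFC's 82309ECD... value and verified=true. Doing the same recomputation over the thread's own --challenge and --nt-response would need the account's NT hash, which only the DC has, which is why ntlm_auth on the FreeRADIUS host hands the pair to winbind instead of checking it locally, and why the plaintext password never shows up in the mschap debug output.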