Users rejected when no connection with remote domain controllers
Rodrigo Abrantes Antunes
rodrigoantunes at pelotas.ifsul.edu.br
Tue Sep 3 13:23:25 UTC 2024
Hi all,
My institution has multiple AD domain controllers, one for each
campus, all of them respond for the same domain and connect to each
other through the internet using a VPN.
One of the servers is located in my campus and freeradius
authenticates directly against this server.
When the VPN is up, everything works as it should, but when the VPN is
down, users sometimes can't authenticate.
This seems to be random: users authenticate normally, then suddenly
can't, and then suddenly can again.
When they are rejected I see this in debug:
...
(2535) mschap: --> --username=gloriasantos
(2535) mschap: Creating challenge hash with username: gloriasantos
(2535) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2535) mschap: --> --challenge=2aa82edbd744104d
(2535) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(2535) mschap: --> --nt-response=7c9a6934a7363630b270dddeb82ad6f347a54a1ff9fc768c
Child PID 64739 is taking too much time: forcing failure and killing child.
(2535) mschap: ERROR: Failed to read from child output
(2535) mschap: External script failed
(2535) mschap: ERROR: External script says:
(2535) mschap: ERROR: MS-CHAP2-Response is incorrect
(2535) eap_mschapv2: [mschap] = reject
...
And at this moment, if I try the command "ntlm_auth --username=user --password=pass",
it takes more time than it should and then succeeds.
The PID 64739 is ntlm_auth, I think.
Everything in the freeradius, samba, and dns configuration points to the
local Active Directory domain controller, but it seems that when the VPN
is down something is still trying to contact the remote domain
controllers (which are unavailable).
Any idea what might be happening?
Feel free to ask for needed configuration.
FreeRADIUS 3.2.1
Samba 4.17.9-Debian
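Added example, not from the post or from FreeRADIUS: a small Python parser that runs over a constructed `radiusd -X` excerpt modelled on the one above and separates mschap rejects that follow a "Child PID ... is taking too much time" kill of the ntlm_auth child from rejects without one, since both cases end in the same "MS-CHAP2-Response is incorrect" line. The "Logon failure" text used for the wrong-password request is a constructed stand-in, not real ntlm_auth output.

```python
import re

# Constructed sample of radiusd -X output, modelled on the post's excerpt:
# request 2535 is rejected after the ntlm_auth child is killed for taking
# too long, 2536 is an ordinary wrong-password reject, 2537 succeeds.
SAMPLE_LOG = """\
(2535) mschap: --> --username=gloriasantos
(2535) mschap: Creating challenge hash with username: gloriasantos
(2535) mschap: --> --challenge=2aa82edbd744104d
Child PID 64739 is taking too much time: forcing failure and killing child.
(2535) mschap: ERROR: Failed to read from child output
(2535) mschap: External script failed
(2535) mschap: ERROR: External script says:
(2535) mschap: ERROR: MS-CHAP2-Response is incorrect
(2535) eap_mschapv2: [mschap] = reject
(2536) mschap: --> --username=jdoe
(2536) mschap: ERROR: External script says: Logon failure (constructed)
(2536) mschap: ERROR: MS-CHAP2-Response is incorrect
(2536) eap_mschapv2: [mschap] = reject
(2537) mschap: --> --username=asilva
(2537) eap_mschapv2: [mschap] = ok
"""

REQ_RE = re.compile(r"^\((\d+)\) (\S+): (.*)$")
TIMEOUT_RE = re.compile(r"^Child PID (\d+) is taking too much time: forcing failure")


def classify_requests(log_text):
    """Map each request id to 'ok', 'reject-bad-credentials' or
    'reject-ntlm_auth-timeout', using the eap_mschapv2 verdict line."""
    verdicts, timed_out, current = {}, set(), None
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current, module, msg = m.groups()
            if module == "eap_mschapv2" and msg.startswith("[mschap] = "):
                result = msg[len("[mschap] = "):]
                if result == "ok":
                    verdicts[current] = "ok"
                elif current in timed_out:
                    verdicts[current] = "reject-ntlm_auth-timeout"
                else:
                    verdicts[current] = "reject-bad-credentials"
        elif TIMEOUT_RE.match(line) and current is not None:
            # The kill message carries no "(id)" prefix; it is printed while
            # the request that spawned the child is being processed, so
            # attribute it to the most recently seen request id.
            timed_out.add(current)
    return verdicts


def timeout_ratio(verdicts):
    """Share of rejects caused by the ntlm_auth timeout rather than a
    credential mismatch; a high value points at the DC path, not users."""
    rejects = [v for v in verdicts.values() if v.startswith("reject")]
    return sum(v.endswith("timeout") for v in rejects) / len(rejects) if rejects else 0.0
```

Run it over a full debug capture from a period when the VPN is down; if the timeout share is high, the rejects are a backend-availability problem rather than bad passwords.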