Users randomly rejected when no connection with remote domain controllers
Rodrigo Abrantes Antunes
rodrigoantunes at ifsul.edu.br
Wed Sep 4 14:23:18 UTC 2024
Hi all,
My institution has multiple AD domain controllers, one for each campus, all
of them respond for the same domain and connect to each other through
internet using a vpn.
One of the servers is located in my campus and freeradius authenticates
directly against this server.
When the vpn is up, everything works as it should but when the vpn is down,
users sometimes can't authenticate.
This seems to be random, users authenticate normally then suddenly can't
and suddenly can again.
When they are rejected I see this in debug:
...
(2535) mschap: --> --username=gloriasantos
(2535) mschap: Creating challenge hash with username: gloriasantos
(2535) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2535) mschap: --> --challenge=2aa82edbd744104d
(2535) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(2535) mschap: --> --nt-response=7c9a6934a7363630b270dddeb82ad6f347a54a1ff9fc768c
Child PID 64739 is taking too much time: forcing failure and killing child.
(2535) mschap: ERROR: Failed to read from child output
(2535) mschap: External script failed
(2535) mschap: ERROR: External script says:
(2535) mschap: ERROR: MS-CHAP2-Response is incorrect
(2535) eap_mschapv2: [mschap] = reject
...
And at this moment, if I try the command "ntlm_auth --username=user --password=pass"
it takes more time than it should and then succeeds.
The PID 64739 is ntlm_auth I think.
Everything in freeradius, samba, and dns configuration points to the local
active directory domain controller, but it seems that when vpn is down
something is still trying to contact the remote domain controllers (which
are unavailable).
Any ideas of what might be happening?
Feel free to ask for needed configuration.
Freeradius 3.2.1
Samba 4.17.9-Debian
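As an added triage aid (not part of the original post or of FreeRADIUS), the parser below reads `radiusd -X` debug output in the format quoted above and separates rejects caused by the ntlm_auth child being killed on timeout from rejects where the script actually answered with an MS-CHAP2 failure. The sample log is constructed; request ids 2536/2537 and the usernames alice/bob are made up, and the verdict labels are my own.

```python
import re

# Constructed sample of radiusd -X output, modelled on the lines in the post.
SAMPLE_LOG = """\
(2535) mschap: --> --username=gloriasantos
(2535) mschap: Creating challenge hash with username: gloriasantos
Child PID 64739 is taking too much time: forcing failure and killing child.
(2535) mschap: ERROR: Failed to read from child output
(2535) mschap: External script failed
(2535) mschap: ERROR: External script says:
(2535) mschap: ERROR: MS-CHAP2-Response is incorrect
(2535) eap_mschapv2: [mschap] = reject
(2536) mschap: --> --username=alice
(2536) mschap: ERROR: External script says:
(2536) mschap: ERROR: MS-CHAP2-Response is incorrect
(2536) eap_mschapv2: [mschap] = reject
(2537) mschap: --> --username=bob
(2537) eap_mschapv2: [mschap] = ok
"""

USER_RE = re.compile(r"^\((\d+)\) mschap: --> --username=(\S+)")
RESULT_RE = re.compile(r"^\((\d+)\) eap_mschapv2: \[mschap\] = (\w+)")
TIMEOUT_MARK = "is taking too much time"
FAIL_MARK = "Failed to read from child output"


def classify_rejects(log_text):
    """Return {request_id: (username, verdict)}; verdict is 'timeout'
    (child killed before answering), 'bad-credentials' (script replied
    with a real MS-CHAP2 failure) or 'ok'."""
    users, timed_out, results = {}, set(), {}
    pending_timeout = False  # the kill line carries no request id
    for line in log_text.splitlines():
        if TIMEOUT_MARK in line:
            pending_timeout = True  # bind it to the next read failure
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
            continue
        if FAIL_MARK in line and pending_timeout:
            timed_out.add(line.split(")")[0][1:])
            pending_timeout = False
            continue
        m = RESULT_RE.match(line)
        if m:
            rid, status = m.groups()
            if status == "ok":
                verdict = "ok"
            else:
                verdict = "timeout" if rid in timed_out else "bad-credentials"
            results[rid] = (users.get(rid, "?"), verdict)
    return results
```

A high share of 'timeout' verdicts while the VPN is down points at ntlm_auth stalling on winbind rather than at wrong passwords.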