Hi List,

I have quite an interesting problem. I don't think it's FreeRADIUS-related, but I hope somebody else has already had the same issue and can give me a hint. A hint on where to dig / ask would also be very nice...

Okay, the setup: I'm using FreeRADIUS as the 802.1X/PEAP authenticator for our WLAN deployment and MS AD as the backend. It's the setup described in: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

And it's working quite well - for all machine accounts and most user accounts. So I assume my freeradius/samba/kerberos config is fine so far...

The things I tracked: It seems all accounts migrated from the old NT or Windows 2000 domain are "case sensitive": for those accounts the Windows user has to use exactly the same upper/lower case for the user name as used in AD's sAMAccountName - otherwise it won't work. For all newly created accounts (after the migration) the case doesn't matter.

Anybody heard of this or had the same issue? I already googled quite a lot, but I didn't come up with a solution. I just found some reports about similar problems.

To the details: In my RADIUS requests, I see the following: For all newly created accounts the Windows login doesn't seem to be case-sensitive. Regardless of how the user name is written during login, in my RADIUS requests I always see the username written in exactly the same way as it is stored in AD. It seems the XP client is doing some adjustments during auth. For the migrated accounts I see the user accounts in the same case as entered in the Windows login - so it seems the client isn't doing these adjustments. And if the account is written in a different way, ntlm_auth is failing.
Some parts of the trace for a successful request (sAMAccountName=testuser):

rad_recv: Access-Request packet from host 10.1.1.5:32822, id=139, length=286
        User-Name = "DOMAIN\\testuser"
        NAS-IP-Address = 10.1.1.254
        NAS-Port = 2
        NAS-Identifier = "10.1.1.5"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "00XXXXXXXXX"
        Called-Station-Id = "000XXXXXXXXX"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = XXXXXXXXXXXXXX
        State = XXXXXXXXXXXXXX
        Aruba-Essid-Name = "mySSID"
        Aruba-Location-Id = "test-ap"
        Message-Authenticator = XXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
  modcall[authorize]: module "mschap" returns noop for request 16
  rlm_eap: EAP packet type response id 18 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 16
  modcall[authorize]: module "files" returns notfound for request 16
modcall: leaving group authorize (returns updated) for request 16
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = XXXXXXXXXXXXX
  PEAP: Setting User-Name to DOMAIN\testuser
  PEAP: Adding old state with 97 88
  PEAP: Sending tunneled request
        EAP-Message = XXXXXXXXXXXXXX
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "DOMAIN\\testuser"
        State = XXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: leaving group authorize (returns updated) for request 16
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 16
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=bba9adXXXXXXXXXX --nt-response=565bc73aa70b1fXXXXXXXXXXXX07f081266171807c68d90
Exec-Program output: NT_KEY: 8066616C0E1F32C93158XXXXXXXXX
Exec-Program-Wait: plaintext: NT_KEY: 8066616C0E1F32C9315866XXXXXXXXX
Exec-Program: returned: 0
  rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 16
modcall: leaving group MS-CHAP (returns ok) for request 16
MSCHAP Success
  modcall[authenticate]: module "eap" returns handled for request 16

The same with different case (failed request):

rad_recv: Access-Request packet from host 10.1.1.6:32822, id=110, length=286
        User-Name = "DOMAIN\\TESTUSER"
        NAS-IP-Address = 10.1.1.254
        NAS-Port = 1
        NAS-Identifier = "10.1.1.5"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "00XXXXXXXX"
        Called-Station-Id = "000XXXXXXXXX"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = XXXXXXXXXXXXXXX
        State = 0xXXXXXXXXXXXXXXXXXXX
        Aruba-Essid-Name = " mySSID"
        Aruba-Location-Id = "test-ap"
        Message-Authenticator = 0xXXXXXXXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 329
  modcall[authorize]: module "auth_log" returns ok for request 329
  modcall[authorize]: module "mschap" returns noop for request 329
  rlm_eap: EAP packet type response id 8 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 329
  modcall[authorize]: module "files" returns notfound for request 329
modcall: leaving group authorize (returns updated) for request 329
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 329
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = XXXXXXXXXXXXXXXXXXXXXXXXX
  PEAP: Setting User-Name to DOMAIN\TESTUSER
  PEAP: Adding old state with 89 3f
  PEAP: Sending tunneled request
        EAP-Message = XXXXXXXXXXXXXXXXXXXXXXXXXXX
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "DOMAIN\\TESTUSER"
        State = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 329
  modcall[authorize]: module "preprocess" returns ok for request 329
  modcall[authorize]: module "mschap" returns noop for request 329
  rlm_eap: EAP packet type response id 8 length 75
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 329
  modcall[authorize]: module "files" returns notfound for request 329
modcall: leaving group authorize (returns updated) for request 329
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 329
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 329
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for TESTUSER with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=TESTUSER --challenge=52972ee6749XXXXXXXX --nt-response=13c2b8dd52e6591e0c568a02802fb9450cc91XXXXXXXXXXXXXX
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 329
modcall: leaving group MS-CHAP (returns reject) for request 329
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 329
modcall: leaving group authenticate (returns reject) for request 329
auth: Failed to validate the user.
Login incorrect: [DOMAIN\\TESTUSER/<no User-Password attribute>] (from client localhost port 0)

If you need more information, just ask... I hope somebody can give me a hint where to look or what to do. I also asked my Windows people (I'm a unix guy...) but none of the ideas they had helped...

Thanks,
Chris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
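As an added example (not from the original post or from FreeRADIUS itself), a small Python triage script that parses radiusd debug output of the kind shown above, pairs every ntlm_auth invocation with its exit code and output, and groups the results by case-folded username so that spellings that always fail stand next to spellings that always succeed. The embedded trace is constructed to match the post's format with shortened values; it is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's radiusd debug output (values shortened).
SAMPLE_TRACE = """\
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=bba9ad --nt-response=565bc7
Exec-Program output: NT_KEY: 8066616C0E1F32C93158
Exec-Program: returned: 0
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=TESTUSER --challenge=52972e --nt-response=13c2b8
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=Alice --challenge=0a --nt-response=0b
Exec-Program output: NT_KEY: 11223344
Exec-Program: returned: 0
"""

EXEC_RE = re.compile(r"^Exec-Program: \S*ntlm_auth .*--username=(\S+)")
OUTPUT_RE = re.compile(r"^Exec-Program output: (.*)$")
RETURN_RE = re.compile(r"^Exec-Program: returned: (\d+)")

def parse_ntlm_calls(trace):
    """Return [(username_as_sent, exit_code, ntlm_auth_output)] for each ntlm_auth run."""
    calls, user, output = [], None, ""
    for line in trace.splitlines():
        if m := EXEC_RE.match(line):
            user, output = m.group(1), ""
        elif (m := OUTPUT_RE.match(line)) and user is not None:
            output = m.group(1)
        elif (m := RETURN_RE.match(line)) and user is not None:
            calls.append((user, int(m.group(1)), output))
            user = None
    return calls

def case_report(calls):
    """{folded name: {spelling as sent: (ok, failed)}} so case variants sit side by side."""
    report = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for user, rc, _ in calls:
        report[user.lower()][user][0 if rc == 0 else 1] += 1
    return {k: {v: tuple(c) for v, c in d.items()} for k, d in report.items()}

def suspected_case_sensitive(report):
    """Names with one spelling that only succeeds and another that only fails:
    the pattern the post describes for accounts migrated from the old domain."""
    hits = []
    for folded, variants in report.items():
        ok = [v for v, (o, f) in variants.items() if o and not f]
        bad = [v for v, (o, f) in variants.items() if f and not o]
        if ok and bad:
            hits.append((folded, ok, bad))
    return hits
```

Run it over a full `radiusd -X` log to see whether failures cluster on case variants of otherwise working names, which separates this symptom from plain wrong-password rejects (those fail in every spelling).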

