On 05/19/2011 08:04 PM, John Douglass wrote:
> Now, the actual ntlm_auth command within the $RADIUS/modules/mschap does
> read:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> So it's not doing necessarily the same kind of authentication command as
> I was doing above but I have no idea how to simulate a challenge request
> on command line to verify :)
You can just run FreeRADIUS in debug mode and capture any ntlm_auth
command line - they're re-usable, the "response" value is the same every
time for a given challenge, username and password. Security revolves
around the challenge being random and not re-used.
(I have some utilities for generating the response that I keep meaning
to stick in an AppEngine page at some point)
> Login incorrect (mschap: External script says Logon failure
> (0xc000006d)): [asdf/<via Auth-Type = EAP>] (from client LAWN-WiSM port
> 29 cli 00-25-00-f5-a3-2b via TLS tunnel)
> However, "Logon failure" is nebulous when it could be either "bad
> password", "account disabled", or "no such user" that comes out of the
> "ntlm_auth" command (at least when I run it by hand).
> Is this the fault of the results of ntlm_auth being vague or is
> something else at play?
The former. As you noted above, you were testing with username/password
auth as opposed to challenge/response auth. The latter gives a much
smaller, less interesting (but arguably more secure) set of error codes.
About all you get other than "Login failure" is "Password expired"
(which the recent MS-CHAP password change patch I wrote looks for and
acts on)
This is for boring reasons to do with the way Samba makes the RPC call
against the domain, and gradual changes in Windows about what error
codes it leaks (if you think about it, leaking the difference between
"invalid user" and "invalid password" makes user/pass dictionary attacks
easier)
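The "re-usable ntlm_auth command line" point above, as an added worked example (this is not code from the thread, from FreeRADIUS or from Samba; the function names are mine). It computes the two values FreeRADIUS substitutes into the ntlm_auth command line, %{mschap:Challenge} (the RFC 2759 ChallengeHash) and %{mschap:NT-Response} (the RFC 2759 ChallengeResponse), from the username, password and the two 16-byte challenges, and prints the resulting command line. The input is the test vector from RFC 2759 section 9.2. MD4 is written out in full because Go's standard library does not ship it; DES and SHA-1 come from crypto/des and crypto/sha1.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320 in full; the NT hash is MD4 over the UTF-16LE password.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80) // padding: 0x80, zeros, 64-bit LE bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		w := func(k int) uint32 { return binary.LittleEndian.Uint32(msg[off+4*k:]) }
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(b,c,d) = (b AND c) OR (NOT b AND d)
			a = bits.RotateLeft32(a+((b&c)|(^b&d))+w(i), s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority, word order 0,4,8,12,1,5,...
			a = bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+w((i%4)*4+i/4)+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = XOR
			a = bits.RotateLeft32(a+(b^c^d)+w(r3[i])+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is the password equivalent the domain controller holds; the verifier
// needs it (or needs the DC to do the check) to validate a response.
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], v)
	}
	return md4(buf)
}

// challengeHash is RFC 2759 ChallengeHash: the 8 bytes FreeRADIUS passes as %{mschap:Challenge}.
func challengeHash(peer, auth [16]byte, user string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	var out [8]byte
	copy(out[:], h.Sum(nil))
	return out
}

// desKey spreads 7 key bytes over 8; the low bit of each byte is parity, which DES ignores.
func desKey(k7 []byte) []byte {
	k := []byte{k7[0], 0, 0, 0, 0, 0, 0, k7[6] << 1}
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<(8-i) | k7[i]>>i
	}
	return k
}

// ntResponse is RFC 2759 ChallengeResponse: the NT hash zero-padded to 21 bytes gives three DES
// keys, each encrypting the challenge. Nothing else is mixed in, so the same (challenge, user,
// password) always yields the same 24 bytes, which is why a captured ntlm_auth line replays.
func ntResponse(challenge [8]byte, pwHash [16]byte) [24]byte {
	var z [21]byte
	copy(z[:], pwHash[:])
	var out [24]byte
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(z[7*i : 7*i+7])) // only fails for a non-8-byte key
		c.Encrypt(out[8*i:8*i+8], challenge[:])
	}
	return out
}

func mustHex16(s string) (out [16]byte) { b, _ := hex.DecodeString(s); copy(out[:], b); return }

func main() {
	// Constructed input: the RFC 2759 section 9.2 test vector (user "User", password "clientPass").
	auth := mustHex16("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer := mustHex16("21402324255E262A28295F2B3A337C7E")
	ch := challengeHash(peer, auth, "User")
	resp := ntResponse(ch, ntHash("clientPass"))
	// Identical on every run; only a fresh challenge per authentication makes a capture useless.
	fmt.Printf("/usr/bin/ntlm_auth --request-nt-key --username=User --challenge=%x --nt-response=%x\n", ch[:], resp[:])
}
```

Run it twice and the printed command line is byte-for-byte the same, which is the reason a line copied out of FreeRADIUS debug output can be pasted back into a shell to reproduce a failure. The peer and authenticator challenges in a real session come from the supplicant and the server respectively; the values above are fixed only so the output is reproducible.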
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html