Hello
I am trying to set up AD as a freeradius authentication oracle. My system:
ohv:/etc/raddb/modules # radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host x86_64-suse-linux-gnu, built on
Oct 19 2011 at 13:55
I followed these guidelines
http://deployingradius.com/documents/configuration/active_directory.html
and everything went great (user logons OK, all the tests described in the howto went
OK) until the last part, MS-CHAP + ntlm_auth.
OK, this is what happens when I try to authenticate via MS-CHAP:
ohv:/etc/samba # radtest -t mschap freeradius.test passwordschmassword
localhost 0 testing123
Sending Access-Request of id 11 to 127.0.0.1 port 1812
User-Name = "freeradius.test"
NAS-IP-Address = 10.128.160.4
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x7c68b9721c3a0b46
MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000013e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=38
MS-CHAP-Error = "\000E=691 R=1"
Let's see the freeradius log:
Thu Mar 8 13:42:03 2012 : Info: Found Auth-Type = MSCHAP
Thu Mar 8 13:42:03 2012 : Info: # Executing group from file
/etc/raddb/sites-enabled/default
Thu Mar 8 13:42:03 2012 : Info: +- entering group MS-CHAP {...}
Thu Mar 8 13:42:03 2012 : Info: [mschap] Told to do MS-CHAPv1 with NT-Password
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand:
--username=%{mschap:User-Name:-None} -> --username=freeradius.test
Thu Mar 8 13:42:03 2012 : Info: [mschap] No NT-Domain was found in the
User-Name.
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: %{mschap:NT-Domain} ->
Thu Mar 8 13:42:03 2012 : Info: [mschap] ... expanding second conditional
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand:
--domain=%{%{mschap:NT-Domain}:-LOCAL} -> --domain=LOCAL
Thu Mar 8 13:42:03 2012 : Info: [mschap] mschap1: 7c
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=7c68b9721c3a0b46
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
Thu Mar 8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind reply
failed! (0xc0000001)
Thu Mar 8 13:42:03 2012 : Debug: Exec-Program-Wait: plaintext: Reading winbind
reply failed! (0xc0000001)
Thu Mar 8 13:42:03 2012 : Debug: Exec-Program: returned: 1
Thu Mar 8 13:42:03 2012 : Info: [mschap] External script failed.
Thu Mar 8 13:42:03 2012 : Info: [mschap] MS-CHAP-Response is incorrect.
Thu Mar 8 13:42:03 2012 : Info: ++[mschap] returns reject
OK, let's strace this, find the actual command line sent by freeradius and
try it out on the command line (edited to follow correct syntax!). The command line
looks like this:
/usr/bin/ntlm_auth "--request-nt-key", "--username=freeradius.test",
"--domain=LOCAL", "--challenge=0x7c68b9721c3a0b46",
"--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a"
Logon failure (0xc000006d)
Wait, what? Let's re-check:
ntlm_auth --request-nt-key --domain=local --username=freeradius.test
--password=passwordschmassword
NT_STATUS_OK: Success (0x0)
Seems that the values for "challenge" and "response" are getting filled in
incorrectly. I also tried turning the with_ntdomain_hack parameter on and off, but
to no avail.
Is freeradius at all responsible for filling in those parameters, or how can I fix this
behaviour?
Andres Septer
Systems Administrator
Navirec Software OÜ
Tallinn, Estonia
http://navirec.com
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
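To reproduce the ntlm_auth invocation without strace, the following added Python script (not from the post, and not FreeRADIUS code) pulls the expanded --username, --domain, --challenge and --nt-response values out of the [mschap] debug lines quoted above and sanity-checks the two hex arguments against MS-CHAPv1 sizes (8-byte challenge, 24-byte NT-Response, RFC 2433). The sample log is copied from the post with the wrapped lines rejoined.

```python
import re
from typing import Dict, List, Tuple

# Debug lines taken from the freeradius log quoted in the post above.
# Lines that the mail client wrapped have been rejoined (constructed sample).
SAMPLE_LOG = """\
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=freeradius.test
Thu Mar 8 13:42:03 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-LOCAL} -> --domain=LOCAL
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7c68b9721c3a0b46
Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
"""

# "[mschap] expand: <template> -> --<option>=<expanded value>"
EXPAND_RE = re.compile(r"\[mschap\] expand: (?P<tmpl>\S+) -> (?P<arg>--\S+=\S*)")

# MS-CHAPv1 (RFC 2433): 8-byte peer challenge, 24-byte NT-Response, as hex digits
EXPECTED_HEX_LEN = {"challenge": 16, "nt-response": 48}

def parse_expansions(log: str) -> Dict[str, str]:
    """Map each ntlm_auth option name to the value the mschap module expanded."""
    found: Dict[str, str] = {}
    for m in EXPAND_RE.finditer(log):
        opt, _, val = m.group("arg")[2:].partition("=")
        found[opt] = val
    return found

def check_hex(opt: str, val: str) -> List[str]:
    """Report deviations from what the [mschap] expansion produces (bare hex of fixed size)."""
    problems = []
    if val.lower().startswith("0x"):
        problems.append(f"{opt}: has a 0x prefix; the mschap expansion emits bare hex")
        val = val[2:]
    if not re.fullmatch(r"[0-9a-fA-F]*", val):
        problems.append(f"{opt}: contains non-hex characters")
    elif len(val) != EXPECTED_HEX_LEN[opt]:
        problems.append(f"{opt}: {len(val)} hex digits, expected {EXPECTED_HEX_LEN[opt]}")
    return problems

def rebuild_command(log: str) -> Tuple[List[str], List[str]]:
    """Return the ntlm_auth argv the module would run, plus any sanity-check findings."""
    opts = parse_expansions(log)
    problems = [f"{o}: not expanded" for o in ("username", "domain", "challenge", "nt-response") if o not in opts]
    for opt in ("challenge", "nt-response"):
        if opt in opts:
            problems += check_hex(opt, opts[opt])
    argv = ["ntlm_auth", "--request-nt-key"] + [f"--{k}={v}" for k, v in opts.items()]
    return argv, problems

if __name__ == "__main__":
    argv, problems = rebuild_command(SAMPLE_LOG)
    print(" ".join(argv))
    print("\n".join(problems) or "argument sizes look like MS-CHAPv1")
```

Run it against a real debug log (radiusd -X output) to compare what the module actually passed with what you typed by hand; the 0x-prefixed challenge from the strace transcript above is the kind of difference it flags.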