From: Louis Munro [mailto:[email protected]]
Sent: Tuesday, June 23, 2015 3:55 PM
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS auth via AD issues
On Jun 23, 2015, at 15:41, Rhoads, Robert W. <[email protected]> wrote:
[mschapv2] # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +group MS-CHAP {
[mschapv2] ++? if (PacketFence-Domain)
[mschapv2] ? Evaluating (PacketFence-Domain) -> FALSE
[mschapv2] ++? if (PacketFence-Domain) -> FALSE
[mschapv2] ++else else {
[mschap] Creating challenge hash with username: testuser
[mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> DOMAIN\\testuser
[mschap] expand: %{%{User-Name}:-None} -> DOMAIN\\testuser
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=DOMAIN\\testuser
[mschap] Creating challenge hash with username: testuser
[mschap] expand: %{mschap:Challenge} -> 7ab7634b9bcb90f6
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=7ab7634b9bcb90f6
[mschap] expand: %{mschap:NT-Response} -> a99a0a0cad4f55ceb7938ea9b2ee55a245b29063967c5ca7
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a99a0a0cad4f55ceb7938ea9b2ee55a245b29063967c5ca7
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap] Exec: program returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
Assuming DOMAIN\testuser is to be replaced here by your actual domain and
username, you first need to make sure that ntlm_auth works independently
from packetfence and freeradius.
All that freeradius really does is call that executable and pass it arguments
based on the username and domain received in the RADIUS request.
So, try to see if the join is valid first:
# net ads testjoin
If it is, then try to see if you can manually authenticate:
# ntlm_auth --username=DOMAIN\\testuser --password=yourpasswordhere
See what that says.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Your assumption is correct. The result for net ads testjoin: Join is OK
Result for ntlm_auth --username=DOMAIN\\testuser --password=password :
NT_STATUS_OK: Success (0x0)
Which file contents would you like to see? :)
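A small diagnostic script, added here as an example and not code from the thread, PacketFence or FreeRADIUS: it pulls the --username, --challenge and --nt-response values the mschap module passed to ntlm_auth out of a radiusd -X log like the one quoted above, so that exact challenge/response call can be replayed by hand after the net ads testjoin and plaintext ntlm_auth checks Louis suggests. The function names, the constructed sample log and the reading of the doubled backslash as debug-output escaping of a single backslash are assumptions.

```sh
#!/bin/sh
# Added diagnostic helper; not code from the thread, PacketFence or
# FreeRADIUS.  It extracts the three arguments the mschap module handed to
# ntlm_auth from the "expand: ... -> --flag=value" lines of a radiusd -X
# log, so the identical challenge/response call can be replayed by hand and
# compared with the plaintext ntlm_auth test from the thread.
# Assumed: the doubled backslash in the debug output is the logger escaping
# a single backslash, so it is collapsed before the value is reused.

# Print the value the log shows for one ntlm_auth flag ($1); log on stdin.
# The last occurrence wins, so a log holding several requests yields the
# most recent one.
log_arg() {
    sed -n "s/.*-> --$1=\(.*\)$/\1/p" | tail -n 1 | sed 's/\\\\/\\/g'
}

# Emit username, challenge and NT-response, one per line; fail if any is
# missing (e.g. the request never reached the mschap module).  Only flags
# visible in the log are reproduced; the real mschap config may pass more.
ntlm_args_from_log() {
    log=$(cat)
    for f in username challenge nt-response; do
        v=$(printf '%s\n' "$log" | log_arg "$f")
        [ -n "$v" ] || return 1
        printf '%s\n' "$v"
    done
}

# The thread's order of checks: domain join first, then plaintext auth,
# then the exact call from the log.  $1 = DOMAIN\user, $2 = password,
# $3 = radiusd -X log file.  The return code tells which step failed.
replay_checks() {
    user=$1; pass=$2; logf=$3
    net ads testjoin >/dev/null 2>&1                          || return 1
    ntlm_auth --username="$user" --password="$pass" >/dev/null || return 2
    set -- $(ntlm_args_from_log < "$logf")   # values hold no whitespace
    [ $# -eq 3 ]                                              || return 3
    ntlm_auth --username="$1" --challenge="$2" --nt-response="$3" || return 4
}

# Constructed sample in the single-line form radiusd -X prints (the copy in
# the thread was wrapped by the mail client); the values are the thread's.
SAMPLE_LOG='[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=DOMAIN\\testuser
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=7ab7634b9bcb90f6
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a99a0a0cad4f55ceb7938ea9b2ee55a245b29063967c5ca7
Exec output: Logon failure (0xc000006d)'
```

Run it as `replay_checks 'DOMAIN\testuser' 'yourpasswordhere' /path/to/radiusd.log` on the PacketFence host; if steps 1 and 2 pass but step 4 fails with the same 0xc000006d, the difference lies in the challenge/response path rather than in the domain join.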
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users