Tobias,
Are you still trying to authenticate using certificates (i.e. EAP-TLS)?
What you sent below is a PEAP authentication, not EAP-TLS.
There is no way to help you without seeing more though.
Post the full output of the authentication, that is the price to pay.
We don’t necessarily need the output for every packet in the PEAP exchange but
we do need the ones where the actual ntlm_authentication happens.
It’s better to post too much than too little.
Please post the contents of your raddb/proxy.conf and raddb/proxy.conf.inc.
Don’t mess with the NULL realm unless you know why you are doing that.
It’s not necessarily an error if it’s not found.
As far as the messages below indicate, you are using an incorrect username or
password.
That is all I can tell from what you sent.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
> On Mar 22, 2016, at 8:56 , Tobias Friede <[email protected]> wrote:
>
> Hi,
>
> yesterday I successfully included our own CA Certificates on PacketFence
> (thank you very much for helping me so fast :) )
>
> Now I'm stuck at the Active Directory Auth (user and machine account)
>
>
> What I have done:
>
> 1) Added an AD Source (sAMAccountName as Username, I also tried
> ServicePrincipalName for machine accounts)
> 2) Added Radius Domain (join was successful)
> 3) Check Bind: "chroot /chroots/BS/ ntlm_auth --username=fritob" this works
> as expected
> 4) added to realm: BS.firma.de and BS and as Source my
> user source and when I tried to auth machine accounts my machine account
> source (configured like in the documentation)
> 5) Configured 802.1x PEAP on Windows 7
> 6) Try to authenticate against Packetfence
>
>
> As radius result I got the following error message (AD-User auth) :
> chrooted_mschap: External script says NT_KEY:
> B002F4642C1050FB999F6AF5B3502F9F
>
> For debugging I started raddebug -f /usr/local/pf/var/run/radiusd.sock and
> got the following error:
> +group authenticate {
>
> Tue Mar 22 12:41:05 2016 : Debug: [eap] Request found, released from the list
>
> Tue Mar 22 12:41:05 2016 : Debug: [eap] EAP/mschapv2
>
> Tue Mar 22 12:41:05 2016 : Debug: [eap] processing type mschapv2
>
> Tue Mar 22 12:41:05 2016 : Debug: [mschapv2] # Executing group from file
> /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
>
> Tue Mar 22 12:41:05 2016 : Debug: [mschapv2] +group MS-CHAP {
>
> Tue Mar 22 12:41:05 2016 : Debug: ++[packetfence] = noop
>
> Tue Mar 22 12:41:05 2016 : Debug: ++? if (PacketFence-Domain)
>
> Tue Mar 22 12:41:05 2016 : Debug: ? Evaluating (PacketFence-Domain) -> TRUE
>
> Tue Mar 22 12:41:05 2016 : Debug: ++? if (PacketFence-Domain) -> TRUE
>
> Tue Mar 22 12:41:05 2016 : Debug: ++if (PacketFence-Domain) {
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] Creating challenge hash
> with username: fritob
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] Client is using MS-CHAPv2
> for fritob, we need NT-Password
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] expand:
> /chroots/%{PacketFence-Domain} -> /chroots/BS
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] expand:
> --username=%{mschap:User-Name:-None} -> --username=fritob
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] Creating challenge hash
> with username: fritob
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] expand:
> --challenge=%{mschap:Challenge:-00} -> --challenge=14324b2eb43c63a4
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] expand:
> --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=3887c019f4e3f2e3c00262aa73060926bbff08f8bce2e2b1
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] Exec: program returned:
> 139
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] External script failed.
>
> Tue Mar 22 12:41:05 2016 : Debug: [chrooted_mschap] FAILED: MS-CHAP2-Response
> is incorrect
>
> Tue Mar 22 12:41:05 2016 : Debug: +++[chrooted_mschap] = reject
>
>
>
> When I tried to authenticate against the machine account, I got the error message
> that realm null is not found on the server, so I created a third realm with
> identifier NULL, with my AD as source and my domain as Domain. After that I got
> the same error message as when I try to authenticate with a user account:
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] Creating challenge hash
> with username: host/50-054.bs.firma.de
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] Client is using MS-CHAPv2
> for host/50-054.bs.firma.de, we need NT-Password
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] expand:
> /chroots/%{PacketFence-Domain} -> /chroots/BS
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] expand:
> --username=%{mschap:User-Name:-None} -> --username=50-054$
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] Creating challenge hash
> with username: host/50-054.bs.firma.de
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] expand:
> --challenge=%{mschap:Challenge:-00} -> --challenge=bdc5c224cf471a88
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] expand:
> --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=b40a7d6be6d0d05292de52356df5e5590238293b3acba4cc
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] Exec: program returned:
> 139
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] External script failed.
>
> Tue Mar 22 13:27:55 2016 : Debug: [chrooted_mschap] FAILED: MS-CHAP2-Response
> is incorrect
>
>
>
> What's going wrong there :/ I would be very thankful if someone could give me a
> hint :)
>
> If you need the full log, I can send it but it's very very long (1303 rows) :D
>
> Greetings,
>
> Tobias
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
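Editor's note, added to this thread: the quoted radiusd output hands two pieces of evidence to whoever reads it, the exact arguments that rlm_mschap expanded for the ntlm_auth helper and the exit status it got back ("program returned: 139"). The following script is an added example, not code from PacketFence or FreeRADIUS; it parses those [chrooted_mschap] debug lines (the thread's own lines, constructed here with the mail wrapping undone) into one record per MS-CHAPv2 attempt and runs the field checks a practitioner does before blaming the password. It assumes the helper is launched through a shell wrapper, so that an exit status above 128 follows the shell convention 128 + signal number; that assumption is the only thing that makes 139 read as SIGSEGV rather than as an authentication result.

```python
"""Triage helper for rlm_mschap / ntlm_auth debug output (added example).

Parses the [chrooted_mschap] lines of a radiusd debug run, records what was
passed to ntlm_auth per MS-CHAPv2 attempt, and classifies the exit status.
Assumption: ntlm_auth runs under a shell wrapper, so 128+N means signal N.
"""
import re
import signal
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two attempts quoted in the thread, each debug
# line joined back onto a single line (the mail client had wrapped them).
SAMPLE_LOG = """\
[chrooted_mschap] Client is using MS-CHAPv2 for fritob, we need NT-Password
[chrooted_mschap] expand: /chroots/%{PacketFence-Domain} -> /chroots/BS
[chrooted_mschap] expand: --username=%{mschap:User-Name:-None} -> --username=fritob
[chrooted_mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=14324b2eb43c63a4
[chrooted_mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3887c019f4e3f2e3c00262aa73060926bbff08f8bce2e2b1
[chrooted_mschap] Exec: program returned: 139
[chrooted_mschap] External script failed.
[chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
[chrooted_mschap] Client is using MS-CHAPv2 for host/50-054.bs.firma.de, we need NT-Password
[chrooted_mschap] expand: /chroots/%{PacketFence-Domain} -> /chroots/BS
[chrooted_mschap] expand: --username=%{mschap:User-Name:-None} -> --username=50-054$
[chrooted_mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=bdc5c224cf471a88
[chrooted_mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b40a7d6be6d0d05292de52356df5e5590238293b3acba4cc
[chrooted_mschap] Exec: program returned: 139
[chrooted_mschap] External script failed.
[chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
"""


@dataclass
class Attempt:
    radius_user: str                    # User-Name as rlm_mschap saw it
    chroot: Optional[str] = None        # expanded /chroots/<domain>
    ntlm_user: Optional[str] = None     # value passed as --username
    challenge: Optional[str] = None     # 8-byte challenge hash, hex
    nt_response: Optional[str] = None   # 24-byte NT-Response, hex
    exit_code: Optional[int] = None
    failure: Optional[str] = None


_START = re.compile(r"Client is using MS-CHAPv2 for (\S+), we need NT-Password")
_EXPAND = re.compile(r"expand: (\S+) -> (\S+)")
_EXIT = re.compile(r"Exec: program returned: (\d+)")
_FAILED = re.compile(r"FAILED: (.*)$")


def parse_attempts(text: str) -> List[Attempt]:
    """One Attempt per 'Client is using MS-CHAPv2 for ...' block."""
    attempts: List[Attempt] = []
    for line in text.splitlines():
        if m := _START.search(line):
            attempts.append(Attempt(radius_user=m.group(1)))
            continue
        if not attempts:
            continue                      # lines before the first attempt
        cur = attempts[-1]
        if m := _EXPAND.search(line):
            template, value = m.groups()
            if template.startswith("/chroots/"):
                cur.chroot = value
            elif template.startswith("--username="):
                cur.ntlm_user = value.split("=", 1)[1]
            elif template.startswith("--challenge="):
                cur.challenge = value.split("=", 1)[1]
            elif template.startswith("--nt-response="):
                cur.nt_response = value.split("=", 1)[1]
        elif m := _EXIT.search(line):
            cur.exit_code = int(m.group(1))
        elif m := _FAILED.search(line):
            cur.failure = m.group(1)
    return attempts


def classify_exit(code: int) -> str:
    """Interpret the helper's exit status (0 ok, 1 rejected, 128+N = signal N)."""
    if code == 0:
        return "success"
    if code == 1:
        return "ntlm_auth ran and rejected the credentials"
    if code > 128:
        sig = code - 128
        try:
            name = signal.Signals(sig).name
        except ValueError:
            name = "unknown signal"
        return (f"wrapper shell reported child killed by signal {sig} ({name}); "
                f"the helper died before it could verify anything")
    return f"unexpected exit status {code}"


def sanity(a: Attempt) -> List[str]:
    """Checks to run before concluding 'wrong username or password'."""
    issues = []
    if a.challenge is None or len(a.challenge) != 16:
        issues.append("challenge is not 8 bytes of hex")
    if a.nt_response is None or len(a.nt_response) != 48:
        issues.append("nt-response is not 24 bytes of hex")
    if a.ntlm_user in (None, "", "None"):
        issues.append("--username did not expand (mschap:User-Name missing)")
    if a.exit_code is not None and a.exit_code not in (0, 1):
        issues.append(classify_exit(a.exit_code))
    return issues


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(f"{a.radius_user!r} -> ntlm_auth --username={a.ntlm_user} in {a.chroot}")
        for issue in sanity(a):
            print("  !", issue)
```

Run against a saved raddebug capture instead of SAMPLE_LOG, or against the full output Louis asks for, and the script tells you in one line per attempt whether the challenge and NT-Response were well-formed, what username actually reached ntlm_auth (note the machine account: User-Name host/50-054.bs.firma.de becomes --username=50-054$), and whether the helper answered at all. An exit status of 1 is the case to debug as a credential or domain problem; a status above 128 points at the helper or its chroot and would also be reproduced by the manual ntlm_auth check in step 3 of the original mail, if run with the same --challenge and --nt-response arguments.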