Hi,

this looks a little bit like the problem I have with authentication against an
Active Directory.

The credentials are correct and I get back an NT-Key, but FreeRADIUS tells
me: MS-CHAP2-Response is incorrect.
Can you try this?

chroot /chroot/CMetDomain ntlm_auth --username=testuser \
  --challenge=ddd77a598cbc5038 \
  --nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f \
  --request-nt-key

2016-03-23 15:28 GMT+01:00 Morris, Andi <[email protected]>:

> Hi all,
>
> I’m looking to port our current working 5.0.1 packetfence system over to a
> newer version. We use it as a NAC system for our eduroam wireless
> infrastructure, and it has always worked well in previous versions.
>
> For this version I’ve gone down the route of using the built in domain and
> realm config of packetfence, I’m not sure whether this is where I’m going
> wrong. I’m getting access-rejects for known good users from the chrooted
> mschap module when doing this, as below:
>
> ++? if (PacketFence-Domain)
> ? Evaluating (PacketFence-Domain) -> TRUE
> ++? if (PacketFence-Domain) -> TRUE
> ++if (PacketFence-Domain) {
> [chrooted_mschap] Creating challenge hash with username: [email protected]
> [chrooted_mschap] Client is using MS-CHAPv2 for [email protected], we need NT-Password
> [chrooted_mschap]       expand: /chroots/%{PacketFence-Domain} -> /chroots/CMetDomain
> [chrooted_mschap]       expand: %{Stripped-User-Name} -> testuser
> [chrooted_mschap]       expand: --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> --username=testuser
> [chrooted_mschap] Creating challenge hash with username: [email protected]
> [chrooted_mschap]       expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ddd77a598cbc5038
> [chrooted_mschap]       expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f
> Exec output: Access denied (0xc0000022)
> Exec plaintext: Access denied (0xc0000022)
> [chrooted_mschap] Exec: program returned: 1
> [chrooted_mschap] External script failed.
> [chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
> +++[chrooted_mschap] = reject
> ++} # if (PacketFence-Domain) = reject
> +} # group MS-CHAP = reject
> [eap] Freeing handler
> ++[eap] = reject
> +} # group authenticate = reject
> Failed to authenticate the user.
> Login incorrect (chrooted_mschap: External script says Access denied (0xc0000022)): [[email protected]] (from client 192.168.142.13 port 13 cli 30:10:b3:13:be:37 via TLS tunnel)
>
> I’ve had to modify the chrooted mschap module so that the stripped user
> name is the one queried, but I’m still getting rejected. I think that the
> line below from the excerpt above may be the key:
>
> [chrooted_mschap] Creating challenge hash with username: [email protected]
>
> My realm config is:
>
> [cardiffmet.ac.uk]
> domain=CMetDomain
> options=strip
> source=DCLL02
>
> I’ve attached the full obfuscated radius debug log in case there’s
> something there.
>
> As mentioned above, I’m not sure the built-in realm & domain options are
> the best way to get this working for eduroam, as I will need to also add
> other servers to the proxy.conf etc.
>
> Cheers,
>
> Andi
>
> -------------------------------------
>
> Andi Morris
>
> IT Security Officer
> Cardiff Metropolitan University
>
> T: 02920 205720
> E: [email protected]
>
> --------------------------------------
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
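An added triage helper, not from the thread and not part of PacketFence or FreeRADIUS: it pulls the expanded ntlm_auth arguments, the user name used for the MS-CHAPv2 challenge hash and the exec result out of the debug excerpt quoted above, rebuilds the manual check suggested in the reply, and names the NTSTATUS code winbind passed back. The log lines are a constructed copy of the excerpt (the realm part of the user name is a placeholder, since the archive obfuscated it) and the NTSTATUS table is a small constructed lookup of well-known codes.

```python
import re

# Constructed copy of the debug lines quoted in the thread; the realm part of
# the user name is a placeholder, the other values are the ones shown there.
SAMPLE_LOG = """\
[chrooted_mschap] Creating challenge hash with username: testuser@realm.example
[chrooted_mschap]       expand: /chroots/%{PacketFence-Domain} -> /chroots/CMetDomain
[chrooted_mschap]       expand: --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> --username=testuser
[chrooted_mschap]       expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ddd77a598cbc5038
[chrooted_mschap]       expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f
Exec output: Access denied (0xc0000022)
[chrooted_mschap] Exec: program returned: 1
"""

# Well-known NTSTATUS codes that winbind/ntlm_auth report for a failed logon.
NTSTATUS = {0xC0000022: "STATUS_ACCESS_DENIED",
            0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE"}

def parse_mschap_debug(text):
    """Pull the expanded ntlm_auth arguments, the challenge-hash user name
    and the exec result out of a FreeRADIUS mschap debug excerpt."""
    info = {"args": {}}
    for line in text.splitlines():
        if m := re.search(r"challenge hash with username: (\S+)", line):
            info["hash_username"] = m.group(1)
        elif m := re.search(r"%\{PacketFence-Domain\} -> (\S+)", line):
            info["chroot"] = m.group(1)
        elif m := re.search(r"-> --(username|challenge|nt-response)=(\S+)$", line):
            info["args"][m.group(1)] = m.group(2)
        elif m := re.search(r"Exec output: (.*?)(?: \((0x[0-9a-fA-F]+)\))?$", line):
            info["exec_output"] = m.group(1)
            if m.group(2):  # map the NTSTATUS code winbind passed back
                code = int(m.group(2), 16)
                info["ntstatus"] = NTSTATUS.get(code, "unknown 0x%08X" % code)
    return info

def repro_command(info):
    """Rebuild the manual ntlm_auth call from the reply, run inside the chroot."""
    a = info["args"]
    return ("chroot %s ntlm_auth --username=%s --challenge=%s --nt-response=%s "
            "--request-nt-key" % (info["chroot"], a["username"],
                                  a["challenge"], a["nt-response"]))

if __name__ == "__main__":
    info = parse_mschap_debug(SAMPLE_LOG)
    print(repro_command(info))
    print("challenge hash user:", info["hash_username"],
          "| ntlm_auth user:", info["args"]["username"])
    print("exec result:", info["exec_output"], info.get("ntstatus", ""))
```

Comparing the two user names side by side shows whether the name the client hashed differs from the one handed to ntlm_auth, and the NTSTATUS name separates a plain credential failure from an access-denied result like the one in the excerpt.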