Are your domain controllers configured to allow NTLMv2?

It's a security policy setting, configured in the default domain controller 
policy, usually.

Andrew

On 24 March 2016 3:31:22 AM AEDT, Tobias Friede <[email protected]> wrote:
>Hi,
>
>looks a little bit like the problem I have with authentication against
>an Active Directory.
>
>The credentials are correct and I get back an NT-Key, but FreeRADIUS
>tells me: MS-CHAP2-Response is incorrect
>
>Can you try this?
>
>chroot /chroot/CMetDomain ntlm_auth --username=testuser \
>  --challenge=ddd77a598cbc5038 \
>  --nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f \
>  --request-nt-key
>
>2016-03-23 15:28 GMT+01:00 Morris, Andi <[email protected]>:
>
>> Hi all,
>>
>> I’m looking to port our current working 5.0.1 packetfence system over
>> to a newer version. We use it as a NAC system for our eduroam wireless
>> infrastructure, and it has always worked well in previous versions.
>>
>> For this version I’ve gone down the route of using the built-in
>> domain and realm config of packetfence; I’m not sure whether this is
>> where I’m going wrong. I’m getting access-rejects for known good users
>> from the chrooted mschap module when doing this, as below:
>>
>> ++? if (PacketFence-Domain)
>> ? Evaluating (PacketFence-Domain) -> TRUE
>> ++? if (PacketFence-Domain) -> TRUE
>> ++if (PacketFence-Domain) {
>> [chrooted_mschap] Creating challenge hash with username: [email protected]
>> [chrooted_mschap] Client is using MS-CHAPv2 for [email protected], we need NT-Password
>> [chrooted_mschap]       expand: /chroots/%{PacketFence-Domain} -> /chroots/CMetDomain
>> [chrooted_mschap]       expand: %{Stripped-User-Name} -> testuser
>> [chrooted_mschap]       expand: --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> --username=testuser
>> [chrooted_mschap] Creating challenge hash with username: [email protected]
>> [chrooted_mschap]       expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ddd77a598cbc5038
>> [chrooted_mschap]       expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f
>> Exec output: Access denied (0xc0000022)
>> Exec plaintext: Access denied (0xc0000022)
>> [chrooted_mschap] Exec: program returned: 1
>> [chrooted_mschap] External script failed.
>> [chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
>> +++[chrooted_mschap] = reject
>> ++} # if (PacketFence-Domain) = reject
>> +} # group MS-CHAP = reject
>> [eap] Freeing handler
>> ++[eap] = reject
>> +} # group authenticate = reject
>> Failed to authenticate the user.
>> Login incorrect (chrooted_mschap: External script says Access denied (0xc0000022)): [[email protected]] (from client 192.168.142.13 port 13 cli 30:10:b3:13:be:37 via TLS tunnel)
>>
>> I’ve had to modify the chrooted mschap module so that the stripped
>> user name is the one queried, but I’m still getting rejected. I think
>> that the line below from the excerpt above may be the key:
>>
>> [chrooted_mschap] Creating challenge hash with username: [email protected]
>>
>> My realm config is:
>>
>> [cardiffmet.ac.uk]
>> domain=CMetDomain
>> options=strip
>> source=DCLL02
>>
>> I’ve attached the full obfuscated radius debug log in case there’s
>> something there.
>>
>> As mentioned above, I’m not sure the built-in realm & domain options
>> are the best way to get this working for eduroam, as I will need to
>> also add other servers to the proxy.conf etc.
>>
>> Cheers,
>>
>> Andi
>>
>>
>>
>> -------------------------------------
>>
>> Andi Morris
>>
>> IT Security Officer
>> Cardiff Metropolitan University
>>
>> T: 02920 205720
>> E: [email protected]
>>
>> --------------------------------------
>>
>>
>>
>>
>------------------------------------------------------------------------------
>> Transform Data into Opportunity.
>> Accelerate data analysis in your applications with
>> Intel Data Analytics Acceleration Library.
>> Click to learn more.
>> http://pubads.g.doubleclick.net/gampad/clk?id=278785351&iu=/4140
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
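The log line "Creating challenge hash with username: ..." that Andi points at reflects how the 8-byte --challenge handed to ntlm_auth is derived. Under RFC 2759 it is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), where UserName is the name the supplicant hashed with only a leading "DOMAIN\" prefix removed, so a realm suffix stays in, while --username is the stripped account name winbind looks up. The following is an added illustration of that dependency (not code from PacketFence, FreeRADIUS or Samba, and not a diagnosis of the 0xc0000022 reported above); the challenge and response bytes are constructed, and "[email protected]" is an assumed expansion of the obfuscated address in the log, taken from the realm config.

```python
"""RFC 2759 ChallengeHash as the mschap module derives ntlm_auth's --challenge.

Added illustrative example, not code from PacketFence, FreeRADIUS or Samba.
All challenge and response bytes below are constructed; they are not the
values from the debug log in the thread.
"""
import hashlib

# Constructed sample inputs (not taken from the thread).
PEER_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16 bytes, from MS-CHAP2-Response
AUTH_CHALLENGE = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # 16 bytes, from MS-CHAP-Challenge
NT_RESPONSE = bytes(range(24))                                       # 24-byte placeholder NT-Response
RADIUS_USER_NAME = "[email protected]"   # assumed: realm config above is [cardiffmet.ac.uk]
STRIPPED_USER_NAME = "testuser"           # Stripped-User-Name, as expanded in the log


def mschap_user_name(user_name: str) -> str:
    """RFC 2759 section 8.2: only the part after a 'DOMAIN\\' prefix is hashed.
    A realm suffix is not stripped, so 'user@realm' is hashed whole, which is
    why the log prints the unstripped name in 'Creating challenge hash with
    username:' even though --username comes from Stripped-User-Name."""
    return user_name.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    This 8-byte value is what ntlm_auth receives as --challenge; the DC
    recomputes the expected NT-Response from it and the stored NT hash."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(mschap_user_name(user_name).encode("utf-8"))
    return sha.digest()[:8]


def ntlm_auth_argv(radius_user_name, account_name, peer_challenge, auth_challenge, nt_response):
    """Build the ntlm_auth argument vector the way the chrooted_mschap module
    in the log expands it: --username is the stripped account name winbind
    looks up, while --challenge must be derived from the user name the
    supplicant actually hashed (the unstripped User-Name).  Deriving the
    challenge from the wrong spelling gives the DC a challenge the client
    never used, so the response fails even with a correct password."""
    if len(nt_response) != 24:
        raise ValueError("MS-CHAPv2 NT-Response is 24 bytes")
    return [
        "ntlm_auth",
        f"--username={account_name}",
        f"--challenge={challenge_hash(peer_challenge, auth_challenge, radius_user_name).hex()}",
        f"--nt-response={nt_response.hex()}",
        "--request-nt-key",
    ]


def challenge_by_user_name_form(peer_challenge=PEER_CHALLENGE, auth_challenge=AUTH_CHALLENGE):
    """Which spellings of the same account yield the same --challenge:
    'DOMAIN\\user' and 'user' agree, 'user@realm' does not."""
    forms = [STRIPPED_USER_NAME, "CMetDomain\\" + STRIPPED_USER_NAME, RADIUS_USER_NAME]
    return {f: challenge_hash(peer_challenge, auth_challenge, f).hex() for f in forms}


if __name__ == "__main__":
    for form, ch in challenge_by_user_name_form().items():
        print(f"{form:32} -> --challenge={ch}")
    print(" ".join(ntlm_auth_argv(RADIUS_USER_NAME, STRIPPED_USER_NAME,
                                   PEER_CHALLENGE, AUTH_CHALLENGE, NT_RESPONSE)))
```

Running it prints one --challenge per spelling of the account and the resulting ntlm_auth command line. One caveat when posting such debug output: a challenge and NT-Response pair like the one quoted in this thread is enough to recover the account's NT hash offline, since the three DES keys in the response are cut from the 16-byte hash and a single 2^56 DES key search finds them, so treat these values as credentials and scrub them before sharing a log.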