Apologies for the delay.

This was resolved off list using the commercial support route (highly 
recommended!).

Cheers,
Andi

From: [email protected]
Sent: 23 March 2016 20:51
To: [email protected]; Tobias Friede <[email protected]>
Subject: Re: [PacketFence-users] mschap rejecting known good user

Are your domain controllers configured to allow NTLMv2?

It's a security policy setting, configured in the default domain controller 
policy, usually.

Andrew
On 24 March 2016 3:31:22 AM AEDT, Tobias Friede <[email protected]> wrote:
Hi,

looks a little bit like the problem I have with authentication against an 
Active Directory.

The credentials are correct and I get back an NT-Key, but FreeRADIUS tells me:
MS-CHAP2-Response is incorrect
Can you try this?

chroot /chroot/CMetDomain ntlm_auth --username=testuser --challenge=ddd77a598cbc5038 --nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f --request-nt-key

2016-03-23 15:28 GMT+01:00 Morris, Andi <[email protected]>:
Hi all,
I’m looking to port our current working 5.0.1 packetfence system over to a 
newer version. We use it as a NAC system for our eduroam wireless 
infrastructure, and it has always worked well in previous versions.

For this version I’ve gone down the route of using the built in domain and 
realm config of packetfence, I’m not sure whether this is where I’m going 
wrong. I’m getting access-rejects for known good users from the chrooted mschap 
module when doing this, as below:

++? if (PacketFence-Domain)
? Evaluating (PacketFence-Domain) -> TRUE
++? if (PacketFence-Domain) -> TRUE
++if (PacketFence-Domain) {
[chrooted_mschap] Creating challenge hash with username: [email protected]
[chrooted_mschap] Client is using MS-CHAPv2 for [email protected], we need NT-Password
[chrooted_mschap]       expand: /chroots/%{PacketFence-Domain} -> 
/chroots/CMetDomain
[chrooted_mschap]       expand: %{Stripped-User-Name} -> testuser
[chrooted_mschap]       expand: 
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> 
--username=testuser
[chrooted_mschap] Creating challenge hash with username: [email protected]
[chrooted_mschap]       expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=ddd77a598cbc5038
[chrooted_mschap]       expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=ad6d3d357eafbfaa11185d03da4a1771b1222c9f7a6c581f
Exec output: Access denied (0xc0000022)
Exec plaintext: Access denied (0xc0000022)
[chrooted_mschap] Exec: program returned: 1
[chrooted_mschap] External script failed.
[chrooted_mschap] FAILED: MS-CHAP2-Response is incorrect
+++[chrooted_mschap] = reject
++} # if (PacketFence-Domain) = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect (chrooted_mschap: External script says Access denied 
(0xc0000022)): [[email protected]] 
(from client 192.168.142.13 port 13 cli 30:10:b3:13:be:37 via TLS tunnel)

I’ve had to modify the chrooted mschap module so that the stripped user name is 
the one queried, but I’m still getting rejected. I think that the line below 
from the excerpt above may be the key:
[chrooted_mschap] Creating challenge hash with username: [email protected]

My realm config is:
[cardiffmet.ac.uk]
domain=CMetDomain
options=strip
source=DCLL02

I’ve attached the full obfuscated radius debug log in case there’s something 
there.

As mentioned above, I’m not sure the built in realm & domain options are the 
best way to get this working for eduroam, as I will need to also add other 
servers to the proxy.conf etc.

Cheers,
Andi

-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]
--------------------------------------


_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users



--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

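Added example, not from the thread above and not PacketFence or FreeRADIUS code: the --challenge value the chrooted mschap module hands to ntlm_auth (ddd77a598cbc5038 in the log) is the MS-CHAPv2 ChallengeHash of RFC 2759 section 8.2, SHA1(PeerChallenge || AuthenticatorChallenge || UserName) truncated to 8 octets, and the UserName the server feeds in is the one printed on the "Creating challenge hash with username" line. If that string differs from the one the supplicant hashed (stripped versus realm-qualified, for instance), the server-side challenge is different and the 24-octet NT-Response can never verify, whatever the password. The code below implements that hash, checks it against the public RFC 2759 section 9.2 test vectors, shows the mismatch effect, and assembles the ntlm_auth command line in the shape the thread uses. The chroot path /chroots/CMetDomain, the example username "User@example.org" and the function names are assumptions for illustration; 0xc0000022 in the log is NT STATUS_ACCESS_DENIED as reported by the domain controller, which is a separate failure from a challenge mismatch.

```python
"""Added example (not from the PacketFence thread or project): MS-CHAPv2
ChallengeHash per RFC 2759 s8.2, and the ntlm_auth command line the
thread's chrooted mschap module builds from it."""
import hashlib
import shlex


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge
    || UserName), truncated to 8 octets. UserName must be the name exactly as
    the peer presented it (the RFC only excludes a prepended DOMAIN\\);
    any other spelling yields a different 8-byte challenge."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("utf-8"))  # the RFC treats UserName as raw octets
    return h.digest()[:8]


def ntlm_auth_argv(chroot: str, username: str, challenge: bytes,
                   nt_response: bytes) -> list:
    """Assemble the command the thread's chrooted mschap module executes
    (the flags are documented ntlm_auth options; chroot path is assumed).
    --challenge is the 8-octet ChallengeHash, --nt-response the 24-octet
    NT-Response, both hex-encoded; --request-nt-key asks for the NT key."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 octets, nt-response 24 octets")
    return ["chroot", chroot, "ntlm_auth",
            "--username=" + username,
            "--challenge=" + challenge.hex(),
            "--nt-response=" + nt_response.hex(),
            "--request-nt-key"]


def username_mismatch_demo(peer: bytes, auth: bytes, client_name: str,
                           server_name: str) -> dict:
    """Compare the challenge the supplicant hashed with the one the RADIUS
    server derives from its own idea of the username. When they differ, the
    NT-Response is checked against the wrong challenge and the DC can only
    report the response as incorrect, however good the password is."""
    client_c = challenge_hash(peer, auth, client_name)
    server_c = challenge_hash(peer, auth, server_name)
    return {"client_challenge": client_c.hex(),
            "server_challenge": server_c.hex(),
            "consistent": client_c == server_c}


# RFC 2759 section 9.2 test vectors (public data, not from the thread).
RFC_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_USER = "User"
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")
RFC_NT_RESPONSE = bytes.fromhex(
    "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


if __name__ == "__main__":
    print(challenge_hash(RFC_PEER, RFC_AUTH, RFC_USER).hex())
    # Same challenges, server using a realm-qualified name the client did not:
    print(username_mismatch_demo(RFC_PEER, RFC_AUTH, "User", "User@example.org"))
    cmd = ntlm_auth_argv("/chroots/CMetDomain", RFC_USER,
                         RFC_CHALLENGE, RFC_NT_RESPONSE)
    print(" ".join(shlex.quote(a) for a in cmd))
```

Running it reproduces the RFC challenge d02e4386bce91226 for "User", shows that hashing "User@example.org" instead gives a different challenge, and prints a chroot ntlm_auth line of the same form as the one Tobias asked Andi to try. To reproduce a live rejection by hand, capture PeerChallenge, AuthenticatorChallenge, User-Name and NT-Response from the radiusd -X output, compute the challenge with the exact User-Name the client sent, and feed that pair to ntlm_auth inside the chroot; a different 8-byte challenge from the one in the log points at a username mismatch, while the same challenge still failing with 0xc0000022 points at the domain controller side, as Andrew suggested.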