Hello guys, I'm trying to implement machine and user authentication on Windows 10 clients via MS-CHAPv2 using PacketFence v11.1. While the user authentication works like a charm, I'm having trouble setting up the machine authentication. I got the following log information from the RADIUS debug log:
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: Auth-Type MS-CHAP {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.23.16.10'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1500'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'State'} = &request:State -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> '**************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '**************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> '**************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 18 2022 18:52:46 CEST'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'Tengigabitethernet1/0/45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Key-Name'} = &request:EAP-Key-Name -> '0x00'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> '127.0.0.1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = &request:MS-CHAP-Challenge -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = &request:MS-CHAP2-Response -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Realm'} = &request:Realm -> 'group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = &request:MS-CHAP-User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = &request:PacketFence-Domain -> 'group'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-KeyBalanced'} = &request:PacketFence-KeyBalanced -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Radius-Ip'} = &request:PacketFence-Radius-Ip -> '10.20.10.55'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-NTLMv2-Only'} = &request:PacketFence-NTLMv2-Only -> '--allow-mschapv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Outer-User'} = &request:PacketFence-Outer-User -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'NT-Password'} = &control:NT-Password -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = &control:MS-CHAP-Use-NTLM-Auth -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'eap'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'NT-Password'} = &control:NT-Password -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'MS-CHAP-Use-NTLM-Auth'} = &control:MS-CHAP-Use-NTLM-Auth -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 18 2022 18:52:46 CEST'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:State = $RAD_REQUEST{'State'} -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-Domain = $RAD_REQUEST{'PacketFence-Domain'} -> 'group'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:EAP-Key-Name = $RAD_REQUEST{'EAP-Key-Name'} -> '0x00'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'Tengigabitethernet1/0/45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-Radius-Ip = $RAD_REQUEST{'PacketFence-Radius-Ip'} -> '10.20.10.55'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1500'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '**************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> '**************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Realm = $RAD_REQUEST{'Realm'} -> 'group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '**************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-KeyBalanced = $RAD_REQUEST{'PacketFence-KeyBalanced'} -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-NTLMv2-Only = $RAD_REQUEST{'PacketFence-NTLMv2-Only'} -> '--allow-mschapv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-Outer-User = $RAD_REQUEST{'PacketFence-Outer-User'} -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:MS-CHAP2-Response = $RAD_REQUEST{'MS-CHAP2-Response'} -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.23.16.10'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:MS-CHAP-Use-NTLM-Auth = $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 'LOCAL'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'eap'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:NT-Password = $RAD_CHECK{'NT-Password'} -> '************************'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:PacketFence-Tenant-Id = $RAD_CHECK{'PacketFence-Tenant-Id'} -> '1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [packetfence] = noop
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (&control:NT-Password && &control:NT-Password != "") {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (&control:NT-Password && &control:NT-Password != "") -> TRUE
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (&control:NT-Password && &control:NT-Password != "") {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: update {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: &control:PacketFence-NTCacheHash := 1
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # update = noop
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: Found NT-Password
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: Creating challenge hash with username: host/IN19NB-1003.group.asap.de
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: Client is using MS-CHAPv2
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: ERROR: MS-CHAP2-Response is incorrect
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [mschap_local] = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (reject || fail) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (reject || fail) -> TRUE
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (reject || fail) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: policy packetfence-mschap-authenticate {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (PacketFence-Domain) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (PacketFence-Domain) -> TRUE
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (PacketFence-Domain) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if ( "%{User-Name}" =~ /^host\/.*/) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: EXPAND %{User-Name}
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: --> host/IN19NB-1003.group.asap.de
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if ( "%{User-Name}" =~ /^host\/.*/) -> TRUE
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if ( "%{User-Name}" =~ /^host\/.*/) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: Found NT-Password
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: Creating challenge hash with username: host/IN19NB-1003.group.asap.de
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: Client is using MS-CHAPv2
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: ERROR: MS-CHAP2-Response is incorrect
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [chrooted_mschap_machine] = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if ( "%{User-Name}" =~ /^host\/.*/) = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if (PacketFence-Domain) = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # policy packetfence-mschap-authenticate = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if (reject || fail) = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if (&control:NT-Password && &control:NT-Password != "") = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # Auth-Type MS-CHAP = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap: Sending EAP Failure (code 4) ID 10 length 4

It seems like the client provides the password correctly, but something messes up and fails the authentication. PacketFence also recognizes the auth request as a machine authentication and extracts the realm correctly.

Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) policy packetfence-set-realm-if-machine {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> TRUE
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) update {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) EXPAND %{2}
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) --> group.asap.de
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) &request:Realm := group.asap.de
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) } # update = noop
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) } # if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) = noop
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) } # policy packetfence-set-realm-if-machine = noop

I created the realm in PacketFence and linked it with the corresponding Active Directory domain. I searched Google but didn't find anything regarding my problem. If you need any more information from me, I'm happy to provide it. Thank you in advance!
Kind regards,
Heiko Matthies

ASAP Engineering GmbH
Sachsstraße 1A | 85080 Gaimersheim
Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399
heiko.matth...@asap.de | www.asap.de
Managing directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | District court: Ingolstadt HRB 5408
Data protection: Detailed information on how ASAP handles your personal data is available on our website under Data protection (http://www.asap.de/datenschutz/).
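Added example, not code from the post or from PacketFence: a small Python triage script for FreeRADIUS/PacketFence debug output of the kind quoted above. It groups lines by request number and summarises the facts that matter for this failure (the host/ identity, the realm and domain PacketFence derived, whether ntlm_auth was used, which mschap modules rejected and with what error); the sample log is a constructed, trimmed subset of the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed subset of the post's debug lines ('***' values are redacted in the original).
SAMPLE_LOG = """\
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Realm'} = &request:Realm -> 'group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = &request:PacketFence-Domain -> 'group'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = &control:MS-CHAP-Use-NTLM-Auth -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: ERROR: MS-CHAP2-Response is incorrect
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [mschap_local] = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: ERROR: MS-CHAP2-Response is incorrect
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [chrooted_mschap_machine] = reject
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap: Sending EAP Failure (code 4) ID 10 length 4
"""

LINE_RE = re.compile(r"\((\d+)\) (\S+): (.*)$")                                  # "(11) module: message"
ATTR_RE = re.compile(r"\$RAD_(REQUEST|CHECK)\{'([^']+)'\} = \S+ -> '([^']*)'")  # PacketFence attribute dump
RESULT_RE = re.compile(r"^\[(\S+)\] = (\w+)$")                                   # "[mschap_local] = reject"

def parse_requests(text):
    """Group lines by FreeRADIUS request number; collect attributes, module verdicts and ERROR lines."""
    reqs = defaultdict(lambda: {"request": {}, "check": {}, "results": [], "errors": [], "eap": None})
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        rid, module, msg = m.groups()
        r = reqs[int(rid)]
        if a := ATTR_RE.search(msg):                      # request vs control (check) attribute
            r["request" if a.group(1) == "REQUEST" else "check"][a.group(2)] = a.group(3)
        if v := RESULT_RE.match(msg):                     # per-module verdict inside eap_mschapv2
            r["results"].append((v.group(1), v.group(2)))
        if msg.startswith("ERROR: "):
            r["errors"].append((module, msg[7:]))
        if msg.startswith("Sending EAP "):
            r["eap"] = msg.split()[2]                     # 'Failure' or 'Success'
    return dict(reqs)

def triage(req):
    """Summarise one request the way an operator reads it: identity, realm/domain, ntlm_auth use, rejections."""
    user = req["request"].get("User-Name", "")
    return {
        "user": user,
        "machine_auth": user.startswith("host/"),         # Windows machine identity form
        "realm": req["request"].get("Realm"),
        "domain": req["request"].get("PacketFence-Domain"),
        "ntlm_auth": req["check"].get("MS-CHAP-Use-NTLM-Auth") != "No",
        "rejected_by": [mod for mod, verdict in req["results"] if verdict in ("reject", "fail")],
        "errors": sorted({err for _, err in req["errors"]}),
        "outcome": req["eap"],
    }
```

With the post's full log as input, the summary shows both mschap_local and chrooted_mschap_machine rejecting the host/ identity on a locally held NT-Password (ntlm_auth not used), which is the combination worth checking first.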
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users