Hello Matthies, can you provide the RADIUS debug section where you can see the call to ntlm_auth?
Regards,
Fabrice

On Mon, 24 Oct 2022 at 11:29, Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hello,
>
> I troubleshooted this issue a little further and discovered that there is no authentication sent to the domain controllers when using machine authentication. When switching to user auth, everything works fine and I see packets in the tcpdump.
>
> Is there something I'm missing? According to the official guide, this should work out of the box...
>
> Kind Regards
>
> Heiko Matthies
>
> <https://www.asap.de/newsroom/presse-detail/asap-gruppe-zaehlt-erneut-zu-bayerns-best-50>
>
> *ASAP Engineering GmbH* Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | www.asap.de
>
> Managing directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | Court of registration: Ingolstadt HRB 5408
>
> Data protection: Detailed information on how ASAP handles your personal data is available on our website under Data protection. <http://www.asap.de/datenschutz/>
>
> *From:* Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, 18 October 2022 18:21
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Matthies, Heiko <heiko.matth...@asap.de>
> *Subject:* [PacketFence-users] Issues with machine authentication using MS-CHAPv2
>
> Hello Guys,
>
> I'm trying to implement machine and user authentication on Windows 10 clients via MS-CHAPv2 using PacketFence v11.1. While the user authentication works like a charm, I'm having trouble setting up the machine authentication.
> I got the following log information from the RADIUS debug log:
>
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: Auth-Type MS-CHAP {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.23.16.10'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1500'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'State'} = &request:State -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> '**************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '**************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> '**************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 18 2022 18:52:46 CEST'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'Tengigabitethernet1/0/45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Key-Name'} = &request:EAP-Key-Name -> '0x00'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> '127.0.0.1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = &request:MS-CHAP-Challenge -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = &request:MS-CHAP2-Response -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Realm'} = &request:Realm -> 'group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = &request:MS-CHAP-User-Name -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = &request:PacketFence-Domain -> 'group'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-KeyBalanced'} = &request:PacketFence-KeyBalanced -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Radius-Ip'} = &request:PacketFence-Radius-Ip -> '10.20.10.55'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-NTLMv2-Only'} = &request:PacketFence-NTLMv2-Only -> '--allow-mschapv2'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Outer-User'} = &request:PacketFence-Outer-User -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'NT-Password'} = &control:NT-Password -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = &control:MS-CHAP-Use-NTLM-Auth -> 'No'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'eap'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'NT-Password'} = &control:NT-Password -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'MS-CHAP-Use-NTLM-Auth'} = &control:MS-CHAP-Use-NTLM-Auth -> 'No'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 18 2022 18:52:46 CEST'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:State = $RAD_REQUEST{'State'} -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-Domain = $RAD_REQUEST{'PacketFence-Domain'} -> 'group'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:EAP-Key-Name = $RAD_REQUEST{'EAP-Key-Name'} -> '0x00'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'Tengigabitethernet1/0/45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-Radius-Ip = $RAD_REQUEST{'PacketFence-Radius-Ip'} -> '10.20.10.55'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1500'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '**************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> '**************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Realm = $RAD_REQUEST{'Realm'} -> 'group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '**************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-KeyBalanced = $RAD_REQUEST{'PacketFence-KeyBalanced'} -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-NTLMv2-Only = $RAD_REQUEST{'PacketFence-NTLMv2-Only'} -> '--allow-mschapv2'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:PacketFence-Outer-User = $RAD_REQUEST{'PacketFence-Outer-User'} -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:MS-CHAP2-Response = $RAD_REQUEST{'MS-CHAP2-Response'} -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '10.23.16.10'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &request:MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:MS-CHAP-Use-NTLM-Auth = $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} -> 'No'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 'LOCAL'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'eap'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:NT-Password = $RAD_CHECK{'NT-Password'} -> '************************'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: &control:PacketFence-Tenant-Id = $RAD_CHECK{'PacketFence-Tenant-Id'} -> '1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [packetfence] = noop
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (&control:NT-Password && &control:NT-Password != "") {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (&control:NT-Password && &control:NT-Password != "") -> TRUE
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (&control:NT-Password && &control:NT-Password != "") {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: update {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: &control:PacketFence-NTCacheHash := 1
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # update = noop
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: Found NT-Password
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: Creating challenge hash with username: host/IN19NB-1003.group.asap.de
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: Client is using MS-CHAPv2
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) mschap_local: ERROR: MS-CHAP2-Response is incorrect
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [mschap_local] = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (reject || fail) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (reject || fail) -> TRUE
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (reject || fail) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: policy packetfence-mschap-authenticate {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (PacketFence-Domain) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (PacketFence-Domain) -> TRUE
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if (PacketFence-Domain) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if ("%{User-Name}" =~ /^host\/.*/) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: EXPAND %{User-Name}
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: --> host/IN19NB-1003.group.asap.de
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if ("%{User-Name}" =~ /^host\/.*/) -> TRUE
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: if ("%{User-Name}" =~ /^host\/.*/) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: Found NT-Password
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: Creating challenge hash with username: host/IN19NB-1003.group.asap.de
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: Client is using MS-CHAPv2
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) chrooted_mschap_machine: ERROR: MS-CHAP2-Response is incorrect
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: [chrooted_mschap_machine] = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if ("%{User-Name}" =~ /^host\/.*/) = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if (PacketFence-Domain) = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # policy packetfence-mschap-authenticate = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if (reject || fail) = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # if (&control:NT-Password && &control:NT-Password != "") = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: } # Auth-Type MS-CHAP = reject
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap: Sending EAP Failure (code 4) ID 10 length 4
>
> It seems like the client provides the password correctly, but something messes up and fails the authentication. PacketFence also recognizes the auth request as a machine authentication and extracts the realm correctly.
>
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) policy packetfence-set-realm-if-machine {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> TRUE
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) update {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) EXPAND %{2}
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) --> group.asap.de
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) &request:Realm := group.asap.de
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) } # update = noop
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) } # if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) = noop
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) } # policy packetfence-set-realm-if-machine = noop
>
> I created the realm in PacketFence and linked it with the corresponding Active Directory domain.
>
> I searched Google but didn't find anything regarding my problem. If you need any more information from me, I'm happy to provide it.
>
> Thank you in advance!
>
> Kind Regards,
>
> Heiko Matthies
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
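The quoted trace already answers where the ntlm_auth call would be: for request (11) it is absent, because the packetfence module handed rlm_mschap an NT-Password from its hash cache (PacketFence-NTCacheHash := 1) with MS-CHAP-Use-NTLM-Auth set to 'No', so both mschap_local and chrooted_mschap_machine verified the MS-CHAP2-Response locally and never contacted the domain. The script below is an added example, not code from PacketFence or from either poster; it parses a FreeRADIUS debug trace for one request id, collects the control attributes, module return codes, module errors and the EAP verdict, and names the verification path the trace implies. It assumes the line layout shown in the thread (syslog prefix, then "(N) module: message"); SAMPLE_TRACE is a trimmed copy of the quoted request (11) lines with the poster's redactions kept, plus one constructed request (12) line that exercises the id filter.

```python
"""Triage one request in a FreeRADIUS/PacketFence debug trace (added example)."""
import re

# Line shapes as they appear in the thread's trace (assumption: same layout).
LINE_RE = re.compile(r"^\S+ \d+ [\d:]+ \S+ \S+\[\d+\]: \((\d+)\) (.*)$")
CONTROL_RE = re.compile(r"^packetfence: \$RAD_CHECK\{'([^']+)'\} = &control:\S+ -> '([^']*)'$")
MODULE_RC_RE = re.compile(r"^\S+: \[(\S+)\] = (\w+)$")
MODULE_ERR_RE = re.compile(r"^(\S+): ERROR: (.*)$")
EAP_RE = re.compile(r"^eap: Sending EAP (\w+)")

PREFIX = "Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) "
SAMPLE_TRACE = [  # trimmed from the thread; '*' runs are the poster's redactions
    PREFIX + "eap_mschapv2: Auth-Type MS-CHAP {",
    PREFIX + "packetfence: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'",
    PREFIX + "packetfence: $RAD_CHECK{'NT-Password'} = &control:NT-Password -> '************************'",
    PREFIX + "packetfence: $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = &control:MS-CHAP-Use-NTLM-Auth -> 'No'",
    PREFIX + "eap_mschapv2: [packetfence] = noop",
    PREFIX + "eap_mschapv2: &control:PacketFence-NTCacheHash := 1",
    PREFIX + "mschap_local: Found NT-Password",
    PREFIX + "mschap_local: Client is using MS-CHAPv2",
    PREFIX + "mschap_local: ERROR: MS-CHAP2-Response is incorrect",
    PREFIX + "eap_mschapv2: [mschap_local] = reject",
    PREFIX + "chrooted_mschap_machine: Found NT-Password",
    PREFIX + "chrooted_mschap_machine: ERROR: MS-CHAP2-Response is incorrect",
    PREFIX + "eap_mschapv2: [chrooted_mschap_machine] = reject",
    PREFIX + "eap_mschapv2: } # Auth-Type MS-CHAP = reject",
    PREFIX + "eap: Sending EAP Failure (code 4) ID 10 length 4",
    # constructed line for a different request id, to show the filter
    "Oct 18 17:52:47 in19sv-nws18 auth[26857]: (12) eap_mschapv2: Auth-Type MS-CHAP {",
]


def triage(lines, request_id):
    """Summarise one request id and name the MS-CHAPv2 verification path it shows."""
    s = {"control": {}, "module_results": [], "failed_modules": [], "errors": [],
         "ntlm_auth_seen": False, "eap_result": None, "path": "unknown", "notes": []}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m or int(m.group(1)) != request_id:
            continue  # other request, or a line shape we do not parse
        body = m.group(2)
        if "ntlm_auth" in body:
            s["ntlm_auth_seen"] = True
        mc = CONTROL_RE.match(body)
        if mc:
            s["control"][mc.group(1)] = mc.group(2)
            continue
        mr = MODULE_RC_RE.match(body)
        if mr:
            s["module_results"].append((mr.group(1), mr.group(2)))
            if mr.group(2) in ("reject", "fail"):
                s["failed_modules"].append(mr.group(1))
            continue
        me = MODULE_ERR_RE.match(body)
        if me:
            s["errors"].append((me.group(1), me.group(2)))
            continue
        mep = EAP_RE.match(body)
        if mep:
            s["eap_result"] = mep.group(1)

    # rlm_mschap only shells out to ntlm_auth when MS-CHAP-Use-NTLM-Auth is Yes;
    # with an NT-Password in control it verifies the response by itself.
    ctl = s["control"]
    if ctl.get("MS-CHAP-Use-NTLM-Auth", "").lower() == "yes":
        s["path"] = "ntlm-auth"
        s["notes"].append("MS-CHAP-Use-NTLM-Auth is 'Yes': rlm_mschap hands the response "
                          "to ntlm_auth, so the check is performed against the domain.")
    elif ctl.get("NT-Password"):
        s["path"] = "local-nt-hash"
        s["notes"].append("NT-Password is in control and MS-CHAP-Use-NTLM-Auth is not 'Yes': "
                          "rlm_mschap verifies the MS-CHAP2-Response against that hash itself; "
                          "ntlm_auth never runs and no domain-controller traffic is expected.")
    if s["path"] != "unknown" and not s["ntlm_auth_seen"]:
        s["notes"].append("No line of this request mentions ntlm_auth.")
    for module, err in s["errors"]:
        s["notes"].append(f"{module}: {err}")
    if s["path"] == "local-nt-hash" and s["failed_modules"]:
        s["notes"].append("Local verification failed in: " + ", ".join(s["failed_modules"])
                          + ". The supplied (cached) NT hash did not verify the client's "
                          "response; check that the cached hash for this account is current.")
    return s


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE, 11)
    print("path:", result["path"], "| EAP:", result["eap_result"])
    for note in result["notes"]:
        print("-", note)
```

Run against a full debug log (for example `radiusd -X` output captured to a file, read with `triage(open(path).readlines(), 11)`), it tells you in one glance whether a given request went to the domain at all, which is the first thing to settle before chasing tcpdump on the domain controllers.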