For some reason this is not working. AD always thinks that the credentials are wrong. Debug shows:
Tue Mar 8 11:09:51 2022: DEBUG: Handling request with Handler 'ConvertedFromEAPMSCHAPV2=1, User-Name=/^[^@]+(@uic\.edu)?(@uic\.wireless)?\z/i', Identifier ''
Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to NETID
...
Tue Mar 8 11:09:51 2022: DEBUG: Handling with Radius::AuthNTLM:
Tue Mar 8 11:09:51 2022: DEBUG: Radius::AuthNTLM looks for match with NETID [[email protected]]
...
Tue Mar 8 11:09:51 2022: DEBUG: Received attribute: Authenticated: No
Tue Mar 8 11:09:51 2022: DEBUG: Received attribute: Authentication-Error: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
Tue Mar 8 11:09:51 2022: DEBUG: Received attribute: .
Tue Mar 8 11:09:51 2022: WARNING: NTLM Could not authenticate user 'NETID': When trying to update a password, this return status indicates that the value provided as the current password is not correct.
Tue Mar 8 11:09:51 2022: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: NETID [[email protected]]
Tue Mar 8 11:09:51 2022: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM Password check failed
Tue Mar 8 11:09:51 2022: INFO: Access rejected for NETID: AuthBy NTLM Password check failed
Tue Mar 8 11:09:51 2022: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:

I need to get on-site to do some more debugging, but does anyone have any ideas? Is ntlm_auth messing up somewhere? Is the problem related to a PEAP tunnel? AD confirms incorrect credentials, but that's not the case. If we just do a simple thing like this:

    <Handler ConvertedFromEAPMSCHAPV2=1>
        ...
        <AuthBy NTLM>
            UsernameMatchesWithoutRealm
            DefaultDomain AD
        </AuthBy>
    </Handler>

everything works just fine.
One thing I don't understand is that just before that section in the debug log we have:

Tue Mar 8 11:09:51 2022: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to [email protected]@uic.wireless
Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to [email protected]@uic.wireless
Tue Mar 8 11:09:51 2022: DEBUG: Rewrote user name to [email protected]@uic.wireless

I don't understand this PEAP tunnel section, and maybe that's part of the problem.

---
Roberto Ullfig - [email protected]
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago

________________________________
From: radiator <[email protected]> on behalf of Heikki Vatiainen <[email protected]>
Sent: Thursday, February 24, 2022 3:44 PM
To: [email protected] <[email protected]>
Subject: Re: [RADIATOR] Simple Question Regarding Realm Handling

On 23.2.2022 23.27, Ullfig, Roberto Alfredo wrote:
> Wed Feb 23 15:03:55 2022: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM
> Password check failed: user [[email protected]]
> Wed Feb 23 15:03:55 2022: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM
> Password check failed
>
> To AD it looks like a wrong password was entered. Why do the NTLM lines
> have "user [[email protected]]" - why not just user?

The format is 'value used for authenticating [original username]'. For example, if the username is rewritten, or something else, such as the Calling-Station-Id attribute value, is used to look up the user record, that value gets logged first. What follows between [] is the original User-Name as it was received. The idea is to log information about what's currently used and what was originally received as User-Name.

In your example, 'user' is passed to the NTLM subsystem as the authentication username instead of '[email protected]', which was the value in the incoming request.
Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
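As an added illustration of the log format Heikki describes in the quoted reply ('value used for authenticating [original User-Name]'), here is a small parser that pulls both values out of Radiator's AuthNTLM debug lines and flags lookups where the value handed to NTLM is not the realm-stripped form of the original User-Name. This is example code written for this page, not code from the thread or from Radiator itself. The sample log lines are constructed (user names, timestamps and the stacked '@uic.edu@uic.wireless' value are made up to resemble the output quoted above), and the realm list is an assumption taken from the User-Name regex in the Handler shown earlier.

```python
import re

# Constructed sample lines modelled on the Radiator debug output quoted in
# this thread. Timestamps and user names (jdoe, asmith) are made up; the
# literal 'NETID' mirrors the rewrite result shown in the original post.
SAMPLE_LOG = """\
Tue Mar  8 11:09:51 2022: DEBUG: Rewrote user name to NETID
Tue Mar  8 11:09:51 2022: DEBUG: Handling with Radius::AuthNTLM:
Tue Mar  8 11:09:51 2022: DEBUG: Radius::AuthNTLM looks for match with NETID [jdoe@uic.edu@uic.wireless]
Tue Mar  8 11:09:51 2022: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: NETID [jdoe@uic.edu@uic.wireless]
Tue Mar  8 11:10:02 2022: DEBUG: Rewrote user name to asmith
Tue Mar  8 11:10:02 2022: DEBUG: Radius::AuthNTLM looks for match with asmith [asmith@uic.wireless]
"""

# Realms to strip. Assumed from the User-Name regex in the Handler quoted
# in the thread; adjust to your own realm list.
REALMS = ("uic.edu", "uic.wireless")

# Radiator log line: '<date>: <LEVEL>: <message>'
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# 'value used for authenticating [original User-Name]' as Heikki describes it.
LOOKUP_RE = re.compile(
    r"Radius::AuthNTLM looks for match with (?P<auth>\S+) \[(?P<orig>[^\]]*)\]"
)


def expected_ntlm_name(user_name, realms=REALMS):
    """Return the bare user name AuthBy NTLM should receive: the original
    User-Name with every trailing @realm removed, case-insensitively, so a
    stacked value such as 'jdoe@uic.edu@uic.wireless' still collapses to 'jdoe'."""
    name = user_name
    stripped = True
    while stripped:
        stripped = False
        for realm in realms:
            suffix = "@" + realm
            if name.lower().endswith(suffix.lower()):
                name = name[: -len(suffix)]
                stripped = True
    return name


def parse_ntlm_lookups(log_text):
    """Extract each AuthNTLM lookup as (auth value, original User-Name) and
    record whether the auth value is the realm-stripped form of the original."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lk = LOOKUP_RE.search(m.group("msg"))
        if not lk:
            continue
        auth, orig = lk.group("auth"), lk.group("orig")
        expected = expected_ntlm_name(orig)
        events.append({
            "timestamp": m.group("ts"),
            "auth_name": auth,
            "original_user_name": orig,
            "expected_name": expected,
            "rewrite_ok": auth == expected,
        })
    return events


def bad_rewrites(log_text):
    """Lookups where the value handed to NTLM is not the local part of the
    original User-Name. With a known-good password these are the rewrite
    rules to inspect before blaming AD for the 'wrong password' status."""
    return [e for e in parse_ntlm_lookups(log_text) if not e["rewrite_ok"]]


if __name__ == "__main__":
    for e in bad_rewrites(SAMPLE_LOG):
        print(f'{e["timestamp"]}: NTLM got {e["auth_name"]!r}, '
              f'expected {e["expected_name"]!r} from {e["original_user_name"]!r}')
```

Run it against a real Radiator trace (level 4 debug) by feeding the log text to bad_rewrites(); a lookup such as 'NETID [jdoe@uic.edu@uic.wireless]' is reported because the literal passed to NTLM is not the local part of the original User-Name, which is the same mismatch Heikki points out for 'user [[email protected]]'.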
