Re: Error: User-Name is not the same as MS-CHAP name

2011-08-03 Thread broo0...@googlemail.com
Hi,

I seem to have the same issue as described in this thread, I also have
XP/Novell legacy clients, and I want to move to AD from eDir.

Re: Error: User-Name is not the same as MS-CHAP name
https://lists.freeradius.org/pipermail/freeradius-users/2011-June/msg00070.html

The last mention I can see of this was a few months ago, has anything
changed since ?

I was wondering if I can work around the issue by using realms to strip the
username and then force the domain into the ntlm_auth line in the mschap
module. I got some way with this approach, but it still seems to want to
create the hash using the DOMAIN/USER, which I'm guessing is wrong.

Anyway, if there is a fix or workaround I'd be grateful if you could let
me know.

Thanks,

Bruce
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Paul Harris
On 02/06/11 14:47, Francois Gaudreault wrote:


 Did you have a chance to look at it?

Ironically I'm having trouble finding a windows XP install CD...


I have a link to a torrent, just send me a email at pau...@mail.com


 


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers

On 03/06/11 13:10, Paul Harris wrote:

On 02/06/11 14:47, Francois Gaudreault wrote:




Did you have a chance to look at it?



Ironically I'm having trouble finding a windows XP install CD...



I have a link to a torrent, just send me a email at pau...@mail.com


Or not.

I'm not downloading a torrent of copyrighted software to fix someone 
else's problem.



Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Johan Meiring

On 2011/06/03 02:15 PM, Phil Mayers wrote:


I'm not downloading a torrent of copyrighted software to fix someone else's
problem.


As long as you don't get a key, it is legal.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782





Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Alan DeKok
Johan Meiring wrote:
 As long as you dont get a key, it is legal.

  No.

  This list is not the place to discuss non-FreeRADIUS software.

  Alan DeKok.


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers

On 03/06/11 15:09, Johan Meiring wrote:

On 2011/06/03 02:15 PM, Phil Mayers wrote:


I'm not downloading a torrent of copyrighted software to fix someone
else's
problem.


As long as you dont get a key, it is legal.



This is getting farcical...

Not picking on any one specific person here, but seriously - can anyone 
not contributing to the discussion at the level of the radius protocols 
just move along please?


I will get to it when I get to it, and in a manner of my own choosing. 
If you think you can do it faster, then please - do so. I'll gladly 
defer. Installing a copy of Windows XP and trying to reproduce some 
crappy Novell client issue is very much not top of my TODO list.


Grumbling,
Phil


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Francois Gaudreault

Hi Phil,



What I really want to understand is, whether the check is too strict 
and FreeRADIUS should be fixed, or whether Windows XP is just buggy. 
I will try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.

Aight.  Keep us posted.



Did you have a chance to look at it?

Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Phil Mayers

On 02/06/11 14:47, Francois Gaudreault wrote:




Did you have a chance to look at it?


Ironically I'm having trouble finding a windows XP install CD...


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Fajar A. Nugraha
On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 02/06/11 14:47, Francois Gaudreault wrote:


 Did you have a chance to look at it?

 Ironically I'm having trouble finding a windows XP install CD...

This might help:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=21eabb90-958f-4b64-b5f1-73d0a413c8ef

Last time I checked, VirtualBox could also use VHD, so it should work even
on Linux/Mac hosts.

-- 
Fajar


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers

On 05/29/2011 03:10 PM, Francois Gaudreault wrote:

Hi Phil,

On 11-05-29 6:16 AM, Phil Mayers wrote:

Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862
doesn't look like a domain name to me. It looks like a machine name.

It is indeed a machine name. This is where we have problems, this does
not happen using Windows 7. I tried to set a Realm for that machine name
without success. The thing I don't understand is why MSCHAP complains
about that. I mean, correct me if I am wrong, mschap:User-Name will
*always* strip that part since it looks like a domain.


Forget about all that. Adding Realm's and fiddling with the packet won't 
help; the check is hard-coded into the mschap module as a fairly obvious 
security measure.


For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap 
client to send:


EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed their 
username.






Is the machine a domain member or not? Is the user logging on locally
or with a domain account? Or is this an artefact of the way Novell works?

The machine is not a member of the domain, and the user logs in to Novell. So
when the user logs in, it sends the username information to RADIUS just
as if a local user had logged in.


Ah.

I had assumed the machine was a domain member, because you were talking 
about machine auth (which requires domain membership). I take it there 
are two sets of machines - some in the domain, some not? I assume they 
all have the Novell client installed?







What happens if you take an ordinary machine, without the Novell
client installed, create a local user with the same username/password
as a domain user, then use send username automatically

We tried it, and the machine appears to be sending the machine name
anyway. It will work only if we don't send the credentials automatically.


Usually, people only use send username automatically with machines 
which are in the domain. It's possible this is just a bug in Windows XP, 
and that no-one else has ever tried this, so it's never been seen.



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Francois Gaudreault

Hi Phil,

Forget about all that. Adding Realm's and fiddling with the packet 
won't help; the check is hard-coded into the mschap module as a fairly 
obvious security measure.


For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap 
client to send:


EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different Username in 
EAP-Identity and MSChap Username in the same EAP session, since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.


Is there a way we could work around this hard-coded check since in our 
case, we only have one john?




Ah.

I had assumed the machine was a domain member, because you were 
talking about machine auth (which requires domain membership). I take 
it there are two sets of machines - some in the domain, some not? I 
assume they all have the Novell client installed?
Correct, the machines are not members of an AD domain.  However, they 
have the Novell Client installed, and they are using a kind of AD tree 
in their eDirectory structure.  So machine auth works the same as if it 
were an AD domain.  The users are not members of that special tree.




Usually, people only use send username automatically with machines 
which are in the domain. It's possible this is just a bug in Windows 
XP, and that no-one else has ever tried this, so it's never been seen.
It is possible that in Windows XP, something is broken at the supplicant 
level.  In windows 7,  the OS is brilliant enough not to send the 
machine name.  However, mainly 80% of his machines are Windows XP.



--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:


There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different Username in 
EAP-Identity and MSChap Username in the same EAP session, since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.


For a legit client, yes. A malicious client can send anything it wants.



Is there a way we could work around this hard-coded check since in our 
case, we only have one john?


Sure; the check is just one line; grep the source code for it and 
comment it out.


What I really want to understand is, whether the check is too strict and 
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will 
try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.
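Added example (editor's code, not FreeRADIUS source and not posted by anyone in this thread): decode the Name field an MS-CHAPv2 peer puts in its EAP Response and compare it with the User-Name, first with the strict rule the thread attributes to the mschap module (the two strings must be identical) and then with the relaxed rule Phil sketched above (a bare MS-CHAP name is accepted if it equals the stripped User-Name, a name carrying its own domain is not). Assumptions are mine: the packet layout follows RFC 3748 plus the EAP-MSCHAPv2 draft (Op-Code, MS-CHAPv2-ID, MS-Length, Value-Size, 49-byte Value, Name); "stripped" means DOMAIN\user becomes user and user@realm becomes user, standing in for what the realm modules would put in Stripped-User-Name; the sample packets are constructed here with filler challenge and NT-Response bytes.

```python
"""EAP-MSCHAPv2 Response name extraction and the User-Name consistency check.
Added example; constructed sample data; not FreeRADIUS code."""
import struct

EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_RESPONSE = 2
MSCHAPV2_VALUE_SIZE = 49  # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags


def parse_mschapv2_response(eap: bytes) -> dict:
    """Return the fields of an EAP-MSCHAPv2 Response; ValueError on anything malformed."""
    if len(eap) < 10 + MSCHAPV2_VALUE_SIZE:
        raise ValueError("EAP packet too short for an MS-CHAPv2 Response")
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    if length != len(eap):
        raise ValueError("EAP Length does not match the packet")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", eap[5:10])
    if opcode != MSCHAPV2_RESPONSE or value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError("not an MS-CHAPv2 Response")
    if ms_len != length - 5:  # MS-Length covers everything after the EAP Type octet
        raise ValueError("MS-Length does not match EAP Length")
    value = eap[10:10 + MSCHAPV2_VALUE_SIZE]
    # Name is everything after the Value; UnicodeDecodeError is a ValueError subclass
    name = eap[10 + MSCHAPV2_VALUE_SIZE:].decode("ascii")
    return {"id": ms_id, "peer_challenge": value[:16], "nt_response": value[24:48],
            "flags": value[48], "name": name}


def is_well_formed(eap: bytes) -> bool:
    try:
        parse_mschapv2_response(eap)
        return True
    except ValueError:
        return False


def split_realm(name: str) -> tuple:
    """('STAFF', 'john') for STAFF\\john, ('example.org', 'john') for john@example.org,
    ('', name) when no domain or realm is present (assumed stripping rule)."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return domain, user
    if "@" in name:
        user, _, realm = name.rpartition("@")
        return realm, user
    return "", name


def strict_check(user_name: str, mschap_name: str) -> bool:
    """The rule as the thread describes it: both names must be identical."""
    return user_name == mschap_name


def relaxed_check(user_name: str, mschap_name: str) -> bool:
    """Phil's sketch: identical passes; a bare MS-CHAP name passes only if it equals the
    stripped User-Name; an MS-CHAP name with its own domain (STUDENT\\john) is rejected."""
    if user_name == mschap_name:
        return True
    ms_realm, ms_user = split_realm(mschap_name)
    if ms_realm:
        return False  # the client changed or added the domain inside the tunnel
    _, stripped = split_realm(user_name)
    return stripped == ms_user


def build_mschapv2_response(ms_id: int, peer_challenge: bytes, nt_response: bytes, name: str) -> bytes:
    """Constructed test data: a well-formed EAP-MSCHAPv2 Response for `name` (Flags always 0)."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("peer challenge is 16 bytes, NT-Response is 24 bytes")
    body = peer_challenge + bytes(8) + nt_response + b"\x00" + name.encode("ascii")
    ms_len = 5 + len(body)  # Op-Code, ID, MS-Length, Value-Size + Value + Name
    eap_len = 5 + ms_len    # Code, ID, Length, Type + the MS-CHAPv2 packet
    return (struct.pack("!BBHB", EAP_RESPONSE, ms_id, eap_len, EAP_TYPE_MSCHAPV2)
            + struct.pack("!BBHB", MSCHAPV2_RESPONSE, ms_id, ms_len, MSCHAPV2_VALUE_SIZE)
            + body)


def evaluate(user_name: str, eap: bytes) -> dict:
    """What a server-side check would decide for one inner request."""
    name = parse_mschapv2_response(eap)["name"]
    return {"mschap_name": name,
            "strict": strict_check(user_name, name),
            "relaxed": relaxed_check(user_name, name)}


if __name__ == "__main__":
    chal = bytes(range(16))     # constructed filler, not a real challenge
    ntr = bytes(range(16, 40))  # constructed filler, not a real NT-Response
    for outer, inner in [
        ("STIC08862\\TechRMC", "TechRMC"),  # the XP/Novell client in this thread
        ("STAFF\\john", "STUDENT\\john"),   # Phil's two-domain attack
        ("STAFF\\john", "john"),
        ("john@example.org", "john"),
        ("john", "john"),
    ]:
        pkt = build_mschapv2_response(7, chal, ntr, inner)
        print(f"{outer:20} {inner:14} {evaluate(outer, pkt)}")
```

The constructed "TechRMC" packet has the same header values as the EAP-Message in the debug output quoted later in this thread (Length 0x42, MS-Length 0x3d, Value-Size 0x31, and a trailing 54656368524d43 = "TechRMC"), which is how Phil read the MS-CHAP name out of it. Under the strict rule that request fails because "STIC08862\TechRMC" is not "TechRMC"; under the relaxed rule it passes, while "STAFF\john" against "STUDENT\john" is still rejected because the inner name carries a domain of its own. The relaxed rule is only safe where the server really authenticates against the domain named in User-Name, so that accepting the bare name cannot move the user to a different account store.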


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread ironrake
In my shop I see a mix of domain and non-domain machines. Each type will send 
machine or user\localmachine for the user's name depending on the configuration of 
the Windows supplicant. Avoid having users log on to domain machines with local 
user accounts unless you have configured the Windows supplicant from the 
default. Do the same with non-domain machines.

Here I check for the form \full.windows.domain.name. If this is present, I 
use ntlm-auth. If it is not, I strip off the \host part in the inner tunnel 
and use that as a user in an ldap store which has mschap password hashes. In 
most cases this works for domain machines where users are logging in with local 
accounts or logging in locally with cached user credentials. The rest show up 
at the help desk. I am excited about the mschap patches talked about in recent 
posts.

-Original Message-
From: Phil Mayers p.may...@imperial.ac.uk
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 30 May 2011 14:55:03 
To: FreeRadius users mailing listfreeradius-users@lists.freeradius.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Error: User-Name is not the same as MS-CHAP name

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.

True.  But I don't think it is possible to send a different Username in 
EAP-Identity and MSChap Username in the same EAP session, since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.

For a legit client, yes. A malicious client can send anything it wants.


Is there a way we could work around this hard-coded check since in our 
case, we only have one john?

Sure; the check is just one line; grep the source code for it and 
comment it out.

What I really want to understand is, whether the check is too strict and 
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will 
try to check this tomorrow.

e.g. maybe the check should be:

if eap.username == mschap.username:
  ok
elif not mschap.domain:
  if eap.stripped-user-name == mschap.username:
ok
  reject
else:
  reject

I will try to investigate this tomorrow when I get back to the office.


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Francois Gaudreault

Hi,

On 11-05-30 9:55 AM, Phil Mayers wrote:

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:


There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different Username 
in EAP-Identity and MSChap Username in the same EAP session, since the 
second is derived from the first.  I have seen such a setup where you 
have two domains; RADIUS would use the Realm to differentiate the two.


For a legit client, yes. A malicious client can send anything it wants.

I completely agree with you on this.





Is there a way we could work around this hard-coded check since in 
our case, we only have one john?


Sure; the check is just one line; grep the source code for it and 
comment it out.


What I really want to understand is, whether the check is too strict 
and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I 
will try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.

Aight.  Keep us posted.


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-29 Thread Phil Mayers

On 05/28/2011 06:33 PM, Francois Gaudreault wrote:

Sending tunneled request
 EAP-Message =
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc09a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43

 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = STIC08862\\TechRMC
 State = 0x510e2245510938eb25e1ac3222e20688


Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862 
doesn't look like a domain name to me. It looks like a machine name.


Is the machine a domain member or not? Is the user logging on locally or 
with a domain account? Or is this an artefact of the way Novell works?


What happens if you take an ordinary machine, without the Novell client 
installed, create a local user with the same username/password as a 
domain user, then use send username automatically


That is - does this work if the Novell client isn't in the picture?


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-29 Thread Francois Gaudreault

Hi Phil,

On 11-05-29 6:16 AM, Phil Mayers wrote:

Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862 
doesn't look like a domain name to me. It looks like a machine name.
It is indeed a machine name.  This is where we have problems, this does 
not happen using Windows 7.  I tried to set a Realm for that machine 
name without success.  The thing I don't understand is why MSCHAP 
complains about that.  I mean, correct me if I am wrong, 
mschap:User-Name will *always* strip that part since it looks like a domain.




Is the machine a domain member or not? Is the user logging on locally 
or with a domain account? Or is this an artefact of the way Novell works?
The machine is not a member of the domain, and the user logs in to Novell.  
So when the user logs in, it sends the username information to RADIUS 
just as if a local user had logged in.




What happens if you take an ordinary machine, without the Novell 
client installed, create a local user with the same username/password 
as a domain user, then use send username automatically
We tried it, and the machine appears to be sending the machine name 
anyway.  It will work only if we don't send the credentials automatically.



Thanks!

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Phil Mayers

On 05/27/2011 09:04 PM, Francois Gaudreault wrote:

Hi,

I had a look at this issue with him since he is one of our clients.
Machine authentications are working flawlessly, Windows 7 authentication
as well (no hostname is sent with the username).


I honestly lost track of this issue; the guy had spread it over a couple 
of mailing list posts, and the debug output kept getting sent as either 
URLs I couldn't access, or heavily mangled text, so I'm afraid I drifted 
away.


Can you summarise in brief the setup you have, and as per Alan's 
request, send the full debug output of radiusd -X for a failing 
authentication. Please don't trim or edit the output.


By summarise your setup I mean:

 * what clients, and how they're setup
 * what NASes
 * what behaviour you're trying to achieve

I'll repeat something I've had cause to say several times recently:

Either:

 1. The client is sending wrong/mismatching usernames
 2. Something along the way is mangling the usernames
 3. You have configured FreeRADIUS to mangle it

There really aren't any other options.


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Francois Gaudreault

Hi Phil, and Alan,

I will get you the debug output for Windows XP SP3 boxes (likely Monday).

I will summarise what we have.  Basically, this is a setup where the 
client is using eDirectory to authorize the users using the rlm_ldap 
module.  On the Windows boxes, it is configured to do PEAP using 
MSCHAPv2.  When we send a host credential (i.e. 
host/mycomputer.domain.tld) it will pass the authorization, and during 
the authentication phase it will use ntlm_auth to ensure that the 
machine is a member of the domain.  That part is working fine; the mschap 
module does its job.  For the users, they have Windows 7s and Windows 
XPs.  Windows 7 appears to be working without problems, since the 
username is sent without the computer name as the domain prefix.  The 
problem comes with the Windows XP boxes.  If we let Windows send the 
credentials automatically (when Novell logs in), the LDAP authorization 
will work properly, but the authentication will fail even if the 
Cleartext-Password attribute is set by the LDAP module.  It will throw 
that MS-CHAP error.  We also ensure that everything that comes from 
something that is not matching host/something will use 
MS-CHAP-NTLM-Auth = No.  The only way to make Windows XP work is to 
disable the "automatically send username" thing and only send the 
username without the domain name.  However, the user experience will 
definitely be terrible.


The NAS Client is an Avaya Access Point.

Thanks for your feedback, guys, it is appreciated.  I will get you the 
debug information and the sites configuration as soon as I can.


Have a nice weekend.

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Francois Gaudreault

Hi,

Here is the complete debug log :

rad_recv: Access-Request packet from host 10.220.30.5 port 29010, 
id=194, length=179

User-Name = STIC08862\\TechRMC
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = 58-16-26-AA-F7-A1:AVAYA-RESEAU
Calling-Station-Id = 00-16-EA-C5-78-9C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11a
EAP-Message = 0x0216015354494330383836325c54656368524d43
Message-Authenticator = 0xfa084ddf06908a03fe823772e3df038e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = STIC08862\TechRMC, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm STIC08862 for User-Name = STIC08862\TechRMC
[ntdomain] No such realm STIC08862
++[ntdomain] returns noop
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap]  expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap]  expand: o=CSPI -> o=CSPI
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as 
Cleartext-Password

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 194 to 10.220.30.5 port 29010
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x309c14c6309d0dd14b00d913c56dbe3f
Finished request 78.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, 
id=195, length=255

User-Name = STIC08862\\TechRMC
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = 58-16-26-AA-F7-A1:AVAYA-RESEAU
Calling-Station-Id = 00-16-EA-C5-78-9C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11a
EAP-Message = 
0x02010050198000461603010041013d03014de118d0fb7ad90b86758750890c116038cb55d9c09e4f2b4228a03e019e3d421600040005000a000900640062000300060013001200630100 


State = 0x309c14c6309d0dd14b00d913c56dbe3f
Message-Authenticator = 0xbb36f856b12e7151d07b7f62bb8ac4d1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = STIC08862\TechRMC, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm STIC08862 for User-Name = STIC08862\TechRMC
[ntdomain] No such realm STIC08862
++[ntdomain] returns noop
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 1 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client 
certificate A

In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] 

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-27 Thread Francois Gaudreault

Hi,

I had a look at this issue with him since he is one of our clients.  Machine 
authentications are working flawlessly, Windows 7 authentication as well (no 
hostname is sent with the username).
The problem is when the HOSTNAME is sent along with the username under windows 
XP. I tried to set a realm specially for this HOSTNAME, but we got the same 
error.

   Well... re-writing the names in the inner-tunnel server is breaking
authentication.

We don't.  The site configurations are very straightforward (almost default), 
no fancy rewrites in the default or the inner-tunnel.

   *Why* are you re-writing them?  What do you expect to do with the
names?  Why isn't there another way to achieve the same goal?

We do not rewrite anything.  LDAP authorization passes properly, but when EAP 
authentication kicks in, we have this MS-CHAP error.
We are using mschap:user-name in the LDAP filter and in the ntlm_auth line.  
Again, we are *NOT* rewriting the User-Name.

We need other ideas here.

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-27 Thread Alan DeKok
Francois Gaudreault wrote:
 We are using mschap:user-name in the LDAP filter and in the ntlm_auth
 line.  Again, we are *NOT* rewriting the User-Name.
 
 We need other ideas here.

  Post the debug output.

  Alan DeKok.


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
If the User-Name is being rewritten it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in the debug output of the server that
User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


freeradius:/etc # diff -qr  raddb raddefault
Files raddb/clients.conf and raddefault/clients.conf differ
Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
Files raddb/modules/ldap and raddefault/modules/ldap differ
Files raddb/modules/mschap and raddefault/modules/mschap differ
Files raddb/sites-available/inner-tunnel and
raddefault/sites-available/inner-tunnel differ
Files raddb/sites-enabled/inner-tunnel and
raddefault/sites-enabled/inner-tunnel differ


-

freeradius:/etc # diff  raddb/clients.conf raddefault/clients.conf
206,209d205
 client 10.0.0.0/8 {
secret  = testing123
shortname   = net1
 }
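Review bot: the 10.0.0.0/8 client block uses the stock example secret `testing123`, so any host in that /8 that knows the string shipped in every FreeRADIUS example can speak to this server as a trusted NAS. Generate a long random secret and scope the client block to the actual access points (or at least a narrow subnet) rather than the whole 10/8; since this configuration has now been posted to a public list, the secret should be changed regardless.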




freeradius:/etc # diff raddb/modules/attr_rewrite
raddefault/modules/attr_rewrite
32,65d31

 attr_rewrite copy.user-name {
 attribute = Stripped-User-Name
 new_attribute = yes
 searchfor = 
 searchin = packet
 replacewith = %{User-Name}
 }

 attr_rewrite remove-domain-name {
 attribute = Stripped-User-Name
 searchfor = (\.test\.local)
 searchin = packet
 new_attribute = no
 replacewith = 
 }

 attr_rewrite add-dollar-sign {
 attribute = Stripped-User-Name
 searchfor = ^(host/.*)
 searchin = packet
 new_attribute = no
 replacewith = %{1}$
 }

 attr_rewrite strip-realm-name {
 attribute = Stripped-User-Name
 new_attribute = no
 searchin = packet
 searchfor = ^(.*[\\/]+)
 replacewith = 
 max_matches = 1
 }
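Review bot: as pasted, `searchfor` in `copy.user-name` and `replacewith` in `remove-domain-name` and `strip-realm-name` are empty; if that is the intent (match anything, replace with nothing) quote the empty string explicitly so a reader does not take it for a value lost in the paste. Separately, `strip-realm-name` matches `^(.*[\\/]+)` with a greedy `.*`, which deletes everything up to the last `\` or `/` in the name rather than just the leading `DOMAIN\` or `host/` prefix; if only the first prefix should go, anchor on the first separator with `^([^\\/]*[\\/])` instead.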



--

freeradius:/etc # diff  raddb/modules/ldap  raddefault/modules/ldap
33,36c33,36
   server = 10.220.7.7
   identity = cn=tics,o=test
   password = ldappass
   basedn = o=test
---
   server = ldap.your.domain
   #identity = cn=admin,o=My Org,c=UA
   #password = mypass
   basedn = o=My Org,c=UA
77,79c77,78
   #start_tls = no
   start_tls = yes
   port=636
---
   start_tls = no

118c117
   password_attribute = nspmPassword
---

124c123
   edir_account_policy_check = yes
---
   edir_account_policy_check = no
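Review bot: `start_tls = yes` combined with `port=636` mixes the two LDAP TLS modes. Port 636 is LDAPS, where TLS is negotiated before any LDAP operation; StartTLS is an extended operation sent over a plaintext connection, normally on 389, and issuing it against an LDAPS listener fails. Use `start_tls = yes` with the default port 389, or drop `start_tls` and connect on 636 using the module's LDAPS setting. Also, `identity = cn=tics,o=test` and `password = ldappass` are now in a public archive; rotate that bind password.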


--

freeradius:/etc # diff raddb/modules/mschap  raddefault/modules/mschap
37c37
   with_ntdomain_hack = yes
---

65,66c65
   #ntlm_auth = /path/to/nitlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
---
   #ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
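Review bot: the new ntlm_auth line passes `--domain=%{%{mschap:NT-Domain}:-NW2}`, so whatever the client puts before the backslash in User-Name becomes the domain ntlm_auth authenticates against; the `:-NW2` default only applies when there is no prefix at all. For the failing requests in this thread that prefix is a host name (`CAD08862\ldapuser`), so even once the name check passes, ntlm_auth would be asked about domain `CAD08862`. If every user is in NW2, hard-code `--domain=NW2` instead of trusting the client-supplied prefix; if several domains exist, treat the prefix as untrusted input and check it against a fixed list before using it.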




 
freeradius:/etc # diff raddb/sites-available/inner-tunnel
raddefault/sites-available/inner-tunnel
48,52d47
   if (User-Name !~ /^host\//) {
 update control {
 MS-CHAP-Use-NTLM-Auth := no
 }
 }
97,101c92
   copy.user-name
   remove-domain-name
   add-dollar-sign
   strip-realm-name
   ntdomain
---
 # ntdomain
151c142
   ldap
---
 # ldap
239,241c230,232
   Auth-Type LDAP {
   ldap
   }
---
 # Auth-Type LDAP {
 # ldap
 # }
299c290
   ldap
---
 # ldap
311d301
   ldap




Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Phil Mayers

On 05/10/2011 03:35 PM, Robert Mc Cready wrote:

If the User-Name is being rewritten it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in the debug output of the server that
User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


I presume there's a debug at this URL, but I have no reachability to it 
from where I am (tried from a couple of different source networks):


17  Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54)  90.786 ms 
90.770 ms  90.740 ms
18  Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10)  90.800 ms 
90.918 ms  91.056 ms
19  tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165)  91.241 ms  90.598 
ms  90.634 ms
20  tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198)  79.405 ms 
79.282 ms  79.230 ms

21  * * *
22  * * *
23  * * *

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Alan DeKok
Robert Mc Cready wrote:
 If the User-Name is being rewritten it is not intentional.

  Well... it's obviously something you've changed, because it doesn't
happen in the default configuration.

 Now, I reinstalled from scratch, saved the default configuration, joined the
 server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
 inner-tunnel and ran diff. I can see in the debug output of the server that
 User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

  You're stripping the domain.  Why?  It's just not necessary.  The way
you're doing it is wrong, and is breaking the server.

  Instead, set up CAD08862 as a LOCAL realm.  See proxy.conf.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
The host names are not domain names, they are computer account names, and we
have hundreds of them. We only use the MS Domain to authenticate the
computer accounts, not the users.


-----Original Message-----
From:
freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org
[mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius
.org] On behalf of Alan DeKok
Sent: 10 May 2011 10:49
To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name

Robert Mc Cready wrote:
 If the User-Name is being rewritten it is not intentional.

  Well... it's obviously something you've changed, because it doesn't
happen in the default configuration.

 Now, I reinstalled from scratch, saved the default configuration, joined the
 server to the domain, modified clients.conf, attr_rewrite, ldap, mschap
and
 inner-tunnel and ran diff. I can see in the debug output of the server
that
 User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

  You're stripping the domain.  Why?  It's just not necessary.  The way
you're doing it is wrong, and is breaking the server.

  Instead, set up CAD08862 as a LOCAL realm.  See proxy.conf.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 

__ Information from ESET NOD32 Antivirus, virus signature database
version 6110 (20110510) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
Here it is:

FreeRADIUS Debugging Output

This colorized output was produced by an automated tool from Network RADIUS

Packet 0

rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=171, length=177
        User-Name = CAD08862\\ldapuser
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = 58-16-26-AA-F7-B1:WIRELESS
        Calling-Station-Id = 00-16-EA-C5-78-9C
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11g
        EAP-Message = 0x020b00150143414430383836325c54656368524d43
        Message-Authenticator = 0x0a731b00ed8632709fd7a0cd73425aac
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 11 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 171 to 10.220.30.5 port 29002
        EAP-Message = 0x010c00160410b6e7676fb05991e0012286fb7d646c1e
        Message-Authenticator = 0x
        State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f
Finished request 229.
Going to the next request
Waking up in 4.9 seconds.

Packet 1

rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=172, length=180
        User-Name = CAD08862\\ldapuser
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = 58-16-26-AA-F7-B1:WIRELESS
        Calling-Station-Id = 00-16-EA-C5-78-9C
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11g
        EAP-Message = 0x020c00060319
        State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f
        Message-Authenticator = 0xa70f38635c3dc90b94a63ba069f76ebb
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 12 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 172 to 10.220.30.5 port 29002
        EAP-Message = 0x010d00061920
        Message-Authenticator = 0x
        State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f
Finished request 230.
Going to the next request
Waking up in 4.9 seconds.

Packet 2

rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=173, length=254
        User-Name = CAD08862\\ldapuser
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = 58-16-26-AA-F7-B1:WIRELESS
        Calling-Station-Id = 00-16-EA-C5-78-9C
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11g
        EAP-Message = 0x020d0050198000461603010041013d03014dc932cb ...
        State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f
        Message-Authenticator = 0x2e2e0708c73b34e905daee695ee8032a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 13 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] 

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Alan DeKok
Robert Mc Cready wrote:
 The host names are not domain names, they are computer account names, and we
 have hundreds of them. We only use the MS Domain to authenticate the
 computer accounts, not the users.

  Well... re-writing the names in the inner-tunnel server is breaking
authentication.

  *Why* are you re-writing them?  What do you expect to do with the
names?  Why isn't there another way to achieve the same goal?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-09 Thread Robert Mc Cready
I do not rewrite the User-Name attribute, I rewrite only the
Stripped-User-Name attribute with these:

attr_rewrite copy.user-name {
        # create Stripped-User-Name holding a copy of User-Name
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor = 
        searchin = packet
        replacewith = %{User-Name}
}

attr_rewrite remove-domain-name {
        # strip the DNS suffix from a host/pc.nw2.test.local style name
        attribute = Stripped-User-Name
        searchfor = (\.nw2\.test\.local)
        searchin = packet
        new_attribute = no
        replacewith = 
}

attr_rewrite add-dollar-sign {
        # append "$" to host/ names so they look like computer account names
        attribute = Stripped-User-Name
        searchfor = ^(host/.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
}

attr_rewrite strip-realm-name {
        # drop everything up to and including the last "\" or "/"
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = ^(.*[\\/]+)
        replacewith = 
        max_matches = 1
}


This is where I use Stripped-User-Name:

freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/ldap:   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})


The User-Name attribute is untouched.

[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP
Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before, the host name (CAD08862) is not a domain name, it's a
computer account name.


I tried with_ntdomain_hack, no luck.

freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
modules/preprocess: with_ntdomain_hack = no
modules/mschap: with_ntdomain_hack = yes


Windows XP debug:  http://www.cspi.qc.ca/sinfrmc/windowsxp.htm

Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm




On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
 The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one
 problem with Windows XP clients, I get a  [mschap] ERROR: User-Name
 (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
 EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
 Windows 7 clients work fine because they send only the username. I do
 some rewrites so I can get the username for the LDAP authentication and
 the computer name for computer account authentication (I'm not familiar
 with unlang yet). We use FR 2.1.10.

 Any idea how to fix this ?


You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate 
attribute, like so:

  if (User-Name =~ /^(.+)\\(.+)/) {
update request {
  Stripped-User-Name := %{2}
}
  }

An easier alternative is to not mangle the username at all, and instead 
update any string expansions to use:

  %{mschap:User-Name}

...including your LDAP filters. This will just work
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-09 Thread Alan DeKok
Robert Mc Cready wrote:
 I do not rewrite the User-Name attribute, I rewrite only the
 Stripped-User-Name attribute with these:

  No.  Go READ the debug log you posted.  The inner-tunnel virtual
server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = CAD08862\\ldapuser

  You then RE-WRITE the User-Name.

  Don't do that.

  As you were told, re-writing the User-Name for EAP is wrong.  Don't do it.

 The User-Name attribute is untouched.

  You can believe what you *think* happens.  Or you can believe the
debug output of the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-08 Thread Phil Mayers

On 05/07/2011 07:50 PM, Robert Mc Cready wrote:

The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one
problem with Windows XP clients, I get a  [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
Windows 7 clients work fine because they send only the username. I do
some rewrites so I can get the username for the LDAP authentication and
the computer name for computer account authentication (I'm not familiar
with unlang yet). We use FR 2.1.10.

Any idea how to fix this ?



You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate 
attribute, like so:


 if (User-Name =~ /^(.+)\\(.+)/) {
   update request {
 Stripped-User-Name := %{2}
   }
 }

An easier alternative is to not mangle the username at all, and instead 
update any string expansions to use:


 %{mschap:User-Name}

...including your LDAP filters. This will just work
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
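An added example, written for this page and not code from the thread or from FreeRADIUS, of why Phil's advice to leave the name alone, or to read it back through %{mschap:User-Name}, is more than a style point. RFC 2759's ChallengeHash() mixes the user name into the 8-octet challenge that the peer's NT-Response is computed over, and the RFC specifies that name as the peer presented it, without any prepended domain. A Windows XP client that hashed "ldapuser" while the RADIUS User-Name reads "CAD08862\ldapuser" therefore cannot be verified by a server that hashes the raw User-Name. The helpers mirror what %{mschap:User-Name} and %{mschap:NT-Domain} return; the ignore_domain_prefix flag is a comparison policy invented for the example, not a FreeRADIUS option; the challenge bytes and names are constructed, apart from the RFC 2759 section 9.2 vector used as a known answer.

```python
"""RFC 2759 ChallengeHash and the DOMAIN\\user prefix.

Added example, not code from the thread or from FreeRADIUS. The challenge
bytes and user names below are constructed inputs; the one known-answer
vector is the RFC 2759 section 9.2 example.
"""
import hashlib
from typing import Dict, Optional


def mschap_user_name(user_name: str) -> str:
    """Part of 'DOMAIN\\user' after the backslash, as %{mschap:User-Name}
    expands it; a name without a backslash (e.g. 'host/pc1.nw2.test.local')
    is returned unchanged."""
    _, sep, user = user_name.partition("\\")
    return user if sep else user_name


def mschap_nt_domain(user_name: str) -> str:
    """'DOMAIN' part of 'DOMAIN\\user', as %{mschap:NT-Domain} expands it,
    or '' when there is no prefix."""
    domain, sep, _ = user_name.partition("\\")
    return domain if sep else ""


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName). The RFC
    requires the user name as the peer presented it, without any prepended
    domain; the peer's NT-Response is computed over this challenge, so the
    server must hash the very same name to verify it."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def rfc2759_known_answer() -> bool:
    """Check challenge_hash() against the RFC 2759 section 9.2 vector
    (UserName 'User'); True when the derived challenge matches."""
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    return challenge_hash(peer, auth, "User") == bytes.fromhex("D02E4386BCE91226")


def name_mismatch(radius_user_name: str, mschap_name: str,
                  ignore_domain_prefix: bool = False) -> Optional[str]:
    """Compare the RADIUS User-Name with the name carried in the
    EAP-MSCHAPv2 response. None when they agree, otherwise the text of the
    error seen in the thread. ignore_domain_prefix is a comparison policy
    for this example, not a FreeRADIUS option."""
    left = mschap_user_name(radius_user_name) if ignore_domain_prefix else radius_user_name
    if left == mschap_name:
        return None
    return ("User-Name (%s) is not the same as MS-CHAP Name (%s) from EAP-MSCHAPv2"
            % (radius_user_name, mschap_name))


def server_side_challenges(radius_user_name: str, peer_name: str,
                           peer_challenge: bytes, auth_challenge: bytes) -> Dict[str, bytes]:
    """Derive the challenge three ways: as the peer did, as a server that
    hashes the raw User-Name would, and as one that strips DOMAIN\\ first.
    Only the stripped form reproduces the peer's value when the RADIUS
    User-Name carries a prefix the peer did not hash."""
    return {
        "peer": challenge_hash(peer_challenge, auth_challenge, peer_name),
        "server_raw": challenge_hash(peer_challenge, auth_challenge, radius_user_name),
        "server_stripped": challenge_hash(peer_challenge, auth_challenge,
                                          mschap_user_name(radius_user_name)),
    }


if __name__ == "__main__":
    # Constructed challenges; any 16 octets serve for the demonstration.
    PEER = bytes(range(16))
    AUTH = bytes(range(16, 32))
    # The Windows XP case from the thread: the RADIUS User-Name carries the
    # computer name as a prefix, the EAP-MSCHAPv2 response only 'ldapuser'.
    out = server_side_challenges("CAD08862\\ldapuser", "ldapuser", PEER, AUTH)
    for label, value in out.items():
        print("%-16s %s" % (label, value.hex()))
    print(name_mismatch("CAD08862\\ldapuser", "ldapuser"))
    print(name_mismatch("CAD08862\\ldapuser", "ldapuser", ignore_domain_prefix=True))
    print("RFC 2759 vector ok:", rfc2759_known_answer())
```

Run it as a script to see the three challenge values side by side: the raw User-Name derivation differs from the peer's, the stripped one matches, which is the same requirement ntlm_auth has when it is handed --username and --challenge from the request.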


Error: User-Name is not the same as MS-CHAP name

2011-05-07 Thread Robert Mc Cready
The MS-CHAP-Use-NTLM-Auth := no did the job but I still have one problem
with Windows XP clients, I get a [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
Windows 7 clients work fine because they send only the username. I do some
rewrites so I can get the username for the LDAP authentication and the
computer name for computer account authentication (I'm not familiar with
unlang yet). We use FR 2.1.10.

Any idea how to fix this?

Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm

Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm

On 05/05/11 15:17, Robert Mc Cready wrote:
 We use Novell eDirectory and DSFW (Directory Services for Windows)
 which is kind of a Windows domain inside an OU in eDirectory. I want
 to authenticate users using LDAP and Windows computer accounts using
 ntlm_auth. There are only computer accounts in the Windows domain.

 The computer authentication is working fine but the user
 authentication with LDAP fails if ntlm_auth is configured. If I don't
 use ntlm_auth the user authentication works. Is there a way to have
 both of them working together?

Yes. Something like this:

authorize {
   ...
   if (User-Name !~ /^host\//) {
     update control {
       MS-CHAP-Use-NTLM-Auth := no
     }
   }
   ...
}

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


We use Novell eDirectory and DSFW (Directory Services for Windows) which is
kind of a Windows domain inside an OU in eDirectory. I want to authenticate
users using LDAP and Windows computer accounts using ntlm_auth. There are
only computer accounts in the Windows domain.

The computer authentication is working fine but the user authentication
with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the
user authentication works. Is there a way to have both of them working
together?

We use PEAP.

Working user authentication with LDAP debug (ntlm_auth not configured):
http://www.cspi.qc.ca/sinfrmc/ldap_only.htm

Working Windows computer account authentication:
http://www.cspi.qc.ca/sinfrmc/mschap_only.htm

User account getting rejected debug (with ntlm_auth configured):
http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm

Thanks,

Robert.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-07 Thread Daniel Deptuła

On 2011-05-07 20:50, Robert Mc Cready wrote:


The MS-CHAP-Use-NTLM-Auth := no  did the job but I still have one 
problem with Windows XP clients, I get a  [mschap] ERROR: User-Name 
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from 
EAP-MSCHAPv2. Users log on locally, the host name is not a domain 
name. Windows 7 clients work fine because they send only the username. 
I do some rewrites so I can get the username for the LDAP 
authentication and the computer name for computer account 
authentication (I'm not familiar with unlang yet).  We use FR 2.1.10.


Any idea how to fix this ?



Try to uncomment the ntdomain line in the authorize section of the site 
configuration. This will split the realm (computer name) and login. 
Maybe you'll also need to set with_ntdomain_hack = yes in the mschap 
module configuration.


Daniel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html