RE: PEAP-MSCHAPv2 against AD

2006-09-25 Thread Jonathan De Graeve
Never mind, found the solutions as:

ntlm_auth --username=%{mschap:User-Name} --foobar

J.

-- 
Jonathan De Graeve
Network/System Engineer
Imelda vzw
Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-

 -Original Message-
 From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Jonathan De Graeve
 Sent: Monday, 25 September 2006 17:34
 To: FreeRadius users mailing list
 Subject: PEAP-MSCHAPv2 against AD
 
 I'm trying to do PEAP-MSCHAPv2 with authentication against an AD
 
 Currently I have the following problem:
 
 When the domain is in the username the authentication fails; if the
 domain name isn't in the authentication, the authentication succeeds. I'm
 using the following ntlm_auth line in radiusd.conf:
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}
 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
 --domain=%{mschap:NT-Domain:-IMZ}
 
 with_ntdomain_hack = yes is enabled in the mschap {} section.
 
 Output from shell:
 radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key
 --username=IMZ\\beheerder --challenge=e456e008c25a9ac7
 --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580
 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
 --domain=IMZ
 Logon failure (0xc06d)
 radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key
 --username=beheerder --challenge=e456e008c25a9ac7
 --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580
 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134
 --domain=IMZ
 NT_KEY: EB23807FB13B1CAB06F4F0BBE5C199D0
 
 
 Debugging information (with a different user)
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 252
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: EAP type mschapv2
   rlm_eap_peap: Tunneled data is valid.
   PEAP: Got tunneled EAP-Message
 EAP-Message = 0x020800471a0208004231f622919de18b1fdab0ca9902b9729d491337f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
   PEAP: Setting User-Name to IMZ\jonathan
   PEAP: Adding old state with 8f f9
   PEAP: Sending tunneled request
 EAP-Message = 0x020800471a0208004231f622919de18b1fdab0ca9902b9729d491337f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = IMZ\\jonathan
 State = 0x8ff913e6997d7ca8d6a9b4832ff5c931
 NAS-IP-Address = 194.8.52.161
 Connect-Info = CONNECT 802.11
 Called-Station-Id = 000fb5df0524
 Calling-Station-Id = 004096ab4eed
 NAS-Identifier = ap
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 4
 NAS-Port-Id = 4
 Framed-MTU = 1400
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 252
   modcall[authorize]: module preprocess returns ok for request 252
   modcall[authorize]: module attr_filter returns noop for request
252
   modcall[authorize]: module chap returns noop for request 252
   modcall[authorize]: module mschap returns noop for request 252
   modcall[authorize]: module digest returns noop for request 252
 rlm_realm: No '@' in User-Name = IMZ\jonathan, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 252
   rlm_eap: EAP packet type response id 8 length 71
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 252
   modcall[authorize]: module files returns notfound for request 252
 radius_xlat:  'IMZ\\jonathan'
 rlm_sql (sql): sql_set_user escaped user -- 'IMZ\\jonathan'
 radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'IMZ\\\\jonathan' ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 3
 rlm_sql (sql): User IMZ\\jonathan not found in radcheck
 radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'IMZ\\\\jonathan' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
 radius_xlat:  'SELECT

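The fix Jonathan settled on comes down to one thing: ntlm_auth must be given the bare account name and the domain as separate arguments, even though the RADIUS User-Name arrives as IMZ\user. The following Python is an added example written for this archive page; it is not code from the thread, from FreeRADIUS or from Samba. It models that prefix split (the effect of with_ntdomain_hack), assembles the same ntlm_auth argv the radiusd.conf line expands to, and classifies the two kinds of output seen in the shell transcript above. The function names, the default domain "IMZ" and the sample challenge/response values are either taken from the thread or constructed for illustration.

```python
# Added example (not from the thread, FreeRADIUS or Samba): model the
# DOMAIN\user prefix split that ntlm_auth needs, build the argv, and parse
# the one-line result. Names and sample values are constructed/illustrative.
from __future__ import annotations

import re
import subprocess
from typing import Optional


def split_nt_domain(user_name: str, default_domain: str) -> tuple[str, str]:
    """Split 'DOMAIN\\user' into (domain, user); a bare user gets default_domain.

    This mirrors what with_ntdomain_hack = yes achieves: the RADIUS User-Name
    keeps its prefix, but ntlm_auth must receive domain and user separately,
    otherwise it reports "Logon failure" as in the thread's first transcript.
    """
    domain, sep, user = user_name.partition("\\")
    if sep:                      # prefix present, e.g. "IMZ\\beheerder"
        return domain, user
    return default_domain, user_name


def build_ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str,
                         default_domain: str, required_sid: Optional[str] = None,
                         binary: str = "/usr/bin/ntlm_auth") -> list[str]:
    """Assemble the argv the radiusd.conf ntlm_auth line expands to.

    A list (not a shell string) is returned so subprocess can exec it directly:
    a User-Name containing quotes or shell metacharacters stays one argument.
    """
    domain, user = split_nt_domain(user_name, default_domain)
    argv = [
        binary,
        "--request-nt-key",
        f"--username={user}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
        f"--domain={domain}",
    ]
    if required_sid:
        argv.append(f"--require-membership-of={required_sid}")
    return argv


# The two output forms seen in the thread: a 16-byte NT key, or a failure code.
_NT_KEY = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]{32})$")
_FAILURE = re.compile(r"^Logon failure \((0x[0-9A-Fa-f]+)\)$")


def parse_ntlm_auth_output(line: str) -> dict:
    """Classify the first line ntlm_auth prints."""
    line = line.strip()
    m = _NT_KEY.match(line)
    if m:
        return {"ok": True, "nt_key": m.group(1).upper(), "status": None}
    m = _FAILURE.match(line)
    if m:
        return {"ok": False, "nt_key": None, "status": m.group(1)}
    return {"ok": False, "nt_key": None, "status": "unrecognised output"}


def run_ntlm_auth(argv: list[str]) -> dict:
    """Run ntlm_auth for real (requires a joined Samba/winbind host)."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    first = proc.stdout.splitlines()[0] if proc.stdout else ""
    return parse_ntlm_auth_output(first)


if __name__ == "__main__":
    # Sample values copied from the thread's shell transcript.
    argv = build_ntlm_auth_argv(
        "IMZ\\beheerder", "e456e008c25a9ac7",
        "28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580",
        default_domain="IMZ",
        required_sid="S-1-5-21-3816208617-2573269785-2633524980-1134")
    print(" ".join(argv))
    print(parse_ntlm_auth_output("NT_KEY: EB23807FB13B1CAB06F4F0BBE5C199D0"))
    print(parse_ntlm_auth_output("Logon failure (0xc06d)"))
```

The argv printed for "IMZ\beheerder" carries --username=beheerder and --domain=IMZ, which is the second, successful invocation from the transcript; passing the prefixed name through unchanged reproduces the first, failing one.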

RE: PEAP-MSCHAPv2 against AD

2006-09-25 Thread Garber, Neal
 Login incorrect: [IMZ\\jonathan/no User-Password attribute] (from

Do you have:

realm IMZ {
type= radius
authhost= LOCAL
accthost= LOCAL
}

In your proxy.conf file?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP-MSCHAPv2 against AD

2006-09-25 Thread A.L.M. Buxey
Hi,

 When the domain is in the username the authentication fails; if the
 domain name isn't in the authentication, the authentication succeeds. I'm
 using the following ntlm_auth line in radiusd.conf:

You need to deal with your prefix (IMZ\\) - check the prefix section
of the radiusd config - and make sure prefix is enabled in the auth
sections. This should help deal with this issue.

alan



RE: PEAP-MSCHAPv2 against AD

2006-09-25 Thread Jonathan De Graeve
 
  Login incorrect: [IMZ\\jonathan/no User-Password attribute] (from
 
 Do you have:
 
 realm IMZ {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
 }
 
 In your proxy.conf file?

You don't need the realm (I already tried that one and that didn't work)
