Re: [PacketFence-users] Issues with machine authentication using MS-CHAPv2
Hello Matthies,

can you provide the radius debug section where you can see the call to ntlm_auth?

Regards
Fabrice

On Mon, 24 Oct 2022 at 11:29, Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> I troubleshot this issue a little further and discovered that there is no authentication sent to the domain controllers when using machine authentication. When switching to user auth, everything works fine and I see packages in the tcpdump.
>
> Is there something I’m missing? According to the official guide, this should work out of the box…
>
> Kind Regards
>
> Heiko Matthies
>
> <https://www.asap.de/newsroom/presse-detail/asap-gruppe-zaehlt-erneut-zu-bayerns-best-50>
>
> *ASAP Engineering GmbH* Sachsstraße 1A | 85080 Gaimersheim
> Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399
> heiko.matth...@asap.de | www.asap.de
>
> Managing Directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | District court: Ingolstadt HRB 5408
>
> Data protection: Detailed information on how ASAP handles your personal data is available on our website under Data protection. <http://www.asap.de/datenschutz/>
>
> *From:* Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net>
> *Sent:* Tuesday, 18 October 2022 18:21
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Matthies, Heiko
> *Subject:* [PacketFence-users] Issues with machine authentication using MS-CHAPv2
>
> Hello Guys,
>
> I’m trying to implement machine- and user authentication on Windows 10 Clients via MS-CHAPv2 using PacketFence v11.1. While the user authentication works like a charm, I’m having trouble setting up the machine authentication. I got the following log information from the radius debug log:
>
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: Auth-Type MS-CHAP {
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'User-Name'} = :User-Name -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = :NAS-IP-Address -> '10.23.16.10'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port'} = :NAS-Port -> '45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Framed-MTU'} = :Framed-MTU -> '1500'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'State'} = :State -> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Called-Station-Id'} = :Called-Station-Id -> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = :Calling-Station-Id -> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Identifier'} = :NAS-Identifier -> '**'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = :NAS-Port-Type -> 'Ethernet'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Event-Timestamp'} = :Event-Timestamp -> 'Oct 18 2022 18:52:46 CEST'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Message'} = :EAP-Message -> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Id'} = :NAS-Port-Id -> 'Tengigabitethernet1/0/45'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Key-Name'} = :EAP-Key-Name -> '0x00'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = :FreeRADIUS-Proxied-To -> '127.0.0.1'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = :MS-CHAP-Challenge -> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = :MS-CHAP2-Response -> ''
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Type'} = :EAP-Type -> 'MSCHAPv2'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Realm'} = :Realm -> 'group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = :MS-CHAP-User-Name -> 'host/IN19NB-1003.group.asap.de'
> Oct 18 17:52:46 in19sv-nws18 auth
[PacketFence-users] Issues with machine authentication using MS-CHAPv2
Hello Guys,

I'm trying to implement machine- and user authentication on Windows 10 Clients via MS-CHAPv2 using PacketFence v11.1. While the user authentication works like a charm, I'm having trouble setting up the machine authentication. I got the following log information from the radius debug log:

Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: Auth-Type MS-CHAP {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'User-Name'} = :User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = :NAS-IP-Address -> '10.23.16.10'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port'} = :NAS-Port -> '45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Framed-MTU'} = :Framed-MTU -> '1500'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'State'} = :State -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Called-Station-Id'} = :Called-Station-Id -> '**'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = :Calling-Station-Id -> '**'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Identifier'} = :NAS-Identifier -> '**'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = :NAS-Port-Type -> 'Ethernet'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Event-Timestamp'} = :Event-Timestamp -> 'Oct 18 2022 18:52:46 CEST'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Message'} = :EAP-Message -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Id'} = :NAS-Port-Id -> 'Tengigabitethernet1/0/45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Key-Name'} = :EAP-Key-Name -> '0x00'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = :FreeRADIUS-Proxied-To -> '127.0.0.1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = :MS-CHAP-Challenge -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = :MS-CHAP2-Response -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Type'} = :EAP-Type -> 'MSCHAPv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Realm'} = :Realm -> 'group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = :MS-CHAP-User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = :PacketFence-Domain -> 'group'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-KeyBalanced'} = :PacketFence-KeyBalanced -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Radius-Ip'} = :PacketFence-Radius-Ip -> '10.20.10.55'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-NTLMv2-Only'} = :PacketFence-NTLMv2-Only -> '--allow-mschapv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Outer-User'} = :PacketFence-Outer-User -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Auth-Type'} = :Auth-Type -> 'eap'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = :Proxy-To-Realm -> 'LOCAL'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'NT-Password'} = :NT-Password -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = :MS-CHAP-Use-NTLM-Auth -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'PacketFence-Tenant-Id'} = :PacketFence-Tenant-Id -> '1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Auth-Type'} = :Auth-Type -> 'eap'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = :Proxy-To-Realm -> 'LOCAL'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'NT-Password'} = :NT-Password -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'MS-CHAP-Use-NTLM-Auth'} = :MS-CHAP-Use-NTLM-Auth -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'PacketFence-Tenant-Id'} = :PacketFence-Tenant-Id -> '1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: :MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} -> 'host/IN19NB-1003.group.asap.de'
Oct
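
The attribute dump in this thread can be checked mechanically. The following is an added example, not part of the original messages or of PacketFence's code: a Python parser for the $RAD_REQUEST / $RAD_CHECK debug lines that reports whether a request is a machine account (host/ prefix) and what the MS-CHAP-Use-NTLM-Auth control attribute is set to. The names parse_requests and summarize are hypothetical, and the sample lines are copied from the log above.

```python
import re

# One "$RAD_x{'Attr'} = :Attr -> 'value'" entry from the packetfence module's debug dump.
ENTRY = re.compile(
    r"\((?P<req>\d+)\)\s+packetfence:\s+\$(?P<hash>RAD_[A-Z]+)"
    r"\{'(?P<attr>[^']+)'\}\s*=\s*:\S+\s*->\s*'(?P<val>[^']*)'"
)

# Sample input: a subset of the debug lines posted in this thread.
SAMPLE = """\
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'User-Name'} = :User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = :MS-CHAP-User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = :PacketFence-Domain -> 'group'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'NT-Password'} = :NT-Password -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = :MS-CHAP-Use-NTLM-Auth -> 'No'
"""


def parse_requests(text):
    """Group entries as {request_id: {hash_name: {attribute: value}}}.

    Uses finditer rather than line splitting, so it also works on log text
    whose line breaks were lost (as in a flattened mail archive)."""
    requests = {}
    for m in ENTRY.finditer(text):
        attrs = requests.setdefault(int(m["req"]), {}).setdefault(m["hash"], {})
        attrs[m["attr"]] = m["val"]
    return requests


def summarize(req):
    """Pull out the attributes that decide how the MS-CHAP response is verified."""
    request, check = req.get("RAD_REQUEST", {}), req.get("RAD_CHECK", {})
    user = request.get("MS-CHAP-User-Name") or request.get("User-Name", "")
    use_ntlm = check.get("MS-CHAP-Use-NTLM-Auth")
    return {
        "user": user,
        "machine_account": user.lower().startswith("host/"),
        "use_ntlm_auth": use_ntlm,
        # 'No' tells FreeRADIUS's mschap module not to run ntlm_auth.
        "ntlm_auth_disabled": (use_ntlm or "").lower() == "no",
        "nt_password_present": bool(check.get("NT-Password")),
    }


if __name__ == "__main__":
    for req_id, req in parse_requests(SAMPLE).items():
        print(req_id, summarize(req))
```

With MS-CHAP-Use-NTLM-Auth set to 'No', the mschap module verifies against a local NT-Password instead of running ntlm_auth, so these fields are worth comparing between a working user request and a failing machine request.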