Re: [PacketFence-users] Issues with machine authentication using MS-CHAPv2

2022-10-24 Thread Fabrice Durand via PacketFence-users
Hello Matthies,

Can you provide the radius debug section where you can see the call to
ntlm_auth?

Regards
Fabrice


On Mon, Oct 24, 2022 at 11:29, Matthies, Heiko via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
>
>
> I troubleshot this issue a little further and discovered that there
> is no authentication sent to the domain controllers when using machine
> authentication. When switching to user auth, everything works fine and I
> see packages in the tcpdump.
>
> Is there something I’m missing? According to the official guide, this
> should work out of the box…
>
>
>
> Kind Regards
>
>
>
> Heiko Matthies

[PacketFence-users] Issues with machine authentication using MS-CHAPv2

2022-10-18 Thread Matthies, Heiko via PacketFence-users
Hello Guys,

I'm trying to implement machine and user authentication on Windows 10 clients
via MS-CHAPv2 using PacketFence v11.1. While the user authentication works like
a charm, I'm having trouble setting up the machine authentication. I got the
following log information from the radius debug log:

Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) eap_mschapv2: Auth-Type MS-CHAP {
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'User-Name'} = :User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = :NAS-IP-Address -> '10.23.16.10'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port'} = :NAS-Port -> '45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Framed-MTU'} = :Framed-MTU -> '1500'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'State'} = :State -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Called-Station-Id'} = :Called-Station-Id -> '**'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = :Calling-Station-Id -> '**'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Identifier'} = :NAS-Identifier -> '**'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = :NAS-Port-Type -> 'Ethernet'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Event-Timestamp'} = :Event-Timestamp -> 'Oct 18 2022 18:52:46 CEST'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Message'} = :EAP-Message -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'NAS-Port-Id'} = :NAS-Port-Id -> 'Tengigabitethernet1/0/45'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Key-Name'} = :EAP-Key-Name -> '0x00'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = :FreeRADIUS-Proxied-To -> '127.0.0.1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = :MS-CHAP-Challenge -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = :MS-CHAP2-Response -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'EAP-Type'} = :EAP-Type -> 'MSCHAPv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'Realm'} = :Realm -> 'group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = :MS-CHAP-User-Name -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = :PacketFence-Domain -> 'group'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-KeyBalanced'} = :PacketFence-KeyBalanced -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Radius-Ip'} = :PacketFence-Radius-Ip -> '10.20.10.55'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-NTLMv2-Only'} = :PacketFence-NTLMv2-Only -> '--allow-mschapv2'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_REQUEST{'PacketFence-Outer-User'} = :PacketFence-Outer-User -> 'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Auth-Type'} = :Auth-Type -> 'eap'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = :Proxy-To-Realm -> 'LOCAL'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'NT-Password'} = :NT-Password -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = :MS-CHAP-Use-NTLM-Auth -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CHECK{'PacketFence-Tenant-Id'} = :PacketFence-Tenant-Id -> '1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Auth-Type'} = :Auth-Type -> 'eap'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = :Proxy-To-Realm -> 'LOCAL'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'NT-Password'} = :NT-Password -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'MS-CHAP-Use-NTLM-Auth'} = :MS-CHAP-Use-NTLM-Auth -> 'No'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: $RAD_CONFIG{'PacketFence-Tenant-Id'} = :PacketFence-Tenant-Id -> '1'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence: :MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} -> 'host/IN19NB-1003.group.asap.de'
Oct
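
Added example, not part of the original thread and not PacketFence code: a small Python parser for a wrapped debug log like the one above. It collects the $RAD_REQUEST / $RAD_CHECK values and reports the ones relevant to the ntlm_auth question, in particular the control attribute MS-CHAP-Use-NTLM-Auth, which FreeRADIUS's mschap module consults before calling ntlm_auth. The function names are hypothetical and the sample input is constructed from lines in the post.

```python
import re

# Constructed sample: a few entries copied from the log in the post, wrapped
# the way the mail archive wraps them.
SAMPLE = """\
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
$RAD_REQUEST{'User-Name'} = :User-Name ->
'host/IN19NB-1003.group.asap.de'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
$RAD_REQUEST{'PacketFence-Domain'} = :PacketFence-Domain -> 'group'
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
$RAD_CHECK{'NT-Password'} = :NT-Password -> ''
Oct 18 17:52:46 in19sv-nws18 auth[26857]: (11) packetfence:
$RAD_CHECK{'MS-CHAP-Use-NTLM-Auth'} = :MS-CHAP-Use-NTLM-Auth -> 'No'
"""

# $RAD_<LIST>{'<attribute>'} = <source> -> '<value>'
ENTRY = re.compile(r"\$(RAD_[A-Z]+)\{'([^']+)'\}\s*=\s*\S*\s*->\s*'([^']*)'")


def parse_attrs(log):
    """Return {list_name: {attribute: value}} from the perl module's debug output."""
    # Drop mail quote markers, then undo the archive's line wrapping.
    text = re.sub(r"^[> ]+", "", log, flags=re.M)
    text = re.sub(r"\s+", " ", text)
    attrs = {}
    for list_name, attr, value in ENTRY.findall(text):
        attrs.setdefault(list_name, {})[attr] = value
    return attrs


def diagnose(attrs):
    """Summarise the values that matter for the machine-auth / ntlm_auth question."""
    req = attrs.get("RAD_REQUEST", {})
    check = attrs.get("RAD_CHECK", {})
    use_ntlm = check.get("MS-CHAP-Use-NTLM-Auth")
    return {
        "machine_account": req.get("User-Name", "").startswith("host/"),
        "domain": req.get("PacketFence-Domain"),
        "use_ntlm_auth": use_ntlm,
        # 'No' tells the mschap module not to run ntlm_auth for this request.
        "ntlm_auth_skipped": use_ntlm is not None and use_ntlm.lower() == "no",
        # Empty in the posted log; the archive may also have redacted it.
        "nt_password_logged_empty": check.get("NT-Password") == "",
    }


if __name__ == "__main__":
    print(diagnose(parse_attrs(SAMPLE)))
```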