Re: Authenticating against AD issues

2010-11-01 Thread Nick Owen
On Fri, Oct 29, 2010 at 6:37 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> This may be 100% off the mark, but have you tried using the AD RADIUS
>> plugin IAS? I have tested its support for proxying for a
>> proof-of-concept and it was quite simple to set up. I have no
>> production experience.
>
> cough, splutter. Why use IAS? This is a FreeRADIUS mailing list.
> FR is superior in so many ways it's not even funny... so if the choice
> of RADIUS is FR, then why think of using another one? AD
> integration with FR works fine (we use it and have AAA action of several
> thousand sessions per hour) - some distros and setups (particularly the Windows
> side of the setup) may require some extra knowledge. Binding our
> systems to the local ADs (all 3 of them) was trivial.


Oh, yes, to be clear, I only meant to use IAS to check the membership
in AD from FreeRADIUS, not as a replacement for FreeRADIUS. I do give
credit to MS for their support of the standard.

nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating against AD issues

2010-10-29 Thread Nick Owen
On Thu, Oct 28, 2010 at 6:15 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>>> I ran across a post on the Red Hat forums that stated that you must
>>> start smbd before winbindd; otherwise, even though running ntlm_auth
>>> seems to work from the command line, it doesn't work when running
>>> FreeRADIUS.
>>
>> Interesting; do you have a link?
>
> I can't pull out a direct link, but can say that standard system scripts
> start smbd before winbindd - as winbindd uses some Samba resources it
> does make sense.
>
> alan


This may be 100% off the mark, but have you tried using the AD RADIUS
plugin IAS? I have tested its support for proxying for a
proof-of-concept and it was quite simple to set up. I have no
production experience.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating against AD issues

2010-10-29 Thread Alan Buxey
Hi,

> This may be 100% off the mark, but have you tried using the AD RADIUS
> plugin IAS? I have tested its support for proxying for a
> proof-of-concept and it was quite simple to set up. I have no
> production experience.

cough, splutter. Why use IAS? This is a FreeRADIUS mailing list.
FR is superior in so many ways it's not even funny... so if the choice
of RADIUS is FR, then why think of using another one? AD
integration with FR works fine (we use it and have AAA action of several
thousand sessions per hour) - some distros and setups (particularly the Windows
side of the setup) may require some extra knowledge. Binding our
systems to the local ADs (all 3 of them) was trivial.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Authenticating against AD issues

2010-10-28 Thread Johnson, Neil M


I've been following the recipe on the Deploying RADIUS web site,
but I have been unable to get an iPhone or laptop to authenticate to
wireless.

It appears from the log that ntlm_auth is behaving correctly but the
challenge continues.


I'm running 2.1.9 on Fedora 12 using the demonstration certificates.

Here is the last part of the log file:

Thanks in advance.
-Neil

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See man unlang for details
[mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo
[mschap]  mschap2: 5e
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=13fe382b60e3bba9
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=24bf15cdc812e5f7fb9723f21143bb775b24a1914870caf0
Exec-Program output: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program-Wait: plaintext: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a00331a0309002e533d36463744463330464436383432423542423738463736454339423230454534453639434431463338
Message-Authenticator = 0x
State = 0x9b59f55f9a53ef43871eb82ef0802a05
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00331a0309002e533d36463744463330464436383432423542423738463736454339423230454534453639434431463338
Message-Authenticator = 0x
State = 0x9b59f55f9a53ef43871eb82ef0802a05
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 112 to 128.255.11.74 port 32768
EAP-Message = 0x010a005b19001703010050f59dec82774ce4b8dc5bb542e29881b2cb321a7136c39e4f1a498708fa2515da475f29ec726bd310dd96ab7ae6de4a85f079285567b375a7fa02d137f9d0d2adcf75dc887c91c50a41e041c13b370882
Message-Authenticator = 0x
State = 0xa489d972ac83c05d8d6d2302f3fa3977
Finished request 17.
Going to the next request
Waking up in 3.2 seconds.
Cleaning up request 0 ID 95 with timestamp +9
Cleaning up request 1 ID 96 with timestamp +9
Cleaning up request 2 ID 97 with timestamp +9
Cleaning up request 3 ID 98 with timestamp +9
Cleaning up request 4 ID 99 with timestamp +9
Cleaning up request 5 ID 100 with timestamp +9
Cleaning up request 6 ID 101 with timestamp +9
Cleaning up request 7 ID 102 with timestamp +9
Cleaning up request 8 ID 103 with timestamp +9
Waking up in 1.0 seconds.
Cleaning up request 9 ID 104 with timestamp +10
Cleaning up request 10 ID 105 with timestamp +10
Cleaning up request 11 ID 106 with timestamp +10
Cleaning up request 12 ID 107 with timestamp +10
Cleaning up request 13 ID 108 with timestamp +10
Cleaning up request 14 ID 109 with timestamp +10
Cleaning up request 15 ID 110 with timestamp +10
Cleaning up request 16 ID 111 with timestamp +10
Cleaning up request 17 ID 112 with timestamp +10
Ready to process requests.

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Authenticating against AD issues

2010-10-28 Thread Sallee, Stephen (Jake)
Did you enable the "WITH NT DOMAIN HACK" in your MSCHAP module?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authenticating against AD issues

2010-10-28 Thread Phil Mayers

On 28/10/10 15:48, Johnson, Neil M wrote:

> I've been following the recipe on the Deploying RADIUS web site, but
> I have been unable to get an iPhone or laptop to authenticate to wireless.
>
> It appears from the log that ntlm_auth is behaving correctly but the
> challenge continues.
>
> I'm running 2.1.9 on Fedora 12 using the demonstration certificates.
>
> Here is the last part of the log file:


Hmm. Since this happens inside the PEAP tunnel, I don't think it's the
usual bad-certs error. I suspect it's the "Buggy samba mis-calculating
MS-CHAP response" issue. See here for the latest round of discussion:

http://freeradius.1045715.n5.nabble.com/which-samba-version-patch-for-Active-Directory-2008-td2837914.html

Samba 3.0.x is known to work, as are very recent 3.5 or 3.4 releases. For
other versions, you may need the patch here:

https://bugzilla.samba.org/show_bug.cgi?id=7568
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating against AD issues

2010-10-28 Thread Phil Mayers

On 28/10/10 16:14, Sallee, Stephen (Jake) wrote:

> Did you enable the "WITH NT DOMAIN HACK" in your MSCHAP module?

Oops, well spotted - disregard my email. Jake is right - you have
DOMAIN\user going into ntlm_auth, which may be messing up the
challenge/response calculation.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
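Phil's remark that the user name string feeds into the MS-CHAP challenge/response calculation can be checked against RFC 2759: the 8-byte value that rlm_mschap hands to ntlm_auth as --challenge= is ChallengeHash, SHA-1 over PeerChallenge, AuthenticatorChallenge and the user name (the RFC specifies the name as presented by the peer, with any prepended domain excluded), truncated to 8 bytes. The Python below is an added illustration, not code from this thread or from FreeRADIUS or Samba. The two 16-byte challenges are constructed, strip_nt_domain is my stand-in for what the mschap module's with_ntdomain_hack does (assumed to be a split on the first backslash), and the point it shows is that "IOWA\nmjoo" and "nmjoo" hash to different 8-byte challenges, so the NT-Response the client computed can only verify if the server derives the challenge from the same name string the client used.

```python
import hashlib


def strip_nt_domain(username: str) -> str:
    """Drop a leading NT 'DOMAIN\\' prefix and return the bare account name.

    Stand-in for the mschap module's with_ntdomain_hack (assumption: it
    simply splits on the first backslash).
    """
    _domain, sep, user = username.partition("\\")
    return user if sep else username


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash.

    SHA-1 over PeerChallenge (16 bytes) || AuthenticatorChallenge (16 bytes)
    || UserName, truncated to 8 bytes.  This is the DES challenge that ends
    up in the --challenge= argument seen in the radiusd -X output.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("ascii"))  # RFC 2759: 0-to-256 char ASCII name
    return h.digest()[:8]


# Constructed challenge values for the demonstration (not taken from the log).
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))


def compare_challenges(username_as_sent: str) -> dict:
    """Hash the name as it arrived and its domain-stripped form side by side."""
    bare = strip_nt_domain(username_as_sent)
    as_sent = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, username_as_sent)
    stripped = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, bare)
    return {
        "as_sent": as_sent.hex(),
        "bare": stripped.hex(),
        # True whenever a DOMAIN\ prefix was present: the two sides would be
        # verifying against different challenges.
        "differ": as_sent != stripped,
    }


if __name__ == "__main__":
    for name in ("IOWA\\nmjoo", "nmjoo"):
        r = compare_challenges(name)
        print(f"{name!r:14} as sent: {r['as_sent']}  bare: {r['bare']}  differ: {r['differ']}")
```

Run it directly to see the two hex challenges; the "bare" value is the same for both inputs, while the "as sent" value for the domain-qualified name is a different 8 bytes.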


RE: Authenticating against AD issues

2010-10-28 Thread Johnson, Neil M
Yes, I did.

Thanks.
-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: freeradius-users-bounces+neil-johnson=uiowa@lists.freeradius.org
[mailto:freeradius-users-bounces+neil-johnson=uiowa@lists.freeradius.org]
On Behalf Of Sallee, Stephen (Jake)
Sent: Thursday, October 28, 2010 10:15 AM
To: FreeRadius users mailing list
Subject: RE: Authenticating against AD issues

Did you enable the "WITH NT DOMAIN HACK" in your MSCHAP module?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authenticating against AD issues

2010-10-28 Thread Phil Mayers

On 28/10/10 16:22, Johnson, Neil M wrote:

> Yes, I did.

Ah. However, the debug output says:

> [mschap] expand: %{Stripped-User-Name} ->
> [mschap] ... expanding second conditional
> [mschap] WARNING: Deprecated conditional expansion ":-". See man unlang for details
> [mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
> [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo

i.e. the username still contains a DOMAIN\. You need to change the
ntlm_auth command in /etc/raddb/modules/mschap to have:

   ntlm_auth = ... --username=%{mschap:User-Name} ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
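The diagnosis above was made by reading the radiusd -X output by eye. The Python below is an added triage helper, not part of this thread or of FreeRADIUS: it scans debug output in the line formats quoted in the thread (expand: --username=... -> --username=VALUE, the deprecated ":-" warning, Exec-Program: returned: N, MSCHAP Success) and reports the things Jake and Phil were checking for: a DOMAIN\ prefix reaching ntlm_auth, the deprecated expansion, a non-zero ntlm_auth exit status, and whether the inner tunnel actually succeeded. The three sample logs are constructed (modelled on the quoted lines, with made-up challenge, key and status values); that the line formats match what radiusd 2.x prints is an assumption taken from the thread.

```python
import re
from typing import Dict, List

# Constructed radiusd -X excerpts modelled on the thread (all values made up).
# 1. Before Phil's change: DOMAIN\user reaches ntlm_auth via a deprecated ":-" expansion.
LOG_DOMAIN_PREFIX = r"""
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See man unlang for details
[mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=0011223344556677
Exec-Program output: NT_KEY: 00112233445566778899AABBCCDDEEFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
"""

# 2. After the change: bare user name plus --domain, ntlm_auth succeeds.
LOG_FIXED = r"""
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-IOWA} -> --domain=IOWA
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8899aabbccddeeff
Exec-Program output: NT_KEY: 00112233445566778899AABBCCDDEEFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
"""

# 3. ntlm_auth itself failing (constructed output; e.g. winbindd not usable yet).
LOG_NTLM_AUTH_FAILED = r"""
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8899aabbccddeeff
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
++[mschap] returns reject
"""

USERNAME_RE = re.compile(r"expand: --username=\S+ -> --username=(\S*)")
CHALLENGE_RE = re.compile(r"-> --challenge=([0-9A-Fa-f]*)")
RETURNED_RE = re.compile(r"Exec-Program: returned: (\d+)")


def triage_mschap_log(text: str) -> Dict[str, object]:
    """Summarise what the mschap/ntlm_auth lines of a debug log tell a reviewer."""
    findings: List[str] = []
    usernames = USERNAME_RE.findall(text)
    for name in usernames:
        if "\\" in name:  # DOMAIN\user went to ntlm_auth (Jake's and Phil's point)
            findings.append(
                f"domain-qualified user {name!r} passed to ntlm_auth; "
                "use --username=%{mschap:User-Name} (or with_ntdomain_hack)")
    if "Deprecated conditional expansion" in text:
        findings.append('deprecated ":-" expansion in the ntlm_auth line; '
                        "rewrite it with %{mschap:User-Name}")
    for chal in CHALLENGE_RE.findall(text):
        if len(chal) != 16:  # ChallengeHash output is 8 bytes = 16 hex digits
            findings.append(f"challenge {chal!r} is not 8 bytes")
    exit_codes = RETURNED_RE.findall(text)
    for code in exit_codes:
        if code != "0":
            findings.append(f"ntlm_auth exited {code}; read the Exec-Program output "
                            "and check winbindd (the thread: start smbd before winbindd)")
    # Inner-tunnel MS-CHAPv2 succeeded only if ntlm_auth ran and returned 0
    # and the module printed MSCHAP Success.
    inner_ok = ("MSCHAP Success" in text and bool(exit_codes)
                and all(c == "0" for c in exit_codes))
    return {"usernames": usernames, "inner_auth_ok": inner_ok, "findings": findings}


if __name__ == "__main__":
    for label, log in (("domain prefix", LOG_DOMAIN_PREFIX), ("fixed", LOG_FIXED),
                       ("ntlm_auth failed", LOG_NTLM_AUTH_FAILED)):
        report = triage_mschap_log(log)
        print(f"--- {label}: inner_auth_ok={report['inner_auth_ok']}")
        for finding in report["findings"]:
            print("  *", finding)
```

Feed it the mschap section of a real radiusd -X capture (triage_mschap_log(open(path).read())); an empty findings list with inner_auth_ok True means the inner tunnel is fine and, as in Neil's later logs, the problem has to be looked for elsewhere.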


RE: Authenticating against AD issues

2010-10-28 Thread Johnson, Neil M
Okay, I made those changes, but it still isn't working.

New log output:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo
[mschap] expand: %{mschap:NT-Domain} -> IOWA
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-IOWA} -> --domain=IOWA
[mschap]  mschap2: f7
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7ec345e462e886cc
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a702419f587f109f326572c6e275dde4c144ccf18a11cc1d
Exec-Program output: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program-Wait: plaintext: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
Message-Authenticator = 0x
State = 0x685b4a666951502b3811a806682630a9
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
Message-Authenticator = 0x
State = 0x685b4a666951502b3811a806682630a9
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 128.255.11.74 port 32768
EAP-Message = 0x010a005b19001703010050a8e7120ce3206005ece77b52e24df05d1ea02d75ff3620697699ee570a8b6a06d08cc95c2d4f4985bd9d8754d8a895ca87582ba6f7973a78d16d781735fb1e7274f297ef87971da17a0f708d6d0d
Message-Authenticator = 0x
State = 0x122499391a2e80cc44ec4cdf9c13104c
Finished request 17.
Going to the next request
Waking up in 3.2 seconds.
C

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authenticating against AD issues

2010-10-28 Thread Johnson, Neil M
Could this be the Samba bug? I'm running Samba 3.4.9. I thought it was
fixed in that release.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authenticating against AD issues

2010-10-28 Thread Johnson, Neil M

I ran across a post on the Red Hat forums that stated that you must start smbd
before winbindd; otherwise, even though running ntlm_auth seems to work from the
command line, it doesn't work when running FreeRADIUS.

Issue resolved. Thanks for the help.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 



Re: Authenticating against AD issues

2010-10-28 Thread Phil Mayers

On 10/28/2010 09:02 PM, Johnson, Neil M wrote:


> I ran across a post on the Red Hat forums that stated that you must
> start smbd before winbindd; otherwise, even though running ntlm_auth
> seems to work from the command line, it doesn't work when running
> FreeRADIUS.

Interesting; do you have a link?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating against AD issues

2010-10-28 Thread Alan Buxey
Hi,

>> I ran across a post on the Red Hat forums that stated that you must
>> start smbd before winbindd; otherwise, even though running ntlm_auth
>> seems to work from the command line, it doesn't work when running
>> FreeRADIUS.
>
> Interesting; do you have a link?

I can't pull out a direct link, but can say that standard system scripts
start smbd before winbindd - as winbindd uses some Samba resources it
does make sense.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html