Re: Authenticating against AD issues
On Fri, Oct 29, 2010 at 6:37 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> cough, splutter. Why use IAS? This is a FreeRADIUS mailing list. FR is superior in so many ways it's not even funny, so if the choice of RADIUS is FR, then why think of using another one?

Oh, yes, to be clear, I only meant to use IAS to check the membership in AD from FreeRADIUS, not as a replacement of FreeRADIUS. I do give credit to MS for their support of the standard.

nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenticating against AD issues
On Thu, Oct 28, 2010 at 6:15 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> I can't pull out a direct link but can say that standard system scripts start smbd before winbindd; as winbindd uses some Samba resources it does make sense.

This may be 100% off the mark, but have you tried using the AD RADIUS plugin, IAS? I have tested its support for proxying for a proof-of-concept and it was quite simple to set up. I have no production experience.

nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
Re: Authenticating against AD issues
Hi,

> This may be 100% off the mark, but have you tried using the AD RADIUS plugin, IAS? I have tested its support for proxying for a proof-of-concept and it was quite simple to set up. I have no production experience.

cough, splutter. Why use IAS? This is a FreeRADIUS mailing list. FR is superior in so many ways it's not even funny, so if the choice of RADIUS is FR, then why think of using another one?

AD integration with FR works fine (we use it and have AAA action of several thousand sessions per hour); some distros and setups (particularly the Windows side of the setup) may require some extra knowledge. Binding our systems to the local ADs (all 3 of them) was trivial.

alan
Authenticating against AD issues
I've been following the recipe on the Deploying RADIUS web site, but I have been unable to get an iPhone or laptop to authenticate to wireless. It appears from the log that ntlm_auth is behaving correctly but the challenge continues. I'm running 2.1.9 on Fedora 12 using the demonstration certificates. Here is the last part of the log file:

Thanks in advance.
-Neil

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo
[mschap] mschap2: 5e
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=13fe382b60e3bba9
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=24bf15cdc812e5f7fb9723f21143bb775b24a1914870caf0
Exec-Program output: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program-Wait: plaintext: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x010a00331a0309002e533d36463744463330464436383432423542423738463736454339423230454534453639434431463338
    Message-Authenticator = 0x
    State = 0x9b59f55f9a53ef43871eb82ef0802a05
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x010a00331a0309002e533d36463744463330464436383432423542423738463736454339423230454534453639434431463338
    Message-Authenticator = 0x
    State = 0x9b59f55f9a53ef43871eb82ef0802a05
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 112 to 128.255.11.74 port 32768
    EAP-Message = 0x010a005b19001703010050f59dec82774ce4b8dc5bb542e29881b2cb321a7136c39e4f1a498708fa2515da475f29ec726bd310dd96ab7ae6de4a85f079285567b375a7fa02d137f9d0d2adcf75dc887c91c50a41e041c13b370882
    Message-Authenticator = 0x
    State = 0xa489d972ac83c05d8d6d2302f3fa3977
Finished request 17.
Going to the next request
Waking up in 3.2 seconds.
Cleaning up request 0 ID 95 with timestamp +9
Cleaning up request 1 ID 96 with timestamp +9
Cleaning up request 2 ID 97 with timestamp +9
Cleaning up request 3 ID 98 with timestamp +9
Cleaning up request 4 ID 99 with timestamp +9
Cleaning up request 5 ID 100 with timestamp +9
Cleaning up request 6 ID 101 with timestamp +9
Cleaning up request 7 ID 102 with timestamp +9
Cleaning up request 8 ID 103 with timestamp +9
Waking up in 1.0 seconds.
Cleaning up request 9 ID 104 with timestamp +10
Cleaning up request 10 ID 105 with timestamp +10
Cleaning up request 11 ID 106 with timestamp +10
Cleaning up request 12 ID 107 with timestamp +10
Cleaning up request 13 ID 108 with timestamp +10
Cleaning up request 14 ID 109 with timestamp +10
Cleaning up request 15 ID 110 with timestamp +10
Cleaning up request 16 ID 111 with timestamp +10
Cleaning up request 17 ID 112 with timestamp +10
Ready to process requests.

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu
RE: Authenticating against AD issues
Did you enable the "WITH NT DOMAIN HACK" in your MSCHAP module?

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

From: Johnson, Neil M
Sent: Thursday, October 28, 2010 9:48 AM
To: freeradius-users@lists.freeradius.org
Subject: Authenticating against AD issues

> I've been following the recipe on the Deploying RADIUS web site, but I have been unable to get an iPhone or laptop to authenticate to wireless. It appears from the log that ntlm_auth is behaving correctly but the challenge continues. I'm running 2.1.9 on Fedora 12 using the demonstration certificates. Here is the last part of the log file:
Re: Authenticating against AD issues
On 28/10/10 15:48, Johnson, Neil M wrote:
> I've been following the recipe on the Deploying RADIUS web site, but I have been unable to get an iPhone or laptop to authenticate to wireless. It appears from the log that ntlm_auth is behaving correctly but the challenge continues. I'm running 2.1.9 on Fedora 12 using the demonstration certificates. Here is the last part of the log file:

Hmm. Since this happens inside the PEAP tunnel, I don't think it's the usual "bad certs" error.

I suspect it's the "buggy Samba mis-calculating MS-CHAP response" issue. See here for the latest round of discussion:

http://freeradius.1045715.n5.nabble.com/which-samba-version-patch-for-Active-Directory-2008-td2837914.html

Samba 3.0.x is known to work, as are very recent 3.5 or 3.4 releases. For other versions, you may need the patch here:

https://bugzilla.samba.org/show_bug.cgi?id=7568
Re: Authenticating against AD issues
On 28/10/10 16:14, Sallee, Stephen (Jake) wrote:
> Did you enable the "WITH NT DOMAIN HACK" in your MSCHAP module?

Oops, well spotted - disregard my email.

Jake is right - you have DOMAIN\user going into ntlm_auth, which may be messing up the challenge/response calculation.
RE: Authenticating against AD issues
Yes, I did.

Thanks.
-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: Sallee, Stephen (Jake)
Sent: Thursday, October 28, 2010 10:15 AM
To: FreeRadius users mailing list
Subject: RE: Authenticating against AD issues

> Did you enable the "WITH NT DOMAIN HACK" in your MSCHAP module?
Re: Authenticating against AD issues
On 28/10/10 16:22, Johnson, Neil M wrote:
> Yes, I did.

Ah. However, the debug output says:

[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo

i.e. the username still contains a DOMAIN\. You need to change the ntlm_auth command in /etc/raddb/modules/mschap to have:

ntlm_auth = ... --username=%{mschap:User-Name} ...
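An added example, not code from the thread or from FreeRADIUS, that makes Phil's check mechanical and also decodes the inner-tunnel EAP-Message from Neil's first log: it pulls the literal username handed to ntlm_auth out of the expand line and flags a DOMAIN\ prefix, and it parses the hex EAP-Message as an EAP packet carrying MS-CHAPv2, which turns out to be the Success Request whose S= value (the authenticator response) the client verifies before it accepts the authentication. The sample lines are constructed from values quoted in the thread.

```python
"""Decode the mschap/peap debug lines quoted in this thread.

Added example (not code from the thread or from FreeRADIUS). Sample lines
are constructed from values quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed: the --username expand line from Neil's first log and from the
# second log after Phil's %{mschap:User-Name} change.
EXPAND_BEFORE = r"[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo"
EXPAND_AFTER = r"[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo"

# Constructed: the EAP-Message of "[peap] Got tunneled reply code 11" in Neil's first log.
INNER_EAP_HEX = "0x010a00331a0309002e533d36463744463330464436383432423542423738463736454339423230454534453639434431463338"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure",
                    7: "Change-Password"}


def ntlm_auth_username(line):
    """Literal value handed to ntlm_auth --username, or None for other lines."""
    m = re.search(r"->\s*--username=(\S+)\s*$", line)
    return m.group(1) if m else None


def username_has_domain_prefix(username):
    """True when a DOMAIN\\user form reached ntlm_auth. With with_ntdomain_hack
    and --username=%{mschap:User-Name} this should be False."""
    return "\\" in username


@dataclass
class MsChapV2Packet:
    eap_code: str
    eap_id: int
    eap_length: int
    opcode: str
    ms_id: int
    ms_length: int
    message: str


def decode_eap_mschapv2(eap_hex):
    """Parse an EAP packet (RFC 3748 header) carrying an EAP-MSCHAPv2 payload."""
    raw = bytes.fromhex(eap_hex[2:] if eap_hex.startswith("0x") else eap_hex)
    if len(raw) < 9:
        raise ValueError("too short for an EAP-MSCHAPv2 packet")
    code, eap_id = raw[0], raw[1]
    eap_len = int.from_bytes(raw[2:4], "big")
    if eap_len != len(raw):
        raise ValueError(f"EAP length {eap_len} != {len(raw)} bytes present")
    if raw[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP type {raw[4]} is not MS-CHAPv2 (26)")
    body = raw[5:]                      # opcode, MS-CHAPv2 id, MS-length, data
    opcode, ms_id = body[0], body[1]
    ms_len = int.from_bytes(body[2:4], "big")
    if ms_len != len(body):
        raise ValueError(f"MS-Length {ms_len} != {len(body)} bytes present")
    # In a Success Request the data is "S=<40 hex digits>" (the authenticator
    # response), optionally followed by " M=<message>".
    message = body[4:].decode("ascii", errors="replace")
    return MsChapV2Packet(EAP_CODES.get(code, str(code)), eap_id, eap_len,
                          MSCHAPV2_OPCODES.get(opcode, str(opcode)),
                          ms_id, ms_len, message)


def authenticator_response(pkt):
    """The S= value of a Success Request (what the client checks before it
    accepts the authentication), or None for any other packet."""
    if pkt.opcode != "Success":
        return None
    m = re.match(r"S=([0-9A-F]{40})", pkt.message)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in (EXPAND_BEFORE, EXPAND_AFTER):
        user = ntlm_auth_username(line)
        print(f"--username={user}: domain prefix = {username_has_domain_prefix(user)}")
    pkt = decode_eap_mschapv2(INNER_EAP_HEX)
    print(pkt)
    print("authenticator response S=", authenticator_response(pkt))
```

Running it on the first log shows the inner tunnel already reached the MS-CHAPv2 Success Request, so what the server still waits for is the client's acknowledgement of that S= value.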
RE: Authenticating against AD issues
Okay, I made those changes, but it still isn't working. New log output:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo
[mschap] expand: %{mschap:NT-Domain} -> IOWA
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-IOWA} -> --domain=IOWA
[mschap] mschap2: f7
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7ec345e462e886cc
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a702419f587f109f326572c6e275dde4c144ccf18a11cc1d
Exec-Program output: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program-Wait: plaintext: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
    Message-Authenticator = 0x
    State = 0x685b4a666951502b3811a806682630a9
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
    Message-Authenticator = 0x
    State = 0x685b4a666951502b3811a806682630a9
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 128.255.11.74 port 32768
    EAP-Message = 0x010a005b19001703010050a8e7120ce3206005ece77b52e24df05d1ea02d75ff3620697699ee570a8b6a06d08cc95c2d4f4985bd9d8754d8a895ca87582ba6f7973a78d16d781735fb1e7274f297ef87971da17a0f708d6d0d
    Message-Authenticator = 0x
    State = 0x122499391a2e80cc44ec4cdf9c13104c
Finished request 17.
Going to the next request
Waking up in 3.2 seconds.
C

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

-----Original Message-----
From: Phil Mayers
Sent: Thursday, October 28, 2010 10:44 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authenticating against AD issues

> i.e. the username still contains a DOMAIN\. You need to change the ntlm_auth command in /etc/raddb/modules/mschap to have:
>
> ntlm_auth = ... --username=%{mschap:User-Name} ...
RE: Authenticating against AD issues
Could this be the Samba bug? I'm running 3.4.9 of Samba. I thought it was fixed in that release.

-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

-----Original Message-----
From: Johnson, Neil M
Sent: Thursday, October 28, 2010 10:58 AM
To: FreeRadius users mailing list
Subject: RE: Authenticating against AD issues

> Okay, I made those changes, but it still isn't working. New log output:
RE: Authenticating against AD issues
I ran across a post on the Red Hat forums that stated that you must start smbd before winbindd; otherwise, even though running ntlm_auth seems to work from the command line, it doesn't work when running FreeRADIUS.

Issue resolved. Thanks for the help.

-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

-----Original Message-----
From: Johnson, Neil M
Sent: Thursday, October 28, 2010 11:27 AM
To: FreeRadius users mailing list
Subject: RE: Authenticating against AD issues

> Could this be the Samba bug? I'm running 3.4.9 of Samba. I thought it was fixed in that release.
Re: Authenticating against AD issues
On 10/28/2010 09:02 PM, Johnson, Neil M wrote:
> I ran across a post on the Red Hat forums that stated that you must start smbd before winbindd; otherwise, even though running ntlm_auth seems to work from the command line, it doesn't work when running FreeRADIUS.

interesting; do you have a link?
Re: Authenticating against AD issues
Hi,

>> I ran across a post on the Red Hat forums that stated that you must start smbd before winbindd; otherwise, even though running ntlm_auth seems to work from the command line, it doesn't work when running FreeRADIUS.
>
> interesting; do you have a link?

I can't pull out a direct link but can say that standard system scripts start smbd before winbindd; as winbindd uses some Samba resources it does make sense.

alan