Machine Authentication with PEAP
Has anyone gotten Machine Authentication with PEAP working?

rad_recv: Access-Request packet from host 10.0.1.21:32768, id=2, length=342
        User-Name = host/boy-it-tel-2528.campus.bridgew.edu
        Calling-Station-Id = 00-0B-7D-1B-B0-BA
        Called-Station-Id = 00-0B-85-5F-66-E0:[EMAIL PROTECTED]
        NAS-Port = 29
        NAS-IP-Address = 10.0.1.21
        NAS-Identifier = BUWISM2-1
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 4000
        EAP-Message = 0x020900791900170301006ed6d5858d2d5e437d5127e2f91a69520faa2104d0573c0a1d 098dce6c763982b9a2b160a55541d1fcec125fb106c4668c 0d3d5b4facf2737febb2a5f98c4344d36b9c4fbcf52f2b6d3d613b79f6a123bf30d5e5bc 09d2cf2859aabada6c297a14d782995bce310f879a006e2c6ba0
        State = 0x332bd4a26a3495ca8b876c3936b99a50
        Message-Authenticator = 0x4fec0b430cc29964546aa3c9fee52d2c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
  modcall[authorize]: module preprocess returns ok for request 40
radius_xlat: '/var/log/freeradius/radacct/10.0.1.21/auth-detail-20060309'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.1.21/auth-detail-20060309
  modcall[authorize]: module auth_log returns ok for request 40
  modcall[authorize]: module chap returns noop for request 40
  modcall[authorize]: module mschap returns noop for request 40
    rlm_realm: No '@' in User-Name = host/boy-it-tel-2528.campus.bridgew.edu, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 40
  rlm_eap: EAP packet type response id 9 length 121
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 40
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module files returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 40
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020900621a0209005d310575b329205687211101eef2ea1463b6c9 2c121419368a6b599e159c9ef21bbc4d98138946d6df2900 686f73742f626f792d69742d74656c2d323532382e63616d7075732e627269646765772e 656475
  PEAP: Setting User-Name to host/boy-it-tel-2528.campus.bridgew.edu
  PEAP: Adding old state with c0 be
  PEAP: Sending tunneled request
        EAP-Message = 0x020900621a0209005d310575b329205687211101eef2ea1463b6c9 2c121419368a6b599e159c9ef21bbc4d98138946d6df2900 686f73742f626f792d69742d74656c2d323532382e63616d7075732e627269646765772e 656475
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = host/boy-it-tel-2528.campus.bridgew.edu
        State = 0xc0be9e82d71e93ec07c4074441377fb0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
  modcall[authorize]: module preprocess returns ok for request 40
radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20060309'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20060309
  modcall[authorize]: module auth_log returns ok for request 40
  modcall[authorize]: module chap returns noop for request 40
  modcall[authorize]: module mschap returns noop for request 40
    rlm_realm: No '@' in User-Name = host/boy-it-tel-2528.campus.bridgew.edu, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 40
  rlm_eap: EAP packet type response id 9 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 40
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the
Re: Machine Authentication with PEAP
> -- Message: 6
> Date: Thu, 9 Mar 2006 13:17:48 -0500
> From: King, Michael [EMAIL PROTECTED]
> Subject: Machine Authentication with PEAP
>
> Has anyone gotten Machine Authentication with PEAP working?

Yes

> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29 '
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

From my experience this means the credentials the machine is sending are wrong or your version of samba is too old - get 3.0.21c (or at least 3.0.21a)

Regards,
James

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Machine Authentication with PEAP
-----Original Message-----
From: [mailto:[EMAIL PROTECTED] adius.org] On Behalf Of james
Sent: Thursday, March 09, 2006 3:06 PM

> From my experience this means the credentials the machine is sending are wrong or your version of samba is too old - get 3.0.21c (or at least 3.0.21a)
>
> Regards,
> James

I wish it was that easy. I'm using the Debian package of the Testing release. It's currently at 3.0.21b.

Does it have anything to do with the host/ getting stripped off?
Re: Machine Authentication with PEAP
> -- Message: 6
> Date: Thu, 9 Mar 2006 13:17:48 -0500
> From: King, Michael [EMAIL PROTECTED]
> Subject: Machine Authentication with PEAP
>
> Has anyone gotten Machine Authentication with PEAP working?
>
> Yes
>
> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29 '
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>
> From my experience this means the credentials the machine is sending are wrong or your version of samba is too old - get 3.0.21c (or at least 3.0.21a)
>
> I wish it was that easy. I'm using the Debian package of the Testing release. It's currently at 3.0.21b.
>
> Does it have anything to do with the host/ getting stripped off?

Nope ... --username=boy-it-tel-2528$ is in the correct format

If it helps, this is the ntlm command (which I think you have correct):

/usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102

for the radius packet:

        NAS-IP-Address = 172.17.51.78
        NAS-Port = 50018
        Cisco-NAS-Port = GigabitEthernet0/18
        NAS-Port-Type = Ethernet
        User-Name = host/cse-mpr.cse.bris.ac.uk
        Called-Station-Id = 00-16-C8-7C-A9-12
        Calling-Station-Id = 00-07-E9-E7-41-50
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x2155356ae073362e26296c9869da2893
        EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49

As far as I can tell the problem is with the Windows / Samba side of things:

- might be a stupid question, but is the computer account properly registered in the domain?
- is the account locked?
- does it work if you try to auth as a user?
- if you updated samba recently - have you restarted winbindd?
- are you passing the domain correctly? (I don't specify the domain on the ntlm_auth command line, whereas you have)

I have the following in samba.conf (the domain is UOB):

[global]
        workgroup = UOB
        netbios name = IS-RHUBARB
        security = domain
        password server = ads.bris.ac.uk
        realm = ads.bris.ac.uk
        winbind use default domain = no
        winbind nested groups = Yes
        winbind enum users = No
        winbind enum groups = No
        remote browse sync = ads.bris.ac.uk

where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain controllers.

Regards,
James

--
James J J Hooper, Information Services
University of Bristol
Re: Machine Authentication with PEAP
--On 09 March 2006 23:20 + James J J Hooper [EMAIL PROTECTED] wrote:

> > -- Message: 6
> > Date: Thu, 9 Mar 2006 13:17:48 -0500
> > From: King, Michael [EMAIL PROTECTED]
> > Subject: Machine Authentication with PEAP
> >
> > Has anyone gotten Machine Authentication with PEAP working?
> >
> > Yes
> >
> > radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29 '
> > Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29
> > Exec-Program output: Logon failure (0xc06d)
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> >
> > From my experience this means the credentials the machine is sending are wrong or your version of samba is too old - get 3.0.21c (or at least 3.0.21a)
> >
> > I wish it was that easy. I'm using the Debian package of the Testing release. It's currently at 3.0.21b.
> >
> > Does it have anything to do with the host/ getting stripped off?
>
> Nope ... --username=boy-it-tel-2528$ is in the correct format
>
> If it helps, this is the ntlm command (which I think you have correct):
>
> /usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102
>
> for the radius packet:
>
>         NAS-IP-Address = 172.17.51.78
>         NAS-Port = 50018
>         Cisco-NAS-Port = GigabitEthernet0/18
>         NAS-Port-Type = Ethernet
>         User-Name = host/cse-mpr.cse.bris.ac.uk
>         Called-Station-Id = 00-16-C8-7C-A9-12
>         Calling-Station-Id = 00-07-E9-E7-41-50
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         State = 0x2155356ae073362e26296c9869da2893
>         EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49
>
> As far as I can tell the problem is with the Windows / Samba side of things:
>
> - might be a stupid question, but is the computer account properly registered in the domain?
> - is the account locked?
> - does it work if you try to auth as a user?
> - if you updated samba recently - have you restarted winbindd?
> - are you passing the domain correctly? (I don't specify the domain on the ntlm_auth command line, whereas you have)
>
> I have the following in samba.conf (the domain is UOB):
>
> [global]
>         workgroup = UOB
>         netbios name = IS-RHUBARB
>         security = domain
>         password server = ads.bris.ac.uk
>         realm = ads.bris.ac.uk
>         winbind use default domain = no
>         winbind nested groups = Yes
>         winbind enum users = No
>         winbind enum groups = No
>         remote browse sync = ads.bris.ac.uk
>
> where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain controllers.

... on a different tack, I assume you are using the XP / 2000 built-in supplicant?

... If you're trying to use the 'MeetingHouse AEGIS 802.1x client', I found it does not send the actual machine credentials (it makes up the password! - it uses the machine SID as password or something) and so this would explain why authentication is failing.

James.

--
James J J Hooper, Information Services
University of Bristol
RE: Machine Authentication with PEAP
-----Original Message-----

> If it helps, this is the ntlm command (which I think you have correct):
>
> /usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102
>
> - are you passing the domain correctly? (I don't specify the domain on the ntlm_auth command line, whereas you have)
>
> I have the following in samba.conf

I didn't have the ntlm_auth line correct. I did have the domain correct.

I had this in the radius.conf file:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

BUT, in my notes, and on my working server, I had this:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

I removed the :-00 from the NT-Response and the Challenge options, and I also removed the --domain, since I had no idea why it was in there either. I think I only replaced bits and pieces of the default line in the example config, instead of deleting the whole line and pasting in my notes.

Thanks, it works great now!
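As an added illustration (not FreeRADIUS code and not from anyone in this thread), the Python below models how the two ntlm_auth lines above are expanded into the command that appears in the debug output, including what the `:-00` default does when an MS-CHAP attribute is absent. The `host/<fqdn>` to `<host>$` and NT-Domain derivations are inferred from the expansions visible in this thread's log (`--username=boy-it-tel-2528$ --domain=campus`); the handling of `DOMAIN\user` names and of names with fewer than three labels is an assumption.

```python
import re

# Values copied from the debug output quoted earlier in this thread.
USER_NAME = "host/boy-it-tel-2528.campus.bridgew.edu"
CHALLENGE = "8498683817c21d86"
NT_RESPONSE = "c92c121419368a6b599e159c9ef21bbc4d98138946d6df29"

# The failing and the working ntlm_auth lines from the message above.
OLD_LINE = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} "
            "--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} "
            "--nt-response=%{mschap:NT-Response:-00}")
NEW_LINE = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} "
            "--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}")

# %{mschap:<Attr>} with the optional ':-<default>' fallback of FreeRADIUS xlat syntax.
XLAT = re.compile(r"%\{mschap:([A-Za-z-]+)(?::-([^}]*))?\}")


def mschap_user_name(user_name):
    """Model of %{mschap:User-Name}: 'host/<fqdn>' -> '<host>$' as the log shows;
    'DOMAIN\\user' -> 'user' (assumption); anything else unchanged."""
    if user_name.startswith("host/"):
        return user_name[len("host/"):].split(".", 1)[0] + "$"
    return user_name.rsplit("\\", 1)[-1]

def mschap_nt_domain(user_name):
    """Model of %{mschap:NT-Domain}: for 'host/<host>.<dom>.<...>' the first label
    after the host name ('campus' in the log); for 'DOMAIN\\user' the DOMAIN part.
    Returns '' when nothing can be derived, which is when a ':-default' is used."""
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        return labels[1] if len(labels) >= 3 else ""  # assumption for short names
    return user_name.split("\\", 1)[0] if "\\" in user_name else ""

def request_attrs(user_name, challenge_hex="", nt_response_hex=""):
    """Attribute values the mschap xlat sees for one request ('' means absent)."""
    return {"User-Name": mschap_user_name(user_name),
            "NT-Domain": mschap_nt_domain(user_name),
            "Challenge": challenge_hex, "NT-Response": nt_response_hex}

def expand_ntlm_auth(template, attrs):
    """Expand every %{mschap:...} in a config line. An empty attribute becomes its
    ':-default' text when one is given, otherwise the empty string, so with the
    old line a request lacking a challenge still runs ntlm_auth with '--challenge=00'."""
    def sub(m):
        value = attrs.get(m.group(1), "")
        return m.group(2) if value == "" and m.group(2) is not None else value
    return XLAT.sub(sub, template)
```

`expand_ntlm_auth(OLD_LINE, request_attrs(USER_NAME, CHALLENGE, NT_RESPONSE))` reproduces the `radius_xlat` command line quoted earlier in the thread.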