Machine Authentication with PEAP

2006-03-09 Thread King, Michael
Has anyone gotten Machine Authentication with PEAP working?



rad_recv: Access-Request packet from host 10.0.1.21:32768, id=2, length=342
User-Name = host/boy-it-tel-2528.campus.bridgew.edu
Calling-Station-Id = 00-0B-7D-1B-B0-BA
Called-Station-Id = 00-0B-85-5F-66-E0:[EMAIL PROTECTED]
NAS-Port = 29
NAS-IP-Address = 10.0.1.21
NAS-Identifier = BUWISM2-1
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 4000
EAP-Message = 0x020900791900170301006ed6d5858d2d5e437d5127e2f91a69520faa2104d0573c0a1d098dce6c763982b9a2b160a55541d1fcec125fb106c4668c0d3d5b4facf2737febb2a5f98c4344d36b9c4fbcf52f2b6d3d613b79f6a123bf30d5e5bc09d2cf2859aabada6c297a14d782995bce310f879a006e2c6ba0
State = 0x332bd4a26a3495ca8b876c3936b99a50
Message-Authenticator = 0x4fec0b430cc29964546aa3c9fee52d2c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
  modcall[authorize]: module preprocess returns ok for request 40
radius_xlat: '/var/log/freeradius/radacct/10.0.1.21/auth-detail-20060309'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.1.21/auth-detail-20060309
  modcall[authorize]: module auth_log returns ok for request 40
  modcall[authorize]: module chap returns noop for request 40
  modcall[authorize]: module mschap returns noop for request 40
rlm_realm: No '@' in User-Name = host/boy-it-tel-2528.campus.bridgew.edu, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 40
  rlm_eap: EAP packet type response id 9 length 121
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 40
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
  modcall[authorize]: module files returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 40
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x020900621a0209005d310575b329205687211101eef2ea1463b6c92c121419368a6b599e159c9ef21bbc4d98138946d6df2900686f73742f626f792d69742d74656c2d323532382e63616d7075732e627269646765772e656475
  PEAP: Setting User-Name to host/boy-it-tel-2528.campus.bridgew.edu
  PEAP: Adding old state with c0 be
  PEAP: Sending tunneled request
EAP-Message = 0x020900621a0209005d310575b329205687211101eef2ea1463b6c92c121419368a6b599e159c9ef21bbc4d98138946d6df2900686f73742f626f792d69742d74656c2d323532382e63616d7075732e627269646765772e656475
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = host/boy-it-tel-2528.campus.bridgew.edu
State = 0xc0be9e82d71e93ec07c4074441377fb0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
  modcall[authorize]: module preprocess returns ok for request 40
radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20060309'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20060309
  modcall[authorize]: module auth_log returns ok for request 40
  modcall[authorize]: module chap returns noop for request 40
  modcall[authorize]: module mschap returns noop for request 40
rlm_realm: No '@' in User-Name = host/boy-it-tel-2528.campus.bridgew.edu, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 40
  rlm_eap: EAP packet type response id 9 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 40
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the

Re: Machine Authentication with PEAP

2006-03-09 Thread james

--

Message: 6
Date: Thu, 9 Mar 2006 13:17:48 -0500
From: King, Michael [EMAIL PROTECTED]
Subject: Machine Authentication with PEAP

Has anyone gotten Machine Authentication with PEAP working?

Yes


radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29  '

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29

Exec-Program output: Logon failure (0xc06d)

Exec-Program-Wait: plaintext: Logon failure (0xc06d)


From my experience this means the credentials the machine is sending are 
wrong or your version of samba is too old - get 3.0.21c (or at least 
3.0.21a)


Regards,
  James

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Machine Authentication with PEAP

2006-03-09 Thread King, Michael
 

 -Original Message-
 [mailto:[EMAIL PROTECTED]
 adius.org] On Behalf Of james
 Sent: Thursday, March 09, 2006 3:06 PM
 From my experience this means the credentials the machine is sending 
 are
 wrong or your version of samba is too old - get 3.0.21c (or at least
 3.0.21a)
 
 Regards,
James


I wish it was that easy.  I'm using the Debian package of the Testing
release.  It's currently at 3.0.21b.

Does it have anything to do with the host/ getting stripped off?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Machine Authentication with PEAP

2006-03-09 Thread James J J Hooper





--

Message: 6
Date: Thu, 9 Mar 2006 13:17:48 -0500
From: King, Michael [EMAIL PROTECTED]
Subject: Machine Authentication with PEAP

Has anyone gotten Machine Authentication with PEAP working?

Yes


radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29  '

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29

Exec-Program output: Logon failure (0xc06d)

Exec-Program-Wait: plaintext: Logon failure (0xc06d)


From my experience this means the credentials the machine is sending are
wrong or your version of samba is too old - get 3.0.21c (or at least
3.0.21a)



I wish it was that easy.  I'm using the Debian package of the Testing
release.  It's currently at 3.0.21b.

Does it have anything to do with the host/ getting stripped off?


Nope ... --username=boy-it-tel-2528$ is in the correct format.

If it helps, this is the ntlm command (which I think you have correct):
/usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102


for the radius packet:
   NAS-IP-Address = 172.17.51.78
   NAS-Port = 50018
   Cisco-NAS-Port = GigabitEthernet0/18
   NAS-Port-Type = Ethernet
   User-Name = host/cse-mpr.cse.bris.ac.uk
   Called-Station-Id = 00-16-C8-7C-A9-12
   Calling-Station-Id = 00-07-E9-E7-41-50
   Service-Type = Framed-User
   Framed-MTU = 1500
   State = 0x2155356ae073362e26296c9869da2893
   EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49


As far as I can tell the problem is with the windows / samba side of things:
 - might be a stupid question, but is the computer account properly 
registered in the domain?

 - is the account locked ??
 - does it work if you try to auth as a user?
 - if you updated samba recently - have you restarted winbindd?
 - are you passing the domain correctly? (I don't specify the domain on the 
ntlm_auth command line, whereas you have) I have the following in 
samba.conf (the domain is UOB):


[global]
  workgroup = UOB
  netbios name = IS-RHUBARB
  security = domain
  password server = ads.bris.ac.uk
  realm = ads.bris.ac.uk
  winbind use default domain = no
  winbind nested groups = Yes
  winbind enum users = No
  winbind enum groups = No
  remote browse sync = ads.bris.ac.uk


where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain 
controllers.


Regards,
  James

--
James J J Hooper,
Information Services
University of Bristol
--

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Machine Authentication with PEAP

2006-03-09 Thread James J J Hooper



--On 09 March 2006 23:20 + James J J Hooper [EMAIL PROTECTED] 
wrote:







--

Message: 6
Date: Thu, 9 Mar 2006 13:17:48 -0500
From: King, Michael [EMAIL PROTECTED]
Subject: Machine Authentication with PEAP

Has anyone gotten Machine Authentication with PEAP working?

Yes


radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29  '

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29

Exec-Program output: Logon failure (0xc06d)

Exec-Program-Wait: plaintext: Logon failure (0xc06d)


From my experience this means the credentials the machine is sending are
wrong or your version of samba is too old - get 3.0.21c (or at least
3.0.21a)



I wish it was that easy.  I'm using the Debian package of the Testing
release.  It's currently at 3.0.21b.

Does it have anything to do with the host/ getting stripped off?


Nope ... --username=boy-it-tel-2528$ is in the correct format.

If it helps, this is the ntlm command (which I think you have correct):
/usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102

for the radius packet:
NAS-IP-Address = 172.17.51.78
NAS-Port = 50018
Cisco-NAS-Port = GigabitEthernet0/18
NAS-Port-Type = Ethernet
User-Name = host/cse-mpr.cse.bris.ac.uk
Called-Station-Id = 00-16-C8-7C-A9-12
Calling-Station-Id = 00-07-E9-E7-41-50
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x2155356ae073362e26296c9869da2893
EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49

As far as I can tell the problem is with the windows / samba side of
things:
  - might be a stupid question, but is the computer account properly
registered in the domain?
  - is the account locked ??
  - does it work if you try to auth as a user?
  - if you updated samba recently - have you restarted winbindd?
  - are you passing the domain correctly? (I don't specify the domain on
the ntlm_auth command line, whereas you have) I have the following in
samba.conf (the domain is UOB):

[global]
   workgroup = UOB
   netbios name = IS-RHUBARB
   security = domain
   password server = ads.bris.ac.uk
   realm = ads.bris.ac.uk
   winbind use default domain = no
   winbind nested groups = Yes
   winbind enum users = No
   winbind enum groups = No
   remote browse sync = ads.bris.ac.uk


where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain
controllers.


... on a different tack, I assume you are using the XP / 2000 builtin 
supplicant? ... If you're trying to use the 'MeetingHouse AEGIS 802.1x 
client', I found it does not send the actual machine credentials (it makes 
up the password! - it uses the machine SID as password or something) and so 
this would explain why authentication is failing.


James.

--
James J J Hooper,
Information Services
University of Bristol
--
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Machine Authentication with PEAP

2006-03-09 Thread King, Michael
 

 -Original Message-
 If it helps, this is the ntlm command (which I think you have correct):
 /usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102

  - are you passing the domain correctly? (I don't specify the domain on
 the ntlm_auth command line, whereas you have) I have the following in
 samba.conf
 

I didn't have the ntlm_auth line correct.  I did have the domain
correct.

I had this in the radius.conf file

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}


BUT, in my notes, and on my working server, I had this:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}


I removed the :-00 from the NT-Response and the Challenge options, and I
also removed the --domain, since I had no idea why it was in there
either.  I think I only replaced bits and pieces of the default line in
the example config, instead of deleting the whole line and pasting in my
notes.

Thanks, it works great now!

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
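The thread turns on two things: how the PEAP machine identity `host/boy-it-tel-2528.campus.bridgew.edu` becomes the `boy-it-tel-2528$` computer account that ntlm_auth is given, and the difference between the broken `ntlm_auth = ...` line (with `--domain` and `:-00` defaults) and the working one. The following Python is an added example written for this archive page; it is not code from the thread, from FreeRADIUS or from Samba. It models the host/ to name$ mapping as observed in the logs above (rlm_mschap's real logic is richer), models FreeRADIUS' `%{mschap:Attr:-default}` xlat syntax (an unexpandable reference becomes the empty string, or the `:-` default when one is given), builds the argv both config lines would produce for the sample attributes, sanity-checks that argv before anything is executed, and interprets the `Logon failure (0xc06d)` / `NT_KEY:` output that ntlm_auth --request-nt-key prints. The sample attribute values are copied from the thread's own log lines; `NT-Domain = campus` is an assumption (the log only shows `--domain=campus`). The thread does not say which of the two removed pieces actually fixed the logon, so the example shows their effect rather than asserting a cause.

```python
import re
import shlex

# Constructed sample: what rlm_mschap exposes through %{mschap:...} for the
# machine-auth request in the thread. Values copied from the thread's log;
# NT-Domain is an assumption (only --domain=campus is visible in the log).
SAMPLE_MSCHAP = {
    "User-Name": "boy-it-tel-2528$",
    "NT-Domain": "campus",
    "Challenge": "8498683817c21d86",
    "NT-Response": "c92c121419368a6b599e159c9ef21bbc4d98138946d6df29",
}

# The two ntlm_auth config lines quoted in the last message of the thread.
BROKEN_LINE = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} "
               "--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} "
               "--nt-response=%{mschap:NT-Response:-00}")
WORKING_LINE = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} "
                "--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}")

# %{mschap:Attr} or %{mschap:Attr:-default}
XLAT_RE = re.compile(r"%\{mschap:([A-Za-z-]+)(?::-([^}]*))?\}")


def machine_username(user_name: str) -> str:
    """Map a PEAP identity to the account name ntlm_auth is given.
    Rule as observed in the thread's logs (a simplification of rlm_mschap):
    drop the 'host/' prefix, keep the host label before the first dot and
    append '$', the computer-account suffix; DOMAIN\\user keeps only user."""
    if user_name.startswith("host/"):
        host = user_name[len("host/"):].split(".", 1)[0]
        return host + "$"
    return user_name.split("\\", 1)[-1]


def expand(template: str, mschap: dict) -> str:
    """Expand %{mschap:Attr} / %{mschap:Attr:-default} against an attribute
    map. Modelled on FreeRADIUS xlat: a reference with no value and no
    default expands to the empty string; with ':-default' the default is
    substituted, which is exactly what ':-00' did in the broken line."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        val = mschap.get(name)
        if val:
            return val
        return default if default is not None else ""
    return XLAT_RE.sub(sub, template)


def build_argv(template: str, mschap: dict) -> list:
    """The argv Exec-Program would run for this config line and request."""
    return shlex.split(expand(template, mschap))


def check_argv(argv: list) -> list:
    """Pre-exec sanity checks: MS-CHAPv2 hands ntlm_auth an 8-byte challenge
    and a 24-byte NT-Response, both hex encoded, and machine auth needs a
    computer account (trailing '$'). Returns a list of problems, empty if OK."""
    problems = []
    opts = dict(a.split("=", 1) for a in argv if a.startswith("--") and "=" in a)
    chal = opts.get("--challenge", "")
    resp = opts.get("--nt-response", "")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", chal):
        problems.append(f"challenge is not 8 hex bytes: {chal!r}")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", resp):
        problems.append(f"nt-response is not 24 hex bytes: {resp!r}")
    if not opts.get("--username", "").endswith("$"):
        problems.append("username is not a computer account (no trailing '$')")
    return problems


def parse_ntlm_auth_output(line: str) -> tuple:
    """Interpret one line of ntlm_auth --request-nt-key output: 'NT_KEY: <hex>'
    on success (the key rlm_mschap needs to derive MPPE keys), otherwise an
    error text such as the thread's 'Logon failure (0xc06d)'."""
    m = re.match(r"NT_KEY:\s*([0-9A-Fa-f]+)", line)
    if m:
        return ("ok", m.group(1).lower())
    return ("fail", line.strip())


if __name__ == "__main__":
    name = machine_username("host/boy-it-tel-2528.campus.bridgew.edu")
    print("ntlm_auth account:", name)
    for label, line in (("broken", BROKEN_LINE), ("working", WORKING_LINE)):
        argv = build_argv(line, SAMPLE_MSCHAP)
        print(label, "argv:", argv, "problems:", check_argv(argv))
    # What the broken line does when the mschap xlat yields nothing: the
    # ':-00' defaults turn a missing challenge/response into '00', which
    # would reach ntlm_auth looking like data and fail with a logon error.
    print("broken, attrs missing:", check_argv(build_argv(BROKEN_LINE, {"User-Name": name})))
    print(parse_ntlm_auth_output("Logon failure (0xc06d)"))
```

Run against the sample attributes, both lines expand to well-formed commands and differ only in the `--domain=campus` argument; the difference the `:-00` defaults make only shows when an mschap attribute fails to expand, where the broken line silently substitutes `00` instead of an empty value. A pre-exec check of this kind, or simply reading the `Exec-Program:` line in `radiusd -X` output as James did, is the quickest way to tell a FreeRADIUS-side expansion problem from a Samba/AD-side logon failure.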