
Message: 6
Date: Thu, 9 Mar 2006 13:17:48 -0500
From: "King, Michael" <[EMAIL PROTECTED]>
Subject: Machine Authentication with PEAP

Has anyone gotten Machine Authentication with PEAP working?
Yes

radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29  '

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29

Exec-Program output: Logon failure (0xc000006d)

Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

From my experience this means the credentials the machine is sending are
wrong or your version of samba is too old - get 3.0.21c (or at least
3.0.21a)

I wish it was that easy.  I'm using Debian Package of the Testing
release.  It's currently at 3.0.21b

Does it have anything to do with the host/ getting stripped off?

Nope ... --username=boy-it-tel-2528$ is in the correct format

If it helps, this is the ntlm command (which I think you have correct):
/usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102

for the radius packet:
       NAS-IP-Address = 172.17.51.78
       NAS-Port = 50018
       Cisco-NAS-Port = "GigabitEthernet0/18"
       NAS-Port-Type = Ethernet
       User-Name = "host/cse-mpr.cse.bris.ac.uk"
       Called-Station-Id = "00-16-C8-7C-A9-12"
       Calling-Station-Id = "00-07-E9-E7-41-50"
       Service-Type = Framed-User
       Framed-MTU = 1500
       State = 0x2155356ae073362e26296c9869da2893
       EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49

As far as I can tell the problem is with the windows / samba side of things:
 - might be a stupid question, but is the computer account properly registered in the domain?
 - is the account locked ??
 - does it work if you try to auth as a user?
 - if you updated samba recently - have you restarted winbindd?
 - are you passing the domain correctly? (I don't specify the domain on the ntlm_auth command line, whereas you have) I have the following in samba.conf (the domain is UOB):

[global]
  workgroup = UOB
  netbios name = IS-RHUBARB
  security = domain
  password server = ads.bris.ac.uk
  realm = ads.bris.ac.uk
  winbind use default domain = no
  winbind nested groups = Yes
  winbind enum users = No
  winbind enum groups = No
  remote browse sync = ads.bris.ac.uk
where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain controllers.

Regards,
  James

--
James J J Hooper,
Information Services
University of Bristol
--
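As an added example (not part of this thread, and not FreeRADIUS or Samba code), the following Python helper shows the two things the thread turns on: how the "host/fqdn" identity in the packet above maps to the "shortname$" computer account that ntlm_auth needs, and how to read ntlm_auth's result line. The NT_STATUS hint table is my own lookup, and the rejection of a wrapped or truncated hex response is an added sanity check based on MS-CHAPv2's fixed 8-byte challenge and 24-byte NT-Response sizes.

```python
import re

# Hypothetical lookup table (an assumption of this example, not a Samba or
# FreeRADIUS API) of NT_STATUS codes commonly returned by ntlm_auth.
NT_STATUS_HINTS = {
    0xC000006D: "STATUS_LOGON_FAILURE: bad credentials, e.g. stale machine password",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER: computer account not found in the domain",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def machine_account_from_username(user_name):
    """Map the EAP identity a Windows machine sends ("host/fqdn") to the
    sAMAccountName of its computer object ("shortname$"); a DOMAIN\\user
    identity is reduced to the bare user name."""
    if user_name.lower().startswith("host/"):
        short_name = user_name[len("host/"):].split(".", 1)[0]
        return short_name + "$"
    return user_name.rsplit("\\", 1)[-1]

def build_ntlm_auth_argv(user_name, challenge_hex, nt_response_hex, domain=None):
    """Build the ntlm_auth argv the way the radius_xlat line in the thread does.
    MS-CHAPv2 uses an 8-byte challenge and a 24-byte NT-Response, so a wrapped
    or truncated hex string from a debug log is rejected before being run."""
    if not re.fullmatch(r"[0-9a-fA-F]{16}", challenge_hex):
        raise ValueError("challenge must be 8 bytes (16 hex digits)")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", nt_response_hex):
        raise ValueError("nt-response must be 24 bytes (48 hex digits)")
    argv = ["/usr/bin/ntlm_auth", "--request-nt-key",
            "--username=" + machine_account_from_username(user_name)]
    if domain:  # optional; the thread shows it both with and without --domain
        argv.append("--domain=" + domain)
    argv += ["--challenge=" + challenge_hex, "--nt-response=" + nt_response_hex]
    return argv

def classify_ntlm_auth_output(text):
    """Return (authenticated, nt_status, hint) for one line of ntlm_auth output.
    Success prints 'NT_KEY: <hex>'; failure prints 'Logon failure (0xNNNNNNNN)'."""
    if text.startswith("NT_KEY:"):
        return True, 0, "authenticated; NT key returned for MPPE keying"
    match = re.search(r"\((0x[0-9a-fA-F]{8})\)", text)
    if match is None:
        return False, None, "unrecognised ntlm_auth output: " + text.strip()
    code = int(match.group(1), 16)
    return False, code, NT_STATUS_HINTS.get(code, "unknown NT_STATUS code")

if __name__ == "__main__":  # the failure line quoted in the thread
    print(classify_ntlm_auth_output("Logon failure (0xc000006d)"))
```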

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
