--On 09 March 2006 23:20 +0000 James J J Hooper <[EMAIL PROTECTED]> wrote:




------------------------------

Message: 6
Date: Thu, 9 Mar 2006 13:17:48 -0500
From: "King, Michael" <[EMAIL PROTECTED]>
Subject: Machine Authentication with PEAP

Has anyone gotten Machine Authentication with PEAP working?
Yes

radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29  '

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29

Exec-Program output: Logon failure (0xc000006d)

Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

From my experience this means the credentials the machine is sending are
wrong or your version of samba is too old - get 3.0.21c (or at least
3.0.21a)

I wish it were that easy.  I'm using the Debian package from the Testing
release.  It's currently at 3.0.21b.

Does it have anything to do with the host/ getting stripped off?

Nope ... --username=boy-it-tel-2528$ is in the correct format

If it helps, this is the ntlm_auth command (which I think you have correct):
/usr/bin/ntlm_auth --request-nt-key --username=cse-mpr$ --challenge=4de0a9c09623ab12 --nt-response=d4b9516b28ba1760f8d31f8ac2b257d74a2439b9e104a102

for the radius packet:
        NAS-IP-Address = 172.17.51.78
        NAS-Port = 50018
        Cisco-NAS-Port = "GigabitEthernet0/18"
        NAS-Port-Type = Ethernet
        User-Name = "host/cse-mpr.cse.bris.ac.uk"
        Called-Station-Id = "00-16-C8-7C-A9-12"
        Calling-Station-Id = "00-07-E9-E7-41-50"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x2155356ae073362e26296c9869da2893
        EAP-Message = 0x0207006d190017030100629bfa223d9efed1787d6bdeee43082a4a43adaf1792f0bd93acc6fbe8e4b7ee82d8d88380e459496d97435e7225e057fac5dd15e2525bd4ff36ae085cc54c677cc3e3a96d1f7a023f6b49

As far as I can tell the problem is with the Windows / Samba side of
things:
  - might be a stupid question, but is the computer account properly
registered in the domain?
  - is the account locked?
  - does it work if you try to auth as a user?
  - if you updated Samba recently, have you restarted winbindd?
  - are you passing the domain correctly? (I don't specify the domain on
the ntlm_auth command line, whereas you have.) I have the following in
samba.conf (the domain is UOB):

[global]
   workgroup = UOB
   netbios name = IS-RHUBARB
   security = domain
   password server = ads.bris.ac.uk
   realm = ads.bris.ac.uk
   winbind use default domain = no
   winbind nested groups = Yes
   winbind enum users = No
   winbind enum groups = No
   remote browse sync = ads.bris.ac.uk


where ads.bris.ac.uk is a round robin resolving to the IPs of 11 domain
controllers.

... on a different tack, I assume you are using the XP / 2000 built-in supplicant? ... If you're trying to use the 'MeetingHouse AEGIS 802.1x client', I found it does not send the actual machine credentials (it makes up the password! - it uses the machine SID as the password or something) and so this would explain why authentication is failing.

James.

--
James J J Hooper,
Information Services
University of Bristol
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
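The checklist above can be turned into a small diagnostic over the radiusd -X output. The script below is an added example, not code from the thread or from FreeRADIUS: it unwraps the ntlm_auth argv from the radius_xlat line, derives the machine account it expects from the host/ identity, checks the argument shapes (a 16-hex-digit challenge, a 48-hex-digit NT-Response, --request-nt-key present) and decodes the NT status ntlm_auth printed. The sample debug text is constructed from Michael's failing exchange with an assumed User-Name line (his post did not include the packet); the host/<fqdn> to <shortname>$ mapping is an assumption about how the supplicant identity relates to the SAM account.

```python
"""Checker for FreeRADIUS + ntlm_auth machine-auth debug output (added example).

Assumption: the account the DC expects is the first DNS label of the host/
identity with a trailing '$' appended (host/cse-mpr.cse.bris.ac.uk -> cse-mpr$).
"""
import re
import shlex

# NT status values ntlm_auth prints in parentheses (well-known codes).
NT_STATUS = {
    "0x0": "STATUS_SUCCESS",
    "0xc000006d": "STATUS_LOGON_FAILURE: credentials rejected (wrong password, account or domain)",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000064": "STATUS_NO_SUCH_USER: account not registered in the domain",
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample: the failing exchange from the thread, unwrapped, plus an
# assumed User-Name attribute (the original post did not include its packet).
SAMPLE_DEBUG = """\
        User-Name = "host/boy-it-tel-2528.campus.example"
        Calling-Station-Id = "00-07-E9-E7-41-50"
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29  '
Exec-Program output: Logon failure (0xc000006d)
"""


def machine_account_from_identity(identity):
    """Map an EAP identity 'host/name.dom.example' to the SAM account 'name$'.

    Returns None for a user identity (no host/ prefix)."""
    if not identity.lower().startswith("host/"):
        return None
    return identity[len("host/"):].split(".", 1)[0] + "$"


def parse_debug(text):
    """Pull RADIUS attributes, the ntlm_auth options and the result code."""
    attrs, opts, status = {}, {}, None
    for line in text.splitlines():
        s = line.strip()
        attr = re.fullmatch(r'([\w-]+)\s*=\s*"?(.*?)"?', s)
        if attr:                                  # e.g. User-Name = "host/..."
            attrs[attr.group(1)] = attr.group(2)
        elif s.startswith("radius_xlat:"):        # the expanded command line
            quoted = re.search(r"'(.*)'", s)
            argv = shlex.split(quoted.group(1)) if quoted else []
            for arg in argv[1:]:                  # argv[0] is ntlm_auth itself
                key, sep, val = arg.lstrip("-").partition("=")
                opts[key] = val if sep else True  # flag without a value -> True
        elif s.startswith("Exec-Program output:"):
            code = re.search(r"\((0x[0-9a-fA-F]+)\)", s)
            status = code.group(1).lower() if code else s.split(":", 1)[1].strip()
    return attrs, opts, status


def check(attrs, opts, status):
    """Apply the checklist from the thread; returns a list of findings."""
    findings = []
    user = opts.get("username", "")
    if not user.endswith("$"):
        findings.append("username has no trailing '$': this is not a machine-account logon")
    expected = machine_account_from_identity(attrs.get("User-Name", ""))
    if expected and user.lower() != expected.lower():
        findings.append(f"username {user!r} does not match identity-derived {expected!r}: "
                        "host/ handling in the mschap module is wrong")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", opts.get("challenge", "")):
        findings.append("challenge is not 8 bytes (16 hex digits)")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", opts.get("nt-response", "")):
        findings.append("nt-response is not 24 bytes (48 hex digits): check the xlat for wrapping or truncation")
    if opts.get("request-nt-key") is not True:
        findings.append("--request-nt-key missing: no NT key, so no MPPE keys for PEAP")
    if status and status != "0x0":
        findings.append(f"{status}: {NT_STATUS.get(status, 'unrecognised ntlm_auth result')}")
    return findings


def diagnose(text):
    """Convenience wrapper: debug text in, findings out."""
    return check(*parse_debug(text))


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG):
        print("-", finding)
```

Run it against a copy of the radiusd -X output; on the sample above the only finding is the STATUS_LOGON_FAILURE decode, which is exactly the case James describes (argument format correct, rejection coming from the DC or Samba side). A username without the '$', or a mismatch against the host/ identity, shows up as a finding before the status code.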