I had this working before, and I can't figure out what I'm missing to get it working on this server.

Samba version: 3.0.23b
FreeRADIUS version: 1.0.4

Users successfully authenticate with the domain; machine accounts do not, however.

My ntlm_auth line is:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"

I have:

with_ntdomain_hack = yes

in the mschap section.

The debug is below. The only thing that looks different from last time is that the host/ isn't getting stripped off. Should it?
rad_recv: Access-Request packet from host 10.0.1.22:32769, id=171,
length=324
User-Name = "host/boytel2883.campus.bridgew.edu"
Calling-Station-Id = "00-90-96-F4-2A-BB"
Called-Station-Id = "00-0B-85-5B-55-A0:test"
NAS-Port = 29
NAS-IP-Address = 10.0.1.22
NAS-Identifier = "BUWISM2-2"
Vendor-14179-Attr-1 = 0x00000007
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "4000"
EAP-Message = 0x0207007419001703010069fad4edfbbed6d8fb51dcf6cb01ead274ca25439081be3955bfd614a066335309bfcc72d0f20a0891d43fd085e948c3a635622fcd52658bdc817970b87e859a66ec970d7433349e6cbd2d19184182eb762ea246e13202349e8c32c8acd5e5c322df88f7fd45aa24e13f
State = 0xdfdc87766140b541e2ac318d7ce82e0f
Message-Authenticator = 0x42318a374d505be3af9ffa7af0c39484
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
modcall[authorize]: module "preprocess" returns ok for request 19
modcall[authorize]: module "chap" returns noop for request 19
modcall[authorize]: module "mschap" returns noop for request 19
rlm_realm: No '@' in User-Name = "host/boytel2883.campus.bridgew.edu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 19
rlm_eap: EAP packet type response id 7 length 116
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 19
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns updated for request 19
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to host/boytel2883.campus.bridgew.edu
PEAP: Adding old state with f4 4b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
modcall[authorize]: module "preprocess" returns ok for request 19
modcall[authorize]: module "chap" returns noop for request 19
modcall[authorize]: module "mschap" returns noop for request 19
rlm_realm: No '@' in User-Name = "host/boytel2883.campus.bridgew.edu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 19
rlm_eap: EAP packet type response id 7 length 93
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 19
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns updated for request 19
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 19
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for host/boytel2883.campus.bridgew.edu with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: c4
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=host/boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba --nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=host/boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba --nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 19
modcall: group Auth-Type returns reject for request 19
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 19
modcall: group authenticate returns reject for request 19
auth: Failed to validate the user.
Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client localhost port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 19
modcall: group authenticate returns handled for request 19
Sending Access-Challenge of id 171 to 10.0.1.22:32769
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010800261900170301001b117712344a946d2ec4a5810ca84e7e8d679cd4db81a9d3ba62f02c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xda9104a0e99cbf878c499197750025dd
Finished request 19
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.0.1.22:32769, id=172, length=246
User-Name = "host/boytel2883.campus.bridgew.edu"
Calling-Station-Id = "00-90-96-F4-2A-BB"
Called-Station-Id = "00-0B-85-5B-55-A0:test"
NAS-Port = 29
NAS-IP-Address = 10.0.1.22
NAS-Identifier = "BUWISM2-2"
Vendor-14179-Attr-1 = 0x00000007
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "4000"
EAP-Message = 0x020800261900170301001b8391b7780fd0e65e7da0ff923b9c0239457f612ac17c79044626be
State = 0xda9104a0e99cbf878c499197750025dd
Message-Authenticator = 0x58d7a64496d15d4c60e90495b86ab1db
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
modcall[authorize]: module "preprocess" returns ok for request 20
modcall[authorize]: module "chap" returns noop for request 20
modcall[authorize]: module "mschap" returns noop for request 20
rlm_realm: No '@' in User-Name = "host/boytel2883.campus.bridgew.edu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 20
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 20
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 20
modcall: group authorize returns updated for request 20
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 20
modcall: group authenticate returns invalid for request 20
auth: Failed to validate the user.
Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client BUWiSM-2-2 port 29 cli 00-90-96-F4-2A-BB)
Delaying request 20 for 1 seconds
Finished request 20
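As an added illustration (my code, not the poster's and not FreeRADIUS's or Samba's): a small Python checker that walks a FreeRADIUS debug log like the one above, pulls out each ntlm_auth invocation, and flags the two things worth checking in this trace, namely whether the inner identity still carries the host/ prefix when it reaches ntlm_auth, and the NTSTATUS the domain controller returned. The mapping of host/name.domain to NAME$ reflects how Windows names computer accounts and is an assumption about what the lookup should target, not a statement of what FreeRADIUS 1.0.4 or ntlm_auth does with the name.

```python
import re

# Constructed excerpt of the debug output quoted in the post (trimmed, not a new capture).
SAMPLE_DEBUG = """\
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=host/boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba --nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

EXEC_RE = re.compile(r"^Exec-Program: (?P<cmd>\S*ntlm_auth .*)$")
ARG_RE = re.compile(r"--([\w-]+)=(\S+)")  # only the key=value options
OUTPUT_RE = re.compile(r"^Exec-Program output: (?P<msg>.*?)(?: \((?P<status>0x[0-9a-fA-F]+)\))?$")
RETURN_RE = re.compile(r"^Exec-Program: returned: (?P<rc>\d+)$")
STATUS_LOGON_FAILURE = "0xc000006d"  # NTSTATUS code printed in the post

def machine_account_name(identity):
    """Map 'host/name.domain' to the computer account's SAM name 'NAME$' (assumed target); None otherwise."""
    if not identity.startswith("host/"):
        return None
    short = identity[len("host/"):].split(".", 1)[0]  # host label only, no DNS suffix
    return short.upper() + "$"

def parse_ntlm_auth_calls(debug_text):
    """Return each ntlm_auth invocation with the username given, NTSTATUS printed and exit code."""
    calls, current = [], None
    for line in debug_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            args = dict(ARG_RE.findall(m.group("cmd")))
            current = {"username": args.get("username"), "status": None, "rc": None}
            calls.append(current)
        elif current is not None:
            out, ret = OUTPUT_RE.match(line), RETURN_RE.match(line)
            if out and out.group("status"):
                current["status"] = out.group("status").lower()
            elif ret:
                current["rc"] = int(ret.group("rc"))
                current = None  # this invocation is complete
    return calls

def diagnose(call):
    """Flag the two symptoms visible in the post for one recorded ntlm_auth call."""
    user, findings = call["username"] or "", []
    if user.startswith("host/"):
        findings.append("host/ prefix reached ntlm_auth unstripped; computer account would be " + machine_account_name(user))
    if call["status"] == STATUS_LOGON_FAILURE:
        findings.append("domain controller returned STATUS_LOGON_FAILURE")
    return findings
```

Running `diagnose` over `parse_ntlm_auth_calls(SAMPLE_DEBUG)` reports both the unstripped prefix and the logon failure for the single call in the excerpt.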