Hi All,
I have an environment where I'm trying to use FreeRADIUS to authenticate with
two Active Directory domains at the same time. The problem I'm encountering is
that I can authenticate one domain at a time, but not both, by manipulating the
ntlm_auth syntax in radiusd.conf.
For example, my parent AD domain is idmcorp.net (IDMCORP), and my subdomain is
sub.idmcorp.net (SUB). The Red Hat Linux system is joined to the parent domain
and I can authenticate users via the ntlm_auth command line executable as shown:
ProCurve RADIUS(ms):/etc/raddb # ntlm_auth --nt-request-key --username=codo
password:
NT_STATUS_OK: Success (0x0)
ProCurve RADIUS(ms):/etc/raddb # ntlm_auth --nt-request-key
--username='SUB\subusr1'
password:
NT_STATUS_OK: Success (0x0)
I have two test systems which are Windows XP, configured for machine
authentication, and each joined to one of the AD domains. The following
radiusd.conf ntlm_auth configuration will allow machines in idmcorp.net to
authenticate successfully, but not sub.idmcorp.net. If I change the --domain to
sub.idmcorp.net, then that domain can authenticate successfully but not
idmcorp.net.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{NT-Domain:-idmcorp.net}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
The bottom line when I look at radiusd -X is that the challenge fails because
only idmcorp.net is applied:
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: '--username=subusr1'
WARNING: Attempt to use unknown xlat function, or non-existent attribute in
string %{NT-Domain}
radius_xlat: '--domain=idmcorp.net'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
mschap2: b2
radius_xlat: '--challenge=f5ba542c686e9959'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: '--nt-response=dfdebeef4582ae2ee49bba789b110a6af1507b67abc97e5e'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
I thought removing the domain argument from ntlm_auth might work, but this
fails as well:
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: '--username=subusr1'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
mschap2: 49
radius_xlat: '--challenge=dcadf8974326b238'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: '--nt-response=804ebd5ea2b41d58ee34f221268885086ca958434d969593'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
Sorry to be so wordy. Can anyone think of a way to get this working for both the
parent/child domains?
Thanks,
Corey
Corey Dow
Security Solutions Test Engineer
ProCurve Networking
Hewlett-Packard Company
8000 Foothills Blvd. (MS 5549)
Roseville, CA 95747
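As an added illustration (not FreeRADIUS, rlm_mschap or ntlm_auth code, and not part of the post above), the following Python models how the ntlm_auth command line in the post is assembled from the request's User-Name, so that the effect of a fixed `--domain` default on users from the child domain can be checked offline. The NetBIOS-to-DNS map and the function names are assumptions constructed for this example.

```python
# Added example: a stand-alone model of the ntlm_auth argv from the post.
# It is NOT rlm_mschap's implementation; it only reproduces the observable
# behaviour: the User-Name xlat strips "DOMAIN\", and --domain either comes
# from the request or falls back to a fixed default (idmcorp.net in the post).

PARENT = "idmcorp.net"                         # parent domain from the post
CHILD_NETBIOS = {"SUB": "sub.idmcorp.net"}     # constructed NetBIOS -> DNS map

def split_nt_name(user_name):
    """Return (domain, user) for 'DOMAIN\\user', 'user@domain' or a bare user.
    Domain is None when the name carries no domain part (e.g. 'codo')."""
    if "\\" in user_name:
        dom, user = user_name.split("\\", 1)
        return dom, user
    if "@" in user_name and not user_name.startswith("host/"):
        user, dom = user_name.rsplit("@", 1)
        return dom, user
    return None, user_name

def build_ntlm_auth_argv(user_name, challenge, nt_response,
                         default_domain=PARENT, per_user_domain=True):
    """Build the argv that the post's ntlm_auth line would produce.
    per_user_domain=False mirrors the failing config: every request is sent
    to default_domain, so a SUB user is checked against the parent domain."""
    dom, user = split_nt_name(user_name)
    if not per_user_domain or dom is None:
        dom = default_domain
    else:
        dom = CHILD_NETBIOS.get(dom.upper(), dom)
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            "--username=%s" % user, "--domain=%s" % dom,
            "--challenge=%s" % challenge, "--nt-response=%s" % nt_response]

def domain_of(argv):
    """Helper for inspection: the domain ntlm_auth would be told to use."""
    return [a for a in argv if a.startswith("--domain=")][0].split("=", 1)[1]

if __name__ == "__main__":
    # Constructed request values; the challenge/response bytes are dummies.
    for mode in (False, True):
        argv = build_ntlm_auth_argv("SUB\\subusr1", "00", "00", per_user_domain=mode)
        print("per-user domain %-5s -> %s" % (mode, domain_of(argv)))
```

Running it prints idmcorp.net for the fixed-default case (the post's failure) and sub.idmcorp.net when the domain is taken from the User-Name.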
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html