> -----Original Message-----
> From: freeradius-users-bounces+eastb=pffcu....@lists.freeradius.org 
> [mailto:freeradius-users-
> bounces+eastb=pffcu....@lists.freeradius.org] On Behalf Of Phil Mayers
> Sent: Tuesday, April 19, 2011 4:38 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: The last piece of the puzzle - XP host authentication
> Have you made sure that your root cert is present in the right stores - remember Windows
> clients have both machine and per-user cert stores. Machine auth requires it be in the machine store.

Bah, I should have known that. It's fixed, now.


> 
> >
> > The configuration is: AD 2008 with a Slackware Linux server running
> > the latest Samba and Kerberos as well as obviously FR. The client is
> > a Windows XP box with the latest service pack. Below is a mildly
> > sanitized copy of radiusd -X with both failed machine logins (LP-0010
> > is the host) and a successful user (myuser) login.
> 
> Couple of points: the debug is actually quite mangled. The indenting has all gone away, making
> it really hard to follow, and you've chopped the top off where FreeRADIUS starts and prints out
> the config, meaning some vital info is absent.
> 

I shouldn't have clipped the top, if I post a full debug again I'll fix that. 
As for the formatting, I'm not sure where that's going, I'm copying from putty 
to gvim and out to Outlook. I know where I'd put my money for making unwanted 
changes to text, though.

> Also, it only looks sanitised; much of the data you *think* you've removed is actually contained
> again inside the hex of the EAP-Message packets, so it's basically pointless. If you don't want to
> reveal sensitive data, create a test user.

Makes sense, but at least folks googling for basic information such as my org 
name won't have it all set out for them on a platter.

> 
> So given the mangling this is a guess, but as Alan says you're apparently mangling the
> usernames, which will definitely break things; but to my eye, it looks like it's failing earlier than
> that, at the certificate exchange bit, implying the issue I note above.
> 
> On the subject of mangling usernames - if you want to deal with all 3 of:
> 
> domain\user
> user
> host/name.domain.com
> 
> ...you can use the following:
> 
> %{mschap:User-Name}
> 
> ...and the mschap module will strip them all into the right form.
> Specifically, when you configure your ntlm_auth helper line in raddb/modules/mschap, I
> recommend it read:
> 
>   ntlm_auth = "... --username=%{mschap:User-Name} ..."


Aha!

This looks highly promising.

I've got the syntax right in mschap now, I think, but the challenge is still 
being created strangely (or is it supposed to look like that?)

[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password
[mschap]        expand: %{mschap:User-Name} -> LP-0010$
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$
[mschap]  mschap2: ac
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)


I appreciate your help with this


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

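The username stripping that Phil describes for %{mschap:User-Name}, and that the debug output above shows turning host/LP-0010.pffcu.org into LP-0010$, is modelled below as an added example. This is an illustrative Python reimplementation written for this thread, not the FreeRADIUS mschap module's own code; the function and variable names, the sample request dictionary, and the challenge/response hex values are constructed here. It covers the three forms named in the reply (domain\user, user, host/name.domain.com), the fallback chain in --username=%{%{mschap:User-Name}:-%{User-Name:-None}}, and builds the ntlm_auth argument list using only the flags that appear in the debug output.

```python
"""Illustrative model of %{mschap:User-Name} stripping and of the ntlm_auth
argument expansion seen in the radiusd -X output.  Added example for this
thread; not the rlm_mschap source.  Assumption: the module lower/upper-cases
nothing, it only strips the prefix/suffix as the log shows."""

from typing import Dict, List


def mschap_user_name(user_name: str) -> str:
    """Return the account name ntlm_auth expects, mirroring %{mschap:User-Name}.

    host/LP-0010.pffcu.org -> LP-0010$   machine account: short host name + '$'
    PFFCU\\myuser          -> myuser     NetBIOS domain prefix dropped
    myuser                 -> myuser     already a bare user name
    """
    if user_name.startswith("host/"):
        # Machine auth: drop "host/", keep the label before the first dot,
        # and append the '$' that AD uses for computer accounts.
        fqdn = user_name[len("host/"):]
        short_host = fqdn.split(".", 1)[0]
        return short_host + "$"
    # User auth: strip a leading "DOMAIN\" if present; rpartition on the
    # last backslash so "DOMAIN\user" and plain "user" both end up bare.
    _domain, sep, user = user_name.rpartition("\\")
    return user if sep else user_name


def expand_username_arg(request: Dict[str, str]) -> str:
    """Expand --username=%{%{mschap:User-Name}:-%{User-Name:-None}}.

    %{mschap:User-Name} is empty only when the request carries no User-Name,
    in which case the xlat falls through to the raw attribute and then to the
    literal "None", exactly as the nested :- defaults read.
    """
    raw = request.get("User-Name", "")
    stripped = mschap_user_name(raw) if raw else ""
    value = stripped or raw or "None"
    return "--username=" + value


def build_ntlm_auth_args(request: Dict[str, str]) -> List[str]:
    """Build the ntlm_auth arguments seen in the debug output.

    Only the three flags that appear in the log are modelled.  Challenge and
    NT-Response are hex strings taken from the request; the :-00 defaults in
    the xlats are reproduced when the attributes are missing.
    """
    return [
        expand_username_arg(request),
        "--challenge=" + request.get("MS-CHAP-Challenge", "00"),
        "--nt-response=" + request.get("MS-CHAP2-Response", "00"),
    ]


if __name__ == "__main__":
    # Constructed sample request: a machine login like the failing LP-0010
    # one above, with made-up hex values (not the ones from the log).
    sample = {
        "User-Name": "host/LP-0010.pffcu.org",
        "MS-CHAP-Challenge": "0011223344556677",
        "MS-CHAP2-Response": "00" * 24,
    }
    print(" ".join(build_ntlm_auth_args(sample)))
```

Note that the expanded --challenge and --nt-response values are the live MS-CHAPv2 challenge/response pair for that account; they are just as sensitive as the EAP-Message hex Phil mentions, so a debug capture that includes them should be treated as unsanitised even if the user names were edited.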