Hello List, I've got a strange behavior here. I've got a running FreeRADIUS with PEAP and ntlm_auth authentication and everything works fine.
But if I enhance the ntlm_auth with the "--require-membership-of" switch, authentication still works, but I get no EAP-Response from the client anymore.

+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: usern...@realm.de
[mschap] Told to do MS-CHAPv2 for usern...@realm.de with NT-Password
[mschap] expand: --require-membership-of=%{Huntgroup-Name} -> --require-membership-of=adp.realm.de\wlan
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=username
[mschap] Creating challenge hash with username: usern...@realm.de
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=aefab931ad734f6e
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=884c07bf7ed6d38688c6730be8e92b714f912da037da8554
Exec-Program output: NT_KEY: 84092FAC9DC4C216C61D4411B5BB768C
Exec-Program-Wait: plaintext: NT_KEY: 84092FAC9DC4C216C61D4411B5BB768C
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
WARNING: Empty session section. Using default return values.
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/raddb/sites-enabled/mitarb
} # server mitarb
Going to the next request
<<< Received proxied response code 2 from internal virtual server.
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server eduroam-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file /etc/raddb/sites-enabled/eduroam
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x86a4e0 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok

Looks good so far, but then ......

server eduroam-outer-tunnel {
} # server eduroam-outer-tunnel
Sending Access-Challenge of id 2 to 141.72.64.3 port 32768
	EAP-Message = 0x0115005b19001703010050cb972ac25fca4ed1fb69d92f327ffc0a5d206ef0541edb35627a0d93187423d332a9c1194dcf844077258dd435d362bcba65c361650224ca83a669d82fc36f2a1cff8ea1868802734676ea1474288492
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe0bbe76ce9aefea746f07bdba2aaec4b
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 249 with timestamp +19
Cleaning up request 1 ID 250 with timestamp +19
Cleaning up request 2 ID 251 with timestamp +19
Cleaning up request 3 ID 252 with timestamp +19
Cleaning up request 4 ID 253 with timestamp +19
Cleaning up request 5 ID 254 with timestamp +19
Cleaning up request 6 ID 255 with timestamp +19
Cleaning up request 7 ID 0 with timestamp +19
Cleaning up request 8 ID 1 with timestamp +19
Cleaning up request 9 ID 2 with timestamp +19
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xe0bbe76ce9aefea7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.

My ntlm_auth string in modules/mschap looks like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=%{Huntgroup-Name} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

If I remove the "require-membership-of" everything works fine. Why? Help would be great!

Yours
Patrick Machauer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
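An added triage helper for debug output of the kind quoted in the post (example code, not part of the post or of FreeRADIUS): it walks a radiusd -X capture, records for each State value the expanded ntlm_auth arguments, the Exec-Program exit code and the reply sent, and marks the round that the later "did not finish" warning refers to, so a failing group check (non-zero exit) can be told apart from a client that stopped answering after a successful inner MS-CHAPv2. The sample lines are constructed from the excerpt above; SAMPLE_LOG, triage and diagnose are names chosen here.

```python
import re

# Constructed sample, copied line by line from the debug excerpt in the post.
SAMPLE_LOG = r"""
[mschap] expand: --require-membership-of=%{Huntgroup-Name} -> --require-membership-of=adp.realm.de\wlan
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=username
Exec-Program output: NT_KEY: 84092FAC9DC4C216C61D4411B5BB768C
Exec-Program: returned: 0
rlm_eap_mschapv2: Authentication succeeded.
Sending Access-Challenge of id 2 to 141.72.64.3 port 32768
	State = 0xe0bbe76ce9aefea746f07bdba2aaec4b
WARNING: !! EAP session for state 0xe0bbe76ce9aefea7 did not finish!
"""

EXPAND_RE = re.compile(r"\[mschap\] expand: .* -> (--[\w-]+)=(.*)$")
RC_RE = re.compile(r"Exec-Program: returned: (\d+)")
SEND_RE = re.compile(r"Sending (Access-\w+) of id \d+ to (\S+) port \d+")
STATE_RE = re.compile(r"State = (0x[0-9a-fA-F]+)")
STALE_RE = re.compile(r"EAP session for state (0x[0-9a-fA-F]+) did not finish")

def triage(log):
    """Map each State value to what the server saw in that round."""
    rounds, current = {}, {}
    for line in log.splitlines():
        if m := EXPAND_RE.search(line):
            current.setdefault("ntlm_args", {})[m.group(1)] = m.group(2)
        elif m := RC_RE.search(line):
            current["rc"] = int(m.group(1))
        elif m := SEND_RE.search(line):
            current["reply"], current["client"] = m.group(1), m.group(2)
        elif m := STATE_RE.search(line):
            # State is the last reply attribute printed, so it closes the round
            rounds[m.group(1)] = current
            current = {}
        elif m := STALE_RE.search(line):
            # the warning prints only the first 8 bytes of the 16-byte State
            for state, rnd in rounds.items():
                if state.startswith(m.group(1)):
                    rnd["unfinished"] = True
    return rounds

def diagnose(rnd):
    """Tell a server-side ntlm_auth rejection from a client that stopped answering."""
    rc = rnd.get("rc")
    if rc not in (None, 0):
        return "ntlm_auth exit %d: group/credential check failed server side" % rc
    if rnd.get("unfinished") and rnd.get("reply") == "Access-Challenge":
        return "server accepted inner MS-CHAPv2; client never answered the challenge"
    return "round completed"
```

Run it over a full radiusd -X capture instead of SAMPLE_LOG to see every round that ended with the warning and which ntlm_auth arguments were in effect for it.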