Hello Will,
It looks like the authentication fails in the chroot.
What you can try is the following:
chroot /chroots/RadiusAD
wbinfo -u
ntlm_auth --username=helpdesk --password=...
And let me know the result.
Regards
Fabrice
On 2018-05-02 at 03:39, Will Halsall via PacketFence-users wrote:
Hi Folks
I am still having problems with the eduroam authentication to our AD
domain. I am now getting rejected although the username and password
are correct.
Below are the radius logs for the test and I was wondering if anyone
could shed some light on my problem.
Thanks
Will Halsall
ap: Finished EAP session with state 0xdecad538decdcfad
(7) eap: Previous EAP request found for state 0xdecad538decdcfad, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(7) eap_mschapv2: Auth-Type MS-CHAP {
(7) packetfence: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.0.1'
(7) packetfence: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Authenticate-Only'
(7) packetfence: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1400'
(7) packetfence: $RAD_REQUEST{'State'} = &request:State -> '0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '02:00:00:00:00:01'
(7) packetfence: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'eduroamUK-test'
(7) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(7) packetfence: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'May 2 2018 00:06:23 BST'
(7) packetfence: $RAD_REQUEST{'Connect-Info'} = &request:Connect-Info -> 'eduroam UK test'
(7) packetfence: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence: $RAD_REQUEST{'Operator-Name'} = &request:Operator-Name -> '1eduroam.uk'
(7) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> '127.0.0.1'
(7) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = &request:MS-CHAP-Challenge -> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = &request:MS-CHAP2-Response -> '0x07659f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
(7) packetfence: $RAD_REQUEST{'Realm'} = &request:Realm -> 'farn-ct.ac.uk'
(7) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = &request:MS-CHAP-User-Name -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: $RAD_REQUEST{'PacketFence-Domain'} = &request:PacketFence-Domain -> 'RadiusAD'
(7) packetfence: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'
(7) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
(7) packetfence: $RAD_CHECK{'Tmp-Integer-2'} = &control:Tmp-Integer-2 -> '0'
(7) packetfence: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'eap'
(7) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
(7) packetfence: $RAD_CONFIG{'Tmp-Integer-2'} = &control:Tmp-Integer-2 -> '0'
(7) packetfence: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Wireless-802.11'
(7) packetfence: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Authenticate-Only'
(7) packetfence: &request:Operator-Name = $RAD_REQUEST{'Operator-Name'} -> '1eduroam.uk'
(7) packetfence: &request:State = $RAD_REQUEST{'State'} -> '0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(7) packetfence: &request:Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 'eduroam UK test'
(7) packetfence: &request:Realm = $RAD_REQUEST{'Realm'} -> 'farn-ct.ac.uk'
(7) packetfence: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(7) packetfence: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.0.1'
(7) packetfence: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '02:00:00:00:00:01'
(7) packetfence: &request:MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: &request:MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} -> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence: &request:PacketFence-Domain = $RAD_REQUEST{'PacketFence-Domain'} -> 'RadiusAD'
(7) packetfence: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'helpd...@farn-ct.ac.uk'
(7) packetfence: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'eduroamUK-test'
(7) packetfence: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'May 2 2018 00:06:23 BST'
(7) packetfence: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence: &request:MS-CHAP2-Response = $RAD_REQUEST{'MS-CHAP2-Response'} -> '0x07659f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(7) packetfence: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'eap'
(7) packetfence: &control:Tmp-Integer-2 = $RAD_CHECK{'Tmp-Integer-2'} -> '0'
(7) packetfence: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 'LOCAL'
(7) [packetfence] = noop
(7) if (&control:NT-Password && &control:NT-Password != "") {
(7) if (&control:NT-Password && &control:NT-Password != "") -> FALSE
(7) else {
(7) policy packetfence-mschap-authenticate {
(7) if (PacketFence-Domain) {
(7) if (PacketFence-Domain) -> TRUE
(7) if (PacketFence-Domain) {
(7) if ( "%{User-Name}" =~ /^host\/.*/) {
(7) EXPAND %{User-Name}
(7) --> helpd...@farn-ct.ac.uk
(7) if ( "%{User-Name}" =~ /^host\/.*/) -> FALSE
(7) else {
(7) chrooted_mschap: Creating challenge hash with username: helpd...@farn-ct.ac.uk
(7) chrooted_mschap: Client is using MS-CHAPv2
(7) chrooted_mschap: Executing: /usr/bin/sudo /usr/sbin/chroot /chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(7) chrooted_mschap: EXPAND /chroots/%{PacketFence-Domain}
(7) chrooted_mschap: --> /chroots/RadiusAD
(7) chrooted_mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(7) chrooted_mschap: --> --username=helpd...@farn-ct.ac.uk
(7) chrooted_mschap: Creating challenge hash with username: helpd...@farn-ct.ac.uk
(7) chrooted_mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(7) chrooted_mschap: --> --challenge=3c45509edd2101f9
(7) chrooted_mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(7) chrooted_mschap: --> --nt-response=ff9d32e6c1679c7f27c071374f109360595818fb0202de96
(7) chrooted_mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(7) chrooted_mschap: External script failed
(7) chrooted_mschap: ERROR: External script says: Logon failure (0xc000006d)
(7) chrooted_mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [chrooted_mschap] = reject
(7) } # else = reject
(7) } # if (PacketFence-Domain) = reject
(7) } # policy packetfence-mschap-authenticate = reject
(7) } # else = reject
(7) } # Auth-Type MS-CHAP = reject
(7) eap: Sending EAP Failure (code 4) ID 7 length 4
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
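A triage helper for FreeRADIUS debug output like the log in this thread, as an added example that is not part of the original messages or of PacketFence: it rejoins lines wrapped by the mail client, drops `<mailto:...>` residue, and summarises each `chrooted_mschap` run with the exit code and NTSTATUS that `ntlm_auth` reported. The sample log, its user names and its domain are constructed, and `unwrap` and `triage` are hypothetical names.

```python
import re

# Constructed sample shaped like this thread's log (mail wrapping included).
SAMPLE = """\
(7) chrooted_mschap: --> /chroots/EXAMPLEDOM
(7) chrooted_mschap: --> --username=alice@example.org
<mailto:--username=alice@example.org>
(7) chrooted_mschap: ERROR: Program returned code (1) and output
'Logon failure (0xc000006d)'
(7) [chrooted_mschap] = reject
(8) chrooted_mschap: --> --username=bob@example.org
(8) [chrooted_mschap] = ok
"""

NTSTATUS = {  # well-known codes ntlm_auth can print on a failed logon
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def unwrap(text):
    """Drop <mailto:...> residue and rejoin lines that lack a '(N)' prefix."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"<mailto:[^>]*>", "", raw).strip()
        if re.match(r"\(\d+\) ", line):
            out.append(line)
        elif line and out:
            out[-1] += " " + line  # continuation of the previous log line
    return out

def triage(text):
    """Map request id -> chroot, username, exit code, NTSTATUS and verdict."""
    fields = {
        "chroot": r"--> (/chroots/\S+)",
        "username": r"--> --username=(\S+)",
        "exit_code": r"Program returned code \((\d+)\)",
        "ntstatus": r"\((0x[0-9a-fA-F]{8})\)",
        "verdict": r"\[chrooted_mschap\] = (\w+)",
    }
    reqs = {}
    for line in unwrap(text):
        rid, body = re.match(r"\((\d+)\) (.*)", line).groups()
        for key, pat in fields.items():
            if (m := re.search(pat, body)):
                reqs.setdefault(int(rid), {})[key] = m.group(1)
    for r in reqs.values():  # meaning stays None when no known code was logged
        r["meaning"] = NTSTATUS.get(int(r.get("ntstatus", "0"), 16))
    return reqs
```

A request whose summary shows a non-zero exit code with `STATUS_LOGON_FAILURE` is the case where running `wbinfo` and `ntlm_auth` by hand inside the same chroot, as suggested above, separates a domain-join problem from a credential problem.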