Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> I'm still not seeing it.

If it's listed in the authorize section, it will be printed out in debugging mode. Are you willing to provide debug logs?

> Let's start over. What is the best way of authenticating users to an NT domain over PEAP? Am I even on the right track?

ntlm_auth. It works, and other people have gotten it to work. The issue now becomes poking your configuration so that it works.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain in the 'authorize' section to make freeradius use it?

If it's listed there, you should see it printed out in debugging mode. Try listing it immediately after preprocess, and double-checking the debug output.

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I'm still not seeing it. Let's start over. What is the best way of authenticating users to an NT domain over PEAP? Am I even on the right track?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, August 24, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I am trying to set up 802.1x on our network and I would like the users to be able to use their current Active Directory credentials. I need the AD domain to be stripped from the username so that I can feed it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003 server.

Here is part of my config file.

    Modules {
        realm ntdomain {
            format = prefix
            delimiter = \\
            ignore_default = no
            ignore_null = no
        }
        eap {
            default_eap_type = peap
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = yes
            tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
            }
            peap {
                default_eap_type = mschapv2
            }
            mschapv2 {
            }
        }
        mschap {
            authtype = MS-CHAP
            with_ntdomain_hack = no
            ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MI /
                --username=%{Stripped-User-Name} --challence=%{mschap:Challenge:-00} /
                --nt-response=%{mschap:NT-Response:-00}
        }
    }

    authorize {
        preprocess
        ntdomain
        eap
        files
    }

    authenticate {
        Auth-Type MS-CHAP {
            Mschap
        }
        eap
    }

From the debug output:

    radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
    Exec-Program-Wait: plaintext: Logon failure (0xc06d)
    Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:

    [EMAIL PROTECTED] raddb]# ntlm_auth --requeset-nt-key --domain=MI / --username=chand
    password:
    NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active Directory (Windows 2003)?

Chris Hand
Network Engineer
[EMAIL PROTECTED]
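The symptom the thread keeps returning to is Stripped-User-Name being empty when the mschap ntlm_auth template is expanded. As an added example (my own code, not FreeRADIUS's and not from the thread), here is a small Python model of the posted `realm ntdomain` and `mschap` blocks; it assumes, as a simplification of rlm_realm in FreeRADIUS 1.x, that stripping only happens when the realm name (or a DEFAULT realm) is configured, and `known_realms`, `ntlm_auth_argv` and `run` are names I made up for the model.

```python
# Added example (not from the thread): a model of how the posted "realm ntdomain"
# instance and the mschap ntlm_auth template interact. The realm-lookup rule is
# an assumption about FreeRADIUS 1.x rlm_realm, not something the thread states.

def ntdomain_realm(attrs, known_realms, delimiter="\\", fmt="prefix",
                   ignore_null=False, ignore_default=False):
    """Model of the 'realm ntdomain' block from the posted config.

    attrs is the request's attribute dict; known_realms holds the realm
    names configured elsewhere (assumed: proxy.conf in 1.x). Returns the
    module return code; on "ok" it adds Stripped-User-Name and Realm.
    """
    name = attrs.get("User-Name", "")
    if fmt == "prefix":                        # DOMAIN\user
        realm, sep, user = name.partition(delimiter)
    else:                                      # user<delimiter>DOMAIN
        user, sep, realm = name.rpartition(delimiter)
    if not sep:
        if ignore_null:
            return "noop"
        realm, user = "NULL", name             # ignore_null = no: realm "NULL"
    # Assumption: the realm (or DEFAULT, unless ignore_default) must exist;
    # otherwise the module is a no-op and nothing is stripped.
    if realm not in known_realms and (ignore_default or "DEFAULT" not in known_realms):
        return "noop"
    attrs["Stripped-User-Name"] = user
    attrs["Realm"] = realm
    return "ok"


def ntlm_auth_argv(attrs, challenge, nt_response, domain="MI"):
    """Expand the ntlm_auth template from the posted mschap block.

    An unset attribute expands to "", which reproduces the bare
    '--username=' in the thread's debug output; the ':-00' defaults of
    the mschap xlats are mirrored for the challenge and response.
    """
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key", f"--domain={domain}",
        f"--username={attrs.get('Stripped-User-Name', '')}",
        f"--challenge={challenge or '00'}",
        f"--nt-response={nt_response or '00'}",
    ]


def run(user_name, known_realms):
    """Authorize-stage realm handling followed by the command expansion."""
    attrs = {"User-Name": user_name}
    rc = ntdomain_realm(attrs, known_realms)
    # Constructed sample values; real ones come from the EAP-MSCHAPv2 exchange.
    return rc, ntlm_auth_argv(attrs, "3d66c96d9aa150e6", "c97090b4f7aeeac3")
```

Running `run("MI\\chand", set())` shows the empty `--username=` from the debug output, while `run("MI\\chand", {"MI"})` yields `--username=chand`.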
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
I retyped the config. That is a typo. It should be '--challenge'.

-Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Bender
Sent: Monday, August 23, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)

Where's the username?

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working. If I use --username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, August 23, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Hand, Chris [EMAIL PROTECTED] wrote:
> Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working.

Are you using the ntdomain realm, as given in radiusd.conf? Are you running it in debugging mode, to see that the ntdomain realm is working?

Alan DeKok.
RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client
Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain in the 'authorize' section to make freeradius use it?

Chris Hand

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, August 23, 2004 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client