AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Hector.Ortiz
 (SecureW2) seemed to work, but not using PEAP. I 
selected EAP-MSCHAP v2 and both automatic and manual logins worked on my 
computer through SW2. Then I tried it on another computer, and it didn't work.
With different accounts the result is the same.

I haven't yet tried bumping the debugging level in Samba. I was just trying on 
the client side, but unfortunately nothing succeeded :( 

Well, now I have to try things on the server side.

Do you have any more ideas to try?

Héctor




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Phil Mayers
Sent: Monday, 11 December 2006 11:26
To: FreeRadius users mailing list
Subject: Re: AW: PEAP+MSCHAP+AD (please help)

[EMAIL PROTECTED] wrote:
 Hello. No, I haven't edited the debug output. Why would I do this if I 
 have a problem that I want to get solved? The debug output is exactly 
 what I get from FreeRadius.

People do some surprising things on this mailing list...

I saw that you had a domain called DOMAIN, which is not very common, and 
assumed the worst, i.e. that you had edited the output.

 
 There have been more people in this list with the same problem, being 
 the latest 
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html.
 Even though he found a solution for his own problem, I followed his 
 howto but unfortunately it didn't work for me.
 
 About the client, when I turn the computer on, I have to type in the 
 user credentials, the same ones that I use when testing FreeRadius.
 Windows sends FreeRadius the same user information in the two cases, 
 but the outcome is completely different and this of course makes no 
 sense.
 
 There is no trick, this is a real problem I have.

I didn't imagine you were trying to trick us.

As far as I can tell, your FreeRadius configuration looks correct. It's able to 
answer at least some MS-CHAP requests, and as you say there's no real 
difference as far as the server is concerned between an automatic or manual 
client login.

This makes me suspect that there *is* a difference between the two on the client 
side.

Couple of other things you could try:

netsh ras set tracing * enable

...on the windows client side, then inspect the logs (If memory serves they go 
to %WINDIR%/system32/tracing)

Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, you're 
not trying to authenticate a trusted domain user?

Finally, I see you've got the ntlm_auth helper set to:

/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

You could try removing the --domain argument completely - though you should not 
need to.

You could obviously also bump the Samba debugging level for a failing login and 
inspect the samba logs.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Phil Mayers

[EMAIL PROTECTED] wrote:


on the windows client. I tried first one automatic login and then a
manual one. The CHAP log generated by Windows is as follows:


Hmph. That wasn't as useful as I'd hoped (the PPP logs are much better)



Windows sends both domain and username, but only the manual login
succeeds.

For the manual login, Windows uses DES and MD5 but for the automatic
one uses Local Security Authority, but I don't think this has
something to do with my problem, does it?


Not really - the automatic login calls out to the LSA to get the 
logged-in creds. The manual login does a portion of that locally.




I've also tried other things on the client side:

Cleaned cached user credentials from regedit, just in case, but the
result is the same. I've tried using different computers and the
result is the same. Using a different supplicant (SecureW2) seemed to
work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic
and manual logins worked on my computer through SW2. Then I tried it
on another computer, and it didn't work. With different accounts the
result is the same.

I haven't yet tried bumping the debugging level in Samba. I was just
trying on the client side, but unfortunately nothing succeeded :(

Well, now I have to try things on the server side.


I doubt there's anything in the Radius server that'll help at this point.

Only two things I can think of:

 1. Does your password have odd (non-ascii) characters in it? That 
should NOT matter for MS-CHAP since it's explicitly unicode aware


 2. Does the domain you are in have particularly tight security policies 
that might be preventing the LSA from successfully completing an MS-CHAP 
but would allow the manual code to work?


Both are extremely unlikely.

Sorry I can't be of more help.


RE: AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Josh Howlett
   1. Does your password have odd (non-ascii) characters in it? That 
 should NOT matter for MS-CHAP since it's explicitly unicode aware

MS-CHAP is unicode aware, but FreeRADIUS' implementation is not. It
definitely borks on non-ASCII characters in passwords. (I submitted a
patch some time ago to fix this, check the archives).

(I've not been following this thread, so I don't know if pertinent or
not.)

Josh.



AW: PEAP+MSCHAP+AD (please help)

2006-12-11 Thread Hector.Ortiz
Hello. No, I haven't edited the debug output. Why would I do this if I have a 
problem that I want to get solved? The debug output is exactly what I get from 
FreeRadius. 

There have been more people in this list with the same problem, being the 
latest 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html.
 Even though he found a solution for his own problem, I followed his howto but 
unfortunately it didn't work for me.

About the client, when I turn the computer on, I have to type in the user 
credentials, the same ones that I use when testing FreeRadius. Windows sends 
FreeRadius the same user information in the two cases, but the outcome is 
completely different and this of course makes no sense.

There is no trick, this is a real problem I have.

Thanks for any further assistance

Héctor

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Phil Mayers
Sent: Friday, 8 December 2006 19:32
To: FreeRadius users mailing list
Subject: Re: PEAP+MSCHAP+AD (please help)

[EMAIL PROTECTED] wrote:
 Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why 
 I'm asking for help with this problem which is driving me crazy.
 
 
 In the first attempt the user has checked the option Automatically use my 
 Windows logon name and password (and domain if any), user account is valid 
 in the domain and is not locked out, however user authentication fails.
 
 In the next attempt the user has unchecked this option, so every time he 
 connects to the network he has to type his credentials in. After clicking 
 Connect he gets access. 
 
 Why, if Windows sends the same user information, is the user able to get in 
 only in the latter case?
 
 Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key 
 --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d 
 --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785
 Exec-Program output: Logon failure (0xc06d)
 Exec-Program-Wait: plaintext: Logon failure (0xc06d)
 Exec-Program: returned: 1
   rlm_mschap: External script failed.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
   modcall[authenticate]: module mschap returns reject for request 7

It failed because the client returned the wrong challenge

 Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key 
 --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 
 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d
 Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
 Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
 Exec-Program: returned: 0
   modcall[authenticate]: module mschap returns ok for request 16
 modcall: leaving group MS-CHAP (returns ok) for request 16 MSCHAP 
 Success

Whereas that worked.

It looks to me as if you've edited the debug output so I can't be sure, but I'd 
suggest looking at the client - the radius server is configured correctly. 
Perhaps the client is not in fact logging on to the laptop with the correct 
username and password.


Re: AW: PEAP+MSCHAP+AD (please help)

2006-12-11 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

Hello. No, I haven't edited the debug output. Why would I do this if
I have a problem that I want to get solved? The debug output is
exactly what I get from FreeRadius.


People do some surprising things on this mailing list...

I saw that you had a domain called DOMAIN, which is not very common, and 
assumed the worst, i.e. that you had edited the output.




There have been more people in this list with the same problem, being
the latest
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html.
Even though he found a solution for his own problem, I followed his
howto but unfortunately it didn't work for me.

About the client, when I turn the computer on, I have to type in the
user credentials, the same ones that I use when testing FreeRadius.
Windows sends FreeRadius the same user information in the two cases,
but the outcome is completely different and this of course makes no
sense.

There is no trick, this is a real problem I have.


I didn't imagine you were trying to trick us.

As far as I can tell, your FreeRadius configuration looks correct. It's 
able to answer at least some MS-CHAP requests, and as you say there's no 
real difference as far as the server is concerned between an automatic 
or manual client login.


This makes me suspect that there *is* a difference between the two on the 
client side.


Couple of other things you could try:

netsh ras set tracing * enable

...on the windows client side, then inspect the logs (If memory serves 
they go to %WINDIR%/system32/tracing)


Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, 
you're not trying to authenticate a trusted domain user?


Finally, I see you've got the ntlm_auth helper set to:

/opt/samba/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}


You could try removing the --domain argument completely -
though you should not need to.

You could obviously also bump the Samba debugging level for a failing 
login and inspect the samba logs.


Re: AW: PEAP+MSCHAP+AD (please help)

2006-12-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 About the client, when I turn the computer on, I have to type in the user
 credentials, the same ones that I use when testing FreeRadius.
 Windows sends FreeRadius the same user information in the two
 cases, but the outcome is completely different and this of
 course makes no sense.

  Windows is *not* sending the same information in both cases.  Please
go back and read the debugging output.  In each case, Windows is sending
a random challenge, and a response hash.  The response hash depends
on the challenge, password, and user name, so it is different for EVERY
request.

  Look at the debugging output, and type in the ntlm_auth lines by
hand on a command line (i.e. cut & paste from the debug output).  One
will succeed and one will fail.  This is because Active Directory is
deciding that one succeeds and the other fails.

  What is probably happening is that the Windows box is treating the
user name as user in one case, and DOMAIN\user in the other.  This
means that the expected response calculated by Active Directory MAY use
a different username than what the Windows client is using.  The
expected response is therefore not the same as what the Windows box
sends, so authentication fails.

  As to how to fix it?  I'm not sure.  The Windows box appears to be
doing something odd, and I don't know why.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
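Alan's point above, and Josh's note earlier on the page about non-ASCII passwords, both come down to what feeds the MS-CHAPv2 response. As an added illustration that is not part of this thread, of FreeRADIUS or of Samba, the following Python computes the two inputs defined in RFC 2759: the 8-byte challenge hash (SHA-1 over peer challenge, authenticator challenge and user name, so `testuser` and `DOMAIN\testuser` hash differently unless the domain prefix is stripped as the RFC says) and the NT password hash (MD4 over the UTF-16LE password, which is where a wrong character encoding changes the hash). The final step that turns these into the 24-byte `--nt-response` value seen in the debug output, three DES encryptions of the challenge hash under keys cut from the zero-padded NT hash, is described in a comment but not computed, since DES is not in the Python standard library. The MD4 routine is included because `hashlib` lacks it on many builds. All challenge bytes and passwords are constructed sample values; `nt_hash_from_utf8_bytes` is a hypothetical mis-encoding used only to show the effect, not a description of the actual FreeRADIUS bug.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Implemented here because hashlib's MD4 is missing on
    builds without OpenSSL's legacy provider."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = _lrot((a + fn(b, c, d) + x[k] + const) & MASK32, s)
                elif i % 4 == 1:
                    d = _lrot((d + fn(a, b, c) + x[k] + const) & MASK32, s)
                elif i % 4 == 2:
                    c = _lrot((c + fn(d, a, b) + x[k] + const) & MASK32, s)
                else:
                    b = _lrot((b + fn(c, d, a) + x[k] + const) & MASK32, s)
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    # RFC 2759 section 8.3: MD4 over the password as UTF-16LE ("Unicode") octets.
    # This is the hash AD holds and the NT_KEY that ntlm_auth --request-nt-key returns.
    return md4(password.encode("utf-16-le"))


def nt_hash_from_utf8_bytes(password: str) -> bytes:
    # Hypothetical mis-encoding for illustration only: each UTF-8 byte widened to
    # 16 bits instead of encoding the characters. Identical to nt_password_hash for
    # ASCII, different as soon as a non-ASCII character is present.
    widened = b"".join(bytes([byte, 0]) for byte in password.encode("utf-8"))
    return md4(widened)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 section 8.2: SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    # This 8-byte value is what the debug output shows as --challenge=...; the user
    # name is an input, so client and server must agree on its exact form.
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()
    return digest[:8]


def strip_domain(username: str) -> str:
    # RFC 2759 excludes a prepended domain from the challenge hash; this applies that rule.
    return username.rsplit("\\", 1)[-1]


def compare_username_forms(peer: bytes, auth: bytes) -> dict:
    # Shows Alan's hypothesis numerically: "testuser" and "DOMAIN\\testuser" give
    # different challenge hashes, so the DES step (NT-Response = DES_k1(CH) ||
    # DES_k2(CH) || DES_k3(CH), with k1..k3 the three 7-byte slices of the 21-byte
    # zero-padded NT hash; not computed here) would produce a response AD rejects.
    return {
        "bare": challenge_hash(peer, auth, "testuser").hex(),
        "prefixed": challenge_hash(peer, auth, "DOMAIN\\testuser").hex(),
        "prefixed_stripped": challenge_hash(peer, auth, strip_domain("DOMAIN\\testuser")).hex(),
    }


if __name__ == "__main__":
    peer = bytes(range(16))          # constructed 16-byte peer challenge
    auth = bytes(range(16, 32))      # constructed 16-byte authenticator challenge
    print(compare_username_forms(peer, auth))
    print(nt_password_hash("password").hex())          # well-known NT hash of "password"
    print(nt_hash_from_utf8_bytes("pässword").hex() == nt_password_hash("pässword").hex())
```

The practical check this supports is the one Alan recommends: paste the failing and succeeding `ntlm_auth` lines from the debug output into a shell and compare, and if the challenge hash or NT hash inputs differ between the two login modes (user-name form, or encoding of a non-ASCII password), the 24-byte response can never match what Active Directory computes.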


Re: PEAP+MSCHAP+AD (please help)

2006-12-08 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

Hi there, this is an old issue, but AFAIAC hasn't been solved yet, that's why 
I'm asking for help with this problem which is driving me crazy.


In the first attempt the user has checked the option Automatically use my Windows 
logon name and password (and domain if any), user account is valid in the domain 
and is not locked out, however user authentication fails.

In the next attempt the user has unchecked this option, so every time he connects 
to the network he has to type his credentials in. After clicking Connect he gets 
access. 


Why, if Windows sends the same user information, is the user able to get in 
only in the latter case?

Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN 
--username=testuser --challenge=c61ad7019723b68d 
--nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785
Exec-Program output: Logon failure (0xc06d) 
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1

  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 7


It failed because the client returned the wrong challenge


Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN 
--username=testuser --challenge=aea3ef9fe78f8ac2 
--nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d
Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF 
Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF 
Exec-Program: returned: 0

  modcall[authenticate]: module mschap returns ok for request 16
modcall: leaving group MS-CHAP (returns ok) for request 16
MSCHAP Success 


Whereas that worked.

It looks to me as if you've edited the debug output so I can't be sure, 
but I'd suggest looking at the client - the radius server is configured 
correctly. Perhaps the client is not in fact logging on to the laptop 
with the correct username and password.