PEAP-MSCHAPv2 against AD
I'm trying to do PEAP-MSCHAPv2 with authentication against an AD. Currently I have the following problem: when the domain is in the username the authentication fails; if the domain name isn't in the authentication, the authentication succeeds.

I'm using the following ntlm_auth line in radiusd.conf:

    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=%{mschap:NT-Domain:-IMZ}

with_ntdomain_hack = yes is enabled in the mschap {} section.

Output from shell:

    radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key --username=IMZ\\beheerder --challenge=e456e008c25a9ac7 --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=IMZ
    Logon failure (0xc06d)
    radius1:/etc/freeradius# /usr/bin/ntlm_auth --request-nt-key --username=beheerder --challenge=e456e008c25a9ac7 --nt-response=28e9d997b30267a36af64a4fcb530cd6b08f1141c09bc580 --require-membership-of=S-1-5-21-3816208617-2573269785-2633524980-1134 --domain=IMZ
    NT_KEY: EB23807FB13B1CAB06F4F0BBE5C199D0

Debugging information (with a different user):

    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 252
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/peap
    rlm_eap: processing type peap
    rlm_eap_peap: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
    rlm_eap_peap: EAPTLS_OK
    rlm_eap_peap: Session established. Decoding tunneled attributes.
    rlm_eap_peap: EAP type mschapv2
    rlm_eap_peap: Tunneled data is valid.
    PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020800471a0208004231f622919de18b1fdab0ca9902b9729d491337f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
    PEAP: Setting User-Name to IMZ\jonathan
    PEAP: Adding old state with 8f f9
    PEAP: Sending tunneled request
        EAP-Message = 0x020800471a0208004231f622919de18b1fdab0ca9902b9729d491337f654a247b82ba252becd3320cdd94974567666fa081800494d5a5c6a6f6e617468616e
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = IMZ\\jonathan
        State = 0x8ff913e6997d7ca8d6a9b4832ff5c931
        NAS-IP-Address = 194.8.52.161
        Connect-Info = CONNECT 802.11
        Called-Station-Id = 000fb5df0524
        Calling-Station-Id = 004096ab4eed
        NAS-Identifier = ap
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 4
        NAS-Port-Id = 4
        Framed-MTU = 1400
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 252
    modcall[authorize]: module preprocess returns ok for request 252
    modcall[authorize]: module attr_filter returns noop for request 252
    modcall[authorize]: module chap returns noop for request 252
    modcall[authorize]: module mschap returns noop for request 252
    modcall[authorize]: module digest returns noop for request 252
    rlm_realm: No '@' in User-Name = IMZ\jonathan, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 252
    rlm_eap: EAP packet type response id 8 length 71
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 252
    modcall[authorize]: module files returns notfound for request 252
    radius_xlat: 'IMZ\\jonathan'
    rlm_sql (sql): sql_set_user escaped user -- 'IMZ\\jonathan'
    radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'IMZ\\\\jonathan' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): User IMZ\\jonathan not found in radcheck
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'IMZ\\\\jonathan' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'IMZ\\\\jonathan' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): User IMZ\\jonathan not found in radgroupcheck
    rlm_sql (sql): Released sql socket id: 3
    rlm_sql (sql): User not found
    modcall[authorize]: module sql returns notfound for request 252
    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    modcall[authorize]: module validfromlogin returns noop for request 252
    rlm_sqlcounter: Entering module authorize code
    rlm_sqlcounter: Could not find Check item value pair
    modcall[authorize]: module
RE: PEAP-MSCHAPv2 against AD
Never mind, found the solution as:

    ntlm_auth --username=%{mschap:User-Name} --foobar

J.

--
Jonathan De Graeve
Network/System Engineer
Imelda vzw
Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-----Original message-----
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On behalf of Jonathan De Graeve
Sent: Monday 25 September 2006 17:34
To: FreeRadius users mailing list
Subject: PEAP-MSCHAPv2 against AD

[quoted original post omitted; see above]
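As an added example (not code from this thread or from FreeRADIUS), the Python below emulates what the `%{mschap:NT-Domain}` and `%{mschap:User-Name}` expansions produce for a `DOMAIN\user` login, builds the ntlm_auth argument vector the way the corrected configuration does, and parses ntlm_auth's reply. The helper names are assumptions; the group SID, challenge/response values and the two sample replies are the ones quoted in the thread.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Values taken from the thread's configuration and shell transcript.
GROUP_SID = "S-1-5-21-3816208617-2573269785-2633524980-1134"
DEFAULT_DOMAIN = "IMZ"


def split_nt_name(user_name: str, default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str]:
    """Emulate %{mschap:NT-Domain} / %{mschap:User-Name}: a DOMAIN\\user login
    is split at the first backslash; a bare user name gets the default domain.
    (Assumption: only the backslash form is handled, as in the thread.)"""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return default_domain, user_name
    return domain, user


def ntlm_auth_argv(user_name: str, challenge: str, nt_response: str,
                   group_sid: str = GROUP_SID) -> List[str]:
    """Build the ntlm_auth command with the domain stripped from --username.
    The original config passed the whole User-Name (IMZ\\jonathan) together
    with --domain=IMZ, which ntlm_auth answered with 'Logon failure'."""
    domain, user = split_nt_name(user_name)
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key",
        f"--username={user}",
        f"--challenge={challenge}",
        f"--nt-response={nt_response}",
        f"--require-membership-of={group_sid}",
        f"--domain={domain}",
    ]


# ntlm_auth prints "NT_KEY: <32 hex digits>" on success, "Logon failure (...)" otherwise.
NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE)


def parse_ntlm_auth_output(output: str) -> Optional[str]:
    """Return the NT_KEY on success, None on any failure line."""
    match = NT_KEY_RE.search(output)
    return match.group(1).upper() if match else None


def run_ntlm_auth(argv: List[str]) -> Optional[str]:
    """Run ntlm_auth (requires Samba winbind on the host) and parse its reply."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_ntlm_auth_output(proc.stdout)
```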
RE: PEAP-MSCHAPv2 against AD
> Login incorrect: [IMZ\\jonathan/no User-Password attribute] (from

Do you have:

    realm IMZ {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
    }

in your proxy.conf file?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP-MSCHAPv2 against AD
Hi,

> When the domain is in the username the authentication fails, if the domainname isn't in the authentication the authentication succeeds. I'm using the following ntlm_auth line in radiusd.conf:

You need to deal with your prefix (IMZ\\) - check the prefix section of the radiusd config - and make sure prefix is enabled in the auth sections. This should help deal with this issue.

alan
RE: PEAP-MSCHAPv2 against AD
> > Login incorrect: [IMZ\\jonathan/no User-Password attribute] (from
>
> Do you have:
>
>     realm IMZ {
>         type     = radius
>         authhost = LOCAL
>         accthost = LOCAL
>     }
>
> in your proxy.conf file?

You don't need the realm (I already tried that one and that didn't work).