Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-25 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 I'm still not seeing it.

  If it's listed in the authorize section, it will be printed out in
debugging mode.

  Are you willing to provide debug logs?

 Let's start over. What is the best way of authenticating users to an
 NT domain over PEAP? Am I even on the right track?

  ntlm_auth.

  It works, and other people have gotten it to work.  The issue now
becomes poking your configuration so that it works.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 Yes, I am using the ntdomain realm. However, I do not see it show up in
 the debugging output. Do I need to do anything other than list
 ntdomain in the 'authorize' section to make freeradius use it?

  If it's listed there, you should see it printed out in debugging mode.

  Try listing it immediately after preprocess, and double-checking
the debug output.

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Hand, Chris
I'm still not seeing it.

Let's start over. What is the best way of authenticating users to an NT
domain over PEAP? Am I even on the right track?

Chris Hand



Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Paul Bender
Did you cut and paste or type the lines from your config file? According
to the config file, ntlm_auth has the argument '--challence', but the
debug output has the argument '--challenge'.

Hand, Chris wrote:
I am trying to set up 802.1x on our network and I would like the users
to be able to use their current Active Directory credentials.
I need the AD domain to be stripped from the username so that I can feed
it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003
server.
Here is part of my config file.
modules {
  realm ntdomain {
    format = prefix
    delimiter = \\
    ignore_default = no
    ignore_null = no
  }

  eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes
    tls {
      private_key_password = whatever
      private_key_file = ${raddbdir}/certs/cert-srv.pem
      certificate_file = ${raddbdir}/certs/cert-srv.pem
      CA_file = ${raddbdir}/certs/demoCA/cacert.pem
      dh_file = ${raddbdir}/certs/dh
      random_file = ${raddbdir}/certs/random
      fragment_size = 1024
      include_length = yes
    }
    peap {
      default_eap_type = mschapv2
    }
    mschapv2 {
    }
  }

  mschap {
    authtype = MS-CHAP
    with_ntdomain_hack = no
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MI --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
}

authorize {
  preprocess
  ntdomain
  eap
  files
}

authenticate {
  Auth-Type MS-CHAP {
    mschap
  }
  eap
}
From the debug output:
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
--username= --challenge=3d66c96d9aa150e6
--nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1

If I try ntlm_auth manually, it works fine:
[EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key --domain=MI --username=chand
password:
NT_STATUS_OK: Success (0x0)

Has anyone successfully used freeradius to authenticate against Active
Directory (Windows 2003)?
Chris Hand 
Network Engineer
[EMAIL PROTECTED]


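As an added illustration (not code from the thread or from FreeRADIUS itself), the Python model below reproduces the `realm ntdomain` prefix split and the `%{...}` expansion of the ntlm_auth line, showing how `--username=` comes out empty when Stripped-User-Name was never set. The rule that rlm_realm only adds Stripped-User-Name for a realm it knows (or when a DEFAULT realm exists) is my reading of FreeRADIUS 1.x and an assumption here; all usernames, realm lists and MS-CHAP values are constructed samples.

```python
# Added model of FreeRADIUS 1.x rlm_realm (format = prefix, delimiter = \\)
# and of the ntlm_auth command-line expansion from the thread. Not FreeRADIUS
# code; the realm-lookup behaviour is an assumption, all values are constructed.
import shlex

def check_for_realm(user_name, known_realms, delimiter="\\", ignore_null=False):
    """Return the attributes rlm_realm would add, or {} when it returns noop."""
    idx = user_name.find(delimiter)
    if idx < 0:
        if ignore_null:                       # ignore_null = yes: do nothing
            return {}
        realm_name, stripped = "NULL", user_name   # no delimiter: NULL realm
    else:                                     # prefix format: REALM<delim>user
        realm_name = user_name[:idx]
        stripped = user_name[idx + len(delimiter):]
    # Assumption: an unknown realm (and no DEFAULT) logs "No such realm"
    # and the module returns noop, so Stripped-User-Name is never created.
    if realm_name not in known_realms and "DEFAULT" not in known_realms:
        return {}
    return {"Realm": realm_name, "Stripped-User-Name": stripped}

def expand(template, attrs):
    """Minimal %{Name:-default} expansion; an unset Name with no default is ''."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = template.index("}", i)
            name, _, default = template[i + 2:j].partition(":-")
            out.append(attrs.get(name, default))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# The ntlm_auth line as configured in the thread (module xlats kept as names).
NTLM_AUTH = ("/usr/bin/ntlm_auth --request-nt-key --domain=MI "
             "--username=%{Stripped-User-Name} "
             "--challenge=%{mschap:Challenge:-00} "
             "--nt-response=%{mschap:NT-Response:-00}")

def ntlm_auth_argv(user_name, known_realms, mschap_attrs):
    """argv FreeRADIUS would exec after the realm module ran on user_name."""
    attrs = dict(mschap_attrs)
    attrs.update(check_for_realm(user_name, known_realms))
    return shlex.split(expand(NTLM_AUTH, attrs))

if __name__ == "__main__":
    sample = {"mschap:Challenge": "3d66c96d9aa150e6",      # constructed
              "mschap:NT-Response": "c97090b4f7aeeac3"}     # constructed
    print(ntlm_auth_argv("MI\\chand", {"MI"}, sample))    # --username=chand
    print(ntlm_auth_argv("MI\\chand", set(), sample))     # --username=
```

Compare the two printed lines with the `Exec-Program:` line in the debug output: the empty `--username=` is exactly what a realm module that never matched its realm produces.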


RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I retyped the config. That is a typo. It should be '--challenge'.

-Chris


Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI
  --username= --challenge=3d66c96d9aa150e6
  --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)

  Where's the username?

  Alan DeKok.



RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Exactly... The username is not getting fed into ntlm_auth. It seems that
the stripping of the domain from the username is not working. If I use 
--username=%{User-Name}, then it feeds 'MI\\chand' to ntlm_auth.

-Chris Hand



Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote:
 Exactly... The username is not getting fed into ntlm_auth. It seems that
 the stripping of the domain from the username is not working.

  Are you using the ntdomain realm, as given in radiusd.conf?

  Are you running it in debugging mode, to see that the ntdomain
realm is working?

  Alan DeKok.




RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Yes, I am using the ntdomain realm. However, I do not see it show up in
the debugging output. Do I need to do anything other than list
ntdomain in the 'authorize' section to make freeradius use it?

Chris Hand
