RE: MS-CHAP failing?
Alan,

Well spotted! - yes there was a bit missing from the end of that line in mschap -

    response=%{mschap:NT-Response:-00}"

Twas indeed a cut-and-paste error. Thanks very much - it now works!

Cheers,
Mark

-----Original Message-----
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 12 October 2010 15:04
To: FreeRadius users mailing list
Subject: Re: MS-CHAP failing?

Hi,

> my /modules/ntlm_auth looks like this:-
>
> exec ntlm_auth {
>     wait = yes
>     program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }

I'd hope it doesn't look like that - fix the /path/to bit to give it the proper details.

> and modules/mschap looks like this
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response$
> }

and that entry looks a little broken too - ending in $ - a cut and paste issue?

> Sending Access-Challenge of id 5 to 192.168.30.1 port 1162
>     EAP-Message = 0x0106004119001403010001011603010030f615a58846d51361b77eab5683e34a0a744f3af094b2c5478a0a1042f89c4f48d3f71abaae4bd259922300d95ae0bfb4
>     Message-Authenticator = 0x
>     State = 0xbc7efc4cb978e53c4bf33c60bc849290
> Finished request 11.

and waiting and challenging

what client are you using? this looks like a windows client that doesn't have the RADIUS CA installed on it

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
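The fault Alan spotted is a truncated %{...} expansion, which FreeRADIUS only reports once the module is run. As an added check that is not part of this thread, the following script lints an ntlm_auth command string for unbalanced expansions and for references without a ":-default"; BROKEN and FIXED are constructed samples mirroring the line before and after the fix.

```python
# Added check, not from the thread: lint a FreeRADIUS exec/ntlm_auth string
# for unbalanced %{...} expansions and references with no ':-default'.
# BROKEN mirrors the truncated line from the original post; FIXED is that
# line as completed in the final reply (both constructed here as samples).
BROKEN = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} "
          "--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} "
          "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response$")
FIXED = BROKEN[:-1] + ":-00}"


def scan_xlats(line):
    """Return (refs, errors): refs maps each %{...} expansion to True when it,
    or an expansion enclosing it, carries a ':-default'; errors lists brace
    problems such as an unterminated %{ or a stray }."""
    stack = []    # open expansions as [start_index, text_at_own_level]
    closed = []   # (start, end, text_at_own_level) for finished expansions
    errors = []
    i = 0
    while i < len(line):
        if line.startswith("%{", i):
            stack.append([i, ""])
            i += 2
            continue
        if line[i] == "}":
            if stack:
                start, own = stack.pop()
                closed.append((start, i + 1, own))
            else:
                errors.append(f"stray '}}' at offset {i}")
        elif stack:
            stack[-1][1] += line[i]   # text belongs to the innermost open expansion
        i += 1
    for start, _ in stack:
        errors.append(f"unterminated expansion at offset {start}: {line[start:]!r}")
    refs = {}
    for start, end, own in closed:
        outer = [c for c in closed if c[0] < start and c[1] > end]
        refs[line[start:end]] = ":-" in own or any(":-" in c[2] for c in outer)
    return refs, errors


def check_ntlm_auth_line(line):
    """Return findings for `line`; an empty list means nothing was flagged."""
    refs, errors = scan_xlats(line)
    findings = list(errors)
    for ref, has_default in refs.items():
        if not has_default:
            findings.append(f"{ref} has no default, so ntlm_auth may get an empty argument")
    return findings
```

Run check_ntlm_auth_line() over the value of the ntlm_auth setting before a restart; the broken sample reports the unterminated NT-Response expansion, the fixed one reports nothing.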
RE: MS-CHAP failing?
Stephen,

Thanks for this. Actually I messed up - my ntlm_auth looks like this (which I think is correct):

    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
    }

The /path/to/ntlm_auth line is commented out in my config.

Cheers
Mark

-----Original Message-----
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
Sent: 12 October 2010 15:03
To: FreeRadius users mailing list
Subject: RE: MS-CHAP failing?

Just checking, but you did see the problem in the following line of config, right?

> exec ntlm_auth {
>     wait = yes
>     program = ***"/PATH/TO/NTLM_AUTH *** --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }

I understand if you left it out on purpose but this code WILL NOT work in production ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?

OK, getting somewhere, but still won't let me connect. I can't see in the debug output why it fails.

I'm trying to authenticate against AD, using PEAP-MSCHAPv2. I have checked ntlm_auth is working by

    ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser --password=password

and I get (NT_STATUS_OK).

my /modules/ntlm_auth looks like this:-

    exec ntlm_auth {
        wait = yes
        program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
    }

and modules/mschap looks like this

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response$
    }

In the debug output I can see this - should authentication realm = LOCAL as below?

    [suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name = "testu...@mydomain.ox.ac.uk"
    [suffix] Found realm "mydomain.ox.ac.uk"
    [suffix] Adding Stripped-User-Name = "testuser"
    [suffix] Adding Realm = "mydomain.ox.ac.uk"
    [suffix] Authentication realm is LOCAL.

When I paste the debug into the checker it highlights this:-

    [pap] WARNING! No "known good" password found for the user.
    Authentication may fail because of this.

But not sure I need to worry about that as I'm not doing PAP.

Can't see anything else in there indicating a problem, but when I try to connect a device (my iPhone) it just returns a 'cannot connect to' message.

What am I missing? No doubt something obvious.

Debug output

    FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...