RE: MS-CHAP failing?

2010-10-12 Thread Mark Holmes
Alan,

Well spotted! - yes there was a bit missing from the end of that line in mschap 
- response=%{mschap:NT-Response:-00}"  'Twas indeed a cut-and-paste error.

Thanks very much - it now works!

Cheers,

Mark


-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Alan Buxey
Sent: 12 October 2010 15:04
To: FreeRadius users mailing list
Subject: Re: MS-CHAP failing?

Hi,

> my /modules/ntlm_auth looks like this:-
> 
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key 
> --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }

I'd hope it doesn't look like that - fix the /path/to bit to give it the proper 
details.

> and modules/mschap looks like this
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
> --username=%{mschap:User-Name:-None} 
> --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} 
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response$
> }

and that entry looks a little broken too - ending in $ - a cut and paste issue?

> Sending Access-Challenge of id 5 to 192.168.30.1 port 1162
> EAP-Message = 
> 0x0106004119001403010001011603010030f615a58846d51361b77eab5683e34a0a744f3af094b2c5478a0a1042f89c4f48d3f71abaae4bd259922300d95ae0bfb4
> Message-Authenticator = 0x
> State = 0xbc7efc4cb978e53c4bf33c60bc849290
> Finished request 11.

and waiting and challenging: what client are you using? This looks like a
Windows client that doesn't have the RADIUS CA installed on it

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: MS-CHAP failing?

2010-10-12 Thread Mark Holmes
Stephen,

Thanks for this.

Actually I messed up - my ntlm_auth looks like this (which I think is correct)

exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key 
--domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

The /path/to/ntlm_auth line is commented out in my config.

Cheers

Mark




-Original Message-
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Sallee, Stephen (Jake)
Sent: 12 October 2010 15:03
To: FreeRadius users mailing list
Subject: RE: MS-CHAP failing?

Just checking, but you did see the problem in the following line of config,
right?

>exec ntlm_auth {
>  wait = yes
>program = ***"/PATH/TO/NTLM_AUTH *** --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
-->password=%{User-Password}"
>}

I understand if you left it out on purpose but this code WILL NOT work
in production ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?

OK, getting somewhere, but still won't let me connect.  I can't see in
the debug output why it fails.

I'm trying to authenticate against AD, using PEAP-MSCHAPv2

I have checked ntlm_auth is working by

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser
--password=password

and I get (NT_STATUS_OK)

my /modules/ntlm_auth looks like this:-

exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
}


and modules/mschap looks like this

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response$
}


In the debug output I can see this - should authentication realm = LOCAL
as below?

[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
"testu...@mydomain.ox.ac.uk"
[suffix] Found realm "mydomain.ox.ac.uk"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "mydomain.ox.ac.uk"
[suffix] Authentication realm is LOCAL.


When I paste the debug into the checker it highlights this:-

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.

But not sure I need to worry about that as I'm not doing PAP

Can't see anything else in there indicating a problem, but when I try to
connect a device (my iPhone) it just returns a 'cannot connect to'
message

What am I missing?  No doubt something obvious


Debug output


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /e

Re: MS-CHAP failing?

2010-10-12 Thread Alan Buxey
Hi,

> my /modules/ntlm_auth looks like this:-
> 
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key 
> --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }

I'd hope it doesn't look like that - fix the /path/to bit to give it the proper 
details.

> and modules/mschap looks like this
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
> --username=%{mschap:User-Name:-None} 
> --domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} 
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response$
> }

and that entry looks a little broken too - ending in $ - a cut and paste issue?

> Sending Access-Challenge of id 5 to 192.168.30.1 port 1162
> EAP-Message = 
> 0x0106004119001403010001011603010030f615a58846d51361b77eab5683e34a0a744f3af094b2c5478a0a1042f89c4f48d3f71abaae4bd259922300d95ae0bfb4
> Message-Authenticator = 0x
> State = 0xbc7efc4cb978e53c4bf33c60bc849290
> Finished request 11.

and waiting and challenging: what client are you using? This looks like a
Windows client that doesn't have the RADIUS CA installed on it

alan

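Both defects pointed out in this thread (Alan's: the mschap ntlm_auth line cut off at `NT-Response$`, and Jake's: the `/path/to/ntlm_auth` placeholder left in the exec module) are the kind of thing a small config lint catches before the server is restarted and a client is sent round the PEAP loop again. The script below is an added example for this thread, not code from the FreeRADIUS project or from any poster. The argument lists it checks against and the sample inputs are constructed from the two config lines quoted above; the expansion grammar it accepts is only the `%{...}` and `%{...:-default}` forms seen on this page, including the nested `%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}`.

```python
"""Lint a FreeRADIUS 2.x ntlm_auth command string for the defects seen in this
thread: an unterminated %{...} expansion left by a cut-and-paste, a stray "}",
and a "/path/to/..." placeholder still in the program path.

Added example for the mailing-list thread, not FreeRADIUS project code. The
argument lists below are taken from the two config lines quoted on the page.
"""

# Arguments the mschap module's ntlm_auth line on this page passes (challenge/response mode).
MSCHAP_ARGS = ("--request-nt-key", "--username=", "--domain=", "--challenge=", "--nt-response=")
# Arguments the exec ntlm_auth module's line on this page passes (plaintext-password mode).
EXEC_ARGS = ("--request-nt-key", "--domain=", "--username=", "--password=")


def find_expansions(xlat):
    """Scan an xlat string for %{...} expansions.

    Returns (expansions, errors): expansions is a list of (depth, text), where
    depth 0 is a top-level expansion and 1+ is nested, as in
    %{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}; errors describes unbalanced braces.
    """
    stack = []        # offsets of the "%{" openers not yet closed
    expansions = []
    errors = []
    i = 0
    while i < len(xlat):
        if xlat.startswith("%{", i):
            stack.append(i)
            i += 2
            continue
        if xlat[i] == "}":
            if not stack:
                errors.append("stray '}' at offset %d with no matching '%%{'" % i)
            else:
                start = stack.pop()
                expansions.append((len(stack), xlat[start:i + 1]))
        i += 1
    for start in stack:
        errors.append("unterminated expansion at offset %d: %r" % (start, xlat[start:]))
    return expansions, errors


def lint_ntlm_auth_line(xlat, required=MSCHAP_ARGS):
    """Return {"errors": [...], "warnings": [...]} for one ntlm_auth command string.

    Errors: unbalanced braces, a placeholder program path, a missing argument.
    Warnings (heuristic): a top-level expansion with no :-default, which
    expands to an empty string when the attribute is absent from the request.
    """
    expansions, errors = find_expansions(xlat)
    warnings = []
    words = xlat.split()
    program = words[0] if words else ""
    if "/path/to" in program.lower():
        errors.append("program path is still the placeholder %r" % program)
    for arg in required:
        if arg not in xlat:
            errors.append("missing argument %s" % arg)
    for depth, text in expansions:
        if depth == 0 and ":-" not in text:
            warnings.append("%s has no :-default; it expands to an empty string if the attribute is absent" % text)
    return {"errors": errors, "warnings": warnings}


# Constructed inputs reproducing the lines quoted in the thread (joined onto one line).
BROKEN_MSCHAP = (
    "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} "
    "--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE} --challenge=%{mschap:Challenge:-00} "
    "--nt-response=%{mschap:NT-Response$"
)
FIXED_MSCHAP = BROKEN_MSCHAP.replace("%{mschap:NT-Response$", "%{mschap:NT-Response:-00}")
PLACEHOLDER_EXEC = (
    "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN "
    "--username=%{mschap:User-Name} --password=%{User-Password}"
)

if __name__ == "__main__":
    for name, line, args in (("mschap (as pasted)", BROKEN_MSCHAP, MSCHAP_ARGS),
                             ("mschap (fixed)", FIXED_MSCHAP, MSCHAP_ARGS),
                             ("exec ntlm_auth", PLACEHOLDER_EXEC, EXEC_ARGS)):
        result = lint_ntlm_auth_line(line, args)
        print("%s: %d error(s), %d warning(s)" % (name, len(result["errors"]), len(result["warnings"])))
        for msg in result["errors"] + result["warnings"]:
            print("  " + msg)
```

Run against the pasted mschap line it reports the unterminated `%{mschap:NT-Response$` expansion and nothing else; against the corrected line it reports nothing; against the exec line it reports the placeholder path, plus two advisory notes that `%{mschap:User-Name}` and `%{User-Password}` carry no `:-default` (that is how the stock exec module line is written, so those are informational, not a fault). The brace scan is deliberately simple: it tracks only `%{` and `}` and leaves any other text, including a trailing `$`, alone.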

RE: MS-CHAP failing?

2010-10-12 Thread Sallee, Stephen (Jake)
Just checking, but you did see the problem in the following line of config,
right?

>exec ntlm_auth {
>  wait = yes
>program = ***"/PATH/TO/NTLM_AUTH *** --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
-->password=%{User-Password}"
>}

I understand if you left it out on purpose but this code WILL NOT work
in production ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?

OK, getting somewhere, but still won't let me connect.  I can't see in
the debug output why it fails.

I'm trying to authenticate against AD, using PEAP-MSCHAPv2

I have checked ntlm_auth is working by

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser
--password=password

and I get (NT_STATUS_OK)

my /modules/ntlm_auth looks like this:-

exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
}


and modules/mschap looks like this

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response$
}


In the debug output I can see this - should authentication realm = LOCAL
as below?

[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
"testu...@mydomain.ox.ac.uk"
[suffix] Found realm "mydomain.ox.ac.uk"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "mydomain.ox.ac.uk"
[suffix] Authentication realm is LOCAL.


When I paste the debug into the checker it highlights this:-

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.

But not sure I need to worry about that as I'm not doing PAP

Can't see anything else in there indicating a problem, but when I try to
connect a device (my iPhone) it just returns a 'cannot connect to'
message

What am I missing?  No doubt something obvious


Debug output


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expr
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb