Re: Problem with MSCHAP and Freeradius authentication
NdK wrote:
> On 20/01/2012 21:46, Alan DeKok wrote:
>> Yeah, I've gone and fixed that. git is nice for updating web pages.
> Still there's "Then, fine the mschap module." s/fine/find/ :)

Fixed, thanks.

> BTW, in a real AD setup, with AD servers used as DNS, there should be no need to set up /etc/krb5.conf: samba can auto-detect the needed settings.

OK. Not everyone does that, but it's good to know.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with MSCHAP and Freeradius authentication
Thanks ndk and alan, I'll give it a fresh try on the testbed. I have already deleted the DEFAULT entry from the users file and updated mschap as indicated.

I think what might be forcing NTLM_AUTH is an entry which I made to the authorize section of the default file, after which ntlm_auth started to work for me:

    if (!control:Auth-Type) {
        update control {
            Auth-Type = ntlm_auth
        }
    }

I'll try removing the same and then need to see how the mschap thing will work. Would appreciate it if you could point me to a further howto on the same. I aim to connect an EAP client through RADIUS without the use of certificates, for which MSCHAP seems to be an option. I think I'll write a howto or add a wiki entry if I can make it work fine.

regards
Dhiraj Gaur

On Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok <al...@deployingradius.com> wrote:
> NdK wrote:
>>> The radclient program has since been updated.
>> Then it could be better to update that page, since it's the reference for all newbies that try to make it work.
>
> Yeah, I've gone and fixed that. git is nice for updating web pages.
>
>> "It *should* work" is more correct :( There still are many things that can go wrong.
>
> If it doesn't work, the web pages explain which part to blame. 99% of the time, it's a bug in someone else's software.
>
> Alan DeKok.

--
Regards
Dhiraj Gaur
Re: Problem with MSCHAP and Freeradius authentication
Hi

I did my tests and after removing that custom block of the authorize section the following is the output.

rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, length=57
        User-Name = 01546
        User-Password =
        NAS-IP-Address = 192.168.0.99
        NAS-Port = 0
Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[chap] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [suffix] No '@' in User-Name = 01546, looking up realm NULL
Sat Jan 21 19:21:08 2012 : Info: [suffix] No such realm NULL
Sat Jan 21 19:21:08 2012 : Info: ++[suffix] returns noop
Sat Jan 21 19:21:08 2012 : Info: [eap] No EAP-Message, not doing EAP
Sat Jan 21 19:21:08 2012 : Info: ++[eap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=01546
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth] expand: --password=%{User-Password} -> --password=x
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program output: NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program: returned: 0
Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[expiration] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[logintime] returns noop
Sat Jan 21 19:21:08 2012 : Info: [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop
Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sat Jan 21 19:21:08 2012 : Info: Failed to authenticate the user.
Sat Jan 21 19:21:08 2012 : Info: Using Post-Auth-Type Reject
Sat Jan 21 19:21:08 2012 : Info: +- entering group REJECT {...}
Sat Jan 21 19:21:08 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01546
Sat Jan 21 19:21:08 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11

So this means that ntlm_auth is still working fine, but some access control triggers the Access-Reject. I am still directionless as to where I should head next, I mean how to make that EAP client and MSCHAP authentication work. Would appreciate it if I could get some handy quick and dirty list of works to do next OR some URL/mailing list entry etc. which explains the same. I am reading a FreeRadius book (Packt Publishing) which just might help.

Regards
Dhiraj Gaur

On Sat, Jan 21, 2012 at 7:12 PM, Dhiraj Gaur <dhiraj.g...@gmail.com> wrote:
> Thanks ndk and alan, I'll give it a fresh try on the testbed. I have already deleted the DEFAULT entry from the users file and updated mschap as indicated.
>
> I think what might be forcing NTLM_AUTH is an entry which I made to the authorize section of the default file, after which ntlm_auth started to work for me:
>
>     if (!control:Auth-Type) {
>         update control {
>             Auth-Type = ntlm_auth
>         }
>     }
>
> I'll try removing the same and then need to see how the mschap thing will work. Would appreciate it if you could point me to a further howto on the same. I aim to connect an EAP client through RADIUS without the use of certificates, for which MSCHAP seems to be an option. I think I'll write a howto or add a wiki entry if I can make it work fine.
>
> regards
> Dhiraj Gaur
>
> On Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok <al...@deployingradius.com> wrote:
>> NdK wrote:
>>>> The radclient program has since been updated.
>>> Then it could be better to update that page, since it's the reference for all newbies that try to make it work.
>>
>> Yeah, I've gone and fixed that. git is nice for updating web pages.
>>
>>> "It *should* work" is more correct :( There still are many things that can go wrong.
>>
>> If it doesn't work, the web pages explain which part to blame. 99% of the time, it's a bug in someone else's software.
>>
>> Alan DeKok.
>
> --
> Regards
> Dhiraj Gaur

--
Regards
Dhiraj Gaur
Re: Problem with MSCHAP and Freeradius authentication
On 20/01/2012 21:46, Alan DeKok wrote:
> Yeah, I've gone and fixed that. git is nice for updating web pages.

Uh... forgot... When using ntlm_auth with a password, --request-nt-key seems to have no effect. Tested in different distros.

BYtE,
 Diego.
Re: Problem with MSCHAP and Freeradius authentication
hi Fajar

I did read the replies as well as Alan's page. Being a newbie to FR I actually started with that only.

On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
> Did you REALLY read the replies sent to this list? Did you REALLY read Alan's page, http://deployingradius.com/documents/configuration/active_directory.html to the end?

The version of radtest on my system doesn't support the -t option, hence even after doing radtest -h I could not find anything. I settled for the jradius client to achieve the same effect already. Have tried upgrading the package but it's already the latest version.

> If yes, you'd know that:
> - radtest can send mschap request as well (see 'radtest -h')

The only changes I have done to the default config are in the inner tunnel or default file. Attaching the same if you may have a look. I have never blamed Alan that his recipe is flawed.

> - Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth', contains detailed instruction on how to make FR work with AD and pap. If you can't get it to work, that means you're doing something wrong. Probably editing some entries you shouldn't, since your ntlm_auth result is OK (which means samba + AD part is working correctly). It's perfectly fine to be creative and edit the config file as you see fit, but ONLY if you know what you're doing. If you're given a recipe, and choose to stray from it, and messed up, don't blame the guy who created the recipe.

The PAP thing is already working fine as I mentioned earlier and I have followed every bit of Alan's guide. Would redo the things again if it works.

> - Also on Alan's page, there's the section 'Configuring FreeRADIUS to use ntlm_auth for MS-CHAP'. That pretty much answers the last part of your question, but ONLY if you already got pap working properly.

Attaching the inner tunnel and default file, please go through the same and point out if something is amiss.

Default File
--

authorize {
    preprocess
    #auth_log
    chap
    mschap
    #digest
    #wimax
    #IPASS
    suffix
    #ntdomain
    eap {
        ok = return
    }
    #unix
    #files
    #sql
    ntlm_auth
    #etc_smbpasswd
    #ldap
    #checkval
    expiration
    logintime
    pap
    #if (!control:Auth-Type) {
    #    update control {
    #        Auth-Type = ntlm_auth
    #    }
    #}
    #Autz-Type Status-Server {
    #
    #}
}

authenticate {
    Auth-Type NTLM_AUTH {
        ntlm_auth
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    #digest
    #pam
    #unix
    #Auth-Type LDAP {
    #    ldap
    #}
    eap
    #Auth-Type eap {
    #    eap {
    #        handled = 1
    #    }
    #    if (handled && (Response-Packet-Type == Access-Challenge)) {
    #        attr_filter.access_challenge.post-auth
    #        handled  # override the updated code from attr_filter
    #    }
    #}
}

INNER TUNNEL FILE
--

server inner-tunnel {
    #listen {
    #    ipaddr = 127.0.0.1
    #    port = 18120
    #    type = auth
    #}
    authorize {
        chap
        mschap
        #unix
        #IPASS
        suffix
        #ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        #sql
        ntlm_auth
        #etc_smbpasswd
        #ldap
        #daily
        #checkval
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        #pam
        ntlm_auth
        #unix
        #Auth-Type LDAP {
        #    ldap
        #}
        eap
    }

--
Regards
Dhiraj Gaur
Re: Problem with MSCHAP and Freeradius authentication
Dhiraj Gaur wrote:
> The version of radtest on my system doesn't support the -t option, hence even after doing radtest -h I could not find anything.

Upgrade. It really helps.

Alan DeKok.
Re: Problem with MSCHAP and Freeradius authentication
On Sat, Jan 21, 2012 at 11:14 PM, Dhiraj Gaur <dhiraj.g...@gmail.com> wrote:
> The version of radtest on my system doesn't support the -t option, hence even after doing radtest -h I could not find anything. I settled for the jradius client to achieve the same effect already.

It doesn't really matter which client you use, IF you're familiar enough with it and know how to use it. However, your posted log still shows you use pap. So that either means:
- you don't know how to send an mschap request using that client, or
- you haven't got pap working correctly, or
- you don't know the difference between pap and mschap
- you posted the wrong debug output

Which is it?

> Have tried upgrading the package but it's already the latest version.

You could always compile from source, or build your own package. If you use debian or ubuntu my ppa has the latest stable freeradius version: https://launchpad.net/~freeradius/+archive/stable
Lucid version should fit debian installations just fine.

> The PAP thing is already working fine as I mentioned earlier and I have followed every bit of Alan's guide. Would redo the things again if it works.

I take your word for it.

>> - Also on Alan's page, there's the section 'Configuring FreeRADIUS to use ntlm_auth for MS-CHAP'. That pretty much answers the last part of your question, but ONLY if you already got pap working properly.
>
> Attaching the inner tunnel and default file, please go through the same and point out if something is amiss.

Re-read that section, and do what it says. If you do it correctly, AND send an mschap request (using whatever client you're familiar with), there should be NO debug line that says ntlm_auth with User-Password together. That's because mschap does NOT send the User-Password attribute, and the ntlm_auth line is adjusted accordingly per the instructions on the site.

If you STILL have problems after doing that, post the updated debug logs.

--
Fajar
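Fajar's point, that an MS-CHAP request never carries User-Password and that the debug output tells you which path actually ran, can be checked mechanically. The script below is an added example (my code, not FreeRADIUS's and not from anyone in this thread): it reads one request's `radiusd -X` output and reports why it ended the way it did. The first sample is constructed to mirror the PAP transcript Dhiraj posted above; the second is a constructed MS-CHAPv2 request with placeholder attribute values; the finding codes are names I chose.

```python
"""Added example, not FreeRADIUS code: explain from one request's `radiusd -X`
transcript why a PAP/MS-CHAP mix-up ends in Access-Reject.

For the request it answers three questions:
  1. which credential attributes the Access-Request carried;
  2. whether the `ntlm_auth` exec module was run with --password (the PAP
     path) and whether that fits the request;
  3. whether the authorize section finished without any Auth-Type being set.
"""
import re
from dataclasses import dataclass, field

# FreeRADIUS 2.x prefixes each debug line with "Sat Jan 21 19:21:08 2012 : Info: ".
PREFIX_RE = re.compile(r"^\w{3} \w{3}\s+\d+ [\d:]+ \d{4} : (?:Info|Debug|Error): ")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")
MODULE_RE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")
# "[ntlm_auth]  expand: --password=%{User-Password} -> --password=x"
NTLM_EXPAND_RE = re.compile(r"^\[ntlm_auth\]\s*expand: --[\w-]+=.*? -> (--[\w-]+=.*)$")


@dataclass
class Diagnosis:
    attributes: dict = field(default_factory=dict)      # Access-Request attributes
    modules: list = field(default_factory=list)         # (module, return code), in order
    ntlm_auth_args: list = field(default_factory=list)  # expanded exec-module arguments
    findings: list = field(default_factory=list)        # short codes explaining the outcome

    @property
    def is_mschap(self):
        return any(name.startswith("MS-CHAP") for name in self.attributes)


def diagnose(lines):
    d = Diagnosis()
    in_packet = False
    for raw in lines:
        line = PREFIX_RE.sub("", raw.rstrip("\n"))
        if line.startswith("rad_recv: Access-Request"):
            in_packet = True
            continue
        if in_packet:
            m = ATTR_RE.match(line)
            if m:
                d.attributes[m.group(1)] = m.group(2).strip()
                continue
            in_packet = False  # first non-attribute line ends the packet dump
        if m := MODULE_RE.match(line):
            d.modules.append((m.group(1), m.group(2)))
        elif m := NTLM_EXPAND_RE.match(line):
            d.ntlm_auth_args.append(m.group(1))
        elif "No known good password found" in line:
            d.findings.append("PAP_NO_KNOWN_GOOD_PASSWORD")
        elif "No authenticate method (Auth-Type) configuration found" in line:
            d.findings.append("NO_AUTH_TYPE")

    password_args = [a for a in d.ntlm_auth_args if a.startswith("--password=")]
    if password_args and d.is_mschap:
        # MS-CHAP carries a challenge/response, never the password, so
        # %{User-Password} expands to nothing and ntlm_auth cannot succeed.
        d.findings.append("NTLM_AUTH_PASSWORD_ON_MSCHAP")
    elif password_args:
        # Plaintext request: the exec module checked it; rlm_mschap was never exercised.
        d.findings.append("PAP_PATH_ONLY")
    if ("ntlm_auth", "ok") in d.modules and "NO_AUTH_TYPE" in d.findings:
        # An exec module returning ok in authorize does not select an Auth-Type;
        # without the hard-coded DEFAULT override nothing else sets one here.
        d.findings.append("EXEC_OK_DOES_NOT_SET_AUTH_TYPE")
    return d


# Constructed sample, modelled on the PAP transcript posted in this thread.
SAMPLE_PAP_REJECT = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, length=57
\tUser-Name = "01546"
\tUser-Password = "x"
\tNAS-IP-Address = 192.168.0.99
\tNAS-Port = 0
Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]\texpand: --username=%{mschap:User-Name} -> --username=01546
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]\texpand: --password=%{User-Password} -> --password=x
Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok
Sat Jan 21 19:21:08 2012 : Info: [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop
Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

# Constructed sample: the same server receiving an MS-CHAPv2 request; the
# challenge/response values are placeholders, not real captures.
SAMPLE_MSCHAP = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 54348, id=3, length=140
\tUser-Name = "01546"
\tMS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
\tMS-CHAP2-Response = 0x0100112233445566778899aabbccddeeff
\tNAS-IP-Address = 192.168.0.99
Sat Jan 21 19:22:00 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:22:00 2012 : Info: ++[mschap] returns ok
Sat Jan 21 19:22:00 2012 : Info: [ntlm_auth]\texpand: --username=%{mschap:User-Name} -> --username=01546
Sat Jan 21 19:22:00 2012 : Info: [ntlm_auth]\texpand: --password=%{User-Password} -> --password=
Sat Jan 21 19:22:00 2012 : Info: ++[ntlm_auth] returns fail
"""

if __name__ == "__main__":
    for name, sample in (("PAP", SAMPLE_PAP_REJECT), ("MS-CHAP", SAMPLE_MSCHAP)):
        d = diagnose(sample.splitlines())
        print(name, "attributes:", sorted(d.attributes), "findings:", d.findings)
```

Run it against a real transcript with `diagnose(open("thelog.txt").read().splitlines())`, one request at a time; the `PAP_PATH_ONLY` finding on a log that was supposed to show MS-CHAP is exactly the "you posted the wrong debug output" case above, and `NTLM_AUTH_PASSWORD_ON_MSCHAP` is the "ntlm_auth with User-Password together" line Fajar says must not appear.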
Re: Problem with MSCHAP and Freeradius authentication
Dhiraj Gaur wrote:
> I have been trying to implement a radius authentication server at my workplace. The idea is to have all wifi access points authenticate against a radius server.

That is a common deployment, and should be easy to do.

> The radius server needs to pass authentication to a backend Active Directory server. I have been successful in authenticating wifi users against file based and SQL based authentication in radius. NTLM_AUTH using PAP also works fine, wherein the plaintext password is successfully authenticated against the AD and I get an Access-Accept. However when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not working and I end up in an Access-Reject.

CHAP will *not* work with AD. See my web site:
http://deployingradius.com/documents/protocols/compatibility.html

> Seems like that the ntlm_auth program is not parsing the received encrypted password hence the authentication fails. MSCHAP is a requirement as wifi clients at my place mostly have an eap supplicant. (Read in freeradius documentation that eap and ldap don't go hand in hand, I may be wrong at interpreting the same)

You've misconfigured the server. You have it trying to do ntlm_auth using the User-Password, and then sending it an MS-CHAP authentication. There's no User-Password in MS-CHAP.

Follow the instructions on my web site for configuring ntlm_auth:
http://deployingradius.com/documents/configuration/active_directory.html

And then follow the other instructions for getting EAP to work.

> The freeradius logs for all the cases are listed below. Radius gurus please point me in the right direction as to how to make MS_CHAP authentication work over ntlm_auth or ldap (if possible).
>
> PS: I did all the testing using JRadius simulator.

FreeRADIUS comes with radclient, which does PAP, CHAP, and MS-CHAP. That should be all you need.

Alan DeKok.
Re: Problem with MSCHAP and Freeradius authentication
HI Alan

Thanks for the reply. I already followed your site and was able to make ntlm_auth work. For MS-CHAP the AD page of your site says:

"Start the server and use a test client to send an MS-CHAP authentication request. The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult. If everything goes well, you should see the server returning an Access-Accept (http://freeradius.org/rfc/rfc2865.html#Access-Accept) message as above."

Hence I was of the view radtest cannot work for MS-CHAP authentication. Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same through radtest.

I could not understand "There's no User-Password in MS-CHAP."

Regards
Dhiraj Gaur

On Fri, Jan 20, 2012 at 9:15 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Dhiraj Gaur wrote:
>> I have been trying to implement a radius authentication server at my workplace. The idea is to have all wifi access points authenticate against a radius server.
>
> That is a common deployment, and should be easy to do.
>
>> The radius server needs to pass authentication to a backend Active Directory server. I have been successful in authenticating wifi users against file based and SQL based authentication in radius. NTLM_AUTH using PAP also works fine, wherein the plaintext password is successfully authenticated against the AD and I get an Access-Accept. However when I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not working and I end up in an Access-Reject.
>
> CHAP will *not* work with AD. See my web site:
> http://deployingradius.com/documents/protocols/compatibility.html
>
>> Seems like that the ntlm_auth program is not parsing the received encrypted password hence the authentication fails. MSCHAP is a requirement as wifi clients at my place mostly have an eap supplicant. (Read in freeradius documentation that eap and ldap don't go hand in hand, I may be wrong at interpreting the same)
>
> You've misconfigured the server. You have it trying to do ntlm_auth using the User-Password, and then sending it an MS-CHAP authentication. There's no User-Password in MS-CHAP.
>
> Follow the instructions on my web site for configuring ntlm_auth:
> http://deployingradius.com/documents/configuration/active_directory.html
>
> And then follow the other instructions for getting EAP to work.
>
>> The freeradius logs for all the cases are listed below. Radius gurus please point me in the right direction as to how to make MS_CHAP authentication work over ntlm_auth or ldap (if possible).
>>
>> PS: I did all the testing using JRadius simulator.
>
> FreeRADIUS comes with radclient, which does PAP, CHAP, and MS-CHAP. That should be all you need.
>
> Alan DeKok.

--
Regards
Dhiraj Gaur
Re: Problem with MSCHAP and Freeradius authentication
On 20/01/2012 17:17, Dhiraj Gaur wrote:
> Thanks for the reply. I already followed your site and was able to make ntlm_auth work. For MS-CHAP the AD page of your site says:
>
> "Start the server and use a test client to send an MS-CHAP authentication request. The |radclient| cannot currently be used to send this request, unfortunately, which makes testing a little difficult. If everything goes well, you should see the server returning an Access-Accept (http://freeradius.org/rfc/rfc2865.html#Access-Accept) message as above."

Been there too. But after that I tested with eapol_test from wpa_supplicant. With negative results :(

> Hence I was of the view radtest cannot work for MS-CHAP authentication. Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same through radtest.
>
> I could not understand "There's no User-Password in MS-CHAP."

It's not sent to the server, so you can't use --pass= for ntlm_auth. It's only used to encrypt the challenge.

BYtE,
 Diego.
Re: Problem with MSCHAP and Freeradius authentication
Dhiraj Gaur wrote:
> "Start the server and use a test client to send an MS-CHAP authentication request. The |radclient| cannot currently be used to send this request, unfortunately, which makes testing a little difficult. If everything goes well, you should see the server returning an Access-Accept (http://freeradius.org/rfc/rfc2865.html#Access-Accept) message as above."

The radclient program has since been updated.

> Hence I was of the view radtest cannot work for MS-CHAP authentication.

Sure. However, see radtest -h. If you're running a recent version, it will tell you it can do MS-CHAP.

> Request you to point me to the right link and way to do the MS-CHAP procedure and testing the same through radtest.
>
> I could not understand "There's no User-Password in MS-CHAP."

You hard-coded it to *always* do NTLM authentication, using the PAP credentials. Then you sent it a request which didn't contain a cleartext password.

Again, the guide explains this in great detail. Follow it, and it will work.

Alan DeKok.
Re: Problem with MSCHAP and Freeradius authentication
On 20/01/2012 19:44, Alan DeKok wrote:
> The radclient program has since been updated.

Then it could be better to update that page, since it's the reference for all newbies that try to make it work.

> You hard-coded it to *always* do NTLM authentication, using the PAP credentials. Then you sent it a request which didn't contain a cleartext password.

That's easy, it's on the page: remove the DEFAULT added for testing :)

> Again, the guide explains this in great detail. Follow it, and it will work.

"It *should* work" is more correct :( There still are many things that can go wrong.

BYtE,
 Diego.
Re: Problem with MSCHAP and Freeradius authentication
NdK wrote:
>> The radclient program has since been updated.
> Then it could be better to update that page, since it's the reference for all newbies that try to make it work.

Yeah, I've gone and fixed that. git is nice for updating web pages.

> "It *should* work" is more correct :( There still are many things that can go wrong.

If it doesn't work, the web pages explain which part to blame. 99% of the time, it's a bug in someone else's software.

Alan DeKok.
RE: Problem with MSCHAP
OK,

Just to recap, I'm working on setting Freeradius up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using samba and ntlm_auth.

Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

Needless to say it's failing. I set the mydomain.ox.ac.uk realm in proxy.conf as someone on here suggested on Friday, and that has cleared up the warning about unknown realms. When connecting, I still get several errors before auth fails.

I've pasted my debug output into the web tool and it picks out the following in red:

security {
        max_attributes = 200
        reject_delay = 1        (This line in red)
        status_server = yes
}

(all in red)
Module: Instantiating attr_filter.access_reject
 attr_filter attr_filter.access_reject {
        attrsfile = /etc/raddb/attrs.access_reject

[pap] WARNING! No known good password found for the user. Authentication may fail because of this. (In yellow)

I also see (not highlighted) that I'm still getting:

[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

I have configured modules/mschap to use ntlm_auth as follows:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Am I missing something in the MSCHAP config?

Cheers,
Mark
Re: Problem with MSCHAP
Hi,

> I've pasted my debug output into the web tool and it picks out the following in red:
>
> security {
>         max_attributes = 200
>         reject_delay = 1        (This line in red)
>         status_server = yes
> }
>
> (all in red)
> Module: Instantiating attr_filter.access_reject
>  attr_filter attr_filter.access_reject {
>         attrsfile = /etc/raddb/attrs.access_reject

ignore those - the word 'reject' is being flagged without context.

> [pap] WARNING! No known good password found for the user. Authentication may fail because of this. (In yellow)

okay.

> I also see (not highlighted) that I'm still getting:
>
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

and that will mean that MSCHAPv2 won't be working

> I have configured modules/mschap to use ntlm_auth as follows:
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>
> Am I missing something in the MSCHAP config?

how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you aren't helping yourself by failing to post that here - you should see the incantation of the ntlm_auth line - if not, then it's not being called...and it would be with the default configuration files.

alan
RE: Problem with MSCHAP
Alan,

Thanks for your reply.

> how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you aren't helping yourself by failing to post that here

I'm testing with a real client and access point. OK - I wasn't sure posting the whole debug would be appreciated, but I have posted it at http://www.nuffield.ox.ac.uk/scratch/debug-log-2.txt

> you should see the incantation of the ntlm_auth line - if not, then it's not being called

I can only see two references to ntlm_auth, this:-

Module: Instantiating ntlm_auth
 exec ntlm_auth {
        wait = yes
        program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
        input_pairs = request
        shell_escape = yes
 }

And another line indicating the ntlm_auth config file is being included:-

including configuration file /etc/raddb/modules/ntlm_auth

Should I also see ntlm_auth being called during the authentication - presumably I should...

Thanks,
Mark

-----Original Message-----
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 12 October 2010 10:41
To: FreeRadius users mailing list
Subject: Re: Problem with MSCHAP

Hi,

> I've pasted my debug output into the web tool and it picks out the following in red:
>
> security {
>         max_attributes = 200
>         reject_delay = 1        (This line in red)
>         status_server = yes
> }
>
> (all in red)
> Module: Instantiating attr_filter.access_reject
>  attr_filter attr_filter.access_reject {
>         attrsfile = /etc/raddb/attrs.access_reject

ignore those - the word 'reject' is being flagged without context.

> [pap] WARNING! No known good password found for the user. Authentication may fail because of this. (In yellow)

okay.

> I also see (not highlighted) that I'm still getting:
>
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

and that will mean that MSCHAPv2 won't be working

> I have configured modules/mschap to use ntlm_auth as follows:
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>
> Am I missing something in the MSCHAP config?

how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you aren't helping yourself by failing to post that here - you should see the incantation of the ntlm_auth line - if not, then it's not being called...and it would be with the default configuration files.

alan
RE: Problem with MSCHAP
Ah - I think I see the issue - the ntlm_auth line in modules/mschap is after the } so presumably not being read...

-----Original Message-----
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Mark Holmes
Sent: 12 October 2010 11:25
To: FreeRadius users mailing list
Subject: RE: Problem with MSCHAP

Alan,

Thanks for your reply.

> how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you aren't helping yourself by failing to post that here

I'm testing with a real client and access point. OK - I wasn't sure posting the whole debug would be appreciated, but I have posted it at http://www.nuffield.ox.ac.uk/scratch/debug-log-2.txt

> you should see the incantation of the ntlm_auth line - if not, then it's not being called

I can only see two references to ntlm_auth, this:-

Module: Instantiating ntlm_auth
 exec ntlm_auth {
        wait = yes
        program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
        input_pairs = request
        shell_escape = yes
 }

And another line indicating the ntlm_auth config file is being included:-

including configuration file /etc/raddb/modules/ntlm_auth

Should I also see ntlm_auth being called during the authentication - presumably I should...

Thanks,
Mark

-----Original Message-----
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 12 October 2010 10:41
To: FreeRadius users mailing list
Subject: Re: Problem with MSCHAP

Hi,

> I've pasted my debug output into the web tool and it picks out the following in red:
>
> security {
>         max_attributes = 200
>         reject_delay = 1        (This line in red)
>         status_server = yes
> }
>
> (all in red)
> Module: Instantiating attr_filter.access_reject
>  attr_filter attr_filter.access_reject {
>         attrsfile = /etc/raddb/attrs.access_reject

ignore those - the word 'reject' is being flagged without context.

> [pap] WARNING! No known good password found for the user. Authentication may fail because of this. (In yellow)

okay.

> I also see (not highlighted) that I'm still getting:
>
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

and that will mean that MSCHAPv2 won't be working

> I have configured modules/mschap to use ntlm_auth as follows:
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>
> Am I missing something in the MSCHAP config?

how are you testing this - a real client, command line tool etc? when you run it in full debug mode - and you aren't helping yourself by failing to post that here - you should see the incantation of the ntlm_auth line - if not, then it's not being called...and it would be with the default configuration files.

alan
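Mark's finding, an `ntlm_auth = ...` line that had drifted past the closing brace of `mschap { ... }` so that rlm_mschap never saw it, is the kind of thing a small configuration check catches before a client ever connects. The script below is an added example (my code, not FreeRADIUS's and not from anyone in this thread): a brace-aware reader of a modules/mschap file that verifies `ntlm_auth` sits inside the mschap section and that the command passes the MS-CHAP challenge/response rather than `--password=%{User-Password}`. It also flags a `--domain` taken from the client's NT-Domain, the caveat Alan Buxey raises in his first reply. The sample files are constructed (the option names in them are real rlm_mschap settings) and the finding names are mine.

```python
"""Added example, not FreeRADIUS code: check a FreeRADIUS 2.x modules/mschap
file for the ntlm_auth mistakes discussed in this thread.

  * `ntlm_auth = ...` outside the `mschap { ... }` braces, so rlm_mschap
    never sees it and keeps demanding an NT-Password;
  * an ntlm_auth command built for PAP (--password=%{User-Password}) instead
    of the MS-CHAP --challenge / --nt-response arguments;
  * a --domain taken from the peer-supplied NT-Domain.
The reader handles `key = value` lines and `name { ... }` sections, which is
enough for module files; it does not understand unlang conditions.
"""
import re

ASSIGN_RE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")
SECTION_RE = re.compile(r"^\s*([\w.-]+(?: [\w.-]+)?)\s*\{\s*$")
CLOSE_RE = re.compile(r"^\s*\}\s*$")


def parse_assignments(text):
    """Return [(section_path, key, value)] for every assignment; the path is a
    tuple of enclosing section names, () for a line outside every section."""
    stack, out, pending = [], [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):        # backslash continuation
            pending = line.rstrip()[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if m := ASSIGN_RE.match(line):          # checked first: values contain %{...} braces
            out.append((tuple(stack), m.group(1), m.group(2).strip('"')))
        elif m := SECTION_RE.match(line):
            stack.append(m.group(1))
        elif CLOSE_RE.match(line) and stack:
            stack.pop()
    return out


def check_mschap_ntlm_auth(text):
    """Return a list of finding codes; an empty list means the file looks right."""
    findings = []
    cmds = [(path, val) for path, key, val in parse_assignments(text) if key == "ntlm_auth"]
    inside = [val for path, val in cmds if path == ("mschap",)]
    if not inside:
        findings.append("NTLM_AUTH_NOT_IN_MSCHAP_SECTION")
        if cmds:
            findings.append("NTLM_AUTH_OUTSIDE_SECTION")  # the stray line after "}"
        return findings
    cmd = inside[0]
    if "User-Password" in cmd or "--password" in cmd:
        findings.append("USES_USER_PASSWORD")             # never present in an MS-CHAP request
    for flag in ("--challenge=", "--nt-response="):
        if flag not in cmd:
            findings.append("MISSING_" + flag.strip("-=").upper().replace("-", "_"))
    if "--request-nt-key" not in cmd:
        findings.append("MISSING_REQUEST_NT_KEY")         # rlm_mschap needs NT_KEY for MPPE keys
    if re.search(r"--domain=\S*NT-Domain", cmd):
        findings.append("DOMAIN_FROM_CLIENT")             # trusts whatever domain the peer sent
    return findings


# Constructed: the shape Mark describes, with the ntlm_auth line after the closing brace.
BROKEN_PLACEMENT = """\
mschap {
\tuse_mppe = yes
\trequire_encryption = yes
\twith_ntdomain_hack = yes
}
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
"""

# Constructed: the line inside the braces, with the domain pinned instead of taken from the client.
FIXED = """\
mschap {
\tuse_mppe = yes
\trequire_encryption = yes
\twith_ntdomain_hack = yes
\tntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=MYDOMAIN --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
"""

# Constructed: the PAP-style exec command pasted into the mschap section by mistake.
PAP_STYLE = """\
mschap {
\tntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PLACEMENT), ("fixed", FIXED), ("pap-style", PAP_STYLE)):
        print(name, check_mschap_ntlm_auth(text))
```

Point it at the real file with `check_mschap_ntlm_auth(open("/etc/raddb/modules/mschap").read())`; the only output that should come back from a working MS-CHAP setup is an empty list, and `NTLM_AUTH_NOT_IN_MSCHAP_SECTION` is the placement error that produces the "No NT/LM-Password. Cannot perform authentication." lines quoted above.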
Re: Problem with MSCHAP
On 08/10/10 14:24, Mark Holmes wrote:
> and I see the server returns Access-Accept.

Firstly, don't set Auth-Type. It's almost always the wrong thing to do.

Secondly, this is just testing PAP i.e. plain username/password auth. Wireless typically uses 802.1x via EAP.

> I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and editing modules/mschap as follows
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

That looks about right.

> Output from radius -X at the bottom of this message. The bit that looks relevant to me is
>
> ++[mschap] returns noop

No, you're misreading it - see below.

> [suffix] Looking up realm mydomain.ox.ac.uk for User-Name = firstname.lastn...@mydomain.ox.ac.uk
> [suffix] No such realm mydomain.ox.ac.uk
>
> However I'm not sure I need to worry about that bit - at the moment this is just a single, stand alone RADIUS server so I'm not sure I need to worry about realms or do I?

Not for the moment.

> Not sure where to go from here - are there some basic things I should check? I haven't included my conf files in this post but happy to do so if required.

Don't post the config files. The *full* debug output (from start to failure) is what's needed. Something like:

/usr/sbin/radiusd -X | tee thelog.txt

EAP is a multi-pass protocol; there will be 4-8 requests, and the actual MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS tunnel is established, but before the failure is sent.

> Output from -X

That's just the final packet.

> [peap] Had sent TLV failure. User was rejected earlier in this session.
> [eap] Handler failed in EAP/peap

This is an EAP-PEAP, not MS-CHAP request (hence the noop). The failure occurred in an earlier packet; please post the full debug output.
RE: Problem with MSCHAP
> [peap] Received EAP-TLV response.
> [peap] Had sent TLV failure. User was rejected earlier in this session.

You need to look earlier in your debug output to see why it was rejected (that's what this error message means).
Re: Problem with MSCHAP
> Hi,
>
> I'm new to freeradius, I'm working on setting it up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using samba and ntlm_auth.

okay - a fairly standard setup for modern 802.1X

> Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

okay - the right 'blend'..as it were

> I have the ntlm_auth part working in as far as I can put DEFAULT Auth-Type = ntlm_auth in users and then do

you don't need to set Auth-Type for the MSCHAPv2 stuff... you might need it if, for example, you wanted to do MSCHAPv2 AND kerberos for different types of requests - even then, you only need to set kerberos to be the Auth-Type as the EAP module is intelligent

> I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and editing modules/mschap as follows
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

do you REALLY want to accept what the user puts in as the gospel truth? ie, I wouldn't be comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it really was a local user!)

> Output from radius -X at the bottom of this message. The bit that looks relevant to me is

what you have posted is the 'replay' of a transaction - try starting the daemon up and launching the request ASAP - ie so what we have is straight after the 'listen and ready' line - especially as with your current ntlm_auth line I'd expect to see a deprecated warning

> [suffix] Looking up realm mydomain.ox.ac.uk for User-Name = firstname.lastn...@mydomain.ox.ac.uk
> [suffix] No such realm mydomain.ox.ac.uk
>
> However I'm not sure I need to worry about that bit - at the moment this is just a single, stand alone RADIUS server so I'm not sure I need to worry about realms or do I?

it'd still be best to define that realm, if using prefix, to be local eg in proxy.conf

realm mydomain.ox.ac.uk {
        strip
}

alan
RE: Problem with MSCHAP
All,

Many thanks for the replies.

> Firstly, don't set Auth-Type. It's almost always the wrong thing to do.

Sure - I set that just to test the AD auth was working, and removed it again prior to configuring mschap.

> EAP is a multi-pass protocol; there will be 4-8 requests, and the actual MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS tunnel is established, but before the failure is sent.

Ah - doh! I wasn't sure about posting the whole lot to this list as it runs to quite a few lines so posted it here: http://www.nuffield.ox.ac.uk/scratch/logfile.txt

Thanks,
Mark
Re: Problem with MSCHAP
Mark Holmes wrote:
> I wasn't sure about posting the whole lot to this list as it runs to quite a few lines so posted it here http://www.nuffield.ox.ac.uk/scratch/logfile.txt

Cut and paste that into the form on this page: http://networkradius.com/freeradius.html

Then, look for red / yellow text.

Alan DeKok.
Re: Problem with MSCHAP
On 8 Oct 2010, at 14:59, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> do you REALLY want to accept what the user puts in as the gospel truth? ie, I wouldn't be comfortable taking the user-supplied domain for the ntlm_auth - I'd set it manually (if it really was a local user!)

Good point. Our existing setup uses IAS, and is configured to expect the domain to be appended. I want to switch to FreeRADIUS without too many changes being required client side - possibly even none if I moved the cert from the IAS box to the FreeRADIUS machine.

Cheers,
Mark
Re: Problem with mschap, ntlm_auth and a conditional syntax
Lukasz Lacinski wrote:
> Below is my previous e-mail, but with output from freeradius in format easier to read. I use ntlm_auth in mschapv2 (freeradius 20070409) by the following line in radiusd.conf:
>
> ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

I've committed a fix to CVS head. Please re-test.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Problem with mschap, ntlm_auth and a conditional syntax
Alan DeKok wrote:
> I've committed a fix to CVS head. Please re-test.

OK. I'm going to test it as soon as possible. It means when SIGSEGV will not be so fast ;-)

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.2 port 1645, id=160, length=166
        User-Name = [EMAIL PROTECTED]
        Framed-MTU = 1400
        Called-Station-Id = 0014.1bb6.da30
        Calling-Station-Id = 0002.b306.4cf1
        Service-Type = Login-User
        Message-Authenticator = 0x1b86f1e76d4be2fa3bb2c0c5daf968d6
        EAP-Message = 0x0202001d01757a79737a6b6f646e696b406c6174696e2e70637a2e706c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 863
        NAS-Port-Id = 863
        NAS-IP-Address = 10.0.0.2
        NAS-Identifier = ap
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0

Program received signal SIGSEGV, Segmentation fault.
0xb7c13c26 in ?? ()
(gdb) where
#0 0xb7c13c26 in ?? ()
#1 0x801228a0 in ?? ()
#2 0x in ?? ()
(gdb)

Lukasz Lacinski
Re: Problem with mschap, ntlm_auth and a conditional syntax
Below is my previous e-mail, but with output from freeradius in format easier to read.

I use ntlm_auth in mschapv2 (freeradius 20070409) by the following line in radiusd.conf:

ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

A corresponding part of debug from radiusd -X is:

rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat: '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge:-00'
rlm_mschap: Unknown expansion string Challenge:-00
radius_xlat: '--challenge='
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response:-00'
rlm_mschap: Unknown expansion string NT-Response:-00
radius_xlat: '--nt-response='
Exec-Program output: Specify all required command line parameters!
Exec-Program-Wait: plaintext: Specify all required command line parameters!
Exec-Program: returned: 1

When I remove conditional syntax:

ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

an authentication operates correctly:

rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat: '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: ca
radius_xlat: '--challenge=1d6796d06b4bab53'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0

I tested freeradius 1.1.4 with conditional syntax:

ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

and here parameters with conditional syntax are interpreted correctly:

rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat: '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: af
radius_xlat: '--challenge=eebe17185aaa4366'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=f668c0b7b4e32deeb49529c2f3295699561589836d73f474'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0

Lukasz Lacinski
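An added illustration of what the two debug runs in Lukasz's post show, not FreeRADIUS code: a small Python reimplementation of the %{...:-default} expansion syntax, with a switch that reproduces the broken build (the mschap module is handed the literal 'Challenge:-00') beside the correct behaviour (the ':-00' default is split off first, and used when the module returns nothing). The request dictionary and the mschap lookup are constructed stand-ins; the real module derives the MS-CHAPv2 challenge rather than returning an attribute as-is.

```python
def parse_ref(s, i):
    """Parse the %{...} at s[i]: return (key, default, end), split at this level's first ':-'."""
    depth, sep, j = 1, None, i + 2
    while j < len(s):
        if s.startswith("%{", j):          # nested reference inside the default
            depth, j = depth + 1, j + 2
            continue
        if s[j] == "}":
            depth -= 1
            if depth == 0:
                body = s[i + 2:j]
                parts = (body, None) if sep is None else (body[:sep], body[sep + 2:])
                return parts[0], parts[1], j + 1
        elif depth == 1 and sep is None and s.startswith(":-", j):
            sep = j - (i + 2)
        j += 1
    raise ValueError("unterminated %{ in xlat string")

def mschap_xlat(arg, request):
    """Constructed stand-in for rlm_mschap's xlat function: only these two strings are known."""
    known = {"Challenge": "MS-CHAP-Challenge", "NT-Response": "MS-CHAP2-Response"}
    return request.get(known[arg], "") if arg in known else None  # None: unknown string

def xlat(s, request, fix_module_defaults=True):
    """Expand %{...} references; fix_module_defaults=False reproduces the broken run."""
    out, i = [], 0
    while i < len(s):
        if not s.startswith("%{", i):
            out.append(s[i]); i += 1
            continue
        key, default, i = parse_ref(s, i)
        mod, _, arg = key.partition(":")
        if mod == "mschap":
            if not fix_module_defaults and default is not None:
                arg, default = arg + ":-" + default, None  # module sees 'Challenge:-00'
            value = mschap_xlat(arg, request)
        else:
            value = request.get(key)
        if not value and default is not None:  # empty or unknown -> expand the default
            value = xlat(default, request, fix_module_defaults)
        out.append(value or "")
    return "".join(out)

NTLM_ARGS = ("--username=%{Stripped-User-Name:-%{User-Name:-None}} "
             "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}")

# Constructed request; the hex values are the ones from the working 20070409 run above.
REQUEST = {"User-Name": "uzyszkodnik@example.org", "Stripped-User-Name": "uzyszkodnik",
           "MS-CHAP-Challenge": "1d6796d06b4bab53",
           "MS-CHAP2-Response": "69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8"}
```

xlat(NTLM_ARGS, REQUEST, fix_module_defaults=False) yields empty --challenge= and --nt-response= arguments, which is exactly why ntlm_auth complained about missing parameters; with the default split off, a request that lacks the MS-CHAP attributes expands to --challenge=00 instead.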