Re: eapol_test giving up and win-like error?

[NdK]

Il 20/01/2012 11:55, Phil Mayers ha scritto:

 If that's really all you've changed, there must be something wrong with
 Samba; it's getting the final crypto blob wrong, and the client is
 dropping the packets. You'll need to investigate and fix this.
Just tested with radtest (have had to use single quotes and FOUR
backslashes! -- my password is obviously in $P):
# radtest -t mschap 'PERSONALEdiego.zuccato' $P localhost 0 testing123
Sending Access-Request of id 123 to 127.0.0.1 port 1812
User-Name = PERSONALE\\diego.zuccato
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
MS-CHAP-Challenge = 0x7f218889d9de0c84
MS-CHAP-Response =
0x000115ea491108aa02bb34b5fe79918a67cd8a7b069240091194
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=123,
length=84
MS-CHAP-MPPE-Keys =
0x3b1acd0b65d7af221df50f6ca50447cf
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

And the Access-Accept is quite fast.

When using eapol_test, I get the timeout.

The difference is that radtest seems to use mschapv1 while eapol_test
uses mschapv2.

What could be so wrong that v1 works and v2 doesn't? IIUC v2 includes
username and client nonce in the authenticator, while v1 doesn't.

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[Phil Mayers]

Mschap v1 doesn't validate the reply from server to client, which is what is 
failing with eapol_test. Therefore you're not testing the same path.

Try using a local i.e. non samba user to test. I am sure the problem is with 
your samba daemon.
-- 
Sent from my phone. Please excuse brevity and typos.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[Phil Mayers]

Phil Mayers p.may...@imperial.ac.uk wrote:

Mschap v1 doesn't validate the reply from server to client, which is
what is failing with eapol_test. Therefore you're not testing the same
path.

Try using a local i.e. non samba user to test. I am sure the problem is
with your samba daemon.
-- 
Sent from my phone. Please excuse brevity and typos.



See also:

 https://bugzilla.samba.org/show_bug.cgi?id=6563

...which I think is the problem you are seeing. Comment 18 gives a way to test 
this.

See also the final comment about invalid nt key until I restarted winbind 
which might be the issue.
-- 
Sent from my phone. Please excuse brevity and typos.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eapol_test giving up and win-like error?

[Sergio NNX]

I mentioned exactly that last week but he disregarded it! 

 Subject: Re: eapol_test giving up and win-like error?
 From: p.may...@imperial.ac.uk
 Date: Mon, 23 Jan 2012 10:12:08 +
 To: freeradius-users@lists.freeradius.org
 
 Phil Mayers p.may...@imperial.ac.uk wrote:
 
 Mschap v1 doesn't validate the reply from server to client, which is
 what is failing with eapol_test. Therefore you're not testing the same
 path.
 
 Try using a local i.e. non samba user to test. I am sure the problem is
 with your samba daemon.
 -- 
 Sent from my phone. Please excuse brevity and typos.
 
 
 
 See also:
 
  https://bugzilla.samba.org/show_bug.cgi?id=6563
 
 ...which I think is the problem you are seeing. Comment 18 gives a way to 
 test this.
 
 See also the final comment about invalid nt key until I restarted winbind 
 which might be the issue.
 -- 
 Sent from my phone. Please excuse brevity and typos.
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[NdK]

Il 23/01/2012 11:02, Phil Mayers ha scritto:

 Mschap v1 doesn't validate the reply from server to client, which is what is 
 failing with eapol_test. Therefore you're not testing the same path.
So radtest isn't actually equivalent to eapol_test. It's just another
step for testing.

 Try using a local i.e. non samba user to test. I am sure the problem is with 
 your samba daemon.
What do you mean by local user? One added in users file? I know it
works (tested while following the guide), but it's not using mschapv2,
IIUC...

From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that
script only generates NTLMv1 responses... And it references a quite old
Samba version. I'm using 3.5.10.
From comment 46: Yes, 3.5.6 has all necessary fixes for this issue.
Unless the sernet packages do contain other changes, it should just work
with those packages.

I retested, adding winbind:forcesamlogon = True and eapol_test is now
successful.
Might be useful to add to the guide. Seems, after all, it's needed for
recent SAMBA releases, too.

Just for completeness my (now working) smb.conf is:
[global]
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
security = ADS
restrict anonymous = 2
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
idmap uid = 10-1
idmap gid = 10-1
template shell = /bin/bash
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config STUDENTI:range = 5000 - 
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:backend = rid
idmap config PERSONALE:range = 10 - 4999
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:backend = rid
idmap config STUDENTI:default = yes
idmap config PERSONALE:default = no
winbind:forcesamlogon = True
[maybe the whole idmap could be removed, but better not to touch it once
it's working...]
No need to edit /etc/krb5.conf (interfacing to a native AD domain, so
DNS records are OK for auto-discovery of Kerberos servers.

Now it's Zeroshell's turn...

Tks for the patience.

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[NdK]

Il 19/01/2012 13:01, Phil Mayers ha scritto:

 I'm not sure what the problem is then. From your original post, the
 authentication is failing at the *client*, in the inner EAP section.
 This normally means the final MSCHAP response is invalid, which only
 happens if some crypto has gone wrong somewhere.
But then it should fail immediately, not after a timeout!
And an immediate failure is the result when I *disable*
'with_ntdomain_hack=yes' line in mschap.

No changes even enabling ntdomain lines in 'default' and
'inner-tunnel' sites (IIUC those should only detect the domain,
regardless of it being prefix or suffix).

 Another problem I should fix is the fact that ZS's captive portal passes
 user@realm credentials instead of realm\user ... rewriting w/ a simple
 rule in hints file seems to block the rest, so I left it behind, for now.
 You can't alter usernames in EAP. They are usually mixed into the
 challenge/response data, and altering them in-flight means the
 challenge/response will fail.
Ok. I'm not going to change 'em.

 To be honest, there's too much going on in your setup; my advice would
 be to create a new server (running 2.1.12) and use the default setup.
 Test your EAP with eapol_test. Make small changes, storing the config
 into version control at each step. Identify exactly which point the
 failures start happening at.
That's exactly what I've done till now. The failures start when I enable
the auth I need. The problem w/ CP is just an issue scheduled for later
examination -- nothing configured yet to fix it.

That's my 'hg diff' output (w/o the certs part) from the base config
(from the tutorial):

diff -r 434b2b3ededc clients.conf
--- a/clients.conf  Mon Jan 16 15:17:07 2012 +0100
+++ b/clients.conf  Fri Jan 20 11:22:45 2012 +0100
@@ -232,3 +232,10 @@
 #  secret = testing123
 #}
 #}
+
+client 137.204.65.161 {
+   secret = testing123qaz
+}
+client 137.204.65.96 {
+   secret = testing123qaz
+}
diff -r 434b2b3ededc modules/mschap
--- a/modules/mschapMon Jan 16 15:17:07 2012 +0100
+++ b/modules/mschapFri Jan 20 11:22:45 2012 +0100
@@ -34,6 +34,7 @@
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no
+   #with_ntdomain_hack = yes

# The module can perform authentication itself, OR
# use a Windows Domain Controller.  This configuration
@@ -63,4 +64,7 @@
# the best user name for the request.
#
#ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
+   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{User-Name:-None}}
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
+#  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}}
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
+#  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
 }
diff -r 434b2b3ededc modules/ntlm_auth
--- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100
+++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100
@@ -8,5 +8,6 @@
 #
 exec ntlm_auth {
wait = yes
-   program = /path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}
+#  program = /usr/bin/ntlm_auth --request-nt-key
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--username=%{mschap:User-Name} --password=%{User-Password}
+   program = /usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
 }
diff -r 434b2b3ededc sites-available/default
--- a/sites-available/default   Mon Jan 16 15:17:07 2012 +0100
+++ b/sites-available/default   Fri Jan 20 11:22:45 2012 +0100
@@ -116,7 +116,7 @@
#  the other styles won't be checked.
#
suffix
-#  ntdomain
+   ntdomain

#
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
@@ -306,6 +306,8 @@
 #  handled  # override the updated code from
attr_filter
 #  }
 #  }
+
+#  ntlm_auth
 }


@@ -347,7 +349,7 @@
#  home server as authentication requests.
 #  IPASS
suffix
-#  ntdomain
+   ntdomain

#
#  Read the 'acct_users' file
diff -r 434b2b3ededc sites-available/inner-tunnel
--- a/sites-available/inner-tunnel  

Re: eapol_test giving up and win-like error?

[Phil Mayers]

On 01/20/2012 10:30 AM, NdK wrote:

Il 19/01/2012 13:01, Phil Mayers ha scritto:


I'm not sure what the problem is then. From your original post, the
authentication is failing at the *client*, in the inner EAP section.
This normally means the final MSCHAP response is invalid, which only
happens if some crypto has gone wrong somewhere.

But then it should fail immediately, not after a timeout!


Not so.


And an immediate failure is the result when I *disable*
'with_ntdomain_hack=yes' line in mschap.


That's a different failure mode.

EAP/MS-CHAP works as follows:

server: send random challenge bytes to client
client: send response=crypto(password,challenge) to server
server: send crypto(response,password) to client

If validation of the 2nd item fails, you'll see an immediate failure at 
the FreeRADIUS end, because FreeRADIUS is doing the validation.


If validation of the 3rd item fails, the client just stops - it gives 
up, and sends no further packets, because it thinks the server is fake / 
impersonating.


That's why there's a timeout at the FreeRADIUS end.



That's exactly what I've done till now. The failures start when I enable
the auth I need. The problem w/ CP is just an issue scheduled for later
examination -- nothing configured yet to fix it.

That's my 'hg diff' output (w/o the certs part) from the base config
(from the tutorial):


If that's really all you've changed, there must be something wrong with 
Samba; it's getting the final crypto blob wrong, and the client is 
dropping the packets. You'll need to investigate and fix this.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[Phil Mayers]

EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


Hmm. I see from your original email that Samba  ntlm_auth are succeeding.

There are a couple of buggy version of Samba out there that return 
invalid response values, and generate these symptoms. Which version of 
Samba are you running, and on what OS?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[NdK]

Il 19/01/2012 10:03, Phil Mayers ha scritto:

 EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
 MPPE keys OK: 0  mismatch: 1
 FAILURE
These (plus the timeout one) are the lines printed after FR have already
cloded session.

 Hmm. I see from your original email that Samba  ntlm_auth are succeeding.
Yup. I'm quite used to joining machines to AD... Already have about 100
clients and 5 servers, and this one is the one giving me troubles :(

 There are a couple of buggy version of Samba out there that return
 invalid response values, and generate these symptoms. Which version of
 Samba are you running, and on what OS?
Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working,
I'll have to move the config to a ZeroShell box with Samba 3.5.10.

Another problem I should fix is the fact that ZS's captive portal passes
user@realm credentials instead of realm\user ... rewriting w/ a simple
rule in hints file seems to block the rest, so I left it behind, for now.

Tks,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[Phil Mayers]

On 19/01/12 11:07, NdK wrote:

Il 19/01/2012 10:03, Phil Mayers ha scritto:


EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

These (plus the timeout one) are the lines printed after FR have already
cloded session.


Yes.




Hmm. I see from your original email that Samba  ntlm_auth are succeeding.

Yup. I'm quite used to joining machines to AD... Already have about 100
clients and 5 servers, and this one is the one giving me troubles :(


There are a couple of buggy version of Samba out there that return
invalid response values, and generate these symptoms. Which version of
Samba are you running, and on what OS?

Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working,
I'll have to move the config to a ZeroShell box with Samba 3.5.10.


That version should be ok; we're on 3.5.4

I'm not sure what the problem is then. From your original post, the 
authentication is failing at the *client*, in the inner EAP section. 
This normally means the final MSCHAP response is invalid, which only 
happens if some crypto has gone wrong somewhere.




Another problem I should fix is the fact that ZS's captive portal passes
user@realm credentials instead of realm\user ... rewriting w/ a simple
rule in hints file seems to block the rest, so I left it behind, for now.


You can't alter usernames in EAP. They are usually mixed into the 
challenge/response data, and altering them in-flight means the 
challenge/response will fail.


To be honest, there's too much going on in your setup; my advice would 
be to create a new server (running 2.1.12) and use the default setup. 
Test your EAP with eapol_test. Make small changes, storing the config 
into version control at each step. Identify exactly which point the 
failures start happening at.


Most people don't see this problem, so it's something specific to your 
setup.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[Alan DeKok]

NdK wrote:
 I think I'm near to correctly configure my server... but I incur in a
 situation that IIUC should be related to win clients only: I get
...
 message and *eapol_test* (run from a *linux* machine!) gives up after
 about 10 seconds.

  Then read the error messages from eapol_test.  Why does it stop?  It
should say.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eapol_test giving up and win-like error?

[NdK]

Il 18/01/2012 15:25, Alan DeKok ha scritto:
 NdK wrote:
 I think I'm near to correctly configure my server... but I incur in a
 situation that IIUC should be related to win clients only: I get
 ...
 message and *eapol_test* (run from a *linux* machine!) gives up after
 about 10 seconds.
 
   Then read the error messages from eapol_test.  Why does it stop?  It
 should say.
That's eapol_test output. I changed my AD pass to 'testing123' just for
the time needed to test, so the values are the real ones.
I can't see any error, just a timeout...
There's a short delay before EAPOL: startWhen -- 0 and a long one
just after.
If needed, I logged output of freeradius -X for this run, too (not
posted to avoid spamming the list too much -- nothing changed in its
config).

# eapol_test -c /home/ndk/Scaricati/peap-mschapv2.conf -s testing123qaz
-a 137.204.65.163
Reading configuration file '/home/ndk/Scaricati/peap-mschapv2.conf'
Line: 4 - start of a new network block
key_mgmt: 0xd
proto: 0x3
group: 0x18
scan_ssid=1 (0x1)
mode=0 (0x0)
ssid - hexdump_ascii(len=8):
 41 4c 4d 41 57 49 46 49   ALMAWIFI
pairwise: 0x18
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00
00 00
password - hexdump_ascii(len=10):
 74 65 73 74 69 6e 67 31 32 33 testing123
identity - hexdump_ascii(len=23):
 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
 7a 75 63 63 61 74 6f  zuccato
phase2 - hexdump_ascii(len=15):
 70 68 61 73 65 32 3d 4d 53 43 48 41 50 56 32  phase2=MSCHAPV2
ca_cert - hexdump_ascii(len=61):
 2f 68 6f 6d 65 2f 6e 64 6b 2f 44 6f 63 75 6d 65   /home/ndk/Docume
 6e 74 69 2f 55 66 66 69 63 69 6f 2f 43 41 2f 63   nti/Ufficio/CA/c
 65 72 74 73 2f 41 73 74 72 6f 6e 6f 6d 69 61 20   erts/Astronomia
 2d 20 52 6f 6f 74 20 43 41 2e 63 72 74- Root CA.crt
Priority group 0
   id=0 ssid='ALMAWIFI'
Authentication server 137.204.65.163:1812
RADIUS local address: 137.204.65.96:45959
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=23):
 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e   PERSONALE\diego.
 7a 75 63 63 61 74 6f  zuccato
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=28)
TX EAP - RADIUS - hexdump(len=28): 02 00 00 1c 01 50 45 52 53 4f 4e 41
4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=23): 50 45 52
53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=154
   Attribute 1 (User-Name) length=25
  Value: 'PERSONALE\diego.zuccato'
   Attribute 4 (NAS-IP-Address) length=6
  Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
  Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
  Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
  Value: 19
   Attribute 77 (Connect-Info) length=24
  Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=30
  Value: 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f
2e 7a 75 63 63 61 74 6f
   Attribute 80 (Message-Authenticator) length=18
  Value: bd 07 f8 80 77 2d 48 51 d9 90 ce fe 5b e2 8f 35
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
  Value: 01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e
1b 55
   Attribute 80 (Message-Authenticator) length=18
  Value: 75 9e 8f 62 48 3d 24 33 f9 ba cc ac 8c d3 cc 90
   Attribute 24 (State) length=18
  Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec

RADIUS