Re: AW: freeradius and ntlm_auth howto
I finally managed to filter out the last issues with my setup. When I have more time I will post a small howto that worked for me. Although people on the list told me that there are plenty of guides already, I couldn't find one that worked. Thanks everyone for all the hints that helped me.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED] wrote on 11/06/2006 04:36:25 PM:

> Actually this is the exact same problem I have. I need to type my
> credentials in for authentication to work. If I let windows do it, I
> won't get in.
>
> If any of you could please help us out with this issue, that'd be great
>
> Cheers
>
> Héctor
>
> From: [EMAIL PROTECTED] freeradius.org [mailto:freeradius-users-bounces+hector.[EMAIL PROTECTED] On behalf of Stieven.[EMAIL PROTECTED]
> Sent: Monday, 6 November 2006 16:17
> To: King, Michael
> Cc: freeradius-users@lists.freeradius.org
> Subject: RE: freeradius and ntlm_auth howto
>
> michael,
> The configuration works when I type in my username as
> '[EMAIL PROTECTED]', when I let windows fill it in I don't get in.
> My password gets locked after 3 attempts, and the wifi retries
> several times. If you look higher in the file you will see another
> error: (logon failure)
>
> It works with the standard certs, so for finding a good working
> configuration this is ok for now. Obviously I will change this for production.
>
> Stieven Struyf
> M.I.S. Division - System Operations
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> [EMAIL PROTECTED]
> Tel. +32 (0)2 2552551
>
> "King, Michael" <[EMAIL PROTECTED]>
> 11/06/2006 04:04 PM
>
> To
> <[EMAIL PROTECTED]>, "FreeRadius users mailing list"
> cc
> Subject
> RE: freeradius and ntlm_auth howto
>
> Some things I've noticed from your attached files
>
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = yes
> mschap: require_strong = yes
>
> I've never enabled these before, I'm unaware what effect they will have
>
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/etc/raddb/certs/dh"
> tls: random_file = "/etc/raddb/certs/random"
>
> Did you generate your OWN certs... The ones that ship with the
> server ARE NOT valid. You have to generate your own.
>
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
>
> That doesn't look right
>
> BUT YOUR FINAL ANSWER:
>
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
> Exec-Program output: Account locked out (0xc234)
> Exec-Program-Wait: plaintext: Account locked out (0xc234)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> Your account in the domain is not correct.
> Looks like it's been disabled or something.
> Fix that first before you change any more config files.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 06, 2006 3:16 AM
> To: King, Michael
> Subject: Fw: freeradius and ntlm_auth howto
>
> Michael,
> I sent my reply already to the list, but due to the size (larger than
> 100k) it had to be reviewed by the admin and after a week it was rejected.
> Below you can find the mail. Thanks for helping me.
>
> Stieven Struyf
> M.I.S. Division - System Operations
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> [EMAIL PROTECTED]
> Tel. +32 (0)2 2552551
>
> - Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -
>
> Stieven Struyf/KEISA/BE/KOMEUR
> 11/02/2006 08:55 AM
>
> To
> FreeRadius users mailing list
> cc
> Subject
> RE: freeradius and ntlm_auth howto
>
> I added the debuglog as attachment (as it is a little large to paste here).
> This is the mschap config:
>
> mschap {
>     authtype = MS
AW: freeradius and ntlm_auth howto
Actually this is the exact same problem I have. I need to type my credentials in for authentication to work. If I let windows do it, I won't get in.

If any of you could please help us out with this issue, that'd be great

Cheers

Héctor

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Monday, 6 November 2006 16:17
To: King, Michael
Cc: freeradius-users@lists.freeradius.org
Subject: RE: freeradius and ntlm_auth howto

michael,
The configuration works when I type in my username as '[EMAIL PROTECTED]', when I let windows fill it in I don't get in. My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error: (logon failure)

It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously I will change this for production.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

"King, Michael" <[EMAIL PROTECTED]>
11/06/2006 04:04 PM

To
<[EMAIL PROTECTED]>, "FreeRadius users mailing list"
cc
Subject
RE: freeradius and ntlm_auth howto

Some things I've noticed from your attached files

Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes

I've never enabled these before, I'm unaware what effect they will have

tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"

Did you generate your OWN certs... The ones that ship with the server ARE NOT valid. You have to generate your own.

rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2

That doesn't look right

BUT YOUR FINAL ANSWER:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your account in the domain is not correct.
Looks like it's been disabled or something.
Fix that first before you change any more config files.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 06, 2006 3:16 AM
To: King, Michael
Subject: Fw: freeradius and ntlm_auth howto

Michael,
I sent my reply already to the list, but due to the size (larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -

Stieven Struyf/KEISA/BE/KOMEUR
11/02/2006 08:55 AM

To
FreeRadius users mailing list
cc
Subject
RE: freeradius and ntlm_auth howto

I added the debuglog as attachment (as it is a little large to paste here).
This is the mschap config:

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_strong = yes
    with_ntdomain_hack = yes
    require_encryption = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED] wrote on 10/27/2006 04:36:00 PM:

> Let's see if we can get this solved...
>
> > -Original Message-
> > Here's the full log:
> > Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 10.104.254.73:1645
RE: freeradius and ntlm_auth howto
michael,
The configuration works when I type in my username as '[EMAIL PROTECTED]', when I let windows fill it in I don't get in. My password gets locked after 3 attempts, and the wifi retries several times. If you look higher in the file you will see another error: (logon failure)

It works with the standard certs, so for finding a good working configuration this is ok for now. Obviously I will change this for production.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

"King, Michael" <[EMAIL PROTECTED]>
11/06/2006 04:04 PM

To
<[EMAIL PROTECTED]>, "FreeRadius users mailing list"
cc
Subject
RE: freeradius and ntlm_auth howto

Some things I've noticed from your attached files

Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes

I've never enabled these before, I'm unaware what effect they will have

tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"

Did you generate your OWN certs... The ones that ship with the server ARE NOT valid. You have to generate your own.

rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2

That doesn't look right

BUT YOUR FINAL ANSWER:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your account in the domain is not correct.
Looks like it's been disabled or something.
Fix that first before you change any more config files.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 06, 2006 3:16 AM
To: King, Michael
Subject: Fw: freeradius and ntlm_auth howto

Michael,
I sent my reply already to the list, but due to the size (larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -

Stieven Struyf/KEISA/BE/KOMEUR
11/02/2006 08:55 AM

To
FreeRadius users mailing list
cc
Subject
RE: freeradius and ntlm_auth howto

I added the debuglog as attachment (as it is a little large to paste here).
This is the mschap config:

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_strong = yes
    with_ntdomain_hack = yes
    require_encryption = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED] wrote on 10/27/2006 04:36:00 PM:

> Let's see if we can get this solved...
>
> > -Original Message-
> > Here's the full log:
> > Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 10.104.254.73:1645,
>
> This is NOT the full log. The full log would have started with the line
> /path/to/radiusd -X
>
> Some important stuff is printed out there, it helps us help you.
>
> > rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack?
> > rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack?
>
> Did you enable Ntdomain Hack in the MSCHAP module? (See below)
>
> Including your radius.conf file would help.
>
> > > HOWEVER, first you may want to check your mschap module definition:
> > >
> > > modules {
> > >     mschap {
> > >         ntlm_auth = "/usr/bin/ntlm_auth \
> > >             --request-nt-key \
> > >             --username=%{mschap:User-Name:-None} \
> > >             --domain=%{mschap:NT-Domain:-None} \
> > >             --challenge=%{mschap:Challenge:
RE: freeradius and ntlm_auth howto
Some things I've noticed from your attached files

Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes

I've never enabled these before, I'm unaware what effect they will have

tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"

Did you generate your OWN certs... The ones that ship with the server ARE NOT valid. You have to generate your own.

rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2

That doesn't look right

BUT YOUR FINAL ANSWER:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Your account in the domain is not correct.
Looks like it's been disabled or something.
Fix that first before you change any more config files.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 06, 2006 3:16 AM
To: King, Michael
Subject: Fw: freeradius and ntlm_auth howto

Michael,
I sent my reply already to the list, but due to the size (larger than 100k) it had to be reviewed by the admin and after a week it was rejected. Below you can find the mail. Thanks for helping me.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -

Stieven Struyf/KEISA/BE/KOMEUR
11/02/2006 08:55 AM

To
FreeRadius users mailing list
cc
Subject
RE: freeradius and ntlm_auth howto

I added the debuglog as attachment (as it is a little large to paste here).
This is the mschap config:

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_strong = yes
    with_ntdomain_hack = yes
    require_encryption = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED] wrote on 10/27/2006 04:36:00 PM:

> Let's see if we can get this solved...
>
> > -Original Message-
> > Here's the full log:
> > Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 10.104.254.73:1645,
>
> This is NOT the full log. The full log would have started with the line
> /path/to/radiusd -X
>
> Some important stuff is printed out there, it helps us help you.
>
> > rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack?
> > rlm_mschap: NT Domain delimeter found, should we have
> > enabled with_ntdomain_hack?
>
> Did you enable Ntdomain Hack in the MSCHAP module? (See below)
>
> Including your radius.conf file would help.
>
> > > HOWEVER, first you may want to check your mschap module definition:
> > >
> > > modules {
> > >     mschap {
> > >         ntlm_auth = "/usr/bin/ntlm_auth \
> > >             --request-nt-key \
> > >             --username=%{mschap:User-Name:-None} \
> > >             --domain=%{mschap:NT-Domain:-None} \
> > >             --challenge=%{mschap:Challenge:-00} \
> > >             --nt-response=%{mschap:NT-Response:-00}"
> > >
> > > ...all on one line of course. Note the use of the "mschap:User-Name"
> > > and "mschap:NT-Domain" values.
>
> My radiusd.conf file's mschap section looks like this:
> NOTE that I do NOT have the :-00 and the :-None statements, and I DO
> have with_ntdomain_hack=yes
RE: freeradius and ntlm_auth howto
Let's see if we can get this solved...

> -Original Message-
> Here's the full log:
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.104.254.73:1645,

This is NOT the full log. The full log would have started with the line

/path/to/radiusd -X

Some important stuff is printed out there, it helps us help you.

> rlm_mschap: NT Domain delimeter found, should we have
> enabled with_ntdomain_hack?
> rlm_mschap: NT Domain delimeter found, should we have
> enabled with_ntdomain_hack?

Did you enable Ntdomain Hack in the MSCHAP module? (See below)

Including your radius.conf file would help.

> > HOWEVER, first you may want to check your mschap module definition:
> >
> > modules {
> >     mschap {
> >         ntlm_auth = "/usr/bin/ntlm_auth \
> >             --request-nt-key \
> >             --username=%{mschap:User-Name:-None} \
> >             --domain=%{mschap:NT-Domain:-None} \
> >             --challenge=%{mschap:Challenge:-00} \
> >             --nt-response=%{mschap:NT-Response:-00}"
> >
> > ...all on one line of course. Note the use of the "mschap:User-Name"
> > and "mschap:NT-Domain" values.

My radiusd.conf file's mschap section looks like this:
NOTE that I do NOT have the :-00 and the :-None statements, and I DO have with_ntdomain_hack=yes

# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth \
        --request-nt-key \
        --username=%{mschap:User-Name} \
        --challenge=%{mschap:Challenge} \
        --nt-response=%{mschap:NT-Response}"
}

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: freeradius and ntlm_auth howto
[EMAIL PROTECTED] wrote on 10/27/2006 02:54:52 PM:

> Did you notice the response from ntlm_auth:
>
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf
> --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345
> Exec-Program output: Logon failure (0xc06d)
>
> This indicates an invalid username or password. Try running
> "/usr/bin/ntlm_auth --username=sstruyf" and entering the same
> password you used in your previous test when prompted. Is the
> username correct? Is samba going to the correct domain by default?
> Did you enter the correct password? If you can't authenticate from
> the command line, you won't be able to do so from freeradius either.

From the command line everything is working, and the same username/realm works if I pass it as [EMAIL PROTECTED] instead of realm\username. So I am absolutely sure the user is ok. I will check with our AD admin if he sees something in his logs.
RE: freeradius and ntlm_auth howto
Did you notice the response from ntlm_auth:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345
Exec-Program output: Logon failure (0xc06d)

This indicates an invalid username or password. Try running "/usr/bin/ntlm_auth --username=sstruyf" and entering the same password you used in your previous test when prompted. Is the username correct? Is samba going to the correct domain by default? Did you enter the correct password? If you can't authenticate from the command line, you won't be able to do so from freeradius either.
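The replies in this thread each read one `Exec-Program` line out of the `radiusd -X` output and map its NT status code to a fix (0xc022 winbind pipe permissions, 0xc06d logon failure, 0xc234 account lockout, plus the `with_ntdomain_hack` warning). The triage script below is an added example, not code from the thread or from FreeRADIUS or Samba: it scans a debug capture for exactly those signatures, drops the challenge/response pair from the recorded command line so the finding can be pasted into a ticket, and reports the corrective action the replies give. The sample log and the hint texts are constructed here from the lines quoted in the thread.

```python
import re

# NT status codes as ntlm_auth prints them in "Exec-Program output", with the
# corrective action given in the thread replies (hint text constructed here).
NT_STATUS_HINTS = {
    "0xc022": "radiusd cannot open the winbind privileged pipe; give the radiusd "
              "user access to /var/cache/samba/winbindd_privileged (group "
              "membership plus directory mode 750) instead of running as root",
    "0xc06d": "wrong username, password or default domain; confirm the same "
              "credentials with ntlm_auth on the command line before changing "
              "radiusd.conf",
    "0xc234": "repeated failed retries tripped the domain lockout policy; unlock "
              "the account and stop the retry loop before testing further",
}

# Line shapes seen in the thread's radiusd -X output.
CMD_RE = re.compile(r"^Exec-Program: (\S*/ntlm_auth\b.*)$")
OUTPUT_RE = re.compile(
    r"^Exec-Program(?: output|-Wait: plaintext):\s*(.*?)\s*\((0x[0-9a-fA-F]+)\)$")
RETURN_RE = re.compile(r"^Exec-Program: returned: (\d+)$")
NTDOMAIN_OFF_RE = re.compile(r"with_ntdomain_hack\s*=\s*no$")
NTDOMAIN_WARN = "NT Domain delimeter found, should we have enabled with_ntdomain_hack?"
CHAP_FAIL = "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect"

# Arguments that carry the MS-CHAPv2 challenge/response pair; never keep them.
SECRET_ARGS = ("--challenge=", "--nt-response=")


def redact_ntlm_cmd(cmd):
    """Drop the challenge/response arguments from an ntlm_auth command line."""
    return " ".join(a for a in cmd.split() if not a.startswith(SECRET_ARGS))


def triage(log_text):
    """Return an ordered list of (kind, detail) findings for one radiusd -X capture."""
    findings = []
    seen = set()

    def add(kind, detail):
        # "Exec-Program output" and "Exec-Program-Wait: plaintext" repeat the
        # same message, so record each distinct finding once.
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            findings.append((kind, detail))

    hack_off = False
    delimiter_warned = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if NTDOMAIN_OFF_RE.search(line):
            hack_off = True
        elif NTDOMAIN_WARN in line:
            delimiter_warned = True
        elif line == CHAP_FAIL:
            add("mschap_failed", "MS-CHAPv2 response rejected (see ntlm_auth status)")
        elif (m := CMD_RE.match(line)):
            add("ntlm_auth_call", redact_ntlm_cmd(m.group(1)))
        elif (m := OUTPUT_RE.match(line)):
            code = m.group(2).lower()
            hint = NT_STATUS_HINTS.get(code, "unrecognised NT status, check the winbind logs")
            add("ntlm_auth_status", f"{code} {m.group(1)}: {hint}")
        elif (m := RETURN_RE.match(line)) and m.group(1) != "0":
            add("ntlm_auth_exit", f"ntlm_auth exited {m.group(1)}")

    if delimiter_warned:
        if hack_off:
            detail = "User-Name carries DOMAIN\\user but with_ntdomain_hack is off"
        else:
            detail = ("User-Name carries DOMAIN\\user; confirm with_ntdomain_hack = yes "
                      "in the mschap module")
        add("ntdomain_hack", detail)
    return findings


# Constructed sample: the lockout case from the thread, with the module
# settings and the domain-delimiter warning that appeared in the same capture.
SAMPLE_LOG = """\
Module: Loaded MS-CHAP
mschapv2: with_ntdomain_hack = no
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Feed it the whole `radiusd -X` capture rather than an extract, as the replies ask, so the module settings printed at startup are available to the `with_ntdomain_hack` check.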
Re: freeradius and ntlm_auth howto
Here's the full log:

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.104.254.73:1645, id=67, length=259
        User-Name = "KMT-EU.KMTG.NET\\sstruyf"
        Framed-MTU = 1400
        Called-Station-Id = "0016.469b.7cd0"
        Calling-Station-Id = "0011.851a.cc37"
        Service-Type = Login-User
        Message-Authenticator = 0xfeb711c4400f8f34b9fef7c2be7f77bc
        EAP-Message = 0x020900691900170301005e5971fff2b46b2f81e88ed248772a59c1860abf0ebe40379c9e20c0ac6edd9cb19abe8ebfe82595c54bc12a979c51182f9b58d130708870f1b6bb17c1cd8249a64ddae5750e9411d4e337bd0876f393e83f2015b4c783ee35db02041bad3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2936
        State = 0x5d8298849858ea61aec0380c81af200d
        NAS-IP-Address = 10.104.254.73
        NAS-Identifier = "WAP07KE"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
    rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
    rlm_realm: Found realm "KMT-EU.KMTG.NET"
    rlm_realm: Adding Stripped-User-Name = "sstruyf"
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 105
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched sstruyf at 98
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f13681af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
  PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
  PEAP: Adding old state with 46 61
  PEAP: Sending tunneled request
        EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f13681af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "KMT-EU.KMTG.NET\\sstruyf"
        State = 0x4661e4398678b434bf08ae113a631207
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
    rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
    rlm_realm: Found realm "KMT-EU.KMTG.NET"
    rlm_realm: Adding Stripped-User-Name = "sstruyf"
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "ntdomain" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 82
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched sstruyf at 98
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter
Re: freeradius and ntlm_auth howto
[EMAIL PROTECTED] wrote:
> All,
> I finally got it working, but not yet as I want. The trick that made it
> work is setting auth-type := MSCHAPv2 for the

You should not do that, and should not *have* to do that. Most likely you have not put the mschap module in the authorize section, *or* you have put another module higher up that is setting the auth-type first, e.g. LDAP.

You should have:

authorize {
    preprocess
    mschap
    # other modules, maybe files?
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

> user(s) and I also started radiusd as root (changed the rights without
> success to radiusd, but once everything is working I will try to run
> again with the radiusd user)

That's probably permissions on the winbind socket - see

[EMAIL PROTECTED] var]$ ls -ld /var/cache/samba/winbindd_privileged/
drwxr-x--- 2 root root 4096 Jul 24 21:36 /var/cache/samba/winbindd_privileged/

...radius will need to be able to get into that directory and access the unix socket inside. Many distributions have the unix group "squid" set up to be able to read it for the purposes of Squid+ntlm. If so, just add the "radiusd" user to the "squid" group. Or, create an "ntlmauth" group and set permissions appropriately. If you are on an SELinux distribution, watch for that.

> If I connect my user(s) with [EMAIL PROTECTED] it works, but if I use
> realm\username the realm is found but no ntlm is used (and authentication
> fails). Below you find an extract from the debug where you can see that the

An extract is no use. Please show the full debug output for a failing session.

HOWEVER, first you may want to check your mschap module definition:

modules {
    mschap {
        ntlm_auth = "/usr/bin/ntlm_auth \
            --request-nt-key \
            --username=%{mschap:User-Name:-None} \
            --domain=%{mschap:NT-Domain:-None} \
            --challenge=%{mschap:Challenge:-00} \
            --nt-response=%{mschap:NT-Response:-00}"
    }
}

...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
Re: freeradius and ntlm_auth howto
All,
I finally got it working, but not yet as I want. The trick that made it work is setting auth-type := MSCHAPv2 for the user(s) and I also started radiusd as root (changed the rights without success to radiusd, but once everything is working I will try to run again with the radiusd user).

If I connect my user(s) with [EMAIL PROTECTED] it works, but if I use realm\username the realm is found but no ntlm is used (and authentication fails). Below you find an extract from the debug where you can see that the correct realm is found. Do I need some options? (btw I need this to work because automatic logon to the wifi from windows xp with windows credentials is in this format)

  modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 69
    rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
    rlm_realm: Found realm "KMT-EU.KMTG.NET"
    rlm_realm: Adding Stripped-User-Name = "sstruyf"
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
    rlm_realm: Authentication realm is LOCAL.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED] wrote on 10/26/2006 05:05:44 PM:

> [EMAIL PROTECTED] wrote:
> > I am trying to authenticate my wifi users via our AD. I'm finding bits and
> > pieces on the internet to configure things, but no completely usable
> > howto.
>
> What's missing from any of the HOWTO's? There's some on the Wiki,
> and one on my site.
>
> > Exec-Program-Wait: plaintext: winbind client not authorized to use
> > winbindd_pam_auth_crap. Ensure permissions on
> > /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
>
> You're running the server as non-root, and the programs it executes
> don't run as root, so they don't have permissions to read that
> directory. Make the server run as root, or fix the permissions.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: freeradius and ntlm_auth howto
[EMAIL PROTECTED] wrote:
> I am trying to authenticate my wifi users via our AD. I'm finding bits and
> pieces on the internet to configure things, but no completely usable
> howto.

What's missing from any of the HOWTO's? There's some on the Wiki, and one on my site.

> Exec-Program-Wait: plaintext: winbind client not authorized to use
> winbindd_pam_auth_crap. Ensure permissions on
> /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

You're running the server as non-root, and the programs it executes don't run as root, so they don't have permissions to read that directory. Make the server run as root, or fix the permissions.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: freeradius and ntlm_auth howto
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

The debugging output is exactly saying what's wrong:

Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

This dir should be readable by freeradius AND winbind. I thought 750 would work.

J.

- --
Jonathan De Graeve
IMELDA vzw Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98

> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On behalf of
> [EMAIL PROTECTED]
> Sent: Thursday, 26 October 2006 16:24
> To: freeradius-users@lists.freeradius.org
> Subject: freeradius and ntlm_auth howto
>
>
> All,
> I am trying to authenticate my wifi users via our AD. I'm finding bits and
> pieces on the internet to configure things, but no completely usable
> howto.
> Can one of the users look at the output below and point me to the
> correct solution/howto?
>
> I set up smb.conf, krb5.conf and freeradius. I joined the server to the
> domain and tested the connection with ntlm_auth:
> [EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
> password:
> NT_STATUS_OK: Success (0x0)
> [EMAIL PROTECTED] ~]#
>
> rights of the winbind pipe:
> ls -l /var/cache/samba/winbindd_privileged
> total 0
> srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe
>
> below is the debug output of freeradius
>
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Got tunneled EAP-Message
> EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
> PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
> PEAP: Adding old state with a4 c3
> PEAP: Sending tunneled request
> EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "KMT-EU.KMTG.NET\\sstruyf"
> State = 0xa4c337a92357e8d90a5f8c64b37d2df1
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> modcall[authorize]: module "preprocess" returns ok for request 7
> modcall[authorize]: module "mschap" returns noop for request 7
> rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
> rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
> rlm_realm: Found realm "KMT-EU.KMTG.NET"
> rlm_realm: Adding Stripped-User-Name = "sstruyf"
> rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
> rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "ntdomain" returns noop for request 7
> rlm_eap: EAP packet type response id 9 length 82
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 7
> users: Matched sstruyf at 98
> modcall[authorize]: module "files" returns ok for request 7
> modcall: group authorize returns updated for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 7
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: N
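Added example, not code from the thread or from FreeRADIUS or Samba: a small POSIX shell check for the permission problem both replies point at. ntlm_auth --request-nt-key has to open the privileged winbind pipe, and Samba creates the directory holding it with mode 0750 and group root, so the srwxrwxrwx on the pipe socket itself in the post is irrelevant; what blocks an unprivileged radiusd (and the ntlm_auth it execs) is the search bit on the enclosing directory. can_traverse is the pure decision (given the directory's mode, owner and group, the user and the user's group list, does that user get the search bit), and radiusd_can_use_winbind feeds it live values from stat and id. Assumptions: GNU stat -c, a radiusd user literally named radiusd (the user= setting in the poster's radiusd.conf is not shown), and the directory path from the post.

```shell
#!/bin/sh
# Added example (not from the thread, FreeRADIUS or Samba): decide whether the
# user radiusd runs as can search Samba's winbindd_privileged directory, which
# is what ntlm_auth --request-nt-key needs for winbindd_pam_auth_crap.
# Directory path is the one from the post; newer Samba builds usually keep it
# under /var/lib/samba instead. "radiusd" as the user name is an assumption.

# exec_bit DIGIT: true if one octal permission digit carries the x (search) bit.
exec_bit() {
    [ $(( $1 % 2 )) -eq 1 ]
}

# can_traverse MODE OWNER GROUP USER "GROUP1 GROUP2 ...":
# MODE/OWNER/GROUP as printed by `stat -c '%a %U %G' DIR`, USER is the
# radiusd user, the last argument is `id -Gn USER`. Returns 0 if USER may
# search DIR, 1 otherwise. Mirrors the kernel's owner/group/other selection.
can_traverse() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    # root ignores mode bits entirely (Alan's "make the server run as root")
    [ "$user" = root ] && return 0
    # pad to four digits so a setgid/sticky digit cannot shift the triplet
    m=$mode
    while [ ${#m} -lt 4 ]; do m=0$m; done
    rest=${m#?}            # drop the special-bits digit
    o=${rest%??}           # owner digit
    gw=${rest#?}
    g=${gw%?}              # group digit
    w=${gw#?}              # other digit
    if [ "$user" = "$owner" ]; then
        exec_bit "$o"; return
    fi
    for ug in $user_groups; do
        if [ "$ug" = "$group" ]; then
            exec_bit "$g"; return
        fi
    done
    exec_bit "$w"
}

# radiusd_can_use_winbind DIR USER: the same decision against the live
# filesystem (GNU stat; returns 2 if DIR cannot be stat'ed).
radiusd_can_use_winbind() {
    dir=$1 user=$2
    facts=$(stat -c '%a %U %G' "$dir") || return 2
    set -- $facts
    can_traverse "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}

# Usage, as root on the RADIUS server (assumed user name radiusd):
#   d=/var/cache/samba/winbindd_privileged
#   radiusd_can_use_winbind "$d" radiusd \
#       || echo "fix: chgrp radiusd $d && chmod 750 $d"
```

The fix the check suggests is Jonathan's 750 variant: leave the mode alone and change the directory's group to the radiusd user's group, which keeps every other local user away from the privileged pipe. Alan's alternative (run radiusd as root) passes the check trivially and is the larger exposure. Run the check with the exact user from the user= line of radiusd.conf; a wrong guess there is the usual reason "it works from a root shell" (the poster's manual ntlm_auth test) while the server still fails.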
freeradius and ntlm_auth howto
All,

I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto. Can one of the users look at the output below and point me to the correct solution/howto?

I set up smb.conf, krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth:

[EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
password:
NT_STATUS_OK: Success (0x0)
[EMAIL PROTECTED] ~]#

rights of the winbind pipe:

ls -l /var/cache/samba/winbindd_privileged
total 0
srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe

below is the debug output of freeradius

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
PEAP: Adding old state with a4 c3
PEAP: Sending tunneled request
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "KMT-EU.KMTG.NET\\sstruyf"
State = 0xa4c337a92357e8d90a5f8c64b37d2df1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
rlm_realm: Found realm "KMT-EU.KMTG.NET"
rlm_realm: Adding Stripped-User-Name = "sstruyf"
rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 82
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched sstruyf at 98
modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 95
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: