
List:       freeradius-users
Subject:    Re: Trouble running ntlm_auth with mschap
From:       Alan Buxey <alan.buxey () gmail ! com>
Date:       2017-08-21 12:22:47
Message-ID: CAOVYXj_2jD1yBHZzwTFDevsCmWqB7SSOf6nw2fK4pkBNBxQyNA () mail ! gmail ! com

Correct. Commented out values are the defaults. The default is no.

Actually it's 2017 now so the default for that config should all be yes and
strong etc.  That probably won't happen due to it maybe being a breaking
change for legacy sites but it should certainly be the defaults in v4 :)

alan

On 21 Aug 2017 7:08 am, "Dirk Bonenkamp - ProActive" <dirk@proactive.nl>
wrote:

> Thank you Alan,
>
> After some testing, it turns out that:
>
> use_mppe = yes
>
> Is not the same as
>
> #use_mppe = no
>
> But it works again now.
>
> Cheers,
>
> Dirk
>
> On 2017-08-19 18:38, Alan Buxey wrote:
>
>> Use eg eapol_test for testing and ensure you have all the options eg mppe
>> etc set to yes in mschap module
>>
>> alan
>>
>> On 18 Aug 2017 2:36 pm, "Dirk Bonenkamp - ProActive" <dirk@proactive.nl>
>> wrote:
>>
>>> Hi All,
>>>
>>> I'm running Ubuntu 16.04 LTS, Samba 4.3.11 and Freeradius 3.0.15.
>>>
>>> I'm having trouble using mschap when authenticating against my AD using
>>> ntlm_auth. Testing with wbinfo or ntlm_auth from the command line works.
>>> Running NTLM_AUTH through freeradius (configured by myself, which just calls
>>> ntlm_auth straight), works fine:
>>>
>>> radtest dirk MyPaSsWord localhost 0 testing123
>>>
>>> Output:
>>>
>>> (2) Found Auth-Type = NTLM_AUTH
>>> (2) # Executing group from file /etc/freeradius/sites-enabled/default
>>> (2)   Auth-Type NTLM_AUTH {
>>> (2) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --password=%{User-Password}:
>>> (2) ntlm_auth: EXPAND --username=%{mschap:User-Name}
>>> (2) ntlm_auth:    --> --username=dirk
>>> (2) ntlm_auth: EXPAND --password=%{User-Password}
>>> (2) ntlm_auth:    --> --password=MyPaSsWord
>>> (2) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
>>> (2) ntlm_auth: Program executed successfully
>>> (2)     [ntlm_auth] = ok
>>> (2)   } # Auth-Type NTLM_AUTH = ok
>>>
>>> But when running:
>>>
>>> radtest -t mschap dirk MyPaSsWord localhost 0 testing123
>>>
>>> I get:
>>>
>>> (0) Found Auth-Type = mschap
>>> (0) # Executing group from file /etc/freeradius/sites-enabled/default
>>> (0)   authenticate {
>>> (0) mschap: Client is using MS-CHAPv1 with NT-Password
>>> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=PROACTIVE --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>>> (0) mschap: EXPAND --username=%{mschap:User-Name}
>>> (0) mschap:    --> --username=dirk
>>> (0) mschap: mschap1: a2
>>> (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>>> (0) mschap:    --> --challenge=a2ecd01e5bdf0ef6
>>> (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>>> (0) mschap:    --> --nt-response=28c30e8ce6d1a2ecd6877be94a654d6336afa03527aace03
>>> (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
>>> (0) mschap: External script failed
>>> (0) mschap: ERROR: External script says: Logon failure (0xc000006d)
>>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>>> (0)     [mschap] = reject
>>>
>>> I'm really puzzled here... I had this working on an Ubuntu 12.04 /
>>> freeradius 2.x setup, but I'm really stuck now.
>>>
>>> Any help or hints are highly appreciated. Thank you in advance, kind
>>> regards,
>>>
>>> Dirk
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
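
An added example, not part of the thread and not FreeRADIUS code: a small audit that reads an mschap module stanza and reports, for each option, whether it is actively set, only present as a commented-out line, or absent, which is the distinction between `use_mppe = yes` and `#use_mppe = no` discussed above. The sample stanza is constructed, `require_encryption` and `require_strong` are assumed to be the "strong etc." options meant, and the script makes no claim about what the server's built-in defaults are.

```python
import re

# use_mppe is named in the thread; the other two are assumed to be the
# "strong etc." options referred to there.
OPTIONS = ("use_mppe", "require_encryption", "require_strong")

# Constructed sample stanza, not the poster's real configuration file.
SAMPLE = """\
mschap {
#	use_mppe = no
	require_encryption = yes
#	require_strong = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name}"
}
"""

# Optional leading '#', then "name = value".
LINE = re.compile(r"^\s*(#?)\s*(\w+)\s*=\s*(\S+)")


def audit(text, options=OPTIONS):
    """Return {option: (state, value)}; state is 'set', 'commented' or 'absent'."""
    found = {name: ("absent", None) for name in options}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) not in found:
            continue
        hashed, name, value = m.groups()
        state = "commented" if hashed else "set"
        # An active assignment always wins over a commented line for the same key.
        if state == "set" or found[name][0] != "set":
            found[name] = (state, value.strip('"'))
    return found


def not_enforced(text, options=OPTIONS):
    """Options that the file does not explicitly switch on."""
    return [name for name, (state, value) in audit(text, options).items()
            if not (state == "set" and value.lower() == "yes")]


if __name__ == "__main__":
    for name, (state, value) in audit(SAMPLE).items():
        print(f"{name:20} {state:10} {value or '-'}")
    print("not explicitly 'yes':", not_enforced(SAMPLE))
```
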