
List:       freeradius-users
Subject:    Re: [EXTERNAL] Re: Computer/Machine Authentication almost working..
From:       Tim ODriscoll <tim.odriscoll () lambrookschool ! co ! uk>
Date:       2023-04-03 15:43:44
Message-ID: AM6PR10MB2568DD8E5CBDF13F476C9C33D6929 () AM6PR10MB2568 ! EURPRD10 ! PROD ! OUTLOOK ! COM

> *  Also read the top of sites-available/inner-tunnel and test it via radclient, using MS-CHAP.

Thank you, Alan - I hadn't tried that yet:

It seems my ldap authentication is working, but not the mschap:
# radtest tim.odriscoll MYPASSWD localhost 10 testing123
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
rlm_ldap (ldap): Reserved connection (2)
(0) ldap: Login attempt by "tim.odriscoll"
(0) ldap: Using user DN from request "CN=tim.odriscoll,CN=Users,DC=MYDOMAIN,DC=co,DC=uk"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "CN=tim.odriscoll,CN=Users,DC=MYDOMAIN,DC=co,DC=uk" was successful
rlm_ldap (ldap): Released connection (2)
(0)     [ldap] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Medium-Type = IEEE-802
(0)   Tunnel-Private-Group-Id = "30"
(0) Finished request

And with mschap:
radtest -t mschap tim.odriscoll MYPASSWD localhost 10 testing123
(1)   authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(1) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(1) mschap:    --> --username=tim.odriscoll
(1) mschap: mschap1: 84
(1) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(1) mschap:    --> --challenge=84b5ae5ac964eb2c
(1) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(1) mschap:    --> --nt-response=da7a0095a13df2402e71c6c167eef1f1ae48514b721fa091
(1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(1) mschap: External script failed
(1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(1) mschap: ERROR: MS-CHAP2-Response is incorrect
(1)     [mschap] = reject

I will try and dig out the samba logs..

Many thanks,
Tim
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
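As an added triage helper (not part of Tim's post, nor FreeRADIUS or Samba code), this parses radiusd -X output like the two runs above and pulls out, per request, each module's return code, what reply was sent, and the NT_STATUS code that ntlm_auth reported. The sample lines are constructed from the post; the NT_STATUS names are the standard Windows values, with the page's 0xc000006d being STATUS_LOGON_FAILURE.

```python
"""Triage FreeRADIUS ``radiusd -X`` output: per-request module results and ntlm_auth status."""
import re
from collections import defaultdict

# Constructed sample, abridged from the two radtest runs in the post (unwrapped lines).
SAMPLE_DEBUG = """\
(0)   authenticate {
(0) ldap: Bind successful
(0)     [ldap] = ok
(0)   } # authenticate = ok
(0) Sent Access-Accept Id 138 from 127.0.0.1:1812 to 127.0.0.1:41829 length 36
(1)   authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(1) mschap: ERROR: MS-CHAP2-Response is incorrect
(1)     [mschap] = reject
"""

# NT_STATUS codes that ntlm_auth commonly passes through from the DC (standard Windows values).
NT_STATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (DC rejected the username/response pair)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# "(N)     [module] = rcode"  /  "(N) Sent Access-Xxx ..."  /  mschap's external-script error line
MODULE_RE = re.compile(r"^\((\d+)\)\s+\[(\S+)\] = (\w+)$")
SENT_RE = re.compile(r"^\((\d+)\) Sent (Access-\w+) ")
STATUS_RE = re.compile(r"^\((\d+)\) mschap: ERROR: External script says: .*\((0x[0-9a-fA-F]{8})\)")


def triage(debug_text):
    """Map request id -> {"modules": {name: rcode}, "sent": reply type or None, "ntlm_status": str or None}."""
    out = defaultdict(lambda: {"modules": {}, "sent": None, "ntlm_status": None})
    for line in debug_text.splitlines():
        if m := MODULE_RE.match(line):
            out[int(m[1])]["modules"][m[2]] = m[3]
        elif m := SENT_RE.match(line):
            out[int(m[1])]["sent"] = m[2]
        elif m := STATUS_RE.match(line):
            code = int(m[2], 16)
            out[int(m[1])]["ntlm_status"] = NT_STATUS.get(code, f"unknown NT_STATUS {m[2]}")
    return dict(out)


if __name__ == "__main__":
    for rid, info in sorted(triage(SAMPLE_DEBUG).items()):
        print(f"request ({rid}): modules={info['modules']} sent={info['sent']} ntlm={info['ntlm_status']}")
```

Feed it the full radiusd -X capture instead of the sample to see at a glance which request failed in which module, and whether the failure came back from the DC via ntlm_auth or from FreeRADIUS itself.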

