'Re: problem with radtest and freeradius 3.0.26'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: problem with radtest and freeradius 3.0.26
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2024-01-31 12:15:35
Message-ID: 7E82E452-03FF-479D-B4DF-D051A7D174E7 () deployingradius ! com
[Download RAW message or body]

On Jan 30, 2024, at 10:11 PM, Dean Guenther <deanrguenther@gmail.com> wrote:
> I've followed your suggestion on debugging. I still am unable to get a
> successful authentication. I can see "what" is failing, (the
> autentication). But I don't see the "why".

  The "why" is buried somewhere in a log file in Active Directory.  Pretty much the \
only thing it's returning to FreeRADIUS is "failed".

> 4) I also ran
> ntlm_auth --username=deang --password=******* --domain=TESTDOMAIN
> and that works. I also did
> ntlm_auth --username=deang --password=*******
> without the --domain and that also works.
> NOTE: per your explanation I now understand that this execution does
> not actually call mschap

  Yes.

  You can *also* run radtest, and tell it to send MS-CHAP data to the server.  i.e. \
you give radtest a clear-text password, and it does the MS-CHAP calculations for you.

  That should work.  If it doesn't, then something weird is going on.

  If it does work, then you know that the other device creating the MS-CHAP data is \
doing it wrong.  And so the only way to fix it is to fix the other device.

> 5) My endgame is I want to authenticate a wireless access point through
> this freeradius server. But when I couldn't get that to initially work is
> when I
> decided to try radtest. So now my most recent test is going through the
> access point which uses WPA2 Enterprise.
> 6) It asks for the name and password.
> 7) In the freeradius log (attached) it shows that it successfully passes
> the username "deang" to mschap.
> 8) But then it says it
> (7) mschap: ERROR: Program returned code (1) and output 'The
> attempted logon is invalid.
> This is either due to a bad username or authentication
> information. (0xc000006d)'

  Because Active Directory doesn't like "something" about the MS-CHAP data.

  What doesn't it like?  No idea.  That information is buried in the Active Directory \
logs.

> 9) In your new mschap documentation it mentioned trying ntlm_auth from the
> command line using the mschap:Challenge and mschap:NT-Response.
> I couldn't get that to work. Not sure what I entered wrong here:
> # ntlm_auth --request-nt-key --allow-mschapv2 --username=deang
> --challenge=878e648b0127ef34
> 
> --nt-response=cea5231c4fe1a9d111433e9473010416e8ca426578904d35
> --domain=TESTDOMAIN
> The attempted logon is invalid. This is either due to a bad
> username or authentication information. (0xc000006d)

  The challenge is a random field.  The nt-response is calculated from a hash of the \
username and challenge.  So the point is to test small variations of the username to \
see what works.

  i.e. the other device may be doing the MS-CHAP calculations with username \
"deang@testdomain", but then instead of sending that to FreeRADIUS, sends a username \
of "deang".  But still sends the MS-CHAP data calculated with "deang@testdomain".

  So it will *never* work.

  The purpose of running ntlm_auth from the command line is to see if the device sent \
you one format for the username, but secretly calculated the MS-CHAP data with a \
different username,  So try different variations of the username, and maybe one will \
work.

> 10) in the mschap documentation it says another option is to comment out
> ntlm_auth and uncomment "winbind_username" and
> "winbind_domain" in mschap. I tried this but it still failed. I did
> not include a log of that attempt.

  That won't work if the MS-CHAP data sent by the device is wrong.

> One more question, so I can learn more about this process. The password is
> never shown in the mschap debug log. Is the password when entered on the
> wireless access point somehow hashed into a combination of the challenge
> and nt-response? Just trying to understand how they fit together.

  Yes.

  My $0.02 is to try radtest:

$ radtest -t mschap deang my-password localhost

  And then also different variations of the username...

$ radtest -t mschap deang@testdomain.com my-password localhost

  My guess is that one of them will work.  If not, then something in your local \
changes are mangling the username and/or the MS-CHAP data.

  Most people get this working pretty quickly.  So either the device is broken, or \
your local RADIUS configuration is broken.  There isn't much else which can go wrong.

  If this is still a mystery after a few more tests, then it's time to start over.  \
Wipe the entire configuration, and start with the default configuration.

  Then, follow my Active Directory guide:  \
http://deployingradius.com/documents/configuration/active_directory.html

  It has a step-by-step approach.  It works.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic