MSCHAP using multiple domains


MSCHAP using multiple domains

Klemen forneci
Hello.
I know this may not be strictly RADIUS related, but my google-fu is
all used up (not much on the subject). Now to the problem:
I'm using freeradius 3.13 on centos7 (upgrading from v2 on centos6).
In the modules I have 2 mschap configurations based on user domain
(Windows domain):

mschap mschap_thor {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-THOR} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

mschap mschap_loki {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-LOKI} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

In sites-enabled/default:

   Auth-Type MS-CHAP {
      if (Realm == "um.si") {
          mschap_thor
      }
      elsif (Realm == "guest.um.si") {
          mschap_thor
      }
      elsif (Realm == "student.um.si") {
          mschap_loki
      }
   }

When I use mschap_thor everything works. When I try mschap_loki, I get
the following error:
(2) mschap_loki: ERROR: Program returned code (1) and output 'Logon
Failure: The machine you are logging onto is protected by an
authentication firewall. The specified account is not allowed to
authenticate to the machine. (0xc0000413)'
(2) mschap_loki: External script failed
(2) mschap_loki: ERROR: External script says: Logon Failure: The
machine you are logging onto is protected by an authentication
firewall. The specified account is not allowed to authenticate to the
machine. (0xc0000413)
(2) mschap_loki: ERROR: MS-CHAP2-Response is incorrect

I've tried adding the radiusd server to the LOKI domain (net ads
join), but the error remains. Are there any more settings in
FreeRADIUS that I've missed, or anywhere else? The whole project is at
a standstill because of this :/

Thank you and best regards,
Klemen
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MSCHAP using multiple domains

Matthew Newton

On 21/07/2020 17:01, Klemen forneci wrote:

> When I use mschap_thor everything works. When I try mschap_loki, I get
> the following error:
> (2) mschap_loki: ERROR: Program returned code (1) and output 'Logon
> Failure: The machine you are logging onto is protected by an
> authentication firewall. The specified account is not allowed to
> authenticate to the machine. (0xc0000413)'
> (2) mschap_loki: External script failed
> (2) mschap_loki: ERROR: External script says: Logon Failure: The
> machine you are logging onto is protected by an authentication
> firewall. The specified account is not allowed to authenticate to the
> machine. (0xc0000413)
> (2) mschap_loki: ERROR: MS-CHAP2-Response is incorrect
>
> I've tried adding the radiusd server to the LOKI domain (net ads
> join), but the error remains. Are there any more settings in
> freeradius that i've missed or anywhere else. The whole project is on
> a standstill because of this :/

As you realise already I think - it's nothing to do with FreeRADIUS,
which just runs the ntlm_auth binary and uses the result.

You need to run ntlm_auth manually with the same args, reproduce it
there, and then debug back up through Samba.

Once ntlm_auth works, FreeRADIUS should work, too.

From what I recall, you would normally link the domains together and
then just join the FreeRADIUS server to one domain, the DC it sends its
request to should forward to the other domain based on the --domain arg.

If you want to join to two distinct domains simultaneously I believe
you'll need to have two separate isolated instances of Samba running
(this may have changed since I looked last though).

--
Matthew
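Following the advice above to run ntlm_auth by hand with the same arguments, here is an added helper (not from the thread, FreeRADIUS or Samba) that rebuilds the command line the mschap_thor / mschap_loki modules issue for a given realm and judges the result the way rlm_mschap does; the realm-to-domain table, the sample hex values and the NTLM_AUTH override are assumptions.

```shell
#!/bin/sh
# Reproduce the exact ntlm_auth call that mschap_thor / mschap_loki make, outside
# radiusd, so an 0xc0000413-style failure can be debugged in Samba directly.
# Assumptions not in the thread: the realm-to-domain table, the hex sample
# values used when testing, and the NTLM_AUTH override for the binary path.

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"

domain_for_realm() {
    # Same realm -> module choice as the thread's Auth-Type MS-CHAP block.
    case "$1" in
        um.si|guest.um.si) echo THOR ;;
        student.um.si)     echo LOKI ;;
        *)                 return 1 ;;
    esac
}

build_cmd() {
    # $1 user, $2 realm, $3 NT-Domain from the request (empty if none),
    # $4 challenge hex, $5 NT-response hex.  The ${x:-default} forms mirror
    # the module's %{%{mschap:NT-Domain}:-LOKI} style fallbacks.
    user="${1:-None}"
    default_domain=$(domain_for_realm "$2") || return 1
    domain="${3:-$default_domain}"
    challenge="${4:-00}"
    ntresp="${5:-00}"
    printf '%s --request-nt-key --username=%s --domain=%s --challenge=%s --nt-response=%s\n' \
        "$NTLM_AUTH" "$user" "$domain" "$challenge" "$ntresp"
}

run_check() {
    # rlm_mschap treats exit status 0 plus an "NT_KEY: " line as success and
    # relays anything else as "External script says: ...".
    cmd=$(build_cmd "$@") || { echo "no module selected for realm '$2'" >&2; return 2; }
    echo "+ $cmd" >&2
    out=$($cmd 2>&1)          # unquoted on purpose: split into argv
    rc=$?
    case "$rc/$out" in
        0/NT_KEY:*) echo "OK: ntlm_auth returned an NT key"; return 0 ;;
        *)          echo "FAIL (rc=$rc): $out"; return 1 ;;
    esac
}

# Usage: sh ntlm_check.sh USER REALM [NT-DOMAIN CHALLENGE NT-RESPONSE]
if [ "$#" -ge 2 ]; then
    run_check "$@"
fi
```

Run it once per realm on the joined server; if the LOKI call fails here with the same 0xc0000413 text, the fault is in the Samba/DC trust path, not in FreeRADIUS.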

Re: MSCHAP using multiple domains

Klemen forneci
Yes, I know that this is not radius related. I can reproduce the error in samba.
I was hoping someone had a similar issue and would give me some hints.
As for dual instances, I checked on the old server and there is a
single domain join. So there must be something on the windows side
that's giving me issues.

Best regards,
Klemen

On Tue, 21 Jul 2020 at 18:12, Matthew Newton
<[hidden email]> wrote: