On 03-04-2023 17:08, Tim ODriscoll wrote:
> > I guess we have to look at the conf files then, first these two:
>
> Thank you for the config file snippets. I can confirm mine were almost
> identical, so I've tweaked them so that they are now exactly the same
> as yours except for the
> "--require-membership-of=example\authorization_groupname" line in
> ntlm_auth.
>
> Unfortunately it's still erroring out:
> (7) mschap: Creating challenge hash with username:
> host/SL-6S4BBS3.MYDOMAIN.co.uk
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-00} --allow-mschapv2
> --domain=MYDOMAIN --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (7) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
> (7) mschap:    --> --username=SL-6S4BBS3$
> (7) mschap: Creating challenge hash with username:
> host/SL-6S4BBS3.MYDOMAIN.co.uk
> (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (7) mschap:    --> --challenge=b45bc6ef86e0331a
> (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (7) mschap:    --> --nt-response=a3748d3de88efabcf966a1740cb27a279d8923ebfac30d89
> (7) mschap: ERROR: Program returned code (1) and output 'The attempted
> logon is invalid. This is either due to a bad username or
> authentication information. (0xc000006d)'
> (7) mschap: External script failed
> (7) mschap: ERROR: External script says: The attempted logon is
> invalid. This is either due to a bad username or authentication
> information. (0xc000006d)
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> Did you have to change any other config files?
Sure, there are more, but they are getting longer...
mods-enabled/eap:
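eap {
	# Outer EAP method used when the supplicant does not request one.
	# NOTE(review): EAP-MD5 authenticates only the user, not the server,
	# and yields no keying material; the tunnelled methods (ttls/peap)
	# below are the ones meant for real use - confirm this default is
	# intended and not just left over from testing.
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	md5 {
	}

	leap {
	}

	gtc {
		auth_type = PAP
	}

	# TLS settings shared by tls, ttls and peap (referenced as "tls = tls-common").
	tls-config tls-common {
		#private_key_password = whatever
		private_key_file = /etc/ssl/private/SERVER_CERT.key
		certificate_file = /etc/ssl/certs/SERVER_CERT.crt
		# With check_crl = yes this file has to hold the CA certificate AND
		# the CRL concatenated (cat ca.pem crl.pem > ca_and_crl.pem); a plain
		# CA file makes every client-certificate verification fail.
		ca_file = /etc/freeradius/3.0/ca_and_crl.pem
		dh_file = ${certdir}/dh
		ca_path = ${cadir}
		# Revocation is enforced through the CRL only; OCSP is disabled below.
		# Set to "no" to turn CRL checking off.
		check_crl = yes
		cipher_list = "DEFAULT"
		cipher_server_preference = no
		# Tune these two to your needs: TLS 1.2 is the floor, 1.3 the ceiling.
		tls_min_version = "1.2"
		tls_max_version = "1.3"
		ecdh_curve = "prime256v1"

		# Session resumption is off, so every EAP-TLS exchange does a full
		# handshake; the store list only matters once enable = yes.
		cache {
			enable = no
			store {
				Tunnel-Private-Group-Id
			}
		}

		verify {
		}

		# OCSP is off; override_cert_url and url are inert while enable = no.
		ocsp {
			enable = no
			override_cert_url = yes
			url = "http://127.0.0.1/ocsp/"
		}
	}

	tls {
		tls = tls-common
	}

	ttls {
		tls = tls-common
		# Inner method inside the TTLS tunnel (protected by the outer TLS).
		default_eap_type = md5
		# Both legacy copy flags are off; if inner reply attributes must reach
		# the outer reply, use the &outer.session-state update in the
		# inner-tunnel post-auth section instead.
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	peap {
		tls = tls-common
		# Inner method inside the PEAP tunnel; handled by the mschap module
		# (and ntlm_auth) in the inner-tunnel virtual server.
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}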
To support CRL checking you have to combine the CA certificate with the
CRL, like this:
cat /etc/ssl/certs/ca.pem /etc/ssl/certs/crl.pem >
/etc/freeradius/3.0/ca_and_crl.pem
To disable CRL checking, set "check_crl = no".
sites-enabled/samba_default:
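server default {
	# Outer (EAP) authentication listener. ipaddr = * binds every IPv4
	# address on the host; which peers may send RADIUS at all is decided
	# solely by the client list and shared secrets in clients.conf, so
	# on a multi-homed box either bind a specific address or firewall
	# 1812/1813 to the NAS/AP networks.
	listen {
		type = auth
		ipaddr = *
		port = 1812
		# NOTE(review): the limit section is for proto = tcp sockets;
		# for the default UDP transport used here these values are
		# reportedly ignored - confirm against the server documentation.
		limit {
			max_connections = 16
			lifetime = 0
			idle_timeout = 30
		}
	}

	# Outer accounting listener, IPv4.
	listen {
		ipaddr = *
		port = 1813
		type = acct
		limit {
			max_connections = 16
			lifetime = 0
			idle_timeout = 30
		}
	}

	# Same two listeners for IPv6 (:: = any address).
	listen {
		type = auth
		ipv6addr = ::	# any
		port = 1812
		limit {
			max_connections = 16
			lifetime = 0
			idle_timeout = 30
		}
	}

	listen {
		ipv6addr = ::
		port = 1813
		type = acct
		limit {
			max_connections = 16
			lifetime = 0
			idle_timeout = 30
		}
	}

	authorize {
		# Policy that rejects obviously malformed User-Name values early.
		filter_username
		preprocess
		# When the eap module takes the request, skip the rest of authorize.
		eap {
			ok = return
		}
		expiration
		logintime
	}

	# Outer authentication is EAP only; PAP/CHAP from a NAS are not accepted here.
	authenticate {
		eap
	}

	preacct {
		preprocess
		acct_unique
	}

	accounting {
		detail
		attr_filter.accounting_response
	}

	post-auth {
		# Pull in whatever earlier processing stashed in session-state
		# (e.g. the inner-tunnel's &outer.session-state update).
		update {
			&reply: += &session-state:
		}
		# For Exec-Program and Exec-Program-Wait
		exec
		# Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
		Post-Auth-Type REJECT {
			attr_filter.access_reject
			# Insert EAP-Failure message if the request was rejected by
			# policy instead of because of an authentication failure
			eap
			# Remove reply message if the response contains an EAP-Message
			remove_reply_message_if_eap
		}
	}

	post-proxy {
		eap
	}
}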
sites-enabled/samba_inner-tunnel:
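server inner-tunnel {
	# Loopback-only listener so the inner policy can be exercised directly
	# from a local test client; it is not reachable from the network.
	listen {
		ipaddr = 127.0.0.1
		port = 18120
		type = auth
	}

	authorize {
		filter_username
		# Detects MS-CHAP attributes in the tunnelled request and sets
		# Auth-Type accordingly.
		mschap
		# Force local handling: inner requests are never proxied
		# (realm LOCAL is defined in proxy.conf).
		update control {
			&Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		expiration
		logintime
		pap
	}

	authenticate {
		# Bare module names in authenticate act as Auth-Type sections named
		# after the module. ntlm_auth here is presumably the exec-based
		# module for clear-text passwords against the domain; the MS-CHAPv2
		# path in the debug output goes through the mschap module instead.
		ntlm_auth
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		# NOTE(review): this bare mschap duplicates the explicit MS-CHAP
		# block above for most requests; harmless, but confirm it is wanted.
		mschap
		eap
	}

	session {
		radutmp
	}

	post-auth {
		# Instead of "use_tunneled_reply", change this "if (0)" to an "if (1)".
		# While it stays "if (0)" nothing from the inner reply is copied to
		# the outer session-state.
		if (0) {
			# These attributes are for the inner-tunnel only, and MUST
			# NOT be copied to the outer reply.
			update reply {
				User-Name !* ANY
				Message-Authenticator !* ANY
				EAP-Message !* ANY
				Proxy-State !* ANY
				MS-MPPE-Encryption-Types !* ANY
				MS-MPPE-Encryption-Policy !* ANY
				MS-MPPE-Send-Key !* ANY
				MS-MPPE-Recv-Key !* ANY
			}

			# Copy the inner reply attributes to the outer session-state
			# list. The post-auth policy will take care of copying the
			# outer session-state list to the outer reply.
			update {
				&outer.session-state: += &reply:
			}
		}

		Post-Auth-Type REJECT {
			attr_filter.access_reject
			# Surface the inner failure reason (e.g. the text returned by
			# the external ntlm_auth program) to the outer request so it
			# can be logged there.
			update outer.session-state {
				&Module-Failure-Message := &request:Module-Failure-Message
			}
		}
	}

	post-proxy {
		eap
	}
}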
proxy.conf
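proxy server {
	# When no home server in a pool is alive, fail the request rather
	# than silently falling back to local authentication.
	default_fallback = no
}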
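# Points back at this host's own auth listener (127.0.0.1:1812, see the
# default site); used by the samba_auth_failover pool below.
home_server localhost {
	type = auth
	ipaddr = 127.0.0.1
	port = 1812
	# Placeholder shared secret: it must match the entry for 127.0.0.1 in
	# clients.conf, and should be replaced by a long random value before
	# this leaves a lab setup.
	secret = MY_TEST_SECRET
	response_window = 20
	zombie_period = 40
	revive_interval = 120
	# Liveness is probed with Status-Server packets rather than dummy
	# authentication requests.
	status_check = status-server
	check_interval = 30
	check_timeout = 4
	num_answers_to_alive = 3
	max_outstanding = 65536
	# Retransmission timing for CoA/Disconnect packets (initial and
	# maximum retransmit time, maximum count, maximum duration).
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
	limit {
		max_connections = 16
		max_requests = 0
		lifetime = 0
		idle_timeout = 0
	}
}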
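# Single-member fail-over pool; only the localhost home server above.
home_server_pool samba_auth_failover {
	type = fail-over
	home_server = localhost
}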
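# Requests for this realm are proxied to the pool above, i.e. back to
# this host's own listener. Replace the realm name with your domain.
realm example.com {	# YOUR DOMAIN HERE
	auth_pool = samba_auth_failover
}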
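# Never proxied. The inner-tunnel sets &Proxy-To-Realm := LOCAL to force
# local handling of tunnelled requests.
realm LOCAL {
}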
And then there is clients.conf, but I guess yours is working; otherwise
you would not get to this point.
- Kees.
>
> Thank you,
> Tim