(RADIATOR) PEAP/MSCHAPv2 Machine Authentication

Mike McCauley mikem at open.com.au
Tue Oct 4 05:54:35 CDT 2005


Hi Matt,

We have been working on this issue all day. We have found that Radiator was 
not sending the right challenge to ntlm_auth when machine authentication is 
requested.

Now, when the password is correct, we get from ntlm_auth:
Authentication-Error: No logon workstation trust account

this is Windows telling us that the username is a machine name, and can't be 
used for normal logon. We can deduce from this that the machine password is 
correct, but we can't get the session keys required for wireless encryption.

The bad news is that it turns out that winbindd (which does the actual DC 
communication) does not support machine authentication, and the only way to 
fix this is deep surgery inside the samba libraries (I don't think there are 
any domain controller flags that can change this. Anyone else know better?)

Cheers.


On Tuesday 04 October 2005 13:59, Matthew Alexander wrote:
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: "Matthew Alexander" <mra4d at virginia.edu>
> Cc: <radiator at open.com.au>
> Sent: Monday, October 03, 2005 11:48 PM
> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>
> > Hi Matt,
> >
> > On Tuesday 04 October 2005 13:25, Matthew Alexander wrote:
> >> Hi Mike,
> >> Installed latest patch.  I can now authenticate successfully after a
> >> failed
> >> attempt.  Thanks for getting that worked out.
> >
> > No problem.
> >
> >> The machine auth issue is still there, however.  Even though ntlm_auth
> >> is reporting the wrong password, I am sending it the correct password. 
> >> I can
> >> change the RADIUS server on my test switch to a production ACS/Win2k box
> >> and pass machine auth with the same PC 100% of the time.
> >
> > Hmmm, I thought I saw in the logs you sent before some cases where machine
> > auth
> > succeeded?
>
> Maybe 1 out of every 20 attempts will result in a success, although I
> haven't seen it in a while.  And even if ntlm_auth reports a success, it
> looks as if the client doesn't like the authenticator and terminates the
> connection - from what you found below.  Thanks.
>
> >> Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even though
> >> it
> >> does work great for normal user auth.
> >>
> >> Thanks for your help.  Please let me know if you have any ideas.
> >
> > OK, we are still trying to reproduce this. Hope to have more later in our
> > day.
> > Cheers.
> >
> >> Matt Alexander
> >>
> >>
> >> ----- Original Message -----
> >> From: "Mike McCauley" <mikem at open.com.au>
> >> To: "Matthew Alexander" <mra4d at virginia.edu>
> >> Cc: <radiator at open.com.au>
> >> Sent: Monday, October 03, 2005 7:16 PM
> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >>
> >> > Hello Matthew,
> >> >
> >> > On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
> >> >> Thanks Mike,
> >> >>
> >> >> I have the latest patch installed, but am still seeing the issue.
> >> >> Please take a look at my config and traces.  The file
> >> >> second_machine_auth_failure
> >> >> was of particular interest to me because it looked like ntlm_auth
> >> >> came back
> >> >> with a successful authentication, but Radiator rejected it.  That is
> >> >> one
> >> >> of
> >> >> only three times I have seen that happen - most of the time auth
> >> >> fails completely with ntlm_auth reporting either unknown username or
> >> >> wrong password.  I made no mods to the config during any of these
> >> >> tests and have
> >> >> no idea why I am getting different results on subsequent attempts.  I
> >> >> noticed that after a failed machine auth, my user auth would fail as
> >> >> well.
> >> >> Once I restarted Radiator, user auth would succeed - until I tried a
> >> >> machine auth.  Then I would have to restart Radiator.
> >> >
> >> > Thanks for your note and logs.
> >> > Here are my observations:
> >> >
> >> > user_auth_fail_and_success
> >> > In this one the first user auth failed with unknown username and the
> >> > second
> >> > succeeded, but the first was for username mra4d and the second for
> >> > HSCDOM\mra4d. This indicates that you need a DefaultRealm in your
> >> > configuration file.
> >> >
> >> > first_machine_auth_failure
> >> > In this one the first auth is a machine auth that gets rejected with a
> >> > wrong
> >> > password. The second one seems to receive no sensible reply from
> >> > ntlm_auth,
> >> > just a '.'. It turns out that this is broken behaviour in some
> >> > versions of ntlm_auth. We have now made a change to AuthBy NTLM to
> >> > avoid this problem. This would cause a failed authentication to
> >> > interfere with the following authentication, whether or not it was
> >> > correct. The fix is now in the latest
> >> > patch set.
> >> >
> >> > second_machine_auth_failure
> >> > In this one both NTLM machine authentications appear to succeed, but
> >> > the
> >> > client does not seem to like the authenticator and terminates the
> >> > authentication.
> >> > We are investigating this one now. I will keep you posted.
> >> >
> >> > Please try the latest patch set and report your findings.
> >> > Cheers.
> >> >
> >> >> Matt Alexander
> >> >>
> >> >> LogDir /var/log/radius/
> >> >> DbDir /etc/radiator/
> >> >> Trace 4
> >> >> AuthPort 1645,1812
> >> >> AcctPort 1646,1813
> >> >>
> >> >> <Client DEFAULT>
> >> >>     Secret xxxxx
> >> >>     DupInterval 0
> >> >> </Client>
> >> >>
> >> >> <Handler TunnelledByPEAP=1>
> >> >>     <AuthBy NTLM>
> >> >>         Domain HSCDOM
> >> >>         DefaultDomain HSCDOM
> >> >>         EAPType MSCHAP-V2
> >> >>     </AuthBy>
> >> >> </Handler>
> >> >>
> >> >> <Handler>
> >> >>     <AuthBy FILE>
> >> >>         Filename %D/users
> >> >>         EAPType PEAP
> >> >>         EAPTLS_CAFile %D/certificates/cacert.pem
> >> >>         EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
> >> >>         EAPTLS_CertificateType PEM
> >> >>         EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
> >> >>         EAPTLS_PrivateKeyPassword whatever
> >> >>         EAPTLS_MaxFragmentSize 1000
> >> >>         AutoMPPEKeys
> >> >>         SSLeayTrace 4
> >> >>         EAPTLS_PEAPVersion 0
> >> >>     </AuthBy>
> >> >> </Handler>
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "Mike McCauley" <mikem at open.com.au>
> >> >> To: "Matthew Alexander" <mra4d at virginia.edu>
> >> >> Cc: <radiator at open.com.au>
> >> >> Sent: Sunday, October 02, 2005 11:10 PM
> >> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >> >>
> >> >> > Hello Matthew,
> >> >> >
> >> >> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
> >> >> >> Does anyone have any info about how to set up PEAP/MSCHAPv2
> >> >> >> Machine Authentication?  Is it possible with Radiator?  I have AD
> >> >> >> user authentication set up and it works great, but machine
> >> >> >> authentication
> >> >> >> fails
> >> >> >> every time.  I am trying to migrate from Cisco ACS where machine
> >> >> >> auth
> >> >> >> works
> >> >> >> fine, but I can't seem to get it to work with Radiator.  Maybe it
> >> >> >> is
> >> >> >> a limitation of ntlm_auth?
> >> >> >
> >> >> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine auth
> >> >> > provided
> >> >> > your ntlm_auth does, but....
> >> >> >
> >> >> > Can you send to me a Radiator log file at trace level 4 showing
> >> >> > what happens
> >> >> > when you try this?
> >> >> > Also your Radiator configuration file (no secrets)?
> >> >> >
> >> >> > Cheers.
> >> >> >
> >> >> >> Thanks,
> >> >> >> Matt
> >> >> >
> >> >
> >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
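The exchange the thread keeps circling back to is the one between the RADIUS server's MS-CHAPv2 handling and Samba's ntlm_auth helper: the server has to derive the right 8-byte challenge (RFC 2759 ChallengeHash over the peer challenge, the authenticator challenge and the user name as the peer presented it), hand it and the 24-byte NT-Response to the helper, and then read back one reply block terminated by a line containing only '.'. The replies seen in the thread fall into three classes: success with a session key, a named failure such as "Authentication-Error: No logon workstation trust account", and a bare '.' with nothing in front of it. The example below is added here and is not code from Radiator, Samba or the list's logs. The request and reply field names other than "Authentication-Error" and the '.' terminator are my assumptions about the ntlm-server-1 helper format; the sample replies are constructed; the challenge test vector is taken from RFC 2759 section 9.

```python
"""Added example (not Radiator's or Samba's code): MS-CHAPv2 challenge
derivation and a framed reader for ntlm_auth helper-style replies.
Field names other than "Authentication-Error" and the "." terminator are
assumptions about the helper protocol."""
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: the 8-byte challenge that the
    helper checks the 24-byte NT-Response against. Only the user name as the
    peer presented it, minus any DOMAIN\\ prefix, enters the hash, so the
    value depends on the exact identity string the supplicant sent."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    name = username.split("\\", 1)[-1]
    digest = hashlib.sha1(peer_challenge + auth_challenge + name.encode("ascii")).digest()
    return digest[:8]


def build_request(username: str, domain: str, challenge: bytes, nt_response: bytes) -> str:
    """One request block in a line-oriented helper format (field names are
    assumed), terminated by a line containing only '.'."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes and NT-Response 24 bytes")
    lines = [
        f"Username: {username}",
        f"NT-Domain: {domain}",
        f"LANMAN-Challenge: {challenge.hex()}",
        f"NT-Response: {nt_response.hex()}",
        "Request-User-Session-Key: Yes",  # the key material wireless MPPE needs
        ".",
    ]
    return "\n".join(lines) + "\n"


def read_reply(buf: str):
    """Consume exactly one reply block, up to and including its '.' line, and
    return (fields, unread remainder). A block with no fields (the bare '.'
    the thread reports from some ntlm_auth versions) comes back as {}.
    Reading strictly block-by-block is what stops one odd reply from being
    taken as the answer to the next request."""
    fields = {}
    lines = buf.split("\n")
    for i, line in enumerate(lines):
        if line == ".":
            return fields, "\n".join(lines[i + 1:])
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    raise ValueError("incomplete reply: no '.' terminator yet")


def classify(fields: dict) -> str:
    """Map a parsed reply onto the outcomes discussed in the thread."""
    if not fields:
        return "no_reply"  # bare '.': neither an accept nor a reject
    if fields.get("Authenticated") == "Yes":
        # A yes without a session key still cannot finish PEAP on wireless:
        # the supplicant needs the key to derive its encryption keys.
        return "accept_with_key" if "User-Session-Key" in fields else "accept_without_key"
    return "reject"


# RFC 2759 section 9 test vectors (user name "User").
RFC2759_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

# Constructed sample replies; not captured from the list's logs.
SAMPLE_ACCEPT = "Authenticated: Yes\nUser-Session-Key: 00112233445566778899aabbccddeeff\n.\n"
SAMPLE_TRUST_ACCOUNT = ("Authenticated: No\n"
                        "Authentication-Error: No logon workstation trust account\n.\n")
SAMPLE_BARE = ".\n"


def demo() -> dict:
    """Run the three reply cases and show that a bare '.' does not swallow
    the block that follows it."""
    challenge = challenge_hash(RFC2759_PEER, RFC2759_AUTH, "HSCDOM\\User")
    request = build_request("User", "HSCDOM", challenge, RFC2759_NT_RESPONSE)
    results = {"challenge": challenge.hex(), "request_terminated": request.endswith("\n.\n")}
    stream = SAMPLE_BARE + SAMPLE_ACCEPT + SAMPLE_TRUST_ACCOUNT
    outcomes = []
    while stream:
        fields, stream = read_reply(stream)
        outcomes.append((classify(fields), fields.get("Authentication-Error")))
    results["outcomes"] = outcomes
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `read_reply` returning `{}` for a bare '.' is the failure mode Mike describes: if the server treats that block as noise and reads on, the next block it sees belongs to a different request, and a later correct password can be rejected or a wrong one accepted. Mapping the "No logon workstation trust account" error to a plain reject, with the error text kept, matches what the thread concludes: the password check passed, but no session key comes back for a machine account, so the EAP exchange cannot complete.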

