(RADIATOR) PEAP/MSCHAPv2 Machine Authentication

Mike McCauley mikem at open.com.au
Tue Oct 4 06:49:27 CDT 2005


Hi all,


On Tuesday 04 October 2005 20:54, Mike McCauley wrote:
> Hi Matt,
>
> We have been working on this issue all day. We have found that Radiator was
> not sending the right challenge to ntlm_auth when machine authentication is
> requested.
>
> Now, when the password is correct, we get from ntlm_auth:
> Authentication-Error: No logon workstation trust account
>
> this is Windows telling us that the username is a machine name, and can't be
> used for normal logon. We can deduce from this that the machine password is
> correct, but we can't get the session keys required for wireless encryption.
>
> The bad news is that it turns out that winbindd (which does the actual DC
> communication) does not support machine authentication, and the only way to
> fix this is deep surgery inside the samba libraries (I don't think there are
> any domain controller flags that can change this. Anyone else know better?)

For real enthusiasts, a quick and dirty fix for winbindd is:

In samba/source/rpc_client/cli_netlogon.c, in the
cli_netlogon_sam_network_logon() function, the param_ctrl flags passed to
init_id_info2() are always set to 0 but should be set to 0x800
(MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) to enable machine authentication.

Cheers.

>
> Cheers.
>
> On Tuesday 04 October 2005 13:59, Matthew Alexander wrote:
> > ----- Original Message -----
> > From: "Mike McCauley" <mikem at open.com.au>
> > To: "Matthew Alexander" <mra4d at virginia.edu>
> > Cc: <radiator at open.com.au>
> > Sent: Monday, October 03, 2005 11:48 PM
> > Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >
> > > Hi Matt,
> > >
> > > On Tuesday 04 October 2005 13:25, Matthew Alexander wrote:
> > >> Hi Mike,
> > >> Installed latest patch. I can now authenticate successfully after a
> > >> failed attempt. Thanks for getting that worked out.
> > >
> > > No problem.
> > >
> > >> The machine auth issue is still there, however. Even though ntlm_auth
> > >> is reporting the wrong password, I am sending it the correct password.
> > >> I can change the RADIUS server on my test switch to a production
> > >> ACS/Win2k box and pass machine auth with the same PC 100% of the time.
> > >
> > > Hmmm, I thought I saw in the logs you sent before some cases where
> > > machine auth succeeded?
> >
> > Maybe 1 out of every 20 attempts will result in a success, although I
> > haven't seen it in a while.  And even if ntlm_auth reports a success, it
> > looks as if the client doesn't like the authenticator and terminates the
> > connection - from what you found below.  Thanks.
> >
> > >> Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even
> > >> though it does work great for normal user auth.
> > >>
> > >> Thanks for your help.  Please let me know if you have any ideas.
> > >
> > > OK, we are still trying to reproduce this. Hope to have more later in
> > > our day.
> > > Cheers.
> > >
> > >> Matt Alexander
> > >>
> > >>
> > >> ----- Original Message -----
> > >> From: "Mike McCauley" <mikem at open.com.au>
> > >> To: "Matthew Alexander" <mra4d at virginia.edu>
> > >> Cc: <radiator at open.com.au>
> > >> Sent: Monday, October 03, 2005 7:16 PM
> > >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> > >>
> > >> > Hello Matthew,
> > >> >
> > >> > On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
> > >> >> Thanks Mike,
> > >> >>
> > >> >> I have the latest patch installed, but am still seeing the issue.
> > >> >> Please take a look at my config and traces. The file
> > >> >> second_machine_auth_failure was of particular interest to me because
> > >> >> it looked like ntlm_auth came back with a successful authentication,
> > >> >> but Radiator rejected it. That is one of only three times I have seen
> > >> >> that happen - most of the time auth fails completely with ntlm_auth
> > >> >> reporting either unknown username or wrong password. I made no mods
> > >> >> to the config during any of these tests and have no idea why I am
> > >> >> getting different results on subsequent attempts. I noticed that
> > >> >> after a failed machine auth, my user auth would fail as well. Once I
> > >> >> restarted Radiator, user auth would succeed - until I tried a machine
> > >> >> auth. Then I would have to restart Radiator.
> > >> >
> > >> > Thanks for your note and logs.
> > >> > Here are my observations:
> > >> >
> > >> > user_auth_fail_and_success
> > >> > In this one the first user auth failed with unknown username and the
> > >> > second succeeded, but the first was for username mra4d and the second
> > >> > for HSCDOM\mra4d. This indicates that you need a DefaultRealm in your
> > >> > configuration file.
> > >> >
> > >> > first_machine_auth_failure
> > >> > In this one the first auth is a machine auth that gets rejected with a
> > >> > wrong password. The second one seems to receive no sensible reply from
> > >> > ntlm_auth, just a '.'. It turns out that this is broken behaviour in
> > >> > some versions of ntlm_auth. We have now made a change to AuthBy NTLM to
> > >> > avoid this problem. This would cause a failed authentication to
> > >> > interfere with the following authentication, whether or not it was
> > >> > correct. The fix is now in the latest patch set.
> > >> >
> > >> > second_machine_auth_failure
> > >> > In this one both NTLM machine authentications appear to succeed, but
> > >> > the client does not seem to like the authenticator and terminates the
> > >> > authentication. We are investigating this one now. I will keep you
> > >> > posted.
> > >> >
> > >> > Please try the latest patch set and report your findings.
> > >> > Cheers.
> > >> >
> > >> >> Matt Alexander
> > >> >>
> > >> >> LogDir /var/log/radius/
> > >> >> DbDir /etc/radiator/
> > >> >> Trace 4
> > >> >> AuthPort 1645,1812
> > >> >> AcctPort 1646,1813
> > >> >>
> > >> >> <Client DEFAULT>
> > >> >>     Secret xxxxx
> > >> >>     DupInterval 0
> > >> >> </Client>
> > >> >>
> > >> >> <Handler TunnelledByPEAP=1>
> > >> >>     <AuthBy NTLM>
> > >> >>         Domain HSCDOM
> > >> >>         DefaultDomain HSCDOM
> > >> >>         EAPType MSCHAP-V2
> > >> >>     </AuthBy>
> > >> >> </Handler>
> > >> >>
> > >> >> <Handler>
> > >> >>     <AuthBy FILE>
> > >> >>         Filename %D/users
> > >> >>         EAPType PEAP
> > >> >>         EAPTLS_CAFile %D/certificates/cacert.pem
> > >> >>         EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
> > >> >>         EAPTLS_CertificateType PEM
> > >> >>         EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
> > >> >>         EAPTLS_PrivateKeyPassword whatever
> > >> >>         EAPTLS_MaxFragmentSize 1000
> > >> >>         AutoMPPEKeys
> > >> >>         SSLeayTrace 4
> > >> >>         EAPTLS_PEAPVersion 0
> > >> >>     </AuthBy>
> > >> >> </Handler>
> > >> >>
> > >> >> ----- Original Message -----
> > >> >> From: "Mike McCauley" <mikem at open.com.au>
> > >> >> To: "Matthew Alexander" <mra4d at virginia.edu>
> > >> >> Cc: <radiator at open.com.au>
> > >> >> Sent: Sunday, October 02, 2005 11:10 PM
> > >> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> > >> >>
> > >> >> > Hello Matthew,
> > >> >> >
> > >> >> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
> > >> >> >> Does anyone have any info about how to set up PEAP/MSCHAPv2
> > >> >> >> Machine Authentication? Is it possible with Radiator? I have
> > >> >> >> AD user authentication set up and it works great, but machine
> > >> >> >> authentication fails every time. I am trying to migrate from
> > >> >> >> Cisco ACS where machine auth works fine, but I can't seem to get
> > >> >> >> it to work with Radiator. Maybe it is a limitation of ntlm_auth?
> > >> >> >
> > >> >> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine
> > >> >> > auth provided your ntlm_auth does, but....
> > >> >> >
> > >> >> > Can you send to me a Radiator log file at trace level 4 showing
> > >> >> > what happens when you try this?
> > >> >> > Also your Radiator configuration file (no secrets)?
> > >> >> >
> > >> >> > Cheers.
> > >> >> >
> > >> >> >> Thanks,
> > >> >> >> Matt
> > >> >> >
> > >> >
> > >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
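
Added example (not part of the thread, and not Radiator or Samba code): a small
Python script covering the three mechanics the thread turns on. It derives the
8-byte MS-CHAPv2 challenge that a RADIUS server must hand to ntlm_auth (RFC 2759
section 8.2, checked against the RFC's section 9.2 test vector), gives a bare
user name a default domain before it reaches the DC (the DefaultRealm/
DefaultDomain point about mra4d vs HSCDOM\mra4d), and classifies replies from
ntlm_auth's ntlm-server-1 helper protocol, including the "No logon workstation
trust account" error quoted above and the bare '.' reply that some ntlm_auth
versions emit. The reply texts are constructed; the mapping of a host/name.domain
identity to a NAME$ account is an assumed Windows supplicant convention, not
something the thread states.

```python
# Added example: MS-CHAPv2 challenge derivation, ntlm-server-1 request framing
# and reply classification. Not Radiator or Samba code.
import hashlib
from typing import Dict, Tuple

# Text ntlm_auth/winbindd emit for NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
# (the reply quoted in the thread).
WORKSTATION_TRUST_ERROR = "No logon workstation trust account"


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """RFC 2759 s8.2 ChallengeHash: the 8-byte value the peer's NT-Response
    was computed over. This, not the 16-byte authenticator challenge, is the
    LANMAN-Challenge ntlm_auth must be given; hand it anything else and every
    correct password is reported as wrong."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    # RFC 2759: only the user name as presented by the peer, with any
    # prepended domain removed, goes into the hash.
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def split_account(identity: str, default_domain: str) -> Tuple[str, str]:
    """Map the identity the peer sent to the (NT-Domain, Username) pair given
    to ntlm_auth. A bare name gets default_domain, which is what the missing
    DefaultRealm in the thread came down to: 'mra4d' reached the DC with no
    domain and came back as unknown, 'HSCDOM\\mra4d' worked."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return domain, user
    if identity.startswith("host/"):
        # Assumption (Windows supplicant convention, not stated in the thread):
        # machine auth identities look like host/name.domain and the
        # directory account is NAME$.
        short = identity[len("host/"):].split(".", 1)[0]
        return default_domain, short.upper() + "$"
    return default_domain, identity


def build_request(domain: str, user: str, challenge: bytes,
                  nt_response: bytes) -> str:
    """One ntlm-server-1 request: 'Key: value' lines terminated by '.'."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes, NT-Response 24 bytes")
    lines = [
        "Username: " + user,
        "NT-Domain: " + domain,
        "LANMAN-Challenge: " + challenge.hex(),
        "NT-Response: " + nt_response.hex(),
        "Request-User-Session-Key: Yes",  # the key MPPE/wireless needs
        ".",
    ]
    return "\n".join(lines) + "\n"


def parse_reply(text: str) -> Dict[str, object]:
    """Classify one '.'-terminated ntlm-server-1 reply.

    status: ok            password verified, session key present
            trust-account password verified but the DC refused the logon
                          because the account is a machine account (the
                          thread's case: winbindd never sets the 0x800
                          workstation-trust flag)
            rejected      wrong password / unknown user / other error
            empty         a bare '.' with no fields: treat as no answer and
                          do not pair the next reply with this request (the
                          desync described in the thread), not as a reject
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == ".":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    error = fields.get("Authentication-Error", "")
    result: Dict[str, object] = {"error": error, "session_key": b""}
    if not fields:
        result["status"] = "empty"
    elif fields.get("Authenticated") == "Yes":
        result["status"] = "ok"
        key_hex = fields.get("User-Session-Key", "")
        result["session_key"] = bytes.fromhex(key_hex) if key_hex else b""
    elif WORKSTATION_TRUST_ERROR in error:
        result["status"] = "trust-account"
    else:
        result["status"] = "rejected"
    return result


if __name__ == "__main__":
    # RFC 2759 s9.2 test vectors (user "User", password "clientPass").
    auth_chal = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer_chal = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    nt_resp = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD78544C65C034CC2C9C8A")
    chal = challenge_hash(peer_chal, auth_chal, "User")  # D02E4386BCE91226
    dom, acct = split_account("User", "HSCDOM")
    print(build_request(dom, acct, chal, nt_resp))
    # Constructed replies, as the helper would write them on its stdout.
    for reply in ("Authenticated: No\nAuthentication-Error: "
                  + WORKSTATION_TRUST_ERROR + "\n.\n", ".\n"):
        print(parse_reply(reply)["status"])
```

Radiator's AuthBy NTLM drives ntlm_auth over a pipe; this script only builds
and parses the text on that pipe. The "trust-account" outcome is the one the
thread ends on: the password check passed inside the DC, but without the
0x800 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag in the NETLOGON request the DC
refuses the logon and no session key comes back, so the supplicant cannot
derive MPPE keys.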