(RADIATOR) PEAP/MSCHAPv2 Machine Authentication

Mike McCauley mikem at open.com.au
Tue Oct 4 18:28:06 CDT 2005


Hi Matt,


On Wednesday 05 October 2005 08:59, Matthew Alexander wrote:
> Mike,
> YOU ARE THE MAN!  My machine auth is working now, and it is FAST.  Granted,
> it took me most of the day to get samba working again once I uninstalled
> the rpm and built the source with your mods.     Then I realized that there
> were two places I had to change the 0 to 0x800...

Well done!
It works well here too.
Where was the other place? In the other call to init_id_info2? Why was that 
necessary?

>
> Do you think the Samba people will add the fix to their distribution?

Hmmm, perhaps. They are in the throes of samba 4 now. You can try?
In the real world (and indeed in the Windows API) the caller of 
cli_netlogon_sam_network_logon should be able to specify what flags to use, 
including the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag (there are other 
interesting flags that control how usernames are authenticated).

So a real production quality fix would probably be a bit more extensive than 
just always enabling machine auth.

>
> But, and you are going to hate me, since I installed the latest radiator
> patch, normal user auth doesn't seem to work.  This problem existed before
> I made the changes to the samba code.  I'll attach my logfile.  You'll see
> my successful machine auth first, then a few user auths that show "Received
> attribute: Authenticate: Yes" but never complete.  It looks like it is
> almost there.
>
> I have not changed my radius.cfg, but attached it anyway.  I am now running
> Samba 3.0.20a with your mods.

Ooops: we broke user auth while fixing machine auth (different rules for 
calculating authenticators). Fixed in the latest patch set. Also fixed 
similar issues with AuthBy LSA and machine auth. So now you can choose 
whether to run AD auth for wireless on Windows or Unix.

Thanks for your patience.

Cheers.


>
> Thanks again,
> Matt
>
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: "Matthew Alexander" <mra4d at virginia.edu>
> Cc: <radiator at open.com.au>
> Sent: Tuesday, October 04, 2005 7:49 AM
> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>
> > Hi all,
> >
> > On Tuesday 04 October 2005 20:54, Mike McCauley wrote:
> >> Hi Matt,
> >>
> >> We have been working on this issue all day. We have found that Radiator
> >> was not sending the right challenge to ntlm_auth when machine
> >> authentication is requested.
> >>
> >> Now, when the password is correct, we get from ntlm_auth:
> >> Authentication-Error: No logon workstation trust account
> >>
> >> This is Windows telling us that the username is a machine name, and can't
> >> be used for normal logon. We can deduce from this that the machine
> >> password is correct, but we can't get the session keys required for
> >> wireless encryption.
> >>
> >> The bad news is that it turns out that winbindd (which does the actual
> >> DC communication) does not support machine authentication, and the only
> >> way to fix this is deep surgery inside the samba libraries (I don't think
> >> there are any domain controller flags that can change this. Anyone else
> >> know better?)
> >
> > For real enthusiasts, a quick and dirty fix for winbindd is:
> >
> > in samba/source/rpc_client/cli_netlogon.c,
> > cli_netlogon_sam_network_logon() function
> > the param_ctrl flags passed to init_id_info2() are always set to 0 but
> > should be set to 0x800 (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)
> > to enable machine authentication.
> >
> > Cheers.
> >
> >> Cheers.
> >>
> >> On Tuesday 04 October 2005 13:59, Matthew Alexander wrote:
> >> > ----- Original Message -----
> >> > From: "Mike McCauley" <mikem at open.com.au>
> >> > To: "Matthew Alexander" <mra4d at virginia.edu>
> >> > Cc: <radiator at open.com.au>
> >> > Sent: Monday, October 03, 2005 11:48 PM
> >> > Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >> >
> >> > > Hi Matt,
> >> > >
> >> > > On Tuesday 04 October 2005 13:25, Matthew Alexander wrote:
> >> > >> Hi Mike,
> >> > >> Installed latest patch.  I can now authenticate successfully after
> >> > >> a failed attempt.  Thanks for getting that worked out.
> >> > >
> >> > > No problem.
> >> > >
> >> > >> The machine auth issue is still there, however.  Even though
> >> > >> ntlm_auth is reporting the wrong password, I am sending it the
> >> > >> correct password.  I can change the RADIUS server on my test switch
> >> > >> to a production ACS/Win2k box and pass machine auth with the same PC
> >> > >> 100% of the time.
> >> > >
> >> > > Hmmm, I thought I saw in the logs you sent before some cases where
> >> > > machine auth succeeded?
> >> >
> >> > Maybe 1 out of every 20 attempts will result in a success, although I
> >> > haven't seen it in a while.  And even if ntlm_auth reports a success,
> >> > it looks as if the client doesn't like the authenticator and terminates
> >> > the connection - from what you found below.  Thanks.
> >> >
> >> > >> Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even
> >> > >> though it does work great for normal user auth.
> >> > >>
> >> > >> Thanks for your help.  Please let me know if you have any ideas.
> >> > >
> >> > > OK, we are still trying to reproduce this. Hope to have more later
> >> > > in our day.
> >> > > Cheers.
> >> > >
> >> > >> Matt Alexander
> >> > >>
> >> > >>
> >> > >> ----- Original Message -----
> >> > >> From: "Mike McCauley" <mikem at open.com.au>
> >> > >> To: "Matthew Alexander" <mra4d at virginia.edu>
> >> > >> Cc: <radiator at open.com.au>
> >> > >> Sent: Monday, October 03, 2005 7:16 PM
> >> > >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >> > >>
> >> > >> > Hello Matthew,
> >> > >> >
> >> > >> > On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
> >> > >> >> Thanks Mike,
> >> > >> >>
> >> > >> >> I have the latest patch installed, but am still seeing the
> >> > >> >> issue. Please take a look at my config and traces.  The file
> >> > >> >> second_machine_auth_failure was of particular interest to me
> >> > >> >> because it looked like ntlm_auth came back with a successful
> >> > >> >> authentication, but Radiator rejected it.  That is one of only
> >> > >> >> three times I have seen that happen - most of the time auth
> >> > >> >> fails completely with ntlm_auth reporting either unknown
> >> > >> >> username or wrong password.  I made no mods to the config during
> >> > >> >> any of these tests and have no idea why I am getting different
> >> > >> >> results on subsequent attempts.
> >> > >> >> I noticed that after a failed machine auth, my user auth would
> >> > >> >> fail as well.  Once I restarted Radiator, user auth would succeed
> >> > >> >> - until I tried a machine auth.  Then I would have to restart
> >> > >> >> Radiator.
> >> > >> >
> >> > >> > Thanks for your note and logs.
> >> > >> > Here are my observations:
> >> > >> >
> >> > >> > user_auth_fail_and_success
> >> > >> > In this one the first user auth failed with unknown username and
> >> > >> > the second succeeded, but the first was for username mra4d and the
> >> > >> > second for HSCDOM\mra4d. This indicates that you need a
> >> > >> > DefaultRealm in your configuration file.
> >> > >> >
> >> > >> > first_machine_auth_failure
> >> > >> > In this one the first auth is a machine auth that gets rejected
> >> > >> > with a wrong password. The second one seems to receive no sensible
> >> > >> > reply from ntlm_auth, just a '.'. It turns out that this is broken
> >> > >> > behaviour in some versions of ntlm_auth. We have now made a change
> >> > >> > to AuthBy NTLM to avoid this problem. This would cause a failed
> >> > >> > authentication to interfere with the following authentication,
> >> > >> > whether or not it was correct. The fix is now in the latest
> >> > >> > patch set.
> >> > >> >
> >> > >> > second_machine_auth_failure
> >> > >> > In this one both NTLM machine authentications appear to succeed,
> >> > >> > but the client does not seem to like the authenticator and
> >> > >> > terminates the authentication.
> >> > >> > We are investigating this one now. I will keep you posted.
> >> > >> >
> >> > >> > Please try the latest patch set and report your findings.
> >> > >> > Cheers.
> >> > >> >
> >> > >> >> Matt Alexander
> >> > >> >>
> >> > >> >> LogDir /var/log/radius/
> >> > >> >> DbDir /etc/radiator/
> >> > >> >> Trace 4
> >> > >> >> AuthPort 1645,1812
> >> > >> >> AcctPort 1646,1813
> >> > >> >>
> >> > >> >> <Client DEFAULT>
> >> > >> >>     Secret xxxxx
> >> > >> >>     DupInterval 0
> >> > >> >> </Client>
> >> > >> >>
> >> > >> >> <Handler TunnelledByPEAP=1>
> >> > >> >>     <AuthBy NTLM>
> >> > >> >>         Domain HSCDOM
> >> > >> >>         DefaultDomain HSCDOM
> >> > >> >>         EAPType MSCHAP-V2
> >> > >> >>     </AuthBy>
> >> > >> >> </Handler>
> >> > >> >>
> >> > >> >> <Handler>
> >> > >> >>     <AuthBy FILE>
> >> > >> >>         Filename %D/users
> >> > >> >>         EAPType PEAP
> >> > >> >>         EAPTLS_CAFile %D/certificates/cacert.pem
> >> > >> >>         EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
> >> > >> >>         EAPTLS_CertificateType PEM
> >> > >> >>         EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
> >> > >> >>         EAPTLS_PrivateKeyPassword whatever
> >> > >> >>         EAPTLS_MaxFragmentSize 1000
> >> > >> >>         AutoMPPEKeys
> >> > >> >>         SSLeayTrace 4
> >> > >> >>         EAPTLS_PEAPVersion 0
> >> > >> >>     </AuthBy>
> >> > >> >> </Handler>
> >> > >> >>
> >> > >> >>
> >> > >> >> ----- Original Message -----
> >> > >> >> From: "Mike McCauley" <mikem at open.com.au>
> >> > >> >> To: "Matthew Alexander" <mra4d at virginia.edu>
> >> > >> >> Cc: <radiator at open.com.au>
> >> > >> >> Sent: Sunday, October 02, 2005 11:10 PM
> >> > >> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> >> > >> >>
> >> > >> >> > Hello Matthew,
> >> > >> >> >
> >> > >> >> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
> >> > >> >> >> Does anyone have any info about how to set up PEAP/MSCHAPv2
> >> > >> >> >> Machine Authentication?  Is it possible with Radiator?  I
> >> > >> >> >> have AD user authentication set up and it works great, but
> >> > >> >> >> machine authentication fails every time.  I am trying to
> >> > >> >> >> migrate from Cisco ACS where machine auth works fine, but I
> >> > >> >> >> can't seem to get it to work with Radiator.  Maybe it is a
> >> > >> >> >> limitation of ntlm_auth?
> >> > >> >> >
> >> > >> >> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with machine
> >> > >> >> > auth provided your ntlm_auth does, but....
> >> > >> >> >
> >> > >> >> > Can you send to me a Radiator log file at trace level 4
> >> > >> >> > showing what happens when you try this?
> >> > >> >> > Also your Radiator configuration file (no secrets)?
> >> > >> >> >
> >> > >> >> > Cheers.
> >> > >> >> >
> >> > >> >> >> Thanks,
> >> > >> >> >> Matt
> >> > >> >> >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

