(RADIATOR) PEAP/MSCHAPv2 Machine Authentication
Matthew Alexander
mra4d at virginia.edu
Wed Oct 5 15:29:32 CDT 2005
----- Original Message -----
From: "Mike McCauley" <mikem at open.com.au>
To: "Matthew Alexander" <mra4d at virginia.edu>
Cc: <radiator at open.com.au>
Sent: Tuesday, October 04, 2005 7:28 PM
Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
> Hi Matt,
>
>
> On Wednesday 05 October 2005 08:59, Matthew Alexander wrote:
>> Mike,
>> YOU ARE THE MAN! My machine auth is working now, and it is FAST.
>> Granted,
>> it took me most of the day to get samba working again once I uninstalled
>> the rpm and built the source with your mods. Then I realized that
>> there
>> were two places I had to change the 0 to 0x800...
>
> Well done!
> It works well here too.
> Where was the other place? In the other call to init_id_info2? Why was
> that
> necessary?
You are right, I had modified the wrong call first, so it didn't start
working until I had modified both. I removed the first mod and it still
works. Thanks.
>
>>
>> Do you think the Samba people will add the fix to their distribution?
>
> Hmmm, perhaps. They are in the throws of samba 4 now. You can try?
> In the real world (and indeed what happens in the Windows API) is that the
> caller of cli_netlogon_sam_network_logon should be able to specify what
> flags
> to use, including the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag (there
> are
> other interesting flags that control how usernames are authenticated)
>
> So a real production quality fix would probably be a bit more extensive
> than
> just always enableing machine auth.
>
>>
>> But, and you are going to hate me, since I installed the latest radiator
>> patch, normal user auth doesn't seem to work. This problem existed
>> before
>> I made the changes to the samba code. I'll attach my logfile. You'll
>> see
>> my successful machine auth first, then a few user auths that show
>> "Received
>> attribute: Authenticate: Yes" but never complete. It looks like it is
>> almost there.
>>
>> I have not changed my radius.cfg, but attached it anyway. I am now
>> running
>> Samba 3.0.20a with your mods.
>
> Ooops: we broke user auth while fixing machine auth (different rules for
> calculating authenticators). Fixed in the latest patch set. Also fixed
> similar issues with AuthBy LSA and machine auth. So now you can choose
> whether to run AD auth for wireless on Windows or Unix.
>
> Thanks for your patience.
>
> Cheers.
>
>
>>
>> Thanks again,
>> Matt
>>
>> ----- Original Message -----
>> From: "Mike McCauley" <mikem at open.com.au>
>> To: "Matthew Alexander" <mra4d at virginia.edu>
>> Cc: <radiator at open.com.au>
>> Sent: Tuesday, October 04, 2005 7:49 AM
>> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>>
>> > Hi all,
>> >
>> > On Tuesday 04 October 2005 20:54, Mike McCauley wrote:
>> >> Hi Matt,
>> >>
>> >> We have been working on this issue all day. We have found that
>> >> Radiator
>> >> was
>> >> not sending the right challenge to ntlm_auth when machine
>> >> authentication
>> >> is
>> >> request.
>> >>
>> >> Now, when the password is correct, we get from ntlm_auth:
>> >> Authentication-Error: No logon workstation trust account
>> >>
>> >> this is Windows telling us that the username is a machine name, and
>> >> cant
>> >> be
>> >> used for normal logon. We can deduce from this that the machine
>> >> password
>> >> is
>> >> correct, but we cant get the session keys required for wireless
>> >> encryption.
>> >>
>> >> The bad news is that it turns out that winbindd (which does the actual
>> >> DC communication) does not support machine authentication, and the
>> >> only
>> >> way to
>> >> fix this is deep surgery inside the samba libraries (I dont think
>> >> there
>> >> are
>> >> any domain controller flags that can change this. Anyone else know
>> >> better?)
>> >
>> > For real enthusiasts, a quick and dirty fix for winbindd is:
>> >
>> > in samba/source/rpc_client/cli_netlogon.c,
>> > cli_netlogon_sam_network_logon() function
>> > the param_ctrl flags passed to init_id_info2() are always set to 0 but
>> > should be set to 0x800 (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)
>> > to enable machine authentication.
>> >
>> > Cheers.
>> >
>> >> Cheers.
>> >>
>> >> On Tuesday 04 October 2005 13:59, Matthew Alexander wrote:
>> >> > ----- Original Message -----
>> >> > From: "Mike McCauley" <mikem at open.com.au>
>> >> > To: "Matthew Alexander" <mra4d at virginia.edu>
>> >> > Cc: <radiator at open.com.au>
>> >> > Sent: Monday, October 03, 2005 11:48 PM
>> >> > Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>> >> >
>> >> > > Hi Matt,
>> >> > >
>> >> > > On Tuesday 04 October 2005 13:25, Matthew Alexander wrote:
>> >> > >> Hi Mike,
>> >> > >> Installed latest patch. I can now authenticate successfully
>> >> > >> after
>> >> > >> a failed
>> >> > >> attempt. Thanks for getting that worked out.
>> >> > >
>> >> > > No problem.
>> >> > >
>> >> > >> The machine auth issue is still there, however. Even though
>> >> > >> ntlm_auth
>> >> > >> is reporting the wrong password, I am sending it the correct
>> >> > >> password.
>> >> > >> I can
>> >> > >> change the RADIUS server on my test switch to a production
>> >> > >> ACS/Win2k box and pass machine auth with the same PC 100% of the
>> >> > >> time.
>> >> > >
>> >> > > Hmmm, I though I saw in the logs you sent before some cases where
>> >> > > machine auth
>> >> > > succeeded?
>> >> >
>> >> > Maybe 1 out of every 20 attempts will result in a success, although
>> >> > I
>> >> > haven't seen it in a while. And even if ntlm_auth reports a
>> >> > success,
>> >> > it
>> >> > looks as if the client doesn't like the authenticator and terminates
>> >> > the
>> >> > connection - from what you found below. Thanks.
>> >> >
>> >> > >> Samba's ntlm_auth just isn't giving me a warm fuzzy feeling, even
>> >> > >> though it
>> >> > >> does work great for normal user auth.
>> >> > >>
>> >> > >> Thanks for your help. Please let me know if you have any ideas.
>> >> > >
>> >> > > OK, we are still trying to reproduce this. Hope to have more later
>> >> > > in our day.
>> >> > > Cheers.
>> >> > >
>> >> > >> Matt Alexander
>> >> > >>
>> >> > >>
>> >> > >> ----- Original Message -----
>> >> > >> From: "Mike McCauley" <mikem at open.com.au>
>> >> > >> To: "Matthew Alexander" <mra4d at virginia.edu>
>> >> > >> Cc: <radiator at open.com.au>
>> >> > >> Sent: Monday, October 03, 2005 7:16 PM
>> >> > >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>> >> > >>
>> >> > >> > Hello Matthew,
>> >> > >> >
>> >> > >> > On Tuesday 04 October 2005 06:32, Matthew Alexander wrote:
>> >> > >> >> Thanks Mike,
>> >> > >> >>
>> >> > >> >> I have the latest patch installed, but am still seeing the
>> >> > >> >> issue. Please take a look at my config and traces. The file
>> >> > >> >> second_machine_auth_failure
>> >> > >> >> was of particular interest to me because it looked like
>> >> > >> >> ntlm_auth came back
>> >> > >> >> with a successful authentication, but Radiator rejected it.
>> >> > >> >> That is one
>> >> > >> >> of
>> >> > >> >> only three times I have seen that happen - most of the time
>> >> > >> >> auth
>> >> > >> >> fails completely with ntlm_auth reporting either unknown
>> >> > >> >> username or wrong password. I made no mods to the config
>> >> > >> >> during
>> >> > >> >> any of these tests and have
>> >> > >> >> no idea why I am getting different results on subsequent
>> >> > >> >> attempts.
>> >> > >> >> I noticed that after a failed machine auth, my user auth would
>> >> > >> >> fail
>> >> > >> >> as well.
>> >> > >> >> Once I restarted Radiator, user auth would succeed - until I
>> >> > >> >> tried
>> >> > >> >> a machine auth. Then I would have to restart Radiator.
>> >> > >> >
>> >> > >> > Thanks for your note and logs.
>> >> > >> > Here are my observations:
>> >> > >> >
>> >> > >> > user_auth_fail_and_success
>> >> > >> > In this one the first user auth failed with unknown username
>> >> > >> > and
>> >> > >> > the
>> >> > >> > second
>> >> > >> > succeeded, but the first was for username mra4d and the second
>> >> > >> > for HSCDOM\mra4d. This indicates that you need a DefaultRealm
>> >> > >> > in
>> >> > >> > your configuration file.
>> >> > >> >
>> >> > >> > first_machine_auth_failure
>> >> > >> > In this one the first auth is a mchine auth that gets rejected
>> >> > >> > with
>> >> > >> > a wrong
>> >> > >> > password. The second one seems to receive no sensible reply
>> >> > >> > from
>> >> > >> > ntlm_auth,
>> >> > >> > just a '.'. It turns out that this is broken behaviour in some
>> >> > >> > versions of ntlm_auth. We have now made a change to AuthBy NTLM
>> >> > >> > to avoid this problem. This would cause a failed authentication
>> >> > >> > to interfere with the following authentication, whether or not
>> >> > >> > it
>> >> > >> > was correct. The fix is now in the latest
>> >> > >> > patch set.
>> >> > >> >
>> >> > >> > second_machine_auth_failure
>> >> > >> > In this one both NTLM machine authentications appear to
>> >> > >> > succeed,
>> >> > >> > but
>> >> > >> > the
>> >> > >> > client does not seem to like the authenticator and terminates
>> >> > >> > the
>> >> > >> > authentication.
>> >> > >> > We are investigating this one now. I will keep you posted.
>> >> > >> >
>> >> > >> > Please try the latest patch set and report your findings.
>> >> > >> > Cheers.
>> >> > >> >
>> >> > >> >> Matt Alexander
>> >> > >> >>
>> >> > >> >> LogDir /var/log/radius/
>> >> > >> >>
>> >> > >> >> DbDir /etc/radiator/
>> >> > >> >>
>> >> > >> >> Trace 4
>> >> > >> >>
>> >> > >> >> AuthPort 1645,1812
>> >> > >> >>
>> >> > >> >> AcctPort 1646,1813
>> >> > >> >>
>> >> > >> >> <Client DEFAULT>
>> >> > >> >>
>> >> > >> >> Secret xxxxx
>> >> > >> >>
>> >> > >> >> DupInterval 0
>> >> > >> >>
>> >> > >> >> </Client>
>> >> > >> >>
>> >> > >> >> <Handler TunnelledByPEAP=1>
>> >> > >> >>
>> >> > >> >> <AuthBy NTLM>
>> >> > >> >>
>> >> > >> >> Domain HSCDOM
>> >> > >> >>
>> >> > >> >> DefaultDomain HSCDOM
>> >> > >> >>
>> >> > >> >> EAPType MSCHAP-V2
>> >> > >> >>
>> >> > >> >> </AuthBy>
>> >> > >> >>
>> >> > >> >> </Handler>
>> >> > >> >>
>> >> > >> >>
>> >> > >> >>
>> >> > >> >> <Handler>
>> >> > >> >>
>> >> > >> >> <AuthBy FILE>
>> >> > >> >>
>> >> > >> >> Filename %D/users
>> >> > >> >>
>> >> > >> >> EAPType PEAP
>> >> > >> >>
>> >> > >> >> EAPTLS_CAFile %D/certificates/cacert.pem
>> >> > >> >>
>> >> > >> >> EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
>> >> > >> >>
>> >> > >> >> EAPTLS_CertificateType PEM
>> >> > >> >>
>> >> > >> >> EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
>> >> > >> >>
>> >> > >> >> EAPTLS_PrivateKeyPassword whatever
>> >> > >> >>
>> >> > >> >> EAPTLS_MaxFragmentSize 1000
>> >> > >> >>
>> >> > >> >> AutoMPPEKeys
>> >> > >> >>
>> >> > >> >> SSLeayTrace 4
>> >> > >> >>
>> >> > >> >> EAPTLS_PEAPVersion 0
>> >> > >> >>
>> >> > >> >> </AuthBy>
>> >> > >> >>
>> >> > >> >> </Handler>
>> >> > >> >>
>> >> > >> >>
>> >> > >> >>
>> >> > >> >>
>> >> > >> >>
>> >> > >> >> ----- Original Message -----
>> >> > >> >> From: "Mike McCauley" <mikem at open.com.au>
>> >> > >> >> To: "Matthew Alexander" <mra4d at virginia.edu>
>> >> > >> >> Cc: <radiator at open.com.au>
>> >> > >> >> Sent: Sunday, October 02, 2005 11:10 PM
>> >> > >> >> Subject: Re: (RADIATOR) PEAP/MSCHAPv2 Machine Authentication
>> >> > >> >>
>> >> > >> >> > Hello Matthew,
>> >> > >> >> >
>> >> > >> >> > On Monday 03 October 2005 12:47, Matthew Alexander wrote:
>> >> > >> >> >> Does anyone have any info about how to set up PEAP/MSCHAPv2
>> >> > >> >> >> Machine Authentication? Is it possible with Radiator? I
>> >> > >> >> >> have AD user authentication set up and it works great, but
>> >> > >> >> >> machine authentication
>> >> > >> >> >> fails
>> >> > >> >> >> every time. I am trying to migrate from Cisco ACS where
>> >> > >> >> >> machine
>> >> > >> >> >> auth
>> >> > >> >> >> works
>> >> > >> >> >> fine, but I can't seem to get it to work with Radiator.
>> >> > >> >> >> Maybe it is
>> >> > >> >> >> a limitation of ntlm_auth?
>> >> > >> >> >
>> >> > >> >> > I would expect AuthBy NTLM PEAP/MSCHAPV2 to work with
>> >> > >> >> > machine
>> >> > >> >> > auth provided
>> >> > >> >> > your ntlm_auth does, but....
>> >> > >> >> >
>> >> > >> >> > Can you send to me a Radiator log file at trace level 4
>> >> > >> >> > showing what happens
>> >> > >> >> > when you try this?
>> >> > >> >> > Also your Radiator configuration file (no secrets)?
>> >> > >> >> >
>> >> > >> >> > Cheers.
>> >> > >> >> >
>> >> > >> >> >> Thanks,
>> >> > >> >> >> Matt
>> >> > >> >> >
>> >> > >> >> > --
>> >> > >> >> > Mike McCauley
>> >> > >> >> > mikem at open.com.au
>> >> > >> >> > Open System Consultants Pty. Ltd Unix, Perl,
>> >> > >> >> > Motif,
>> >> > >> >> > C++, WWW 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> >> > >> >> > http://www.open.com.au
>> >> > >> >> > Phone +61 7 5598-7474 Fax +61 7
>> >> > >> >> > 5598-7070
>> >> > >> >> >
>> >> > >> >> > Radiator: the most portable, flexible and configurable
>> >> > >> >> > RADIUS
>> >> > >> >> > server anywhere. SQL, proxy, DBM, files, LDAP, NIS+,
>> >> > >> >> > password,
>> >> > >> >> > NT, Emerald, Platypus, Freeside, TACACS+, PAM, external,
>> >> > >> >> > Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows,
>> >> > >> >> > MacOS etc.
>> >> > >> >> >
>> >> > >> >> > --
>> >> > >> >> > Archive at http://www.open.com.au/archives/radiator/
>> >> > >> >> > Announcements on radiator-announce at open.com.au
>> >> > >> >> > To unsubscribe, email 'majordomo at open.com.au' with
>> >> > >> >> > 'unsubscribe radiator' in the body of the message.
>> >> > >> >
>> >> > >> > --
>> >> > >> > Mike McCauley mikem at open.com.au
>> >> > >> > Open System Consultants Pty. Ltd Unix, Perl, Motif,
>> >> > >> > C++,
>> >> > >> > WWW 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> >> > >> > http://www.open.com.au
>> >> > >> > Phone +61 7 5598-7474 Fax +61 7
>> >> > >> > 5598-7070
>> >> > >> >
>> >> > >> > Radiator: the most portable, flexible and configurable RADIUS
>> >> > >> > server
>> >> > >> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
>> >> > >> > Emerald,
>> >> > >> > Platypus, Freeside, TACACS+, PAM, external, Active Directory,
>> >> > >> > EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
>> >> > >> >
>> >> > >> > --
>> >> > >> > Archive at http://www.open.com.au/archives/radiator/
>> >> > >> > Announcements on radiator-announce at open.com.au
>> >> > >> > To unsubscribe, email 'majordomo at open.com.au' with
>> >> > >> > 'unsubscribe radiator' in the body of the message.
>> >> > >
>> >> > > --
>> >> > > Mike McCauley mikem at open.com.au
>> >> > > Open System Consultants Pty. Ltd Unix, Perl, Motif,
>> >> > > C++,
>> >> > > WWW
>> >> > > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> >> > > http://www.open.com.au
>> >> > > Phone +61 7 5598-7474 Fax +61 7 5598-7070
>> >> > >
>> >> > > Radiator: the most portable, flexible and configurable RADIUS
>> >> > > server
>> >> > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
>> >> > > Emerald,
>> >> > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>> >> > > TLS,
>> >> > > TTLS, PEAP etc on Unix, Windows, MacOS etc.
>> >
>> > --
>> > Mike McCauley mikem at open.com.au
>> > Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
>> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> > http://www.open.com.au
>> > Phone +61 7 5598-7474 Fax +61 7 5598-7070
>> >
>> > Radiator: the most portable, flexible and configurable RADIUS server
>> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> > TTLS, PEAP etc on Unix, Windows, MacOS etc.
>> >
>> > --
>> > Archive at http://www.open.com.au/archives/radiator/
>> > Announcements on radiator-announce at open.com.au
>> > To unsubscribe, email 'majordomo at open.com.au' with
>> > 'unsubscribe radiator' in the body of the message.
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list