[RADIATOR] problem with peap using AuthBy NTLM, need help!

Ting, Michael michael.ting at nist.gov
Thu Apr 8 23:25:21 CDT 2010


Dear All,

  I just couldn't figure out myself where the problem is. Any help or suggestion is greatly 
appreciated.

The problem
    PEAP using AuthBy NTLM has been working for us for a long time with Samba 3.0.24 (see the
attached file peapntlm_3.0.24_logfile.02.19.2010). However, its ntlm_auth would not work
when the Windows domain controller was upgraded to w2k8r2 from w2k3. So, we upgraded
Samba to 3.4.2 and its ntlm_auth (see the attached file ntlm_auth_3.4.2.txt) appears to work again.
But radius AuthBy NTLM failed to come up with 'AuthBy NTLM result: ACCEPT,' so it repeats
this step repeatedly like in a loop. All the PEAP client sees is 'validating the user' forever.
  For all tests, no changes on the peap-mschapv2 pwd client or the authenticator - a Cisco wireless
LAN controller.
  

The full log file (peapntlm_3.4.2_logfile.03.23.2010 ) for the failed AuthBy NTLM is attached.
Parts of it are displayed below to highlight my points.

--------- ntlm_auth  --helper-protocol=ntlm-server-1 appears working fine-----------------
Tue Mar 23 09:10:18 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Tue Mar 23 09:10:18 2010: DEBUG:  Deleting session for anonymous, 132.163.128.57, 29
Tue Mar 23 09:10:18 2010: DEBUG: Handling with Radius::AuthNTLM: authby_ntlm
Tue Mar 23 09:10:18 2010: DEBUG: Handling with EAP: code 2, 12, 60, 26
Tue Mar 23 09:10:18 2010: DEBUG: Response type 26
Tue Mar 23 09:10:18 2010: DEBUG: Radius::AuthNTLM looks for match with sting [anonymous]
Tue Mar 23 09:10:18 2010: DEBUG: Radius::AuthNTLM ACCEPT: : sting [anonymous]
Tue Mar 23 09:10:18 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Mar 23 09:10:18 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Mar 23 09:10:18 2010: DEBUG: Passing attribute LANMAN-Challenge: 0f71822678f440f9
Tue Mar 23 09:10:18 2010: DEBUG: Passing attribute NT-Response: f4332a6176bec037678ba387f8e3a06f754d9efa9856fbc9
Tue Mar 23 09:10:18 2010: DEBUG: Passing attribute NT-Domain:: RkxBVElST05T
Tue Mar 23 09:10:18 2010: DEBUG: Passing attribute Username:: c3Rpbmc=
Tue Mar 23 09:10:18 2010: DEBUG: Received attribute: Authenticated: Yes
Tue Mar 23 09:10:18 2010: DEBUG: Received attribute: LANMAN-Session-Key: 56879A7A9DAAF17F
Tue Mar 23 09:10:18 2010: DEBUG: Received attribute: User-Session-Key: E5CDB18A840255C825EFAC8B40EB8C0E
Tue Mar 23 09:10:18 2010: DEBUG: Received attribute: .
Tue Mar 23 09:10:18 2010: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Tue Mar 23 09:10:18 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Mar 23 09:10:18 2010: DEBUG: Access challenged for anonymous: EAP MSCHAP V2 Challenge: Success
Tue Mar 23 09:10:18 2010: DEBUG: Returned PEAP tunnelled packet dump:

-------grep 'NTLM result' peapntlm_3.4.2_logfile.03.23.2010 - in a loop when user/pwd correct----------
Tue Mar 23 09:08:45 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:08:45 2010: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Mar 23 09:09:43 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:09:44 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Mar 23 09:10:18 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:10:18 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Mar 23 09:10:52 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:10:52 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success

-------grep 'NTLM result' peapntlm_3.0.24_logfile.02.19.2010 - ends quickly with AuthBy NTLM result: ACCEPT-----
Fri Feb 19 12:14:39 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Fri Feb 19 12:14:39 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Fri Feb 19 12:14:39 2010: DEBUG: AuthBy NTLM result: ACCEPT,

  Thanks in advance!

Michael Ting

Note: two log files mentioned above are not attached since this posting was rejected by the moderator probably due to
Message body is too big: 210265 bytes with a limit of 40 KB
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ntlm_auth_3.4.2.txt
Url: http://www.open.com.au/pipermail/radiator/attachments/20100409/2763ec41/attachment-0001.txt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: peapntlm_3.4.2.cfg
Type: application/octet-stream
Size: 2554 bytes
Desc: peapntlm_3.4.2.cfg
Url : http://www.open.com.au/pipermail/radiator/attachments/20100409/2763ec41/attachment-0001.obj 
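
The comparison made by hand with grep in the message above can be automated. The following is an added example, not part of the original post and not Radiator code: it groups `AuthBy NTLM result` lines into attempts and flags those that reach "Challenge: Success" without a final ACCEPT or REJECT. Treating the `EAP MSCHAP-V2 Challenge` reason as the start of an attempt is an assumption, as are the function names and verdict labels.

```python
import re

# Radiator DEBUG line: "<timestamp>: DEBUG: AuthBy NTLM result: <RESULT>, <reason>"
RESULT_RE = re.compile(
    r"^(?P<ts>.+?): DEBUG: AuthBy NTLM result: (?P<result>[A-Z]+),\s*(?P<reason>.*)$")

def classify_attempts(lines):
    """Group 'AuthBy NTLM result' lines into attempts and give each a verdict."""
    attempts, cur = [], None
    for line in lines:
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # not an AuthBy NTLM result line
        result, reason = m["result"], m["reason"].strip()
        # Assumption: this exact reason marks the start of a new inner attempt.
        if result == "CHALLENGE" and reason == "EAP MSCHAP-V2 Challenge":
            cur = {"start": m["ts"], "success": False, "final": None}
            attempts.append(cur)
        elif cur and result == "CHALLENGE" and reason.endswith("Challenge: Success"):
            cur["success"] = True  # MSCHAPv2 success sent, final result pending
        elif cur and result in ("ACCEPT", "REJECT"):
            cur["final"] = result
    for a in attempts:
        a["verdict"] = ({"ACCEPT": "completed", "REJECT": "rejected"}.get(a["final"])
                        or ("stalled-after-success" if a["success"] else "incomplete"))
    return attempts

def verdicts(lines):
    return [a["verdict"] for a in classify_attempts(lines)]

# Sample input: the two grep excerpts quoted in the post.
LOG_3_4_2 = """\
Tue Mar 23 09:08:45 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:08:45 2010: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Mar 23 09:09:43 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:09:44 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Mar 23 09:10:18 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:10:18 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Mar 23 09:10:52 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Tue Mar 23 09:10:52 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
""".splitlines()
LOG_3_0_24 = """\
Fri Feb 19 12:14:39 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP-V2 Challenge
Fri Feb 19 12:14:39 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Fri Feb 19 12:14:39 2010: DEBUG: AuthBy NTLM result: ACCEPT,
""".splitlines()

if __name__ == "__main__":
    print(verdicts(LOG_3_4_2), verdicts(LOG_3_0_24))
```

On the Samba 3.4.2 excerpt the first attempt is labelled `rejected` and the next three `stalled-after-success`; the 3.0.24 excerpt yields a single `completed` attempt.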

