[RADIATOR] Troubles trying to proxy NTLM

Jethro R Binks jethro.binks at strath.ac.uk
Wed Oct 29 12:05:23 CDT 2014


Hi,

I have been following David Zych's recent work with interest:

  https://www.mail-archive.com/radiator@open.com.au/msg18963.html

and wanted to implement something similar here, but I've hit a stumbling
block that I cannot get past.  Maybe it will be blindingly obvious to someone 
else ...

Essentially, I currently have a monolithic Radiator process that I want
to split out and proxy to more backend authentication processes.  To that
end, I configured up a backend Radiator process with the NTLM bits, and in
the front-end added some clauses to proxy certain queries (those with my 
username).

I'm testing with eapol_test, and against the real monolithic Radiator 
servers it is fine.  The inner authentication bits look like this:

<AuthBy GROUP>
  # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
  Identifier      ITSAuthEAPInner
  AuthBy          ITSAuthEAPInnerNTLM
</AuthBy>

<AuthBy NTLM>
  Identifier      ITSAuthEAPInnerNTLM
  NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
  DefaultDomain DS.STRATH.AC.UK
  EAPType MSCHAP-V2
  UsernameMatchesWithoutRealm
</AuthBy>

However, if I change it (on the same host) to look like this in the front-end, modelled
after David's examples:

<AuthBy GROUP>
  # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
  Identifier      ITSAuthEAPInnerJRB
  AuthBy          BackendProxy
</AuthBy>

<AuthBy ROUNDROBIN>
  Identifier BackendProxy
  Include %D/secret.backend.conf
  RetryTimeout 3
  Retries 0
  MaxTargetHosts 2
  FailureBackoffTime 1
  StripFromRequest X-Proxy-Timestamp,X-Proxy-Timeout
  AddToRequest X-Proxy-Timestamp=%t,X-Proxy-Timeout=3
  ReplyTimeoutHook file:"%D/hooks/replytimeout"
  <Host 127.0.0.1>
    AuthPort %{GlobalVar:Backendworker1Port}
  </Host>
  IgnoreAccounting
</AuthBy>

and then in the backend:

<Handler Client-Identifier=frontend>
  Identifier frontend
  AuthBy ITSAuthEAPInnerNTLMbackend
</Handler>

<AuthBy NTLM>
  Identifier      ITSAuthEAPInnerNTLMbackend
  NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
  DefaultDomain DS.STRATH.AC.UK
  EAPType MSCHAP-V2
  UsernameMatchesWithoutRealm
</AuthBy>

I always get a password failure from ntlm_auth when going through Radiator.

I can run ntlm_auth OK at the command line and do plain authentication on the same host:

ntlm_auth --username=ras99101
password: 
NT_STATUS_OK: Success (0x0)

I can also run David's script in
http://www.open.com.au/pipermail/radiator/2011-November/017709.html
and get successful ntlm authentication:

./radius-test
Invoking ntlm_auth --helper-protocol=ntlm-server-1 < ntlmtest.query

-- Contents of query file --
Username: ras99101
NT-Domain: DS.STRATH.AC.UK
LANMAN-Challenge: 0000000000000000
NT-Response: d4be0aa521b02f12d066fcdfe2d88c04f9b7bbc19cf05df0
.
-- Output --
Authenticated: Yes
.
-- Done --


Here are debug logs showing the two transactions, interspersed with some 
winbindd debugging (I've slightly mangled Challenge/Response/LANMAN output).

This one was OK via the old monolithic route:

Wed Oct 29 16:50:46 2014: DEBUG: Handling request with Handler 'TunnelledByPEAP=1 ', Identifier 'eap-inner-peap'
Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
Wed Oct 29 16:50:46 2014: DEBUG:  Deleting session for ras99101, , 
Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthGROUP: ITSAuthEAPInner
Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLM
Wed Oct 29 16:50:46 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
Wed Oct 29 16:50:46 2014: DEBUG: Response type 26
Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM looks for match with ras99101 [ras99101]
Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM ACCEPT: : ras99101 [ras99101]
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute LANMAN-Challenge: bda8fa68138ee574
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Response: 8d04f4250f887d8fb72e1d4c9451f36926f0bb3f2a8178fe
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
[2014/10/29 16:50:46.190790,  3, pid=76290]   [80304]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
[2014/10/29 16:50:46.190965,  4, pid=76291]   child daemon request 14
[2014/10/29 16:50:46.191041,  3, pid=76291]   [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
[2014/10/29 16:50:46.198343,  5, pid=76291]   NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_OK (PAM: 0)
[2014/10/29 16:50:46.198426,  4, pid=76291]   Finished processing child request 14
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: Authenticated: Yes
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: LANMAN-Session-Key: B7BF79EA25BFD6F0
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: User-Session-Key: 8B7FEA71FF24E1ECDAA6433999F42FEE
Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: .
Wed Oct 29 16:50:46 2014: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthGROUP:ITSAuthEAPInner ITSAuthEAPInnerNTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Wed Oct 29 16:50:46 2014: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Wed Oct 29 16:50:46 2014: DEBUG: Access challenged for ras99101: EAP MSCHAP V2 Challenge: Success



This one was a failure via the backend proxy:

Wed Oct 29 16:51:53 2014: DEBUG: Handling request with Handler 'Client-Identifier=frontend', Identifier 'frontend'
Wed Oct 29 16:51:53 2014: DEBUG:  Deleting session for ras99101, 127.0.0.1, 
Wed Oct 29 16:51:53 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLMbackend
Wed Oct 29 16:51:53 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
Wed Oct 29 16:51:53 2014: DEBUG: Response type 26
Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM looks for match with  [ras99101]
Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM ACCEPT: :  [ras99101]
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute LANMAN-Challenge: 499d16055416b67b
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Response: acedbcb10e6427538561caa910fd1299d0f5f9d8e289846e
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
[2014/10/29 16:51:53.895378,  3, pid=76290]   [76149]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
[2014/10/29 16:51:53.895832,  4, pid=76291]   child daemon request 14
[2014/10/29 16:51:53.895957,  3, pid=76291]   [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
[2014/10/29 16:51:53.922474,  2, pid=76291]   NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)
[2014/10/29 16:51:53.922547,  4, pid=76291]   Finished processing child request 14
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authenticated: No
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authentication-Error: Wrong Password
Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
Wed Oct 29 16:51:53 2014: WARNING: NTLM Could not authenticate user 'ras99101': Wrong Password
Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
Wed Oct 29 16:51:53 2014: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Oct 29 16:51:53 2014: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Oct 29 16:51:53 2014: INFO: Access rejected for ras99101: EAP MSCHAP-V2 Authentication failure

Radiator-4.13 in all instances.

The only thing I can see anomalous is:

Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508

Anyone any ideas?

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
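As an added example (not code from the post or from Radiator itself), here is the ntlm-server-1 exchange the debug logs above show, written out in Python: it builds the request block that AuthBy NTLM pipes to ntlm_auth, parses the helper's reply, and computes the RFC 2759 challenge hash that becomes the LANMAN-Challenge field. The key naming and the base64 convention for "Key::" lines follow the log lines above; the challenges and password-less response bytes are constructed. Because that hash covers the user name as the peer sent it, the front-end and backend must agree on that name, which is one thing worth checking when ntlm_auth reports a wrong password for a known-good one.

```python
"""Constructed example of the ntlm-server-1 request/reply that Radiator's
AuthBy NTLM exchanges with ntlm_auth, plus the RFC 2759 ChallengeHash."""
import base64
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge ||
    UserName)[0:8]. UserName is the name as presented by the peer, with any
    prepended domain removed; the caller passes it in that form."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_helper_request(username: str, domain: str, lanman_challenge: bytes,
                         nt_response: bytes) -> str:
    """One ntlm-server-1 request. 'Key:: value' (double colon) carries a
    base64 value, 'Key: value' a plain one, and '.' ends the request."""
    lines = [
        "Request-User-Session-Key: Yes",
        "Request-LanMan-Session-Key: Yes",
        "LANMAN-Challenge: " + lanman_challenge.hex(),
        "NT-Response: " + nt_response.hex(),
        "NT-Domain:: " + _b64(domain),
        "Username:: " + _b64(username),
        ".",
    ]
    return "\n".join(lines) + "\n"


def parse_helper_reply(reply: str) -> dict:
    """Parse the reply block: 'Authenticated: Yes' with session keys, or
    'Authenticated: No' plus 'Authentication-Error: ...', ending in '.'."""
    fields = {}
    for line in reply.splitlines():
        if line == ".":
            break
        key, _, value = line.partition(": ")
        fields[key.rstrip(":")] = value
    return fields
```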
