[RADIATOR] Problems with ntlm_auth for EAP inner auth after upgrade
Heikki Vatiainen
hvn at open.com.au
Thu Aug 15 14:16:09 UTC 2024
On 31.7.2024 22.56, Jethro Binks via radiator wrote:
> or via an mschap_test perl script that generates the challenge stuff and
> feeds to helper-protocol=ntlm-server-1:
>
> $ ./mschap-test -c
> Enter AD account username (no domain or realm) to probe: testuser
> Enter domain: mydomain
> Enter password for mydomain\testuser:
> Invoking ntlm_auth --configfile=/usr/local/etc/smb4.conf --allow-
> mschapv2 --helper-protocol=ntlm-server-1 --option='log level=0' <
> ntlmtest.query
The script adds '--allow-mschapv2' to ntlm_auth parameters. I'd first
check that ntlm_auth that Radiator launches uses the same flag.
There's more about the flag here:
https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#Domain_AuthByNTLM-3
> Now perhaps my use of eapol_test is wrong, it's been a long time, but I
> seem to get the same result if I let some real user traffic in. If the
> supplicant is configured with a realm on the inner auth, then they fail
> auth, and for the rare ones who have no realm specified there, it works
> (I think - it's hard to do this for long as it is disruptive).
The username that ntlm_auth sends should be one that allows the AD to
find the user record.
Maybe you could try without DefaultDomain AuthBy NTLM parameter or set
the Windows domain directly with Domain to something that works.
But I'd do that after --allows-mschapv2 flag to see that's not a
problem. This flag and Domain and DefaultDomain are for different
reasons, but I'd change just one thing at the time.
Thanks,
Heikki
More information about the radiator
mailing list