Hi, I have been following David Zych's recent work with interest:
https://www.mail-archive.com/radiator@open.com.au/msg18963.html

and wanted to implement something similar here, but I've hit a stumbling block that I cannot get past. Maybe it will be blindingly obvious to someone else ...

Essentially, I currently have a monolithic Radiator process that I want to split out and proxy to more backend authentication processes. To that end, I configured up a backend Radiator process with the NTLM bits, and in the front-end added some clauses to proxy certain queries (those with my username). I'm testing with eapol_test, and against the real monolithic Radiator servers it is fine.

The inner authentication bits look like this:

    <AuthBy GROUP>
        # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
        Identifier ITSAuthEAPInner
        AuthBy ITSAuthEAPInnerNTLM
    </AuthBy>

    <AuthBy NTLM>
        Identifier ITSAuthEAPInnerNTLM
        NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
        DefaultDomain DS.STRATH.AC.UK
        EAPType MSCHAP-V2
        UsernameMatchesWithoutRealm
    </AuthBy>

However, if I change it (on the same host) to look like this in the front-end, modelled after David's examples:

    <AuthBy GROUP>
        # There used to be other things here, and an AuthbyPolicy ContinueUntilAcceptOrChallenge
        Identifier ITSAuthEAPInnerJRB
        AuthBy BackendProxy
    </AuthBy>

    <AuthBy ROUNDROBIN>
        Identifier BackendProxy
        Include %D/secret.backend.conf
        RetryTimeout 3
        Retries 0
        MaxTargetHosts 2
        FailureBackoffTime 1
        StripFromRequest X-Proxy-Timestamp,X-Proxy-Timeout
        AddToRequest X-Proxy-Timestamp=%t,X-Proxy-Timeout=3
        ReplyTimeoutHook file:"%D/hooks/replytimeout"
        <Host 127.0.0.1>
            AuthPort %{GlobalVar:Backendworker1Port}
        </Host>
        IgnoreAccounting
    </AuthBy>

and then in the backend:

    <Handler Client-Identifier=frontend>
        Identifier frontend
        AuthBy ITSAuthEAPInnerNTLMbackend
    </Handler>

    <AuthBy NTLM>
        Identifier ITSAuthEAPInnerNTLMbackend
        NtlmAuthProg /usr/local/bin/ntlm_auth -s /usr/local/etc/smb.conf --helper-protocol=ntlm-server-1
        DefaultDomain DS.STRATH.AC.UK
        EAPType MSCHAP-V2
        UsernameMatchesWithoutRealm
    </AuthBy>

I always get a password failure from ntlm_auth when going through Radiator. I can run ntlm_auth OK at the command line and do plain authentication on the same host:

    ntlm_auth --username=ras99101
    password:
    NT_STATUS_OK: Success (0x0)

I can also run David's script in http://www.open.com.au/pipermail/radiator/2011-November/017709.html and get successful ntlm authentication:

    ./radius-test
    Invoking ntlm_auth --helper-protocol=ntlm-server-1 < ntlmtest.query
    -- Contents of query file --
    Username: ras99101
    NT-Domain: DS.STRATH.AC.UK
    LANMAN-Challenge: 0000000000000000
    NT-Response: d4be0aa521b02f12d066fcdfe2d88c04f9b7bbc19cf05df0
    .
    -- Output --
    Authenticated: Yes
    .
    -- Done --

Here are debug logs showing the two transactions, interspersed with some winbindd debugging (I've slightly mangled Challenge/Response/LANMAN output).

This one was OK via the old monolithic route:

    Wed Oct 29 16:50:46 2014: DEBUG: Handling request with Handler 'TunnelledByPEAP=1 ', Identifier 'eap-inner-peap'
    Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
    Wed Oct 29 16:50:46 2014: DEBUG: Rewrote user name to ras99101
    Wed Oct 29 16:50:46 2014: DEBUG: Deleting session for ras99101, ,
    Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthGROUP: ITSAuthEAPInner
    Wed Oct 29 16:50:46 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLM
    Wed Oct 29 16:50:46 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
    Wed Oct 29 16:50:46 2014: DEBUG: Response type 26
    Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM looks for match with ras99101 [ras99101]
    Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthNTLM ACCEPT: : ras99101 [ras99101]
    Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
    Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
    Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute LANMAN-Challenge: bda8fa68138ee574
    Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Response: 8d04f4250f887d8fb72e1d4c9451f36926f0bb3f2a8178fe
    Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
    Wed Oct 29 16:50:46 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
    [2014/10/29 16:50:46.190790, 3, pid=76290] [80304]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
    [2014/10/29 16:50:46.190965, 4, pid=76291] child daemon request 14
    [2014/10/29 16:50:46.191041, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
    [2014/10/29 16:50:46.198343, 5, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_OK (PAM: 0)
    [2014/10/29 16:50:46.198426, 4, pid=76291] Finished processing child request 14
    Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: Authenticated: Yes
    Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: LANMAN-Session-Key: B7BF79EA25BFD6F0
    Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: User-Session-Key: 8B7FEA71FF24E1ECDAA6433999F42FEE
    Wed Oct 29 16:50:46 2014: DEBUG: Received attribute: .
    Wed Oct 29 16:50:46 2014: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
    Wed Oct 29 16:50:46 2014: DEBUG: Radius::AuthGROUP:ITSAuthEAPInner ITSAuthEAPInnerNTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
    Wed Oct 29 16:50:46 2014: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
    Wed Oct 29 16:50:46 2014: DEBUG: Access challenged for ras99101: EAP MSCHAP V2 Challenge: Success

This one was a failure via the backend proxy:

    Wed Oct 29 16:51:53 2014: DEBUG: Handling request with Handler 'Client-Identifier=frontend', Identifier 'frontend'
    Wed Oct 29 16:51:53 2014: DEBUG: Deleting session for ras99101, 127.0.0.1,
    Wed Oct 29 16:51:53 2014: DEBUG: Handling with Radius::AuthNTLM: ITSAuthEAPInnerNTLMbackend
    Wed Oct 29 16:51:53 2014: DEBUG: Handling with EAP: code 2, 8, 63, 26
    Wed Oct 29 16:51:53 2014: DEBUG: Response type 26
    Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM looks for match with [ras99101]
    Wed Oct 29 16:51:53 2014: DEBUG: Radius::AuthNTLM ACCEPT: : [ras99101]
    Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-User-Session-Key: Yes
    Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
    Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute LANMAN-Challenge: 499d16055416b67b
    Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Response: acedbcb10e6427538561caa910fd1299d0f5f9d8e289846e
    Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute NT-Domain:: RFMuU1RSQVRILkFDLlVL
    Wed Oct 29 16:51:53 2014: DEBUG: Passing attribute Username:: cmFzOTkxMDE=
    Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
    [2014/10/29 16:51:53.895378, 3, pid=76290] [76149]: pam auth crap domain: [DS.STRATH.AC.UK] user: ras99101
    [2014/10/29 16:51:53.895832, 4, pid=76291] child daemon request 14
    [2014/10/29 16:51:53.895957, 3, pid=76291] [76290]: pam auth crap domain: DS.STRATH.AC.UK user: ras99101
    [2014/10/29 16:51:53.922474, 2, pid=76291] NTLM CRAP authentication for user [DS.STRATH.AC.UK]\[ras99101] returned NT_STATUS_WRONG_PASSWORD (PAM: 9)
    [2014/10/29 16:51:53.922547, 4, pid=76291] Finished processing child request 14
    Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authenticated: No
    Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: Authentication-Error: Wrong Password
    Wed Oct 29 16:51:53 2014: DEBUG: Received attribute: .
    Wed Oct 29 16:51:53 2014: WARNING: NTLM Could not authenticate user 'ras99101': Wrong Password
    Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508
    Wed Oct 29 16:51:53 2014: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
    Wed Oct 29 16:51:53 2014: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
    Wed Oct 29 16:51:53 2014: INFO: Access rejected for ras99101: EAP MSCHAP-V2 Authentication failure

Radiator-4.13 in all instances. The only thing I can see anomalous is:

    Wed Oct 29 16:51:53 2014: DEBUG: EAP Failure, elapsed time -1414601513.92508

Anyone any ideas?

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator