OpenVPN, ProxyRADIUS MS-CHAP and Windows AD

Question

Trying to set up VPN authentication against different realms/windows domains. I'm using OpenVPN Access Server which directs all authentication requests (username in the form of user@domain) to FreeRADIUS server (3.0.15) with required proxy.conf and realms config so that forwards (proxies) the access-request to home server. The OpenVPN is configured to use MS-CHAPv2. The home server is also a freeRADIUS, same version. Home server is a member of windows domain (samba 4.6) and its clients.conf file includes the proxyRADIUS server as "NAS'....etc. No issues on home server, when it comes to samba/winbind checks, etc. As a matter of facts, if I send requests from OpenVPN directly to it (without proxy), using username = sAMAccountName, authentication and group membership checks via LDAP work as expected. However, if the request is proxied, the mschap module in home server reports: (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: Logon failure (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect

(Outout above from radiusd in debug mode)

Just as a way of testing there was no issue with proxying the requests I enabled NPS on the domain controller and started proxying requests towards it and authentication worked with no issues, so, for whatever the reason, when home server tries to authenticate a proxied request the NT-Response (or at least as managed by mschap module) doesn't seem right. I know there was a bug in an old version of samba about NT-Response, but I don't think that's the issue here, I think it got fixed a few years ago. Has anyone come across a similar issue? Thanks! PS: Proxy and home RADIUS run in BSD 10.3

OpenVPN, ProxyRADIUS MS-CHAP and Windows AD

Answers (1)

Related Questions