[Samba] CISCO ISE vs Samba4 Problem

[Andrew Bartlett]

On Tue, 2015-01-20 at 13:33 +1300, Andrew Bartlett wrote:
> On Mon, 2015-01-19 at 10:59 +0330, Maryam Lahijani wrote:
> > Dear All
> > 
> > We have samba4 in our network as an domain controller.we have cisco ISE1.3
> > and our cisco team want to run IEEE802.1x in our network.The problem is
> > that ise use ms-rpc for sending MS-CHAP V2 to samba and it revived RPC
> > login failure  from samba.ISE 1.2 use kerberos for sending MS-CHAP V2 and
> > its ok but we have problem with ISE 1.3.any advise to solve this problem?
> 
> Can you give much more detail on exactly what fails, and how it fails?
> What is in the logs, etc?  Can you get me a network trace (and a
> description of what it contains, packet by failing packet) to clarify
> what is different between this and a test Microsoft AD domain?

Just some initial feedback, as I think you may be a little confused by
the protocols involved.  There isn't a way to validate an MS-CHAPv2
response over Kerberos, the relevant protocol is the SamLogon family of
functions over the NETLOGON DCE/RPC pipe which Samba has pretty
comprehensive support for.  So assuming it uses the normal calls here
(and I'll check the logs you sent privately), this is all expected to
work.  Do make sure to send me the matching level 10 Samba logs as
well. 

>From the logs you provided me privately, it gives STATUS_UNSUCCESSFUL,
and the network trace indicates a NDR fault.  This implies that the
client is sending a form of SamLogonEx that we can't decode.  Sadly this
part of the capture is encrypted.  Sadly I can't remember the smb.conf
magic setting required to dump the unencrypted packets out :-(

The other thing I note is that the username in your logs is
(null)\user at realm.com.  The (null)\ bit is very, very weird. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba