problems authenticating

Alan DeKok aland at ox.org
Mon Jul 11 23:26:54 CEST 2005


jck-freeradius at southwestern.edu wrote:
>   rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  That's pretty definitive.

> My thoughts are that SQL and MSCHAP should be in the authorization section,
> and MSCHAP and EAP should be in authentication.

  "eap" should be in the "authorize" section, too.  That's the way the
server comes configured.

> I am storing NTLM passwords in my SQL server.
...
> | 1490 | johnk    | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |

  No, you're not.

  You're telling the server that the clear-text password is a hex
string, which it's not.

  If you want to store the NT-hashed passwords in SQL, use the
"NT-Password" attribute, and ensure that the value is 32 bytes of hex
data.

  But before you do that, I would STRONGLY suggest storing a simple
clear-text password in SQL, like "test".  Verify that it works, and
THEN start storing NT password.

  By trying to configure 3 things at the same time, you guarantee that
you can't possibly figure out which one of the three is failing.

  Alan DeKok.
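
A sanity check for the kind of password rows discussed above, as an added example that is not part of the original post or of FreeRADIUS: it flags hash-shaped values stored under User-Password and NT-Password values that are not exactly 32 hex digits. The function names and the sample rows (including the hex values) are constructed for illustration.

```python
import string

HEX_DIGITS = set(string.hexdigits)


def is_hex32(s):
    """True if s is exactly 32 hexadecimal digits (one 16-byte hash in hex)."""
    return len(s) == 32 and all(c in HEX_DIGITS for c in s)


def check_row(attribute, value):
    """Return a list of problems for one (attribute, value) check item."""
    problems = []
    if attribute == "NT-Password":
        # Covers truncated values, non-hex characters and "hash:hash" pairs.
        if not is_hex32(value):
            problems.append("NT-Password value is not exactly 32 hex digits")
    elif attribute == "User-Password":
        # A clear-text password that is one or more colon-separated
        # 32-digit hex strings is almost certainly a hash in the wrong attribute.
        if all(is_hex32(part) for part in value.split(":")):
            problems.append(
                "User-Password holds a hash-shaped value; the server will "
                "treat it as clear text (use NT-Password for NT hashes)"
            )
    return problems


def audit(rows):
    """Map username -> problems for every row that has at least one problem."""
    findings = {}
    for username, attribute, value in rows:
        problems = check_row(attribute, value)
        if problems:
            findings.setdefault(username, []).extend(problems)
    return findings


# Constructed sample rows: (UserName, Attribute, Value). Not real credentials.
SAMPLE_ROWS = [
    ("johnk", "User-Password",
     "00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100"),
    ("alice", "NT-Password", "00112233445566778899aabbccddeeff"),
    ("bob", "User-Password", "test"),
    ("carol", "NT-Password", "0011223344"),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ROWS).items():
        for problem in problems:
            print(f"{user}: {problem}")
```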


