MS-CHAP2 Failure
Mike Diggins
mike.diggins at mcmaster.ca
Tue Mar 17 17:41:19 CET 2009
I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb directory and copying it to the
other machine, but it still fails. I also rejoined the Windows domain, but
nothing is working. Does MSCHAP have any other dependency on the system
that PAP doesn't? I don't know where else to look.
-Mike
On Mon, 16 Mar 2009, Mike Diggins wrote:
>
> I configured what I thought were two identical FreeRadius 2.1.3 servers. I'm
> attempting to do MS-CHAP2 authentication on both, one is working, the other
> is not. For the life of me I can't find any difference in their
> configuration.
>
> On my client, I switch the host name between the two servers, everything else
> stays the same. One works, one fails, and I don't know why. Below is the
> debug output for both the failure and success. PAP authentication works fine
> on both with the same id. What the heck have I missed?
>
> This is the one that fails:
>
> rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26,
> length=127
> NAS-Identifier = "test-cam1"
> NAS-IP-Address = 192.168.2.15
> MS-CHAP-Challenge = 0xbd4261d677c0d793ee781d7a032218df
> MS-CHAP2-Response =
> 0xa300ac9567587df3e83b3799dc49a53f433000000000000000007e0e6320a093349fbd0afc94436ed32e1258e26c5463147b
> User-Name = "test26"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> [suffix] No '@' in User-Name = "test26", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 5
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for test26 with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Login incorrect: [test26] (from client 192.168.2.15 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> test26
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 26 to 192.168.2.15 port 2357
> Waking up in 4.9 seconds.
> Cleaning up request 7 ID 26 with timestamp +1885
> Ready to process requests.
>
>
> This one works:
>
> rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115,
> length=127
> NAS-Identifier = "test-cam1"
> NAS-IP-Address = 192.168.2.15
> MS-CHAP-Challenge = 0xfdd0ccd7059225f80093cea2929eb415
> MS-CHAP2-Response =
> 0x780017ff811e7761fc6bd332fb45f4f6b3f50000000000000000b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
> User-Name = "test26"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> [suffix] No '@' in User-Name = "test26", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 5
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for test26 with NT-Password
> [mschap] expand: --username=%{mschap:User-Name:-None} ->
> --username=test26
> [mschap] No NT-Domain was found in the User-Name.
> [mschap] expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
> [mschap] mschap2: fd
> [mschap] expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=cc26ba941d6d9678
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
> Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
> Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
> Exec-Program: returned: 0
> ++[mschap] returns ok
> Login OK: [test26] (from client 192.168.2.15 port 0)
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 115 to 192.168.2.15 port 2358
> MS-CHAP2-Success =
> 0x78533d41453631324635393130344535373132364133414234374339463844443541453538384142453943
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 5 ID 115 with timestamp +1773
> Ready to process requests.
>
> -Mike
>
More information about the Freeradius-Users mailing list
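The working trace above shows rlm_mschap handing ntlm_auth a --challenge=cc26ba941d6d9678 that appears nowhere in the Access-Request. The following added example (not from the post or from FreeRADIUS) derives that value from the logged MS-CHAP-Challenge, MS-CHAP2-Response and User-Name using the RFC 2759 ChallengeHash, and makes the point behind the failing trace: the 24-byte NT-Response can only be checked by something holding the NT hash, so a server with neither an NT-Password nor a working ntlm_auth helper has nothing to do but reject. Attribute values are the ones quoted in the working exchange; the field layout is RFC 2548 section 2.3.2.

```python
import hashlib
from dataclasses import dataclass

# Attribute values copied from the working exchange in the debug output above.
# MS-CHAP-Challenge: 16-byte authenticator challenge sent by the NAS.
# MS-CHAP2-Response: 50-byte attribute, layout per RFC 2548 section 2.3.2.
MS_CHAP_CHALLENGE = bytes.fromhex("fdd0ccd7059225f80093cea2929eb415")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "780017ff811e7761fc6bd332fb45f4f6b3f50000000000000000"
    "b6834efb6626804caf2aa055c5a157851e9bc927698cf23f"
)
USER_NAME = "test26"


@dataclass
class MsChap2Response:
    ident: int             # copied from the Access-Request, 0x78 above
    flags: int             # must be 0 for MS-CHAPv2
    peer_challenge: bytes  # 16 bytes chosen by the client
    nt_response: bytes     # 24 bytes: three DES blocks keyed from the NT hash


def parse_ms_chap2_response(attr: bytes) -> MsChap2Response:
    """Split the attribute into Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    if attr[18:26] != bytes(8):
        raise ValueError("Reserved field is not zero")
    return MsChap2Response(attr[0], attr[1], attr[2:18], attr[26:50])


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[:8].

    The user name goes in without any DOMAIN\\ prefix, as rlm_mschap strips it.
    This 8-byte value is what the --challenge= line in the debug output carries.
    """
    bare_name = user_name.split("\\")[-1]
    return hashlib.sha1(peer_challenge + auth_challenge + bare_name.encode()).digest()[:8]


def ntlm_auth_args(auth_challenge: bytes, attr: bytes, user_name: str) -> dict:
    """Rebuild the parameters rlm_mschap expands into its ntlm_auth command line.

    Verifying nt_response needs the NT hash (the DES keys come from it), which is why
    the first trace dies with "No NT/LM-Password" before ever reaching this step.
    """
    resp = parse_ms_chap2_response(attr)
    if resp.flags != 0:
        raise ValueError("Flags must be zero for MS-CHAPv2")
    return {
        "username": user_name.split("\\")[-1],
        "challenge": challenge_hash(resp.peer_challenge, auth_challenge, user_name).hex(),
        "nt-response": resp.nt_response.hex(),
    }
```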