MS-CHAP2 Failure

Mike Diggins mike.diggins at mcmaster.ca
Tue Mar 17 17:41:19 CET 2009


I've made no progress in finding a solution to my MSCHAP problem. To 
summarize, Winbind and FreeRadius authenticate via PAP fine on both 
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I 
tried tar'ing up the entire /etc/raddb directory and copying it to the 
other machine, but it still fails. I also rejoined the Windows domain, but 
nothing is working. Does MSCHAP have any other dependency on the system 
that PAP doesn't? I don't know where else to look.

-Mike

On Mon, 16 Mar 2009, Mike Diggins wrote:

>
> I configured what I thought were two identical FreeRadius 2.1.3 servers. I'm 
> attempting to do MS-CHAP2 authentication on both, one is working, the other 
> is not. For the life of me I can't find any difference in their 
> configuration.
>
> On my client, I switch the host name between the two servers, everything else 
> stays the same. One works, one fails, and I don't know why. Below is the 
> debug output for both the failure and success. PAP authentication works fine 
> on both with the same id. What the heck have I missed?
>
> This is the one that fails:
>
> rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26, 
> length=127
>         NAS-Identifier = "test-cam1"
>         NAS-IP-Address = 192.168.2.15
>         MS-CHAP-Challenge = 0xbd4261d677c0d793ee781d7a032218df
>         MS-CHAP2-Response = 
> 0xa300ac9567587df3e83b3799dc49a53f433000000000000000007e0e6320a093349fbd0afc94436ed32e1258e26c5463147b
>         User-Name = "test26"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [suffix] No '@' in User-Name = "test26", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 5
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication 
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for test26 with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Login incorrect: [test26] (from client 192.168.2.15 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> test26
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 26 to 192.168.2.15 port 2357
> Waking up in 4.9 seconds.
> Cleaning up request 7 ID 26 with timestamp +1885
> Ready to process requests.
>
>
> This one works:
>
> rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115, 
> length=127
>         NAS-Identifier = "test-cam1"
>         NAS-IP-Address = 192.168.2.15
>         MS-CHAP-Challenge = 0xfdd0ccd7059225f80093cea2929eb415
>         MS-CHAP2-Response = 
> 0x780017ff811e7761fc6bd332fb45f4f6b3f50000000000000000b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
>         User-Name = "test26"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [suffix] No '@' in User-Name = "test26", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 5
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication 
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for test26 with NT-Password
> [mschap]        expand: --username=%{mschap:User-Name:-None} -> 
> --username=test26
> [mschap] No NT-Domain was found in the User-Name.
> [mschap]        expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
> [mschap]  mschap2: fd
> [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> 
> --challenge=cc26ba941d6d9678
> [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> 
> --nt-response=b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
> Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
> Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
> Exec-Program: returned: 0
> ++[mschap] returns ok
> Login OK: [test26] (from client 192.168.2.15 port 0)
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 115 to 192.168.2.15 port 2358
>         MS-CHAP2-Success = 
> 0x78533d41453631324635393130344535373132364133414234374339463844443541453538384142453943
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 5 ID 115 with timestamp +1773
> Ready to process requests.
>
> -Mike
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
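The two debug traces differ at one point: the working server's rlm_mschap hands the request to ntlm_auth (the `--username=`, `--domain=`, `--challenge=` and `--nt-response=` expansions), while the failing server, with neither an NT-Password nor an ntlm_auth to call, rejects immediately. The added Python example below (not from the post or from FreeRADIUS) rebuilds that step from the values in the working log: it splits the MS-CHAP2-Response attribute into its RFC 2548 fields and derives the 8-byte challenge ntlm_auth receives (RFC 2759 ChallengeHash). The constants are copied from the working server's trace and the default domain `ap1` from its `--domain` expansion; only the four arguments the log shows expanded are rebuilt.

```python
import hashlib
from typing import List, NamedTuple

# Values copied from the working server's debug output above.
AUTH_CHALLENGE = bytes.fromhex("fdd0ccd7059225f80093cea2929eb415")
RESPONSE_ATTR = bytes.fromhex(
    "780017ff811e7761fc6bd332fb45f4f6b3f50000000000000000"
    "b6834efb6626804caf2aa055c5a157851e9bc927698cf23f")
USERNAME = "test26"

class MsChap2Response(NamedTuple):
    ident: int             # 1 byte, echoed back in MS-CHAP2-Success
    peer_challenge: bytes  # 16 bytes chosen by the client
    nt_response: bytes     # 24 bytes proving knowledge of the NT hash

def parse_mschap2_response(attr: bytes) -> MsChap2Response:
    """Split the 50-byte MS-CHAP2-Response value (RFC 2548 s2.3.2):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    if attr[1] != 0 or attr[18:26] != bytes(8):
        raise ValueError("Flags and Reserved must be zero in MS-CHAPv2 (RFC 2759)")
    return MsChap2Response(attr[0], attr[2:18], attr[26:50])

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 s8.2 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    This is the 8-byte value rlm_mschap expands into --challenge=."""
    h = hashlib.sha1(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]

def ntlm_auth_argv(auth_challenge: bytes, attr: bytes, user_name: str,
                   default_domain: str) -> List[str]:
    """Rebuild the four arguments the log shows rlm_mschap expanding for ntlm_auth.
    A 'DOMAIN\\user' User-Name is split; otherwise the configured default domain is used."""
    domain, _, user = user_name.rpartition("\\")
    resp = parse_mschap2_response(attr)
    return [
        f"--username={user}",
        f"--domain={domain or default_domain}",
        f"--challenge={challenge_hash(resp.peer_challenge, auth_challenge, user).hex()}",
        f"--nt-response={resp.nt_response.hex()}",
    ]

if __name__ == "__main__":
    print(" ".join(ntlm_auth_argv(AUTH_CHALLENGE, RESPONSE_ATTR, USERNAME, "ap1")))
```

Running it against the log's values reproduces the `--challenge=cc26ba941d6d9678` and `--nt-response=b6834efb...` lines of the working trace; feeding it the failing server's MS-CHAP-Challenge and MS-CHAP2-Response shows that attribute is well formed too, pointing at the server-side mschap configuration rather than the client.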