Getting a failure [MS-CHAP2-Response is incorrect] while proxying MSCHAPv2 between two FreeRADIUS 2.1.4 servers

Jacky Chan jackyc at wkg1.umac.mo
Wed Mar 25 09:30:26 CET 2009


Hi all,

I installed two FreeRADIUS servers, one as the home server (x.x.x.239/24) and one for
proxy purposes. The home server is working normally with LEAP with MSCHAPv1, and
WPA2 and PEAP with MSCHAPv2.

For another purpose, I need to establish one more FreeRADIUS server working as a
proxy RADIUS server (x.x.x.238/24) to proxy all requests to other home RADIUS servers,
including the existing home FreeRADIUS server mentioned above. But after
testing, PAP and LEAP are proxied successfully, while PEAP/WPA2 with MSCHAPv2
always fails. The following is the debug log from these two FreeRADIUS
2.1.4 servers.

Freeradius (home server) x.x.x.239
rad_recv: Access-Request packet from host x.x.x.238 port 1814, id=58,
length=179
        NAS-IP-Address = x.x.x.21  (NAS for testing)
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "test33"
        Calling-Station-Id = "000000000000"
        Called-Station-Id = "000B86611110"
        MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
        MS-CHAP2-Response =
0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
        Service-Type = Login-User
        Aruba-Location-Id = "N/A"
        Proxy-State = 0x3134
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test33", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry test33 at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for test33 with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test33/<via Auth-Type = mschap>] (from client fd-1 port 0
cli 000000000000)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test33
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 58 to x.x.x.238 port 1814
        Proxy-State = 0x3134
Waking up in 4.9 seconds.
Cleaning up request 0 ID 58 with timestamp +13
Ready to process requests. 


Freeradius (proxy server) x.x.x.238
rad_recv: Access-Request packet from host x.x.x.21 port 32846, id=14,
length=191
        NAS-IP-Address = x.x.x.21
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "test33@aaa.com"
        Calling-Station-Id = "000000000000"
        Called-Station-Id = "000B86611110"
        MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
        MS-CHAP2-Response =
0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
        Service-Type = Login-User
        Aruba-Location-Id = "N/A"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] Looking up realm "aaa.com" for User-Name = "test33@aaa.com"
[suffix] Found realm "aaa.com"
[suffix] Adding Stripped-User-Name = "test33"
[suffix] Adding Realm = "aaa.com"
[suffix] Proxying request from user test33 to realm aaa.com
[suffix] Preparing to proxy authentication request to realm "aaa.com" 
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 58 to x.x.x.239 port 1812
        NAS-IP-Address = x.x.x.21
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "test33"
        Calling-Station-Id = "000000000000"
        Called-Station-Id = "000B86611110"
        MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
        MS-CHAP2-Response =
0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
        Service-Type = Login-User
        Aruba-Location-Id = "N/A"
        Proxy-State = 0x3134
Proxying request 10 to home server x.x.x.239 port 1812
Sending Access-Request of id 58 to x.x.x.239 port 1812
        NAS-IP-Address = x.x.x.21
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "test33"
        Calling-Station-Id = "000000000000"
        Called-Station-Id = "000B86611110"
        MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
        MS-CHAP2-Response =
0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
        Service-Type = Login-User
        Aruba-Location-Id = "N/A"
        Proxy-State = 0x3134
Going to the next request
Waking up in 0.9 seconds.
Waking up in 18.9 seconds.
rad_recv: Access-Reject packet from host x.x.x.239 port 1812, id=58,
length=24
        Proxy-State = 0x3134
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Login incorrect (Home Server says so): [test33@aaa.com/<via Auth-Type =
mschap>] (from client Controller-1 port 0 cli 000000000000)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test33@aaa.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 14 to x.x.x.21 port 32846
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 14 with timestamp +9947
Waking up in 17.2 seconds.
Sending Status-Server of id 70 to 127.0.0.1 port 1812
        Message-Authenticator := 0x00000000000000000000000000000000
        NAS-Identifier := "Status Check. Are you alive?"



You can see that the MS-CHAP-Challenge and the MS-CHAP2-Response are the same
on the two servers, but why does the home server say that the password is wrong? Can
anyone help me check whether there is something wrong in my
configuration? Thanks.

The following is the EAP and mschap module configuration of these two servers:
  mschap {
        use_mppe = no
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
  eap {
        default_eap_type = "mschapv2"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
-- 
View this message in context: http://www.nabble.com/Get-fail--MS-CHAP2-Response-is-incorrect--while-proxy-the-mschapv2-between-two-Freeradius-2.1.4-tp22697072p22697072.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
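As an added illustration (not part of the post or of FreeRADIUS), the code below parses the MS-CHAP2-Response value from the debug output above and carries out the RFC 2759 ChallengeHash step for both spellings of the user name: that 8-byte challenge, which feeds the DES-based NT-Response, binds the user name, so a supplicant that hashed "test33@aaa.com" and a home server that checks the stripped "test33" it received derive different challenges even though the MS-CHAP-Challenge and MS-CHAP2-Response bytes on the wire are identical. It assumes the supplicant used the name as typed; the MD4 and DES steps of RFC 2759 are omitted.

```python
import hashlib
from typing import Dict, Iterable, NamedTuple

# Values copied from the debug output in the post above.
MSCHAP_CHALLENGE = bytes.fromhex("09a864e7160039f4a3947f3b856feb68")
MSCHAP2_RESPONSE = bytes.fromhex(
    "00004b0a36e235cca75db5e5d5664eae3cde0000000000000000"
    "f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993"
)


class MSChap2Response(NamedTuple):
    ident: int
    flags: int
    peer_challenge: bytes  # 16 bytes chosen by the supplicant
    nt_response: bytes     # 24 bytes of DES output (RFC 2759 section 8.1)


def parse_mschap2_response(attr: bytes) -> MSChap2Response:
    """Split the 50-byte MS-CHAP2-Response attribute value (RFC 2548 section 2.3.3)."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    ident, flags = attr[0], attr[1]
    peer_challenge = attr[2:18]
    reserved = attr[18:26]
    if reserved != bytes(8):
        raise ValueError("reserved field must be all zero")
    return MSChap2Response(ident, flags, peer_challenge, attr[26:50])


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2: SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[:8].

    Only a prepended 'DOMAIN\\' is dropped by the RFC; a 'user@realm' suffix is
    part of the name, so the proxy's realm stripping changes this value.
    """
    name = user_name.rsplit("\\", 1)[-1]
    digest = hashlib.sha1(peer_challenge + auth_challenge + name.encode("utf-8")).digest()
    return digest[:8]


def challenges_for(user_names: Iterable[str], attr: bytes = MSCHAP2_RESPONSE,
                   auth_challenge: bytes = MSCHAP_CHALLENGE) -> Dict[str, bytes]:
    """Map each candidate user name to the 8-byte DES challenge a server would derive."""
    resp = parse_mschap2_response(attr)
    return {n: challenge_hash(resp.peer_challenge, auth_challenge, n) for n in user_names}


if __name__ == "__main__":
    for name, chal in challenges_for(["test33@aaa.com", "test33"]).items():
        print(f"{name:16} -> DES challenge {chal.hex()}")
```

Two different 8-byte challenges mean two different expected NT-Responses, which is what the home server's "MS-CHAP2-Response is incorrect" reports when it validates under a name other than the one the supplicant hashed.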