MSCHAP issue - [mschap] FAILED: MS-CHAP2-Response is incorrect

jon michaels joniamasad at gmail.com
Thu Oct 7 07:52:46 CEST 2010


Hi,

I am attempting to replicate a test setup into production and
somewhere along the way I must have forgotten something.

I have an NT-Password stored in a MySQL database and currently get the
following response from FreeRADIUS upon authenticating:

rad_recv: Access-Request packet from host 127.0.0.1 port 58065,
id=224, length=130
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "jo"
	MS-CHAP-Challenge = 0x6bc832b0733a709ab358ab111e88da69
	MS-CHAP2-Response =
0x0d00f974435c9a9eb2abaa5f8350b8c4b30600000000000000000a9a21d7cb82b31bfbd804045063702431fa9ff46e928dd9
	NAS-IP-Address = xx.xx.xx.xx
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "jo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] 	expand: %{User-Name} -> jo
[sql] sql_set_user escaped user --> 'jo'
rlm_sql (sql): Reserving sql socket id: 1
[sql] 	expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'jo'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radcheck           WHERE username = 'jo'           ORDER BY
id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'jo'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radreply           WHERE username = 'jo'           ORDER BY
id
[sql] 	expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'jo'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
       WHERE username = 'jo'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for jo with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> jo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 224 to 127.0.0.1 port 58065
Waking up in 4.9 seconds.
Cleaning up request 6 ID 224 with timestamp +888
Ready to process requests.

I think I missed one option when documenting the test setup.
Unfortunately the test setup was accidentally deleted. Would anyone
know what I missed?

Thanks,

Jon.
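
Added example, not part of the original post and not FreeRADIUS code: a Python script that splits the MS-CHAP2-Response value from the debug output above into its RFC 2759 fields and computes the 8-octet challenge hash from which the NT-Response is derived. The function names and the variant user name "EXAMPLE\jo" are assumptions made for illustration.

```python
import hashlib

# Values copied from the Access-Request in the debug output above.
MS_CHAP_CHALLENGE = "6bc832b0733a709ab358ab111e88da69"
MS_CHAP2_RESPONSE = ("0d00" "f974435c9a9eb2abaa5f8350b8c4b306"  # ident, flags, peer challenge
                     "0000000000000000"                          # reserved
                     "0a9a21d7cb82b31bfbd804045063702431fa9ff46e928dd9")  # NT-Response

def parse_mschap2_response(hex_value):
    """Split the 50-octet MS-CHAP2-Response attribute value into its fields."""
    raw = bytes.fromhex(hex_value.removeprefix("0x"))
    if len(raw) != 50:
        raise ValueError(f"expected 50 octets, got {len(raw)}")
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],
        "reserved": raw[18:26],
        "nt_response": raw[26:50],
    }

def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || user)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]

def nt_password_is_wellformed(value):
    """An NT hash is 16 octets, so the stored hex string must be 32 hex digits."""
    try:
        return len(bytes.fromhex(value.removeprefix("0x"))) == 16
    except ValueError:
        return False

if __name__ == "__main__":
    fields = parse_mschap2_response(MS_CHAP2_RESPONSE)
    auth = bytes.fromhex(MS_CHAP_CHALLENGE)
    print("NT-Response:", fields["nt_response"].hex())
    # The user name is hashed into the challenge, so client and server must
    # use the identical string. "EXAMPLE\\jo" is a constructed variant.
    for name in ("jo", "EXAMPLE\\jo"):
        digest = challenge_hash(fields["peer_challenge"], auth, name)
        print(repr(name), digest.hex())
```

The NT-Response is the DES-based response to this 8-octet hash keyed with the NT hash, so a different user name string on either side, or a stored NT-Password that is not exactly 16 octets, is enough to make the comparison fail.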


