Problem with MSCHAP

Phil Mayers p.mayers at imperial.ac.uk
Fri Oct 8 15:40:44 CEST 2010


On 08/10/10 14:24, Mark Holmes wrote:

> and I see the server returns Access-Accept.

Firstly, don't set Auth-Type. It's almost always the wrong thing to do.

Secondly, this is just testing PAP, i.e. plain username/password auth.
Wireless typically uses 802.1x via EAP.

>
> I then configure MS-CHAP, removing the DEFAULT Auth-Type from users
> and editing modules/mschap as follows
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"


That looks about right.

>
> Output from radius -X at the bottom of this message.  The bit that
> looks relevant to me is
>
> ++[mschap] returns noop

No, you're misreading it - see below.

> [suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
> "firstname.lastname at mydomain.ox.ac.uk" [suffix] No such realm
> "mydomain.ox.ac.uk"
>
> However I'm not sure I need to worry about that bit - at the moment
> this is just a single, stand-alone RADIUS server so I'm not sure I
> need to worry about realms or do I?....

Not for the moment.

>
> Not sure where to go from here - are there some basic things I should
> check?  I haven't included my conf files in this post but happy to do
> so if required.

Don't post the config files. The *full* debug output (from start to 
failure) is what's needed. Something like:

/usr/sbin/radiusd -X | tee thelog.txt

EAP is a multi-pass protocol; there will be 4-8 requests, and the actual 
MS-CHAP failure will be somewhere in the middle, after the EAP-PEAP TLS 
tunnel is established, but before the failure is sent.

> Output from -X

That's just the final packet.

>
> [peap]  Had sent TLV failure.  User was rejected earlier in this session.
> [eap] Handler failed in EAP/peap

This is an EAP-PEAP, not MS-CHAP, request (hence the noop). The failure
occurred in an earlier packet; please post the full debug output.
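The point above, that the real MS-CHAP failure sits in an earlier packet of the same PEAP session, can be checked mechanically once the full log is captured. The script below is an added example, not code from the list post or from the FreeRADIUS project; it splits a radiusd -X log into packets on the rad_recv headers and reports the first module that returned reject. The sample log is a constructed, abbreviated approximation of the 2.x debug format, not a real capture.

```python
import re

# Constructed, abbreviated approximation of "radiusd -X" output for a
# failing EAP-PEAP/MSCHAPv2 session (not a real capture): three
# Access-Requests, with the inner MS-CHAP reject in the second.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.1 port 1024, id=1, length=140
++[mschap] returns noop
++[eap] returns handled
rad_recv: Access-Request packet from host 10.0.0.1 port 1024, id=2, length=250
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns handled
rad_recv: Access-Request packet from host 10.0.0.1 port 1024, id=3, length=160
++[mschap] returns noop
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
++[eap] returns reject
"""

PACKET_RE = re.compile(r"^rad_recv: \S+ packet from .* id=(\d+),")
MODULE_RE = re.compile(r"^\+*\[(\w+)\] returns (\w+)$")


def split_packets(log):
    """Group debug lines by the rad_recv header that starts each packet."""
    packets = []  # list of (packet id, [lines]) in arrival order
    for line in log.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append((int(m.group(1)), []))
        elif packets:
            packets[-1][1].append(line)
    return packets


def first_reject(log):
    """Return (packet id, module, detail lines) for the earliest module that
    'returns reject', or None. The final packet's '[mschap] returns noop' is
    the outer EAP pass, not the cause; the inner failure comes earlier."""
    for pkt_id, lines in split_packets(log):
        for line in lines:
            m = MODULE_RE.match(line)
            if m and m.group(2) == "reject":
                detail = [ln for ln in lines if "FAILED" in ln or "rejected" in ln]
                return pkt_id, m.group(1), detail
    return None
```

Run it against `thelog.txt` from the tee command above by passing the file contents to first_reject; the returned packet id is the one to read closely.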
