MSCHAP failing on new 2.1.10 install

Gary Gatten Ggatten at waddell.com
Wed May 11 23:07:23 CEST 2011


Here's a debug from the 2.1.6 that's working...  Wait a sec....  I think I MAY have found something.  I'm making backup copies of the files with a .org extension...  I bet it's reading the .org files and overwriting my changes.  Standby....

rad_recv: Access-Request packet from host 10.1.22.194 port 32794, id=125, length=219
        NAS-IP-Address = 1.1.2.4
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "netengtest"
        Calling-Station-Id = "000000000000"
        Called-Station-Id = "000B8661BF34"
        MS-CHAP-Challenge = 0x6dba078ee718725c618d84a1edce5d14
        MS-CHAP2-Response = 0x0000bb4bb8bf5790e6f254f196e3dc59af970000000000000000f78d6e1108740133b7a6b5248401860d589fece32e60e83d
        Service-Type = Login-User
        Aruba-Location-Id = "N/A"
        NAS-Identifier = "HQ"
        Message-Authenticator = 0xe64a9afbb0da2f21d145e35dd4339e5f
+- entering group authorize {...}
[preprocess]    expand: %{NAS-IP-Address} -> 1.1.2.4
[preprocess]    expand: %{NAS-IP-Address} -> 1.1.2.4
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP

+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap]        expand: %{mschap:User-Name} -> netengtest
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap]  mschap2: 6d
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=22eb815d95193969
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=f78d6e1108740133b7a6b5248401860d589fece32e60e83d
Exec-Program output: NT_KEY: 2CB678F2CDDD71FC2F7E2E038A479AC4
Exec-Program-Wait: plaintext: NT_KEY: 2CB678F2CDDD71FC2F7E2E038A479AC4
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [netengtest] (from client port 0 cli 000000000000)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 125 to 1.1.2.4 port 32794
        MS-CHAP2-Success = 0x00533d38394139443743353134443335433741333733434338353734334543323944414144443635443733
        MS-MPPE-Recv-Key = 0xc0897c3ada77f45bda8b05c5814a2c1a
        MS-MPPE-Send-Key = 0x113ca9198c618a90fabb20678030dee3
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 125 with timestamp +6
Ready to process requests.






-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, May 11, 2011 3:43 PM
To: 'FreeRadius users mailing list'
Subject: RE: MSCHAP failing on new 2.1.10 install

I told it to use ntlm_auth, I guess it's not listening.  I followed docs AND RTFM, guess I missed something....

I did notice the 2.1.10 includes a "module" called ntlm_auth where 2.1.6 did not.  I'm looking into this now...

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 11, 2011 3:38 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: MSCHAP failing on new 2.1.10 install

On 05/11/2011 09:12 PM, Gary Gatten wrote:
> PAP works, MSCHAP fails - specifically MSCHAPv2.
>
> This is a fresh install of 2.1.10, built from source. I'm using
> ntlm_auth;

No, you're not:

>
> +- entering group MS-CHAP {...}
>
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>
> [mschap] Creating challenge hash with username: netengtest
>
> [mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
>
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>
> [mschap] FAILED: MS-CHAP2-Response is incorrect

See? No "ntlm_auth"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
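
The comparison made by eye in this thread (a working debug that shows an Exec-Program helper run, and a failing one that stops at "No NT/LM-Password"), written as an added Python example; it is not part of the original messages and not FreeRADIUS code. The sample strings are constructed from the debug lines quoted on this page, with the NT_KEY value replaced by a placeholder, and the verdict labels are hypothetical names.

```python
import re

# Constructed samples, built from the debug lines quoted in this thread.
WORKING = """\
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
Exec-Program output: NT_KEY: <redacted>
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
"""
FAILING = """\
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
"""

GROUP = re.compile(r"^\+- entering group (\S+)", re.M)
EXEC_RC = re.compile(r"^Exec-Program: returned: (-?\d+)", re.M)

def mschap_sections(debug):
    """Yield the text of each 'group MS-CHAP' section in the debug output."""
    marks = list(GROUP.finditer(debug))
    for i, m in enumerate(marks):
        if m.group(1) == "MS-CHAP":
            end = marks[i + 1].start() if i + 1 < len(marks) else len(debug)
            yield debug[m.end():end]

def classify(section):
    """Report which path the mschap module took for one request."""
    rc = EXEC_RC.search(section)
    if rc:  # an external helper was executed and returned a status
        return "external-helper-ok" if rc.group(1) == "0" else "external-helper-failed"
    if "No NT/LM-Password" in section:
        return "local-hash-missing"  # no helper ran; module had no hash to compare
    return "unknown"

def report(debug):
    """One verdict per MS-CHAP section, in the order they appear."""
    return [classify(s) for s in mschap_sections(debug)]
```
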

