MSCHAP Auth fails

Weber, Felix Felix.Weber at
Wed Apr 4 13:59:53 CEST 2012

Hello out there,

I'm testing the FreeRADIUS Version 2.1.12 module with AD integration
following the guide.
Installed winbind and samba Version 3.6.3 and ntlm_auth tests are fine.
Now I'm testing with radtest while running radius in debug mode.
The following line has been added to users:
DEFAULT     Auth-Type = mschap

This is the output from radtest:
radtest -t mschap User001 USERPW localhost 0 s3cr3t
Sending Access-Request of id 61 to port 1812
        User-Name = "User001"
        NAS-IP-Address =
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x7e9462ca7fbf5d20
        MS-CHAP-Response =
rad_recv: Access-Reject packet from host port 1812, id=61,
        MS-CHAP-Error = "\000E=691 R=1"

And this from radiusd  -X:
Ready to process requests.
rad_recv: Access-Request packet from host port 48471, id=105,
        User-Name = "User001"
        NAS-IP-Address =
        NAS-Port = 0
        Message-Authenticator = 0x5d1a20d2d2c7897d376d003f73153552
        MS-CHAP-Challenge = 0x28d302e62ccf7399
        MS-CHAP-Response =
server packetfence {
# Executing section authorize from file
+- entering group authorize {...}
[suffix] No '@' in User-Name = "User001", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair User-Name = User001
rlm_perl: Added pair MS-CHAP-Response =
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address =
rlm_perl: Added pair MS-CHAP-Challenge = 0x28d302e62ccf7399
rlm_perl: Added pair Message-Authenticator =
rlm_perl: Added pair Auth-Type = MSCHAP
++[packetfence] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap]        ... expanding second conditional
[mschap]        expand: %{mschap:User-Name:-None} -> User001
[mschap]        expand:
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} ->
[mschap]  mschap1: 28
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
[mschap]        expand: #ntresponse=%{mschap:NT-Response:-00} ->
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure
(0xc000006d)): [User001] (from client port 0)

The ntlm_auth is well configured in mschap module (--ntresponse)!
Thanks for helping.
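
A triage helper for the radiusd -X output above, added here as an example and not part of the original post or of FreeRADIUS: it lists expanded ntlm_auth arguments that are not well-formed long options and decodes the two failure codes. The function names, the option allow-list and the code tables are assumptions of this example; the sample lines are copied from the post's output.

```python
import re

# Constructed sample: lines copied from the radiusd -X and radtest output in the post.
SAMPLE = r"""
[mschap]        expand: %{mschap:User-Name:-None} -> User001
[mschap]        expand:
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} ->
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
[mschap]        expand: #ntresponse=%{mschap:NT-Response:-00} ->
Exec-Program output: Logon failure (0xc000006d)
        MS-CHAP-Error = "\000E=691 R=1"
"""

# Assumption: ntlm_auth options that take a value in an MS-CHAP helper command line.
KNOWN_OPTS = {"--username", "--domain", "--challenge", "--nt-response"}
# MS-CHAP failure codes from RFC 2433.
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled",
                 648: "password expired", 649: "no dial-in permission",
                 691: "authentication failure", 709: "changing password"}
NTSTATUS = {"0xc000006d": "STATUS_LOGON_FAILURE", "0xc0000064": "STATUS_NO_SUCH_USER",
            "0xc000006a": "STATUS_WRONG_PASSWORD", "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT"}

def check_ntlm_args(log):
    """Return (option, problem) for each expanded 'opt=%{...}' argument that looks wrong."""
    findings = []
    for line in log.splitlines():
        # Drop the "[mschap] expand:" prefix; wrapped lines arrive without it.
        text = re.sub(r"^\[mschap\]\s+(expand:)?\s*", "", line.strip())
        m = re.match(r"([^\s=%]+)=%\{", text)
        if not m:
            continue
        opt = m.group(1)
        if not opt.startswith("--"):
            findings.append((opt, "does not start with '--'"))
        elif opt not in KNOWN_OPTS:
            findings.append((opt, "not in the expected ntlm_auth option list"))
    return findings

def decode_failure(log):
    """Decode MS-CHAP-Error (E=code, R=retry flag) and the NTSTATUS printed by ntlm_auth."""
    out = {}
    m = re.search(r"E=(\d+) R=(\d)", log)
    if m:
        out["mschap"] = (MSCHAP_ERRORS.get(int(m.group(1)), "unknown"), m.group(2) == "1")
    m = re.search(r"\((0x[0-9a-fA-F]{8})\)", log)
    if m:
        out["ntstatus"] = NTSTATUS.get(m.group(1).lower(), "unknown")
    return out
```

Run over the sample, the only argument flagged is the one logged as `#ntresponse=`; the codes decode to a generic authentication failure with retry allowed and STATUS_LOGON_FAILURE.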
