FR 3.0.4: MS-CHAP2-Response is incorrect

Khapare Joshi khapare77 at gmail.com
Tue Dec 2 11:27:17 CET 2014


On Tue, Dec 2, 2014 at 9:52 AM, Heiko O <puettagoras at gmail.com> wrote:

> Hello all,
>
> I have two questions on realms:
>
> Authentication works fine when users only enter "username", but I want
> the users to log in with something like "username at thedomain.net". But
> when doing this I get
>
> (0)  preprocess :    --> testuser
> (0)   [preprocess] = ok
> (0)   [chap] = noop
> (0)  mschap : Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> (0)   [mschap] = ok
> (0)   [digest] = noop
> (0)  suffix : Checking for suffix after "@"
> (0)  suffix : No '@' in User-Name = "testuser", looking up realm NULL
> (0)  suffix : No such realm "NULL"
> (0)   [suffix] = noop
> (0)  eap : No EAP-Message, not doing EAP
> (0)   [eap] = noop
> (0)  sql : EXPAND %{User-Name}
> (0)  sql :    --> testuser
> (0)  sql : SQL-User-Name set to 'testuser'
> rlm_sql (sql): Reserved connection (4)
> (0)  sql : EXPAND SELECT id, UserName, Attribute, Value, Op FROM
> radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
> (0)  sql :    --> SELECT id, UserName, Attribute, Value, Op FROM
> radcheck WHERE Username = 'testuser' ORDER BY id
> rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute,
> Value, Op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> rlm_sql_postgresql: query affected rows = 1 , fields = 5
> (0)  sql : User found in radcheck table
> (0)  sql : Check items matched
> (0)  sql : EXPAND SELECT id, UserName, Attribute, Value, Op FROM
> radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
> (0)  sql :    --> SELECT id, UserName, Attribute, Value, Op FROM
> radreply WHERE Username = 'testuser' ORDER BY id
> rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute,
> Value, Op FROM radreply WHERE Username = 'testuser' ORDER BY id'
> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> rlm_sql_postgresql: query affected rows = 2 , fields = 5
> (0)  sql : User found in radreply table
> (0)  sql : EXPAND SELECT GroupName FROM radusergroup WHERE
> UserName='%{SQL-User-Name}' ORDER BY priority
> (0)  sql :    --> SELECT GroupName FROM radusergroup WHERE
> UserName='testuser' ORDER BY priority
> rlm_sql (sql): Executing query: 'SELECT GroupName FROM radusergroup
> WHERE UserName='testuser' ORDER BY priority'
> rlm_sql_postgresql: Status: PGRES_TUPLES_OK
> rlm_sql_postgresql: query affected rows = 0 , fields = 1
> (0)  sql : User not found in any groups
> rlm_sql (sql): Released connection (4)
> (0)   [sql] = ok
> (0)   [expiration] = noop
> (0)   [logintime] = noop
> (0)  } #  authorize = ok
> (0) Found Auth-Type = MSCHAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)  Auth-Type MS-CHAP {
> (0)  mschap : Found Cleartext-Password, hashing to create LM-Password
> (0)  mschap : Found Cleartext-Password, hashing to create NT-Password
> (0)  mschap : Creating challenge hash with username: testuser
> (0)  mschap : Client is using MS-CHAPv2
> (0)  ERROR: mschap : MS-CHAP2-Response is incorrect
> (0)   [mschap] = reject
> (0)  } # Auth-Type MS-CHAP = reject
> (0) Failed to authenticate the user
>
> I did a lot of trial and error with suffix and Strip and configuring,
> but I can't get mschap to work.
> How can I teach mschap to work with "user at thedomain.net"?
> BTW: The radcheck table contains simply "username" with no realms, and
> that cannot be changed.
>
All my users must provide whatever at domain.com, and this is working fine.
I don't use SQL but my backend password server is AD

I have this regex in my sites-enabled/default authorize section:

if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) {
        ...
}

So if a user does not supply whatever at domain.com, I simply reject; there
are a number of discussions on this.


> The second question is about proxying. Since there is only one
> RADIUS server, proxying is not needed. I wonder if I really have to
> add a realm and proxy the request to localhost.
> Is there a way to say "Hey, just answer all queries with
> @thedomain.org and don't proxy it to yourself"?
>
Similarly, you can achieve this with a regex as well.

if (Realm == "thedomain.org") {
        update control {
                Proxy-To-Realm := LOCAL
        }
}
else {
        ...
        reject
}

> Thanks for your help and suggestions.
> Heiko
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
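Putting the two answers together, here is an added example of an authorize section (not from the thread, and not Heiko's or Khapare's config) that accepts only "user@thedomain.net", strips the realm so the radcheck lookup sees the bare username, and answers locally without proxying. The realm name, the module order and the sql_user_name change are assumptions about the setup in question.

```unlang
# /etc/raddb/sites-enabled/default, authorize section (added example;
# realm name and module order are assumptions, not the thread's own config)
authorize {
        preprocess

        # Split "user@domain" into the bare user and the realm.
        # A User-Name with no realm at all is rejected here.
        if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) {
                update request {
                        Stripped-User-Name := "%{1}"
                        Realm := "%{2}"
                }
        }
        else {
                reject
        }

        # The single realm is served on this server: no realm entry in
        # proxy.conf and no proxy to localhost. Any other realm is rejected.
        if (Realm =~ /^thedomain\\.net$/i) {
                update control {
                        Proxy-To-Realm := LOCAL
                }
        }
        else {
                reject
        }

        mschap

        # sql looks users up by SQL-User-Name (see the EXPAND lines in the
        # debug output). radcheck holds bare usernames, so in
        # mods-available/sql set:
        #   sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
        sql
}
```

Note that RFC 2759 computes the MS-CHAPv2 challenge hash over the username string, so the name rlm_mschap reports in "Creating challenge hash with username" must be the one the client used; the stripping above changes what sql looks up, not what the client hashed.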

