mschap : NT-Password has not been normalized by the 'pap' module.

Mohamed Lrhazi Mohamed.Lrhazi at georgetown.edu
Tue Mar 10 02:05:39 CET 2015


Thanks Arran. My error changed, which is a good sign :)

I believe I had this before:

update {
        control:Password-With-Header    += 'userPassword'
        control:NT-Password     := 'gunthash'
}

which I changed to this:

update {
        control:Password-With-Header    += 'gunthash'
}

Now the log looks like:

(8) ldap : User object found at DN "uid=ml623,ou=People,dc=georgetown,dc=edu"
(8) ldap : Processing user attributes
(8) ldap :      control:Password-With-Header += ''{MD4}6DDDAFA<and so on>''
rlm_ldap (ldap): Released connection (4)
(8)   [ldap] = ok
(8)    if ((ok || updated) && User-Password)
(8)    if ((ok || updated) && User-Password)  -> FALSE
(8)   [expiration] = noop
(8)   [logintime] = noop
(8) WARNING: pap : Found unknown header {{MD4}}: Not doing anything
(8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(8) WARNING: pap : Auth-Type already set.  Not setting to PAP
(8)   [pap] = noop
(8)  } #  authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x118e6e5211867494
(8) eap : Finished EAP session with state 0x118e6e5211867494
(8) eap : Previous EAP request found for state 0x118e6e5211867494, released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 :  Auth-Type MS-CHAP {
(8) mschap : Found Cleartext-Password, hashing to create LM-Password
(8) mschap : Found Cleartext-Password, hashing to create NT-Password
(8) mschap : Creating challenge hash with username: ml623
(8) mschap : Client is using MS-CHAPv2
(8) ERROR: mschap : MS-CHAP2-Response is incorrect
(8)   [mschap] = reject




On Mon, Mar 9, 2015 at 3:48 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:

>
> > On 9 Mar 2015, at 15:42, Mohamed Lrhazi <Mohamed.Lrhazi at georgetown.edu>
> wrote:
> >
> > Hello,
> >
> > Trying to get freeradius working for tls and mschap and ldap based
> > authentication... seems the password is found correctly in LDAP, but
> fails
> > to be decoded maybe?
> >
> > the passwords in LDAP look like: {MD4}6DDDA<and so on..>
>
> Map the LDAP attribute to control:Password-With-Header instead of
> control:NT-Password,
> the PAP module should then normalise the NT Password string, by stripping
> off the header,
> converting the hex to binary, and copying it to control:NT-Password.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>


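The normalisation described in the quoted reply (strip the header, convert the hex to binary, store it as NT-Password) and the fallback visible in the log above (unrecognised header, so the whole string is rewritten to Cleartext-Password and mschap hashes that string instead of using the stored hash), as an added Python sketch. It is not FreeRADIUS code and is not part of the original thread; the accepted-header table, the function name and the sample hash are assumptions constructed for illustration.

```python
import binascii
import re

# Assumption: header names this sketch treats as "the body is a hex NT hash".
# {MD4} is deliberately absent, mirroring the "Found unknown header" warning
# in the log above. This is a hypothetical table, not the pap module's own.
NT_HEADERS = frozenset({"nt", "nthash"})

HEADER_RE = re.compile(r"^\{([^{}]+)\}(.*)$", re.S)

# Constructed sample value (not the hash from the thread, which is truncated).
SAMPLE = "{MD4}00112233445566778899AABBCCDDEEFF"


def normalise(value, nt_headers=NT_HEADERS):
    """Map a Password-With-Header string to (control attribute, value)."""
    match = HEADER_RE.match(value)
    if match is None or match.group(1).lower() not in nt_headers:
        # Missing or unrecognised header: the whole string, header included,
        # is kept as Cleartext-Password. An MS-CHAP module would then derive
        # an NT hash from that literal string, which cannot match the client.
        return ("Cleartext-Password", value)

    body = match.group(2).strip()
    try:
        raw = binascii.unhexlify(body)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("NT hash body is not valid hex") from exc
    if len(raw) != 16:
        # An NT hash is an MD4 digest: always 16 bytes (32 hex characters).
        raise ValueError("NT hash must be 16 bytes, got %d" % len(raw))
    return ("NT-Password", raw)


def demo():
    """Show the same value with and without {MD4} in the accepted table."""
    return {
        "header unknown": normalise(SAMPLE),
        "header accepted": normalise(SAMPLE, nt_headers={"md4"}),
    }


if __name__ == "__main__":
    for case, (attr, val) in demo().items():
        shown = val.hex() if isinstance(val, bytes) else val
        print("%-16s -> control:%s = %s" % (case, attr, shown))
```

When reading a debug log, the check is which attribute mschap reports finding: "Found Cleartext-Password, hashing to create NT-Password" on an account that stores a hash means the normalisation step did not recognise the header.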