Yet Another PEAP-MSCHAPV2 problem

Matthew Newton mcn4 at leicester.ac.uk
Mon Sep 21 22:16:04 CEST 2015


On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
> (12)   User-Name = "debio at ndtel.com"
...
> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (7)
> (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (19) ldap:    --> (uid=debio)
> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
> (19) ldap: Waiting for search result...
> (19) ldap: Search returned no results

^^^ this ^^^

Your LDAP search is failing for user debio...


...
> (19) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (19) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> (19) mschap: Creating challenge hash with username: debio at ndtel.com
> (19) mschap: Client is using MS-CHAPv2
> (19) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication

> (21)   User-Name = "alexm at ndtel.com"
...
> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (10)
> (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (28) ldap:    --> (uid=alexm)
> (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
> (28) ldap: Waiting for search result...
> (28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
> (28) ldap: Processing user attributes
> (28) ldap:   control:Password-With-Header += 'ose55m1'

...but fine for alexm.

...
> (28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
> (28) pap: Removing &control:Password-With-Header
...
> (28) mschap: Found Cleartext-Password, hashing to create NT-Password
> (28) mschap: Found Cleartext-Password, hashing to create LM-Password
> (28) mschap: Creating challenge hash with username: alexm at ndtel.com
> (28) mschap: Client is using MS-CHAPv2
> (28) mschap: Adding MS-CHAPv2 MPPE keys
> (28)     [mschap] = ok


So FreeRADIUS can't get a password, hence mschap fails.

When you bind as the same account FR binds as and do a search as
below, does it find anything?

> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
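The diagnosis in the reply above, correlating each request's LDAP search result with its mschap outcome, written as an added example (not part of the original message or of FreeRADIUS). The function names are hypothetical and the sample lines are constructed in the format of the debug output quoted above.

```python
import re

# Constructed sample in the format of the debug output quoted in this thread.
SAMPLE = """\
rlm_ldap (ldap): Reserved connection (7)
(19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
(19) ldap: Search returned no results
(19) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(19) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
(28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
(28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(28) mschap: Found Cleartext-Password, hashing to create NT-Password
(28)     [mschap] = ok
"""

# "(N) message", optionally behind a mail-quote marker; N is the request number.
LINE = re.compile(r'^(?:>\s*)?\((\d+)\)\s+(.*)$')
SEARCH = re.compile(
    r'ldap: Performing search in "([^"]*)" with filter "([^"]*)", scope "([^"]*)"')

def diagnose(debug_text):
    """Return {request_id: state} built from per-request debug lines."""
    reqs = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a request number (e.g. rlm_ldap pool messages)
        rid, msg = int(m.group(1)), m.group(2)
        r = reqs.setdefault(rid, {"search": None, "ldap": "not run", "mschap": "not run"})
        s = SEARCH.search(msg)
        if s:
            r["search"] = s.groups()  # (base DN, filter, scope)
        elif "ldap: Search returned no results" in msg:
            r["ldap"] = "no results"
        elif "ldap: User object found at DN" in msg:
            r["ldap"] = "found"
        elif "mschap: ERROR: FAILED: No NT/LM-Password" in msg:
            r["mschap"] = "no password"
        elif "[mschap] = ok" in msg:
            r["mschap"] = "ok"
    return reqs

def missing_user_failures(debug_text):
    """Requests where mschap had no password because the LDAP search was empty."""
    return {rid: r["search"] for rid, r in diagnose(debug_text).items()
            if r["ldap"] == "no results" and r["mschap"] == "no password"}

if __name__ == "__main__":
    for rid, (base, flt, scope) in missing_user_failures(SAMPLE).items():
        print(f"request {rid}: re-check base={base} filter={flt} scope={scope}")
```

The base, filter and scope it reports are the values to re-run by hand while bound as the account FreeRADIUS binds as.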

