Yet Another PEAP-MSCHAPV2 problem

Alex Moen alexm at ndtel.com
Mon Sep 21 22:34:19 CEST 2015


On 09/21/2015 03:16 PM, Matthew Newton wrote:
> On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
>> (12)   User-Name = "debio at ndtel.com"
> ...
>> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
>> rlm_ldap (ldap): Waiting for bind result...
>> rlm_ldap (ldap): Bind successful
>> rlm_ldap (ldap): Reserved connection (7)
>> (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>> (19) ldap:    --> (uid=debio)
>> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
>> (19) ldap: Waiting for search result...
>> (19) ldap: Search returned no results
>
> ^^^ this ^^^
>
> Your LDAP search is failing for user debio...
>
>
> ...
>> (19) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>> (19) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
>> (19) mschap: Creating challenge hash with username: debio at ndtel.com
>> (19) mschap: Client is using MS-CHAPv2
>> (19) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
>
>> (21)   User-Name = "alexm at ndtel.com"
> ...
>> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
>> rlm_ldap (ldap): Waiting for bind result...
>> rlm_ldap (ldap): Bind successful
>> rlm_ldap (ldap): Reserved connection (10)
>> (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>> (28) ldap:    --> (uid=alexm)
>> (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
>> (28) ldap: Waiting for search result...
>> (28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
>> (28) ldap: Processing user attributes
>> (28) ldap:   control:Password-With-Header += 'ose55m1'
>
> ...but fine for alexm.
>
> ...
>> (28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
>> (28) pap: Removing &control:Password-With-Header
> ...
>> (28) mschap: Found Cleartext-Password, hashing to create NT-Password
>> (28) mschap: Found Cleartext-Password, hashing to create LM-Password
>> (28) mschap: Creating challenge hash with username: alexm at ndtel.com
>> (28) mschap: Client is using MS-CHAPv2
>> (28) mschap: Adding MS-CHAPv2 MPPE keys
>> (28)     [mschap] = ok
>
>
> So FreeRADIUS can't get a password, hence mschap fails.
>
> When you bind as the same account FR binds as and do a search as
> below, does it find anything?
>
>> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
>
> Matthew
>
>

In a word, yes.  Here's a copy of the output from the server running FreeRADIUS:

[root at ndtc-fs]# ldapsearch -x -H ldap://66.163.129.140 -D 'cn=admin,o=ndtc' -W -b 'uid=debio at ndtel.com,ou=ndtel,o=ndtc' -s sub
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=debio at ndtel.com,ou=ndtel,o=ndtc> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# debio at ndtel.com, ndtel, ndtc
dn: uid=debio at ndtel.com,ou=ndtel,o=ndtc
uid: debio at ndtel.com
cn: Debi
sn: O
mail: debio at ndtel.com
uidNumber: 640
homeDirectory: /cust/ndtel/users/debio
gecos: Debi Ohma,,
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: mailUser
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-2280
sambaHomeDrive: F:
sambaHomePath: \\ndtc-fs\cust\ndtel\users
gidNumber: 500
sambaPrimaryGroupSID: S-1-5-21-3311107553-3899660464-2674327009-2001
shadowExpire: -1
sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE
sambaAcctFlags: [U]
sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE
sambaPwdLastSet: 1390515443
sambaPwdMustChange: 1394403443
shadowLastChange: 16093
shadowMax: 99999
userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-- 
Alex Moen
NSTII
North Dakota Telephone Company
701-662-6481
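The two debug traces quoted above differ in one place: the ldap module expands its filter to `(uid=debio)` (Stripped-User-Name, the realm already removed), while the ldapsearch output shows the entry stored with the full address as its uid (`uid=debio@ndtel.com`; the "at" in the archive is address munging), so the search returns nothing and mschap has no password to hash. The script below is an added walk-through, not code from the thread or from FreeRADIUS: it re-creates the `%{%{Stripped-User-Name}:-%{User-Name}}` expansion and a simple equality search over constructed entries modelled on the post, then shows which control attribute mschap could work from for each entry (a header-less userPassword becomes Cleartext-Password as the alexm trace shows; a hex NT hash such as the entry's sambaNTPassword can be mapped to NT-Password; an {SSHA} digest alone yields nothing). The directory contents, the realm list and the hash values are constructed placeholders.

```python
"""
Constructed walk-through of why the ldap module's search misses 'debio'
in the thread above.  Nothing here is FreeRADIUS code; the entries,
realm list and hash values are placeholders made up for the example.
"""
import re

# Constructed entries modelled on the thread's ldapsearch output.
# Hash values are placeholders, not real digests.
DIRECTORY = [
    {"dn": "uid=alexm,ou=ndtcadministration,o=ndtc",
     "uid": "alexm",
     "mail": "alexm@ndtel.com",
     "userPassword": "constructed-cleartext"},          # no {header}: usable as cleartext
    {"dn": "uid=debio@ndtel.com,ou=ndtel,o=ndtc",
     "uid": "debio@ndtel.com",                           # full address stored in uid
     "mail": "debio@ndtel.com",
     "userPassword": "{SSHA}PLACEHOLDER-NOT-A-REAL-HASH",
     "sambaNTPassword": "00112233445566778899AABBCCDDEEFF"},  # placeholder hex NT hash
    {"dn": "uid=nohash,ou=ndtel,o=ndtc",
     "uid": "nohash",
     "userPassword": "{SSHA}PLACEHOLDER-NOT-A-REAL-HASH"},    # digest only
]

DEFAULT_FILTER = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"


def strip_realm(user_name, known_realms):
    """Mimic realm stripping: for login@realm with a recognised realm the
    bare login becomes Stripped-User-Name; otherwise it is left unset."""
    if "@" in user_name:
        login, realm = user_name.rsplit("@", 1)
        if realm.lower() in known_realms:
            return {"User-Name": user_name, "Stripped-User-Name": login}
    return {"User-Name": user_name}


def xlat(template, request):
    """Expand %{attr} and the %{%{attr}:-%{fallback}} default form, which
    are the only expansion forms the filters in this example use."""
    pattern = re.compile(r"%\{%\{([\w-]+)\}:-%\{([\w-]+)\}\}|%\{([\w-]+)\}")

    def sub(m):
        primary, fallback, plain = m.groups()
        if plain:
            return request.get(plain, "")
        return request.get(primary) or request.get(fallback, "")

    return pattern.sub(sub, template)


def ldap_search(directory, filter_str):
    """Minimal case-insensitive '(attr=value)' equality search."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filter_str)
    if not m:
        raise ValueError("only simple equality filters are supported: " + filter_str)
    attr, value = m.groups()
    return [e for e in directory if e.get(attr, "").lower() == value.lower()]


def lookup(user_name, filter_template=DEFAULT_FILTER, known_realms=("ndtel.com",)):
    """Return (expanded_filter, matching_dn_or_None) for a login name."""
    request = strip_realm(user_name, known_realms)
    expanded = xlat(filter_template, request)
    hits = ldap_search(DIRECTORY, expanded)
    return expanded, (hits[0]["dn"] if hits else None)


def password_source(entry):
    """Which control attribute mschap could derive an NT hash from:
    header-less userPassword -> Cleartext-Password (as in the alexm trace),
    32-hex-digit NT hash -> NT-Password, {SSHA} digest alone -> None."""
    pw = entry.get("userPassword", "")
    if pw and not pw.startswith("{"):
        return "Cleartext-Password"
    if re.fullmatch(r"[0-9A-Fa-f]{32}", entry.get("sambaNTPassword", "")):
        return "NT-Password"
    return None


if __name__ == "__main__":
    for user in ("debio@ndtel.com", "alexm@ndtel.com"):
        for tmpl in (DEFAULT_FILTER, "(uid=%{User-Name})", "(mail=%{User-Name})"):
            print(user, tmpl, "->", lookup(user, tmpl))
    for entry in DIRECTORY:
        print(entry["dn"], "->", password_source(entry))
```

Running it shows the default template producing `(uid=debio)` with no hit for the first user and `(uid=alexm)` with a hit for the second, which is exactly the split between the two quoted traces; a filter that uses the unstripped `%{User-Name}` or the `mail` attribute matches the debio entry instead. The `password_source` output shows why, even once the entry is found, an `{SSHA}` userPassword on its own leaves mschap with the "No NT/LM-Password" error from the trace, whereas a 32-hex-digit NT hash is something mschap can use directly.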
