Yet Another PEAP-MSCHAPV2 problem

Isaac Boukris iboukris at gmail.com
Mon Sep 21 22:53:47 CEST 2015


On Mon, Sep 21, 2015 at 11:34 PM, Alex Moen <alexm at ndtel.com> wrote:
> On 09/21/2015 03:16 PM, Matthew Newton wrote:
>>
>> On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
>>>
>>> (12)   User-Name = "debio at ndtel.com"
>>
>> ...
>>>
>>> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
>>> rlm_ldap (ldap): Waiting for bind result...
>>> rlm_ldap (ldap): Bind successful
>>> rlm_ldap (ldap): Reserved connection (7)
>>> (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>>> (19) ldap:    --> (uid=debio)
>>> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope
>>> "sub"
>>> (19) ldap: Waiting for search result...
>>> (19) ldap: Search returned no results
>>
>>
>> ^^^ this ^^^
>>
>> Your LDAP search is failing for user debio...
>>
>>
>> ...
>>>
>>> (19) mschap: WARNING: No Cleartext-Password configured.  Cannot create
>>> NT-Password
>>> (19) mschap: WARNING: No Cleartext-Password configured.  Cannot create
>>> LM-Password
>>> (19) mschap: Creating challenge hash with username: debio at ndtel.com
>>> (19) mschap: Client is using MS-CHAPv2
>>> (19) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
>>> authentication
>>
>>
>>> (21)   User-Name = "alexm at ndtel.com"
>>
>> ...
>>>
>>> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
>>> rlm_ldap (ldap): Waiting for bind result...
>>> rlm_ldap (ldap): Bind successful
>>> rlm_ldap (ldap): Reserved connection (10)
>>> (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>>> (28) ldap:    --> (uid=alexm)
>>> (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope
>>> "sub"
>>> (28) ldap: Waiting for search result...
>>> (28) ldap: User object found at DN
>>> "uid=alexm,ou=ndtcadministration,o=ndtc"
>>> (28) ldap: Processing user attributes
>>> (28) ldap:   control:Password-With-Header += 'ose55m1'
>>
>>
>> ...but fine for alexm.
>>
>> ...
>>>
>>> (28) pap: No {...} in Password-With-Header, re-writing to
>>> Cleartext-Password
>>> (28) pap: Removing &control:Password-With-Header
>>
>> ...
>>>
>>> (28) mschap: Found Cleartext-Password, hashing to create NT-Password
>>> (28) mschap: Found Cleartext-Password, hashing to create LM-Password
>>> (28) mschap: Creating challenge hash with username: alexm at ndtel.com
>>> (28) mschap: Client is using MS-CHAPv2
>>> (28) mschap: Adding MS-CHAPv2 MPPE keys
>>> (28)     [mschap] = ok
>>
>>
>>
>> So FreeRADIUS can't get a password, hence mschap fails.
>>
>> When you bind as the same account FR binds as and do a search as
>> below, does it find anything?
>>
>>> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope
>>> "sub"
>>
>>
>> Matthew
>>
>>
>
> In a word, yes.  Here's a copy of the output from the server running
> FreeRADIUS:

In two words - no.
u != u at d

> [root at ndtc-fs]# ldapsearch -x -H ldap://66.163.129.140 -D 'cn=admin,o=ndtc'
> -W -b 'uid=debio at ndtel.com,ou=ndtel,o=ndtc' -s sub
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=debio at ndtel.com,ou=ndtel,o=ndtc> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # debio at ndtel.com, ndtel, ndtc
> dn: uid=debio at ndtel.com,ou=ndtel,o=ndtc
> uid: debio at ndtel.com
> cn: Debi
> sn: O
> mail: debio at ndtel.com
> uidNumber: 640
> homeDirectory: /cust/ndtel/users/debio
> gecos: Debi Ohma,,
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: mailUser
> loginShell: /bin/bash
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaSID: S-1-5-21-3311107553-3899660464-2674327009-2280
> sambaHomeDrive: F:
> sambaHomePath: \\ndtc-fs\cust\ndtel\users
> gidNumber: 500
> sambaPrimaryGroupSID: S-1-5-21-3311107553-3899660464-2674327009-2001
> shadowExpire: -1
> sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE
> sambaAcctFlags: [U]
> sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE
> sambaPwdLastSet: 1390515443
> sambaPwdMustChange: 1394403443
> shadowLastChange: 16093
> shadowMax: 99999
> userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> --
> Alex Moen
> NSTII
> North Dakota Telephone Company
> 701-662-6481
>
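The mismatch Isaac is pointing at, as an added example that is not part of the thread: the quoted rlm_ldap filter expansion `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` modelled in Python against constructed entries shaped like the two quoted results (alexm stored as a bare uid, debio stored with the full mail address as uid), plus a hypothetical OR-filter variant that accepts either uid convention. The realm stripping, the filter evaluator and the variant filter are simplified assumptions written for this illustration, not FreeRADIUS code.

```python
import re

# Constructed entries modelled on the two quoted ldapsearch / rlm_ldap results:
# alexm's uid is the bare login name, debio's uid is the full mail address.
DIRECTORY = [
    {"dn": "uid=alexm,ou=ndtcadministration,o=ndtc", "uid": "alexm"},
    {"dn": "uid=debio@ndtel.com,ou=ndtel,o=ndtc", "uid": "debio@ndtel.com"},
]

def stripped_user_name(user_name):
    """Assumed realm stripping: 'user@realm' -> 'user'; no realm -> None (attribute unset)."""
    return user_name.rsplit("@", 1)[0] if "@" in user_name else None

def xlat_default_filter(user_name):
    """Expand the quoted filter (uid=%{%{Stripped-User-Name}:-%{User-Name}}).
    ':-' falls back to User-Name only when Stripped-User-Name is unset, so a
    realm-qualified login is always searched as the bare uid."""
    stripped = stripped_user_name(user_name)
    return f"(uid={stripped if stripped is not None else user_name})"

def xlat_either_filter(user_name):
    """Hypothetical alternative: an OR filter that accepts either uid convention."""
    stripped = stripped_user_name(user_name)
    if stripped is None:
        return f"(uid={user_name})"
    return f"(|(uid={stripped})(uid={user_name}))"

def ldap_search(filter_str):
    """Toy evaluator: supports (uid=X) and (|(uid=X)(uid=Y)) equality filters only."""
    wanted = set(re.findall(r"\(uid=([^()]*)\)", filter_str))
    return [e["dn"] for e in DIRECTORY if e["uid"] in wanted]

def lookup(user_name, make_filter=xlat_default_filter):
    """Return the matching DN, or None when the search returns no results."""
    hits = ldap_search(make_filter(user_name))
    return hits[0] if hits else None

if __name__ == "__main__":
    for user in ("alexm@ndtel.com", "debio@ndtel.com"):
        print(user, xlat_default_filter(user), "->", lookup(user))
        print(user, xlat_either_filter(user), "->", lookup(user, xlat_either_filter))
```

With the quoted filter, debio@ndtel.com expands to `(uid=debio)` and finds nothing, exactly as in the quoted log, while alexm@ndtel.com matches; the OR variant resolves both entries.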