AW: LDAP / mschap Error

Andreas Zwinzscher andreas.zwinzscher at bod-datennetze.de
Thu Aug 25 12:17:18 CEST 2016


Hi alan,

thanks for the hint with "mschap:User-Name". I will try this.

What I'm wondering about: On my other freeradius setup (older version) everything works well. Were there some changes within the mschap module that cause this problem?

Andreas



-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andreas.zwinzscher=bod-datennetze.de at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Thursday, 25 August 2016 11:45
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: LDAP / mschap Error

hi,

ignoring the object not found LDAP error...... (as obviously, if using local windows login names you may have issues with what their local name is and what your AD/LDAP names are...) your main problem is obviously here:

[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=CORNET\\Administrator
[mschap] Creating challenge hash with username: Administrator
[mschap]        expand: %{mschap:Challenge} -> 4adcd405e7337023
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4adcd405e7337023
[mschap]        expand: %{mschap:NT-Response} -> 47dddb601f337b40cbedc92fe89619468b70254dd2a7590e
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=47dddb601f337b40cbedc92fe89619468b70254dd2a7590e
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap] Exec: program returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject


the output of debug is clearly showing you this..... so, as the REALM wasn't known...it hasn't been stripped therefore Stripped-User-Name is the same as User-Name.... and is something that either you need to verify that realm is your AD one... or, you need to handle this.

it'll probably work if you simply use

mschap:User-Name

instead of Stripped-User-Name or User-Name.....

alan
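
A small check for this kind of debug output, added here as an illustration (not code from the thread or from the FreeRADIUS project): it compares the name handed to ntlm_auth with the name rlm_mschap used for the challenge hash. The function name `diagnose` and the wording of the findings are assumptions of this example; the sample lines are taken from the debug output quoted above.

```python
import re

# Debug lines taken from the post above (rlm_mschap calling ntlm_auth).
SAMPLE_DEBUG = r"""
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=CORNET\\Administrator
[mschap] Creating challenge hash with username: Administrator
Exec output: Logon failure (0xc000006d)
[mschap] FAILED: MS-CHAP2-Response is incorrect
"""

PATTERNS = {
    "template_and_value": re.compile(r"expand: --username=(\S+) -> --username=(.+)$"),
    "hash_username": re.compile(r"Creating challenge hash with username: (.+)$"),
    "exec_output": re.compile(r"Exec output: (.+)$"),
}


def diagnose(debug_text):
    """Compare the name given to ntlm_auth with the name used for the challenge hash."""
    seen = {}
    for line in debug_text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.search(line.strip())
            if match:
                seen[key] = match.groups()
    template, passed = seen.get("template_and_value", (None, None))
    hashed = seen.get("hash_username", (None,))[0]
    exec_output = seen.get("exec_output", (None,))[0]

    findings = []
    if passed and "\\" in passed:
        # A backslash means a DOMAIN\user prefix survived the expansion.
        domain = passed.split("\\")[0]
        findings.append(f"ntlm_auth received a domain-prefixed name (prefix {domain!r} not stripped)")
    if passed and hashed and passed != hashed:
        findings.append(f"challenge hash used {hashed!r} but ntlm_auth received {passed!r}")
    if findings and template and "mschap:User-Name" not in template:
        findings.append("--username is not built from %{mschap:User-Name}")
    return {"passed": passed, "hashed": hashed, "exec_output": exec_output,
            "findings": findings}


if __name__ == "__main__":
    report = diagnose(SAMPLE_DEBUG)
    print("ntlm_auth --username :", report["passed"])
    print("challenge hash name  :", report["hashed"])
    print("ntlm_auth result     :", report["exec_output"])
    for finding in report["findings"]:
        print(" -", finding)
```
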
