Ms-Chap + NT-Password
Anton Kiryushkin
swood at fotofor.biz
Fri Dec 21 00:18:00 CET 2018
Hello, Alan.
You're right. My fault. Please see log below:
(9) User-Name = "testlogin"
(9) NAS-Port = 215
(9) State = 0x5d9ac8cb5bb0d1b476356bca7bc2305b
(9) EAP-Message = 0x022a00681900170303005d0000000000000002301470a7306238a494e48f971e6c3870bb09639041141c00594ceaf49ffe07ac3d0ecdb68988c165ca8f370152e4cc61bf8065410eb9cf70432c800237bc3f4b089aaa37633688a6abe470d7f72aacf17e16110ef7
(9) Message-Authenticator = 0x3a5c65e42a9d0494a1805e850396ff75
(9) Acct-Session-Id = "8O2.1x811d36760006c7c6"
(9) NAS-Port-Id = "ge-3/0/40.0"
(9) Calling-Station-Id = "2c-4d-54-65-19-3b"
(9) Called-Station-Id = "88-e0-f3-b0-d6-00"
(9) NAS-IP-Address = 192.168.7.2
(9) NAS-Identifier = "sw-ex6210"
(9) NAS-Port-Type = Ethernet
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) if (!control:Cleartext-Password && &User-Password) {
(9) if (!control:Cleartext-Password && &User-Password) -> FALSE
(9) if (config:User-Password && config:Cleartext-Password) {
(9) if (config:User-Password && config:Cleartext-Password) -> FALSE
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "testlogin", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 42 length 104
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x1b445c8e1b6e4610
(9) eap: Finished EAP session with state 0x5d9ac8cb5bb0d1b4
(9) eap: Previous EAP request found for state 0x5d9ac8cb5bb0d1b4, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x022a00491a022a0044314bdbebd0c0d0e6a8932b5fcdc388361a00000000000000004318685452e8005b97b446f5c1c0d23265bc1198557b1aa900646d697472792e616e616e796576
(9) eap_peap: Setting User-Name to testlogin
(9) eap_peap: Sending tunneled request to default
(9) eap_peap: EAP-Message = 0x022a00491a022a0044314bdbebd0c0d0e6a8932b5fcdc388361a00000000000000004318685452e8005b97b446f5c1c0d23265bc1198557b1aa900646d697472792e616e616e796576
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "testlogin"
(9) eap_peap: State = 0x1b445c8e1b6e4610f294f492105a1239
(9) Virtual server default received request
(9) EAP-Message = 0x022a00491a022a0044314bdbebd0c0d0e6a8932b5fcdc388361a00000000000000004318685452e8005b97b446f5c1c0d23265bc1198557b1aa900646d697472792e616e616e796576
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "testlogin"
(9) State = 0x1b445c8e1b6e4610f294f492105a1239
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) server default {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) if (!control:Cleartext-Password && &User-Password) {
(9) if (!control:Cleartext-Password && &User-Password) -> FALSE
(9) if (config:User-Password && config:Cleartext-Password) {
(9) if (config:User-Password && config:Cleartext-Password) -> FALSE
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "testlogin", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 42 length 73
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) sql-wifi: EXPAND %{User-Name}
(9) sql-wifi: --> testlogin
(9) sql-wifi: SQL-User-Name set to 'testlogin'
rlm_sql (sql-wifi): Reserved connection (2)
(9) sql-wifi: EXPAND SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql-wifi: --> SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id
(9) sql-wifi: Executing select query: SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id
(9) sql-wifi: User found in radcheck table
(9) sql-wifi: Conditional check items matched, merging assignment check items
(9) sql-wifi: NT-Password := 0x6336623331333036323736373866653636626166393538616561356566363138
(9) sql-wifi: EXPAND SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql-wifi: --> SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id
(9) sql-wifi: Executing select query: SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM userstable WHERE username = 'testlogin' ORDER BY id
(9) sql-wifi: User found in radreply table, merging reply items
(9) sql-wifi: NT-Password := 0x6336623331333036323736373866653636626166393538616561356566363138
(9) sql-wifi: EXPAND SELECT 'OfficeWifi' as GroupName FROM userstable WHERE UserName='%{SQL-User-Name}'
(9) sql-wifi: --> SELECT 'OfficeWifi' as GroupName FROM userstable WHERE UserName='testlogin'
(9) sql-wifi: Executing select query: SELECT 'OfficeWifi' as GroupName FROM userstable WHERE UserName='testlogin'
(9) sql-wifi: User found in the group table
(9) sql-wifi: EXPAND SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = '%{SQL-User-Name}' ORDER BY id
(9) sql-wifi: --> SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id
(9) sql-wifi: Executing select query: SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id
(9) sql-wifi: Group "OfficeWifi": Conditional check items matched
(9) sql-wifi: Group "OfficeWifi": Merging assignment check items
(9) sql-wifi: NT-Password := 0x61675648496e73416b666d41
(9) sql-wifi: EXPAND SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = '%{SQL-User-Name}' ORDER BY id
(9) sql-wifi: --> SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id
(9) sql-wifi: Executing select query: SELECT wifi_id as id, 'OfficeWifi' as GroupName, 'NT-Password' as attribute, password, ':=' as op FROM userstable WHERE Username = 'testlogin' ORDER BY id
(9) sql-wifi: Group "OfficeWifi": Merging reply items
(9) sql-wifi: NT-Password := 0x61675648496e73416b666d41
rlm_sql (sql-wifi): Released connection (2)
(9) [sql-wifi] = ok
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x1b445c8e1b6e4610
(9) eap: Finished EAP session with state 0x1b445c8e1b6e4610
(9) eap: Previous EAP request found for state 0x1b445c8e1b6e4610, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default
(9) eap_mschapv2: Auth-Type MS-CHAP {
(9) mschap: WARNING: NT-Password found but incorrect length, expected 16 bytes got 12 bytes. Authentication may fail
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(9) mschap: Creating challenge hash with username: testlogin
(9) mschap: Client is using MS-CHAPv2
(9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) } # Auth-Type MS-CHAP = reject
Thu, 20 Dec 2018 at 21:06, Alan DeKok <aland at deployingradius.com> wrote:
> On Dec 20, 2018, at 3:52 PM, Anton Kiryushkin <swood at fotofor.biz> wrote:
> >
> > Hello, Alan.
> >
> > I checked it.
> >
> > Let me show you full log:
> >
> > Thu Dec 20 01:10:08 2018 : Debug: (138) User-Name = "anonymous at espressif.com"
>
> Please post the log from "radiusd -X" as suggested *EVERYWHERE* in the
> documentation.
>
> For some unknown reason people recently seem to be ignoring all of the
> documentation that says to post "radiusd -X". This is mentioned in the
> "man" page, the Wiki, and in the email you get when you join the list.
>
> Out of general principle, I'm going to ignore messages which fail to
> follow the documentation.
>
> Re-post this with the *correct* debug log, and I will read it.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Best regards,
Anton Kiryushkin
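The debug output above records two `NT-Password :=` merges for the same request: the user query reads the `pass_hash` column and merges a 32-character hex string, then the group query reads the `password` column and merges a second value with `:=`, and rlm_mschap then complains that it got 12 bytes instead of 16. The following Python script is an added example, not code from the original post or from FreeRADIUS: it pulls the `NT-Password :=` lines out of a `radiusd -X` log, reports which of the merged values could serve as a 16-byte NT hash, and includes an NT-hash routine (MD4 over the UTF-16LE password) so a `pass_hash` row can be checked against a known password. The log excerpt embedded in it is copied from the output above; the `"password"` fed to `nt_hash()` is a constructed sample, not the user's real password.

```python
import re
import struct
from typing import List, Optional

# Copied from the radiusd -X output above: the user query (pass_hash column)
# merges one NT-Password, then the group query (password column) merges a
# second one with ':=', which replaces the first.
LOG_EXCERPT = """\
(9) sql-wifi: User found in radcheck table
(9) sql-wifi: NT-Password := 0x6336623331333036323736373866653636626166393538616561356566363138
(9) sql-wifi: Group "OfficeWifi": Merging assignment check items
(9) sql-wifi: NT-Password := 0x61675648496e73416b666d41
(9) mschap: WARNING: NT-Password found but incorrect length, expected 16 bytes got 12 bytes. Authentication may fail
"""

NT_PASSWORD_RE = re.compile(r"NT-Password\s*:=\s*0x([0-9a-fA-F]+)")
MASK32 = 0xFFFFFFFF


def nt_password_values(log: str) -> List[bytes]:
    """Every NT-Password ':=' value in the log, decoded from its 0x... octet form."""
    return [bytes.fromhex(m.group(1)) for m in NT_PASSWORD_RE.finditer(log)]


def effective_nt_password(log: str) -> Optional[bytes]:
    """':=' replaces any earlier value, so the last merge is the one mschap sees."""
    values = nt_password_values(log)
    return values[-1] if values else None


def normalize_nt_password(raw: bytes) -> Optional[bytes]:
    """Return the 16-byte NT hash for raw octets or for a 32-char hex string.
    Anything else (for example a cleartext string read from the wrong column)
    is not an NT hash and yields None."""
    if len(raw) == 16:
        return raw
    if len(raw) == 32 and re.fullmatch(rb"[0-9a-fA-F]{32}", raw):
        return bytes.fromhex(raw.decode("ascii"))
    return None


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:      # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: G, words 0,4,8,12,1,5,9,13,...
                f, k, s, add = ((b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4 - 4,
                                (3, 5, 9, 13)[i % 4], 0x5A827999)
            else:           # round 3: H, bit-reversed word order
                f, k, s, add = b ^ c ^ d, round3_order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + x[k] + add) & MASK32, s), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as a pass_hash column should hold it: MD4 over UTF-16LE, hex encoded."""
    return _md4(password.encode("utf-16-le")).hex()


def audit(log: str) -> dict:
    """Summarise what rlm_sql merged and whether mschap can use the final value."""
    values = nt_password_values(log)
    final = effective_nt_password(log)
    return {
        "merged_lengths": [len(v) for v in values],
        "first_value_usable": bool(values) and normalize_nt_password(values[0]) is not None,
        "final_value_usable": final is not None and normalize_nt_password(final) is not None,
    }


if __name__ == "__main__":
    for key, val in audit(LOG_EXCERPT).items():
        print(f"{key}: {val}")
    # Constructed sample password, not the user's: what a pass_hash row should contain.
    print("nt_hash('password') =", nt_hash("password"))
```

Run against the excerpt, `audit()` reports merged lengths `[32, 12]`: the first value is the 32-character hex text of a 16-byte hash and normalises cleanly, while the last value is 12 bytes, cannot be normalised, and is exactly the value the mschap warning in the log rejects. The two queries differ only in the column they read (`pass_hash` for the user row, `password` for the group row), and because both use the `:=` operator the group value replaces the user value before the tunnelled request reaches `Auth-Type MS-CHAP`.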