mschap: ERROR: MS-CHAP2-Response is incorrect

R3DNano r3dnano at gmail.com
Wed Apr 15 10:35:30 CEST 2020


I'm trying to deploy a FreeRADIUS server for eduroam authentication.
The local authentication source is a Microsoft AD that I configured
following this guide:
https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
The binding was successful and the eapol_test tests are all green too.

However, I'm having a hard time implementing it with an Aerohive controller.
This controller has a "test" function which lets you input a username and
a password and does who knows what in order to check the RADIUS server.
As far as I understood, it tries to do MSCHAPv2 without any encryption as
per the logs I'll show below (please correct me if I'm wrong).
Other than that, I receive an Access-Reject which looks like it is pointing at
a wrong password being provided, although that is not the case (I checked the
password).

This is what I see on the server side:

(0) Received Access-Request Id 155 from 10.10.50.5:22074 to 10.168.0.14:1812 length 198
(0)   User-Name = "some-user at somewhere.com"
(0)   Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147
(0)   Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330
(0)   Service-Type = Authorize-Only
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Identifier = "SOME_ID"
(0)   NAS-IP-Address = 10.40.1.186
(0)   MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88
(0)   MS-CHAP2-Response = 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
(0)   authorize {

[edited]

(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok

[edited, removed log entries]

(0)   } # authorize = updated
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(0)   Auth-Type mschap {
(0) mschap: Creating challenge hash with username: some-user at somewhere.com
(0) mschap: Client is using MS-CHAPv2
(0) mschap: EXPAND %{Stripped-User-Name}
(0) mschap:    --> some-user
rlm_mschap (mschap): Closing connection (0): Hit idle_timeout, was idle for 2240 seconds
rlm_mschap (mschap): Closing connection (1): Hit idle_timeout, was idle for 2240 seconds
rlm_mschap (mschap): Closing connection (2): Hit idle_timeout, was idle for 2240 seconds
rlm_mschap (mschap): You probably need to lower "min"
rlm_mschap (mschap): Closing connection (3): Hit idle_timeout, was idle for 2240 seconds
rlm_mschap (mschap): You probably need to lower "min"
rlm_mschap (mschap): Closing connection (4): Hit idle_timeout, was idle for 2240 seconds
rlm_mschap (mschap): You probably need to lower "min"
rlm_mschap (mschap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_mschap (mschap): Opening additional connection (5), 1 of 32 pending slots used
rlm_mschap (mschap): Reserved connection (5)
(0) mschap: sending authentication request user='some-user' domain='SOMEWHERE.COM'
rlm_mschap (mschap): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_mschap (mschap): Opening additional connection (6), 1 of 31 pending slots used
(0) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # Auth-Type mschap = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject

[edited, removed log entries]

(0)   } # Post-Auth-Type REJECT = updated
(0) Sent Access-Reject Id 155 from 10.168.0.14:1812 to 10.10.50.5:22074 length 0
(0)   MS-CHAP-Error = "\317E=691 R=1 C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 M=Authentication rejected"
(0) Finished request



I edited the linelog parts out - yes, there's only one single request (0).
Although it does have an "Authorize-Only" value, which makes me think this
test only does authorization but no authentication, and that's why the test
fails? Any help trying to interpret and troubleshoot this issue would be
welcome.

Thanks.
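Added example, not part of the original post: a small Python script that pulls apart the two MS-CHAP attributes visible in the debug output above (the 50-byte MS-CHAP2-Response layout of RFC 2548 section 2.3.2 and the MS-CHAP-Error string of RFC 2548 section 2.1.6) and computes the RFC 2759 section 8.2 ChallengeHash that rlm_mschap logs as "Creating challenge hash with username". The attribute values are copied from the post; the two username spellings compared at the end are constructed to show that the 8-byte challenge the NT-Response is derived from changes whenever the username string differs byte-for-byte from what the peer used. It does not verify the NT-Response itself (that needs MD4 and DES, which are not in the standard library), so it is a triage aid for reading the log, not a replacement for ntlm_auth.

```python
import hashlib
import re

# Values copied from the Access-Request / Access-Reject in the post.
MSCHAP_CHALLENGE_HEX = "451507759c738d0d3792bb6474f55e88"
MSCHAP2_RESPONSE_HEX = ("cf00"
                        "03d0a09c080f1f3981adf41050b91b96"
                        "0000000000000000"
                        "c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca")
# FreeRADIUS prints the leading Ident byte as an octal escape (\317 == 0xcf).
MSCHAP_ERROR_STR = ("\317E=691 R=1 C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 "
                    "M=Authentication rejected")

# Error codes carried in the "E=" field, from RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def parse_mschap2_response(hexstr: str) -> dict:
    """Split a 50-byte MS-CHAP2-Response: Ident(1) Flags(1) Peer-Challenge(16)
    Reserved(8) NT-Response(24), per RFC 2548 section 2.3.2."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    fields = {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],
        "reserved": raw[18:26],
        "nt_response": raw[26:50],
    }
    # For MS-CHAPv2 Flags must be zero and Reserved must be all zeros.
    if fields["flags"] != 0:
        raise ValueError("Flags must be 0 for MS-CHAPv2")
    if fields["reserved"] != bytes(8):
        raise ValueError("Reserved field must be zero")
    return fields


def parse_mschap_error(value: str) -> dict:
    """Parse MS-CHAP-Error: one Ident byte followed by
    'E=eee R=r C=<32 hex> V=v M=<message>' (RFC 2548 section 2.1.6)."""
    ident = ord(value[0])
    m = re.match(r"E=(\d+) R=(\d) C=([0-9a-fA-F]{32}) V=(\d+) M=(.*)", value[1:])
    if not m:
        raise ValueError("unrecognised MS-CHAP-Error format")
    code = int(m.group(1))
    return {
        "ident": ident,
        "error_code": code,
        "error_name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": m.group(2) == "1",
        "new_challenge": bytes.fromhex(m.group(3)),
        "version": int(m.group(4)),
        "message": m.group(5),
    }


def error_matches_response(resp: dict, err: dict) -> bool:
    """The Ident in MS-CHAP-Error must echo the Ident of the rejected response."""
    return resp["ident"] == err["ident"]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2:
    first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]


if __name__ == "__main__":
    resp = parse_mschap2_response(MSCHAP2_RESPONSE_HEX)
    err = parse_mschap_error(MSCHAP_ERROR_STR)
    print("response ident 0x%02x, error ident 0x%02x, match=%s"
          % (resp["ident"], err["ident"], error_matches_response(resp, err)))
    print("error %d %s (retry allowed: %s)"
          % (err["error_code"], err["error_name"], err["retry_allowed"]))
    auth = bytes.fromhex(MSCHAP_CHALLENGE_HEX)
    # Constructed usernames: the realm form the log shows in "Creating challenge
    # hash" versus the stripped form passed to ntlm_auth.
    for name in ("some-user@somewhere.com", "some-user"):
        print("challenge hash for %-24s %s"
              % (name, challenge_hash(resp["peer_challenge"], auth, name).hex()))
```

Run it as-is; the last two lines show that the 8-byte challenge differs between the realm form and the stripped form of the username, which is why rlm_mschap's choice of which name to hash has to agree with what the supplicant (here, the controller's "test" function) hashed when it built the NT-Response.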

