mschap: ERROR: MS-CHAP2-Response is incorrect
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 15 12:30:00 CEST 2020
Hai,
Hm, still..
What's in krb5.conf?
What's the default REALM, did you configure other (optional extra) REALMS, and which REALM is set/used in smb.conf?
Also important: what is your running OS and samba version? You might have hit a bug from an older samba version.
That might help me a bit.
Greetz,
Louis
From: Jon Ander MB [mailto:jonandermonleon at gmail.com]
Sent: Wednesday 15 April 2020 12:22
To: L.P.H. van Belle
CC: FreeRadius users mailing list
Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect
Hi, Louis: Thanks for trying to help me.
I made the changes you suggested on the mschap module and I still get the same error.
Is it possible that the challenge hash is being created with the wrong domain? i.e.: some-user at somewhere.com instead of some-user at swhr.com ?
(0) mschap: Creating challenge hash with username: some-user at somewhere.com
which might have to be something like:
(0) mschap: Creating challenge hash with username: some-user at swhr.com
What is weird is that local tests with standard tools succeed, but this other vendor's test does not.
Regards
On Wed, 15 Apr 2020 at 11:41, L.P.H. van Belle <belle at bazuin.nl> wrote:
Hai Red,
Well, almost.. you missed 1 part.
This:
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
change that to:
/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
I even highlighted it in the samba wiki ..
So edit: /etc/freeradius/3.0/sites-enabled/eduroam
And correct that and try again.
If it then still is not working, as an extra you could try:
Adduser freeradion to the winbind_priv group
And check if apparmor is running and adjust the needed files there also.
Greetz,
Louis
________________________________
From: Red Nano [mailto:r3dnano at gmail.com]
Sent: Wednesday 15 April 2020 11:27
To: FreeRadius users mailing list
CC: L.P.H. van Belle
Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect
First of all: Thanks for the help.
I've modified the smb.conf file according to the link you suggested.
I'm trying to do the auth via ntlm_auth now and this is the response I got:
(10) } # authorize = updated
(10) Found Auth-Type = mschap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(10) Auth-Type mschap {
(10) mschap: Creating challenge hash with username: some-user at somewhere.com
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(10) mschap: --> --username=some-user
(10) mschap: Creating challenge hash with username: some-user at somewhere.com
(10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(10) mschap: --> --challenge=39258c5db7d3edb7
(10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(10) mschap: --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba
(10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(10) mschap: External script failed
(10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(10) mschap: ERROR: MS-CHAP2-Response is incorrect
(10) [mschap] = reject
(10) } # Auth-Type mschap = reject
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
Maybe something to point out (which I don't know if it matters) is that the user might be providing @somewhere.com; however, the AD domain name I have to do the queries against is really "swr.com".
Operator name is @somewhere.com on the server config file so I can properly filter the local users, but the samba configuration and the domain is configured against the real domain name "swr.com" - could it be that the challenge hash is being wrongfully created here?:
(10) mschap: Creating challenge hash with username: some-user at somewhere.com
And somehow, mschap should create the hash with "some-user at swe.com"?
I sure don't have this issue when testing locally...
I don't know if this makes sense...
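The question asked here, and again in Jon Ander's later reply (some-user@somewhere.com versus the AD domain), is about the "Creating challenge hash with username:" step. The following is an added example for this thread, not code from the thread, from FreeRADIUS or from Samba: it splits the MS-CHAP2-Response attribute of Access-Request (0) from the original mail into its fields (RFC 2548 section 2.3.2) and computes the RFC 2759 section 8.2 ChallengeHash, which is the 8-byte value rlm_mschap passes to ntlm_auth as --challenge, once with the bare user name and once with a realm suffix. RFC 2759 only says a prepended domain name (DOMAIN\user) is excluded from the hash; whether a "@realm" suffix belongs in it is exactly what the client and server have to agree on, and the example shows the two hashes differ. The challenge and response bytes are the ones printed in the log above; the user names and realms fed to the comparison are constructed.

```python
"""RFC 2759 ChallengeHash and MS-CHAP2-Response field layout, run on the
values from Access-Request (0) in the mail above (added example)."""
import hashlib

# Copied from the log of request (0): MS-CHAP-Challenge (16 bytes) and the
# 50-byte MS-CHAP2-Response attribute, with the line wrap removed.
MS_CHAP_CHALLENGE = bytes.fromhex("451507759c738d0d3792bb6474f55e88")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "cf00"                                # Ident, Flags
    "03d0a09c080f1f3981adf41050b91b96"    # Peer-Challenge
    "0000000000000000"                    # Reserved
    "c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca"  # NT-Response
)


def parse_mschap2_response(attr: bytes) -> dict:
    """Split an MS-CHAP2-Response attribute value (RFC 2548 2.3.2) into
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    return {
        "ident": attr[0],
        "flags": attr[1],
        "peer_challenge": attr[2:18],
        "reserved": attr[18:26],
        "nt_response": attr[26:50],
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 8.2: the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).

    The RFC excludes a prepended domain (DOMAIN\\user); it does not say what
    to do with a user@realm suffix, so the caller decides what string goes in."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]


def challenge_hash_for_request(username: str) -> bytes:
    """The --challenge value ntlm_auth would receive for request (0) if the
    server used `username` as the UserName input to the hash."""
    fields = parse_mschap2_response(MS_CHAP2_RESPONSE)
    return challenge_hash(fields["peer_challenge"], MS_CHAP_CHALLENGE, username)


def hash_changes_with_realm(user: str, realm: str) -> bool:
    """True when keeping or stripping the @realm suffix changes the hash,
    i.e. when client and server must agree on which form they use."""
    return challenge_hash_for_request(user) != challenge_hash_for_request(f"{user}@{realm}")


if __name__ == "__main__":
    f = parse_mschap2_response(MS_CHAP2_RESPONSE)
    print(f"ident={f['ident']:#04x} flags={f['flags']:#04x}")
    print("peer challenge:", f["peer_challenge"].hex())
    print("nt response   :", f["nt_response"].hex())
    # Constructed user names; "somewhere.com" and "swhr.com" are the two
    # realms discussed in the thread.
    for name in ("some-user", "some-user@somewhere.com", "some-user@swhr.com"):
        print(f"{name:26s} --challenge={challenge_hash_for_request(name).hex()}")
    print("realm suffix changes hash:", hash_changes_with_realm("some-user", "somewhere.com"))
```

The Ident byte parsed out of the response is 0xcf, which is the same value that appears as the leading "\317" (octal for 0xcf) in the MS-CHAP-Error of the Access-Reject further down, so the reject really does belong to this response. The NT-Response itself cannot be checked without the user's NT hash, which is why ntlm_auth (via winbind) has to do that part.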
On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
That samba part on the FreeRADIUS site is obsolete.
Configure samba as a member server as shown here:
Step 1.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Then what most people don't see/forget is: https://wiki.samba.org/index.php/Idmap_config_rid
This is obligatory..
If it's only for authentication just use the RID backend, that's fine.
When that's done, go here.
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
And verify your settings; this is the most important one for smb.conf:
ntlm auth = mschapv2-and-ntlmv2-only
So all info to fix it is in this mail ;-)
See how far you get, questions, mail again.
Greetz,
Louis
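A minimal smb.conf fragment showing the member-server settings the two Samba wiki pages above cover (the RID idmap backend and the ntlm auth line), as an added example written for this thread, not Louis's configuration or text taken from the wiki. SAMDOM, the realm and the id ranges are placeholders to replace with your own domain values.

```ini
[global]
    # Placeholder domain names: replace with your AD domain.
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ads

    # Default idmap range for the "*" domain (BUILTIN and so on), tdb backend.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # RID backend for the AD domain: ids are derived from the RID, so there is
    # no per-host mapping database to keep in sync. The range must not overlap
    # the "*" range above.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # The line the thread points at. "ntlm auth = yes" would also let
    # MS-CHAPv2 through but re-enables plain NTLMv1 for every client;
    # this value allows only MS-CHAPv2 (what ntlm_auth --allow-mschapv2
    # needs) and NTLMv2.
    ntlm auth = mschapv2-and-ntlmv2-only
```

After changing smb.conf, restart winbind and check `wbinfo -t` and `wbinfo -u` before testing ntlm_auth again, so a trust or idmap problem is not mistaken for an MS-CHAPv2 one.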
> -----Original message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of R3DNano
> Sent: Wednesday 15 April 2020 10:35
> To: FreeRadius users mailing list
> Subject: mschap: ERROR: MS-CHAP2-Response is incorrect
>
> I'm trying to deploy a FreeRADIUS server for eduroam authentication.
> The local authentication source is a Microsoft AD that I configured
> following this guide:
> https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
> The binding was successful and the eapol_test tests are all green too.
>
> However, I'm having a hard time implementing it with an aerohive controller.
> This controller has a "test" function which lets you input a username and a password and does who knows what in order to check the radius server.
> As far as I understood, it tries to do MSCHAPv2 without any encryption as per the logs I'll show below (please, correct me if I'm wrong).
> Other than that, I receive an Access-Reject which looks like it is pointing at a wrong password being provided, although it is not the case (checked the password).
>
> This is what I see on the server side:
>
> (0) Received Access-Request Id 155 from 10.10.50.5:22074 to 10.168.0.14:1812 length 198
> (0) User-Name = "some-user at somewhere.com"
> (0) Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147
> (0) Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330
> (0) Service-Type = Authorize-Only
> (0) NAS-Port = 0
> (0) NAS-Port-Type = Wireless-802.11
> (0) NAS-Identifier = "SOME_ID"
> (0) NAS-IP-Address = 10.40.1.186
> (0) MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88
> (0) MS-CHAP2-Response = 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca
> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
> (0) authorize {
>
> [edited]
>
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> (0) [mschap] = ok
>
> [edited, removed log entries]
>
> (0) } # authorize = updated
> (0) Found Auth-Type = mschap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
> (0) Auth-Type mschap {
> (0) mschap: Creating challenge hash with username: some-user at somewhere.com
> (0) mschap: Client is using MS-CHAPv2
> (0) mschap: EXPAND %{Stripped-User-Name}
> (0) mschap: --> some-user
> rlm_mschap (mschap): Closing connection (0): Hit idle_timeout, was idle for 2240 seconds
> rlm_mschap (mschap): Closing connection (1): Hit idle_timeout, was idle for 2240 seconds
> rlm_mschap (mschap): Closing connection (2): Hit idle_timeout, was idle for 2240 seconds
> rlm_mschap (mschap): You probably need to lower "min"
> rlm_mschap (mschap): Closing connection (3): Hit idle_timeout, was idle for 2240 seconds
> rlm_mschap (mschap): You probably need to lower "min"
> rlm_mschap (mschap): Closing connection (4): Hit idle_timeout, was idle for 2240 seconds
> rlm_mschap (mschap): You probably need to lower "min"
> rlm_mschap (mschap): 0 of 0 connections in use. You may need to increase "spare"
> rlm_mschap (mschap): Opening additional connection (5), 1 of 32 pending slots used
> rlm_mschap (mschap): Reserved connection (5)
> (0) mschap: sending authentication request user='some-user' domain='SOMEWHERE.COM'
> rlm_mschap (mschap): Released connection (5)
> Need 2 more connections to reach min connections (3)
> rlm_mschap (mschap): Opening additional connection (6), 1 of 31 pending slots used
> (0) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> (0) [mschap] = reject
> (0) } # Auth-Type mschap = reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
>
> [edited, removed log entries]
>
> (0) } # Post-Auth-Type REJECT = updated
> (0) Sent Access-Reject Id 155 from 10.168.0.14:1812 to 10.10.50.5:22074 length 0
> (0) MS-CHAP-Error = "\317E=691 R=1 C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 M=Authentication rejected"
> (0) Finished request
>
>
>
> I edited the linelog parts out - yes, there's only one single request (0).
> Although, it does have an "Authorize-Only" value, which makes me think this test only does authorization but no authentication and that's why the test fails?? - any help trying to interpret and troubleshoot this issue would be welcome.
>
> Thanks.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
--- Jon Ander Monleón Besteiro ---