<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.2900.3395" name=GENERATOR></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>Hi,</DIV>
<DIV>We are trying to set up freeRADIUS 2.1.1 against eDirectory LDAP and are getting problems. </DIV>
<DIV>(Trying SLES 10 SP2 32bit and 64 bit)</DIV>
<DIV>pap against LDAP works fine</DIV>
<DIV>chap against LDAP works fine (With ntradping)</DIV>
<DIV>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"</DIV>
<DIV>Am I missing something required for MSCHAP to work? The NT-Password seems to be retrieved...</DIV>
<DIV> </DIV>
<DIV>Working CHAP debug from ntradping:<BR><BR>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in directory...<BR>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"<BR>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x4145394341303636374133413937333342303139423034323645363933373332<BR>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword -> LM-Password == 0x3635423939303044343142344533363831394631304139333344343836384443<BR>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in directory...<BR>Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use remote access<BR>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0<BR>Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok<BR>Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop<BR>Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop<BR>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex encoding<BR>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex encoding<BR>Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not changing it.<BR>Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop<BR>Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP<BR>Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}<BR>Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser" with CHAP password<BR>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password "ommitted" for user testuser authentication.<BR>Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser authenticated succesfully<BR>Tue Nov 11 10:10:26 2008 : Info: ++[chap] returns ok<BR>Tue Nov 11 10:10:26 2008 : Info: +- entering group post-auth {...}<BR>Tue Nov 11 10:10:26 2008 : Info: ++[exec] returns noop<BR>Sending Access-Accept of id 13 to 194.82.224.117 port 1958</DIV>
<DIV><BR>Debug from it not working using MSCHAP2:<BR><BR>Tue Nov 11 10:06:10 2008 : Info: [ldap] looking for check items in directory...<BR>Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"<BR>Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x4145394341303636374123413937333342303139423034323445363933373332<BR>Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: sambaLmPassword -> LM-Password == 0x3635423939303044342142344533363831394631304139353344343836384443<BR>Tue Nov 11 10:06:10 2008 : Info: [ldap] looking for reply items in directory...<BR>Tue Nov 11 10:06:10 2008 : Info: [ldap] user testuser authorized to use remote access<BR>Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0<BR>Tue Nov 11 10:06:10 2008 : Info: ++[ldap] returns ok<BR>Tue Nov 11 10:06:10 2008 : Info: ++[expiration] returns noop<BR>Tue Nov 11 10:06:10 2008 : Info: ++[logintime] returns noop<BR>Tue Nov 11 10:06:10 2008 : Info: [pap] Normalizing NT-Password from hex encoding<BR>Tue Nov 11 10:06:10 2008 : Info: [pap] Normalizing LM-Password from hex encoding<BR>Tue Nov 11 10:06:10 2008 : Info: [pap] Found existing Auth-Type, not changing it.<BR>Tue Nov 11 10:06:10 2008 : Info: ++[pap] returns noop<BR>Tue Nov 11 10:06:10 2008 : Info: Found Auth-Type = MSCHAP<BR>Tue Nov 11 10:06:10 2008 : Info: +- entering group MS-CHAP {...}<BR>Tue Nov 11 10:06:10 2008 : Info: [mschap] Found LM-Password<BR>Tue Nov 11 10:06:10 2008 : Info: [mschap] Found NT-Password<BR>Tue Nov 11 10:06:10 2008 : Info: [mschap] Told to do MS-CHAPv2 for testuser with NT-Password<BR>Tue Nov 11 10:06:10 2008 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect<BR>Tue Nov 11 10:06:10 2008 : Info: ++[mschap] returns reject<BR>Tue Nov 11 10:06:10 2008 : Info: Failed to authenticate the user.<BR>Using Post-Auth-Type Reject<BR>+- entering group REJECT {...}<BR>++[ldap] returns noop<BR>Delaying reject of request 0 for 1 seconds<BR>Going to the next 
request<BR>Waking up in 0.6 seconds.<BR>Sending delayed reject for request 0<BR>Sending Access-Reject of id 32 to 192.168.100.25 port 32834<BR> MS-CHAP-Error = "\000E=691 R=1"<BR></DIV>
<DIV>modules/ldap extract:</DIV>
<DIV>ldap {<BR> server = "192.168.1.1"<BR> port = 636<BR> identity = "cn=admin,o=csg"<BR> password = "password"<BR> basedn = "O=csg"<BR> filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"<BR> base_filter = "(objectclass=radiusprofile)"<BR>...</DIV>
<DIV> # start_tls = yes</DIV>
<DIV> tls_mode = yes<BR> # cacertfile = /path/to/cacert.pem # I don't think we need to check the certs so put require_cert below to never<BR> # cacertdir = /usr/local/etc/raddb/certs<BR> # certfile = /usr/local/etc/raddb/certs/certs.b64<BR> # keyfile = /path/to/radius.key<BR> #randfile = /usr/local/etc/raddb/random<BR> require_cert = "never"</DIV>
<DIV> dictionary_mapping = ${confdir}/ldap.attrmap</DIV>
<DIV> password_attribute = nspmPassword</DIV>
<DIV> edir_account_policy_check = no #I've tried this with yes - and enabling the option in sites-enabled/default and it's no different</DIV>
<DIV> </DIV>
<DIV>Default configuration in modules/mschap and modules/chap</DIV>
<DIV>In sites-enabled/default</DIV>
<DIV>authorize {</DIV>
<DIV>ldap</DIV>
<DIV>}</DIV>
<DIV>authenticate {</DIV>
<DIV> Auth-Type PAP {<BR> pap<BR> }</DIV>
<DIV> Auth-Type CHAP {<BR> chap<BR> }<BR> Auth-Type MS-CHAP {<BR> mschap<BR> }</DIV>
<DIV> Auth-Type LDAP { <BR> ldap<BR> }</DIV>
<DIV>}</DIV>
<DIV> </DIV>
<DIV>post-auth {</DIV>
<DIV> # ldap<BR> Post-Auth-Type REJECT {<BR> # attr_filter.access_reject<BR> ldap<BR> }</DIV>
<DIV> </DIV>
<DIV>Some help would be most appreciated.</DIV>
<DIV>Cheers</DIV>
<DIV><BR>Simon<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Simon Palmer<BR>Systems Development Officer<BR><BR>Colegsirgâr<BR><BR>e-mail: <A href="mailto:simon.palmer@colegsirgar.ac.uk">simon.palmer@colegsirgar.ac.uk</A></DIV>
<DIV>tel: 01554 748088<BR></DIV><BR>
</BODY></HTML>