Hi,
The basic use scenario is a mySQL DB backend which pulls a NT-Hash for the user. Input is PAP, so rlm_pap calls xlat:NT-Hash for the input, and then returns with the log message that mschap xlat failed.
Debug says?
It seems to be the single quote. Sorry for not attching it in the first place, debug from separate test box below: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 53873, id=57, length=64 User-Name = "xlat-to-hell" User-Password = "abc'def" NAS-IP-Address = 158.64.1.155 NAS-Port = 123 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "xlat-to-hell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry xlat-to-hell at line 59 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "abc'def" [pap] Using NT encryption. [pap] Badly formatted variable: %{mschap:NT-Hash abc'def} [pap] mschap xlat failed [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject
Send a test case over, and I'll take a look. It should be easy to fix, as the new code isn't insane.
Above debug was on such a test instance. Fresh compilation an install, one line with Auth-Type := PAP, NT-Password := "0xsomething", radtest with the bad password in it. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473