On 11/16/2012 10:00 AM, Carlos Velasco wrote:
windows popup in Cisco VPN client, but the change password process fails: ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . . Looking into code I suppose the problem is something with the old NT hash, but not an expert here. Any help would be apreciated.
In these logs the user is "NIMASTELECOM\testpw". The current password is "y58R41ut8W" (expired). And the new password used was "H6eEWu7r65tw38ert1".
There *might* be a bug in the CPW code, but I can't really see how; it tested fine when I wrote it, and the crypto/hash/blob stuff doesn't really leave room for "only if CONDITION X do something invalid".
I'll take a look a little bit later but in the meantime can you confirm that if you clear the "must change password", auth works fine with the old/current password?
Yes, auth works fine without "Must change". I think I have found the problem. MS-CHAP2-CPW = 0x0701000000000000000000000000000000004194697300c611e68e661957a30d0015000000000000000041eb18eb29a0ebb20ff232620f708e68e27f251767ccd3060000 According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16 octects, but they are all 00. I am trying to find out why, seems a bug in Cisco part. But I think this works fine with Cisco ACS radius. :S