PAP works, MSCHAP fails – specifically MSCHAPv2.

 

This is a fresh install of 2.1.10, built from source.  I’m using ntlm_auth; samba version 3.0.33-3.7.el5  I also have version 2.1.6 running on the same box and it “mostly” works: seems to work with everything except Winblows7, hence I installed 2.1.10 in a different dir structure and it’s listening on different ports.  I just tested a login using the same user account and pw; works great on 2.1.6 but fails on 2.1.10.  I’ve tried 4 or 5 different command strings for ntlm_auth – no go.  It’s as if mschap is not using ntlm_auth, but not sure.  I’ll keep checking and googling, but any hints would be appreciated!  TIA!  Gary

 

 

I’ve changed only the minimum from the default, clients.conf and the recommended for integrating with AD:

http://deployingradius.com/documents/configuration/active_directory.html

 

 

rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=19, length=224

        NAS-IP-Address = 1.1.2.4

        NAS-Port = 0

        NAS-Port-Type = Wireless-802.11

        User-Name = "netengtest"

        Calling-Station-Id = "000000000000"

        Called-Station-Id = "000B8661BF34"

        MS-CHAP-Challenge = 0x9b1a142405c7a0dbe4f486d9d3fb2090

        MS-CHAP2-Response = 0x00006cda5d434c296668b7f2b446899e01af0000000000000000419c6cfec984b856377a6c40c6144373a1dbc14f777ce8eb

        Service-Type = Login-User

        Aruba-Location-Id = "N/A"

        NAS-Identifier = "My802.11controller"

        Message-Authenticator = 0x02610ba4a72cdc35ce94415f1ae46dcb

# Executing section authorize from file /devel/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

++[mschap] returns ok

++[digest] returns noop

[suffix] No '@' in User-Name = "netengtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

[files] users: Matched entry DEFAULT at line 2

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

Found Auth-Type = MSCHAP

# Executing group from file /devel/sites-enabled/default

+- entering group MS-CHAP {...}

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.

[mschap] No Cleartext-Password configured.  Cannot create NT-Password.

[mschap] Creating challenge hash with username: netengtest

[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password

[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.

[mschap] FAILED: MS-CHAP2-Response is incorrect

++[mschap] returns reject

Failed to authenticate the user.

Using Post-Auth-Type Reject

# Executing group from file /devel/sites-enabled/default

+- entering group REJECT {...}

[attr_filter.access_reject]     expand: %{User-Name} -> netengtest

 attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 3 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 3

Sending Access-Reject of id 19 to 1.1.2.4 port 33350

Waking up in 4.9 seconds.

Cleaning up request 3 ID 19 with timestamp +372

Ready to process requests.

 

 

 

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."