On Mon, Jul 11, 2005 at 05:26:54PM -0400, Alan DeKok wrote:
jck-freeradius@southwestern.edu wrote:
rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
That's pretty definitive.
I thought so as well. I am 99% sure that the NTLM passwords I am using are valid.
My thoughts are that SQL and MSCHAP should be in the authorization section, and MSCHAP and EAP should be in authentication.
"eap" should be in the "authorize" section, too. That's the way the server comnes configured.
radiusd.conf now reads, in part: authorize { preprocess auth_log sql mschap eap } authenticate { # MSCHAP authentication. Auth-Type MS-CHAP { mschap } mschap eap }
I am storing NTLM passwords in my SQL server. ... | 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
No, you're not.
You're telling the server that the clear-text password is a hex string, which it's not.
If you want to store the NT-hashed passwords in SQL, use the "NT-Password" attribute, and ensure that the value is 32 bytes of hex data.
When using NT-Password, I was noticing that the sql authorization phase would not return OK. Switching it to User-Password seemed to fix that (albeit not correctly). I have switched radcheck back to using Attributes of NT-Password.
But before you do that, I would STRONGLY suggest storing a simple clear-text password in SQL, like "test". Verify that it works, and THEN start storing NT password.
I have a test account, named testacct. I have switched his values in radcheck to "Password == monkey" host:/etc/raddb # radtest testacct monkey host:1645 0 testing123 Sending Access-Request of id 77 to 127.0.0.1:1645 User-Name = "testacct" User-Password = "monkey" NAS-IP-Address = hecate NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=77, length=37 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "111" host:/etc/raddb #
By trying to configure 3 things at the same time, you guarantee that you can't possible figure out which one of the three is failing.
Agreed. I am including two URLs. One with debug logs showing user 'johnk' trying to AAA, using NT-Password. The other shows testacct (using the same supplicant as johnk, XP) using Password (cleartext). NT-Password, logging in as johnk: http://www.southwestern.edu/~johnk/johnk_NT-Password_debug.txt Password, logging in as testacct: http://www.southwestern.edu/~johnk/testacct_Password_debug.txt Notice that with changing the Attribute in radcheck to Password, and assigning the Value a cleartext, Access-Accept is generated. --johnk