Charles Blake wrote:
I am trying to set up a freeradius-1.1.0 server for authenticating users using MS-CHAP passwords.
I pretend to authenticate users against shadow.
You can't do that. MS-CHAP requires the NT hash, the plaintext password from which it can derive the NT hash, or Samba configured as a domain member and use of the "ntlm_auth" helper.
radtest shows ok:
This is a PAP request. They work fine against /etc/shadow
# radtest mts mypassword localhost 0 testing123 Sending Access-Request of id 160 to 127.0.0.1 port 1812 User-Name = "mts" User-Password = "mypassword" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=160, length=20
But when I try to authenticate an user using MS-CHAP, I am getting this output:
This is an MS-CHAP request - you cannot authenticate it against /etc/shadow. See above.
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=5, length=146 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "mts" MS-CHAP-Challenge = 0x6b61b1ed954a289c0fa3aebedc329ac6 MS-CHAP2-Response = 0x8f0001684e1d34295e1232edb0682bd04e6e00000000000000002caaa9579823e00501812d3e2dce9225b7dd251c02e1fd89
These error messages are quite detailed:
Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password. Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password. Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: Told to do MS-CHAPv2 for mts with NT-Password Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
As it says.