PAP works, MSCHAP fails - specifically MSCHAPv2. This is a fresh install of 2.1.10, built from source. I'm using ntlm_auth; samba version 3.0.33-3.7.el5 I also have version 2.1.6 running on the same box and it "mostly" works: seems to work with everything except Winblows7, hence I installed 2.1.10 in a different dir structure and it's listening on different ports. I just tested a login using the same user account and pw; works great on 2.1.6 but fails on 2.1.10. I've tried 4 or 5 different command strings for ntlm_auth - no go. It's as if mschap is not using ntlm_auth, but not sure. I'll keep checking and googling, but any hints would be appreciated! TIA! Gary I've changed only the minimum from the default, clients.conf and the recommended for integrating with AD: http://deployingradius.com/documents/configuration/active_directory.html rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=19, length=224 NAS-IP-Address = 1.1.2.4 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "netengtest" Calling-Station-Id = "000000000000" Called-Station-Id = "000B8661BF34" MS-CHAP-Challenge = 0x9b1a142405c7a0dbe4f486d9d3fb2090 MS-CHAP2-Response = 0x00006cda5d434c296668b7f2b446899e01af0000000000000000419c6cfec984b856377a6c40c6144373a1dbc14f777ce8eb Service-Type = Login-User Aruba-Location-Id = "N/A" NAS-Identifier = "My802.11controller" Message-Authenticator = 0x02610ba4a72cdc35ce94415f1ae46dcb # Executing section authorize from file /devel/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "netengtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /devel/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: netengtest [mschap] Told to do MS-CHAPv2 for netengtest with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /devel/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> netengtest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 19 to 1.1.2.4 port 33350 Waking up in 4.9 seconds. Cleaning up request 3 ID 19 with timestamp +372 Ready to process requests. <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Did you see this in your debug output: [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: netengtest [mschap] Told to do MS-CHAPv2 for netengtest with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
Yes, but I don't know what that means exactly. "WHY" is there no NT/LM password? My 802.11 controller "test auth function" seems to work fine on 2.1.6; and I'm using the same user info. My ignorance is getting in my way, hence my post. Several years ago I was making headway, but I've forgotten much of what I learned :( ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Garber, Neal Sent: Wednesday, May 11, 2011 3:32 PM To: 'FreeRadius users mailing list' Subject: RE: MSCHAP failing on new 2.1.10 install Did you see this in your debug output: [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: netengtest [mschap] Told to do MS-CHAPv2 for netengtest with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 05/11/2011 09:12 PM, Gary Gatten wrote:
PAP works, MSCHAP fails – specifically MSCHAPv2.
This is a fresh install of 2.1.10, built from source. I’m using ntlm_auth;
No, you're not:
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
See? No "ntlm_auth"
I told it to use ntlm_auth, I guess it's not listening. I followed docs AND RTFM, guess I missed something.... I did notice the 2.1.10 includes a "module" called ntlm_auth where 2.1.6 did not. I'm looking into this now... -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, May 11, 2011 3:38 PM To: freeradius-users@lists.freeradius.org Subject: Re: MSCHAP failing on new 2.1.10 install On 05/11/2011 09:12 PM, Gary Gatten wrote:
PAP works, MSCHAP fails - specifically MSCHAPv2.
This is a fresh install of 2.1.10, built from source. I'm using ntlm_auth;
No, you're not:
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
See? No "ntlm_auth" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Here's a debug from the 2.1.6 that's working... Wait a sec.... I think I MAY have found something. I'm making backup copies of the files with a .org extension... I bet it's reading the .org files and overwriting my changes. Standby.... rad_recv: Access-Request packet from host 10.1.22.194 port 32794, id=125, length=219 NAS-IP-Address = 1.1.2.4 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "netengtest" Calling-Station-Id = "000000000000" Called-Station-Id = "000B8661BF34" MS-CHAP-Challenge = 0x6dba078ee718725c618d84a1edce5d14 MS-CHAP2-Response = 0x0000bb4bb8bf5790e6f254f196e3dc59af970000000000000000f78d6e1108740133b7a6b5248401860d589fece32e60e83d Service-Type = Login-User Aruba-Location-Id = "N/A" NAS-Identifier = "HQ" Message-Authenticator = 0xe64a9afbb0da2f21d145e35dd4339e5f +- entering group authorize {...} [preprocess] expand: %{NAS-IP-Address} -> 1.1.2.4 [preprocess] expand: %{NAS-IP-Address} -> 1.1.2.4 ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "netengtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for netengtest with NT-Password [mschap] expand: %{mschap:User-Name} -> netengtest [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest [mschap] mschap2: 6d [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=22eb815d95193969 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=f78d6e1108740133b7a6b5248401860d589fece32e60e83d Exec-Program output: NT_KEY: 2CB678F2CDDD71FC2F7E2E038A479AC4 Exec-Program-Wait: plaintext: NT_KEY: 2CB678F2CDDD71FC2F7E2E038A479AC4 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok Login OK: [netengtest] (from client port 0 cli 000000000000) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 125 to 1.1.2.4 port 32794 MS-CHAP2-Success = 0x00533d38394139443743353134443335433741333733434338353734334543323944414144443635443733 MS-MPPE-Recv-Key = 0xc0897c3ada77f45bda8b05c5814a2c1a MS-MPPE-Send-Key = 0x113ca9198c618a90fabb20678030dee3 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 125 with timestamp +6 Ready to process requests. -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Wednesday, May 11, 2011 3:43 PM To: 'FreeRadius users mailing list' Subject: RE: MSCHAP failing on new 2.1.10 install I told it to use ntlm_auth, I guess it's not listening. I followed docs AND RTFM, guess I missed something.... I did notice the 2.1.10 includes a "module" called ntlm_auth where 2.1.6 did not. I'm looking into this now... -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, May 11, 2011 3:38 PM To: freeradius-users@lists.freeradius.org Subject: Re: MSCHAP failing on new 2.1.10 install On 05/11/2011 09:12 PM, Gary Gatten wrote:
PAP works, MSCHAP fails - specifically MSCHAPv2.
This is a fresh install of 2.1.10, built from source. I'm using ntlm_auth;
No, you're not:
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
See? No "ntlm_auth" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 05/11/2011 05:07 PM, Gary Gatten wrote:
Here's a debug from the 2.1.6 that's working... Wait a sec.... I think I MAY have found something. I'm making backup copies of the files with a .org extension... I bet it's reading the .org files and overwriting my changes. Standby....
Yes, that's likely happening. The server reads all files in the directory. Don't feel bad, you're not the first person to get burned by this behavior. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Quick test shows this is working now. Not tested enough yet to claim victory, but I'm not scratching my head going WTF.... I VAGUELY recall burning myself several years ago when I started playing with FR, hence why I remembered it - finally! If I feel froggy I MAY tweak the source and submit a "patch" to ignore files with any extension. Of course some people may not like that... Perhaps a seting in radiusd.conf with file extensions to ignore; such as .bak, .org, etc. Anything in that list would be ignored... I like that one, but since I can't code worth a $hit it would take me a LONG time for this one. Maybe I can/will submit a feature request for such a thing... Gary -----Original Message----- From: John Dennis [mailto:jdennis@redhat.com] Sent: Wednesday, May 11, 2011 4:17 PM To: FreeRadius users mailing list Cc: Gary Gatten Subject: Re: MSCHAP failing on new 2.1.10 install On 05/11/2011 05:07 PM, Gary Gatten wrote:
Here's a debug from the 2.1.6 that's working... Wait a sec.... I think I MAY have found something. I'm making backup copies of the files with a .org extension... I bet it's reading the .org files and overwriting my changes. Standby....
Yes, that's likely happening. The server reads all files in the directory. Don't feel bad, you're not the first person to get burned by this behavior. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Hi,
Quick test shows this is working now. Not tested enough yet to claim victory, but I'm not scratching my head going WTF.... I VAGUELY recall burning myself several years ago when I started playing with FR, hence why I remembered it - finally!
If I feel froggy I MAY tweak the source and submit a "patch" to ignore files with any extension. Of course some people may not like that... Perhaps a seting in radiusd.conf with file extensions to ignore; such as .bak, .org, etc. Anything in that list would be ignored... I like that one, but since I can't code worth a $hit it would take me a LONG time for this one. Maybe I can/will submit a feature request for such a thing...
there was similar discussion end of last year or so.....my view is that you just make a new directory eg sites-old and dump the old configs or backups into there...they wont get read then :-) alan
I ended up doing something similar, so yeah that will work. Lots of ways to do it I guess. At minimum perhaps a BIG WARNING in the README's telling you to not make file backups in the "live" directories. Or, maybe do something like the sites directory for modules and others: modules-available and modules-enabled? That would work for me too. G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Wednesday, May 11, 2011 4:46 PM To: FreeRadius users mailing list Subject: Re: MSCHAP failing on new 2.1.10 install Hi,
Quick test shows this is working now. Not tested enough yet to claim victory, but I'm not scratching my head going WTF.... I VAGUELY recall burning myself several years ago when I started playing with FR, hence why I remembered it - finally!
If I feel froggy I MAY tweak the source and submit a "patch" to ignore files with any extension. Of course some people may not like that... Perhaps a seting in radiusd.conf with file extensions to ignore; such as .bak, .org, etc. Anything in that list would be ignored... I like that one, but since I can't code worth a $hit it would take me a LONG time for this one. Maybe I can/will submit a feature request for such a thing...
there was similar discussion end of last year or so.....my view is that you just make a new directory eg sites-old and dump the old configs or backups into there...they wont get read then :-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Can't you include files by pattern match or am i imagining a feature? -Arran On May 11, 2011, at 2:51 PM, Gary Gatten wrote:
I ended up doing something similar, so yeah that will work. Lots of ways to do it I guess. At minimum perhaps a BIG WARNING in the README's telling you to not make file backups in the "live" directories. Or, maybe do something like the sites directory for modules and others: modules-available and modules-enabled? That would work for me too.
G
-----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Wednesday, May 11, 2011 4:46 PM To: FreeRadius users mailing list Subject: Re: MSCHAP failing on new 2.1.10 install
Hi,
Quick test shows this is working now. Not tested enough yet to claim victory, but I'm not scratching my head going WTF.... I VAGUELY recall burning myself several years ago when I started playing with FR, hence why I remembered it - finally!
If I feel froggy I MAY tweak the source and submit a "patch" to ignore files with any extension. Of course some people may not like that... Perhaps a seting in radiusd.conf with file extensions to ignore; such as .bak, .org, etc. Anything in that list would be ignored... I like that one, but since I can't code worth a $hit it would take me a LONG time for this one. Maybe I can/will submit a feature request for such a thing...
there was similar discussion end of last year or so.....my view is that you just make a new directory eg sites-old and dump the old configs or backups into there...they wont get read then :-)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell RM-RF Limited - Security consultation and contracting VoIP: +1 916-436-1352 Cell: +44 7854041841
John Dennis wrote:
On 05/11/2011 05:07 PM, Gary Gatten wrote:
Here's a debug from the 2.1.6 that's working... Wait a sec.... I think I MAY have found something. I'm making backup copies of the files with a .org extension... I bet it's reading the .org files and overwriting my changes. Standby....
Yes, that's likely happening. The server reads all files in the directory. Don't feel bad, you're not the first person to get burned by this behavior.
In version 2.1.11, it checks for duplicate module/virtual server configurations. Any duplicate means a configuration error, and the server refuses to start. Alan DeKok.
participants (7)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Garber, Neal -
Gary Gatten -
John Dennis -
Phil Mayers