Client is using MSCHAPv2 for %s, we need NT-Password
Is this message merely informative, or does it indicate a problem? I'm attempting to debug my issue with something else and this is the only line I see that sounds like a warning/error prior to the rejection happening. From what I see in rlm_mschap.c, I would have seen a different message if the code could not either find a valid NT-Password attribute[1] or could not create one from a Cleartext-Password attribute[2]. Based on the comment left above the message
The old "mschapv2" function has been moved to here
It leads me to believe this line is informative only. (i.e., we need this attribute to be present, and unless you've seen otherwise it is). -Matt [1] https://github.com/FreeRADIUS/freeradius-server/blob/ec8c055b4c8e9358a08d511... [2] https://github.com/FreeRADIUS/freeradius-server/blob/ec8c055b4c8e9358a08d511...
Matthew Berry wrote:
Is this message merely informative, or does it indicate a problem?
The message should be clear. What part is hard to understand? See also: http://deployingradius.com/documents/protocols/compatibility.html
I'm attempting to debug my issue with something else and this is the only line I see that sounds like a warning/error prior to the rejection happening.
Then it's the cause of the reject, isn't it? Alan DeKok.
Alan DeKok <aland@deployingradius.com> wrote:
The message should be clear. What part is hard to understand? See also:
http://deployingradius.com/documents/protocols/compatibility.html
I checked out the link provided (and the source code) and I still take issue with the message. It says it needs the NT-Password but doesn't clearly indicate if it has an NT-Password. Clearly if it needs one but it doesn't have one that's a problem. However if it needs one and it has what it needs, well that's just a nice informative message. When I read "we need NT-Password" I read that as "we need NT-Password in order to operate but are missing one", this of course is subjective others might read it the other way. The question is, why bother mentioning it at all in that case? I need air to breathe. I have plenty of air though, so it's not a big deal. It's safe to assume I have air unless I say otherwise. If I told you I need air, you'd (hopefully) become concerned for my well being.
Then it's the cause of the reject, isn't it?
Turns out it wasn't, there was a mismatch in the passwords. Sometimes you spend so much time looking at the tiny details you miss the obvious. After I put the correct password in everything was fine. -Matt
Matthew Berry wrote:
I checked out the link provided (and the source code) and I still take issue with the message. It says it needs the NT-Password but doesn't clearly indicate if it has an NT-Password.
If you read the source code, you'll see it DOES indicate it has an NT-Password. But only when it has one.
Then it's the cause of the reject, isn't it?
Turns out it wasn't, there was a mismatch in the passwords.
That's not what the debug output said.
Sometimes you spend so much time looking at the tiny details you miss the obvious. After I put the correct password in everything was fine.
And the debug output shows "Found NT-Password", which wasn't there before. Alan DeKok.
On Sat, Jun 14, 2014 at 6:21 AM, Alan DeKok <aland@deployingradius.com> wrote:
If you read the source code, you'll see it DOES indicate it has an NT-Password. But only when it has one.
"Found NT-Password" appears if and only if the NT-Password attribute is present, but the last part of that if/elseif/else deals with the case where an NT-Password is calculated from a clear-text password. In that branch, no message is produced.
That's not what the debug output said. ... And the debug output shows "Found NT-Password", which wasn't there before.
I have not posted any output in this thread. This thread is completely separate from the other thread I started. That thread was using the older 2.1 version of freeradius that is in the Ubuntu repos, whereas this thread is using the 2.x branch from github. -Matt
participants (2)
-
Alan DeKok -
Matthew Berry