Using 1.1.4, still can't get MSCHAPv2 working to a local file. Here is the full output and the conf files: Thread 2 handling request 1, (1 handled so far) NAS-Identifier = "localhost" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "127.0.0.1" User-Name = "cobb@guests" MS-CHAP2-Response = 0x0101e79fb5f1bd1b2c95f335275ebc9e3d5a0000000000000000be30b1b54d7e9a9785 bd07c4cb7188553e231dbfa355970a MS-CHAP-Challenge = 0x1d9fbe47738e455b28dd9bc9bc81a6df Service-Type = 47 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 1 rlm_realm: Looking up realm "guests" for User-Name = "cobb@guests" rlm_realm: Found realm "guests" rlm_realm: Adding Stripped-User-Name = "cobb" rlm_realm: Proxying request from user cobb to realm guests rlm_realm: Adding Realm = "guests" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "ntdomain" returns noop for request 1 modcall: leaving group (returns noop) for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry cobb at line 1 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 1 rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 1 modcall: leaving group MS-CHAP (returns reject) for request 1 auth: Failed to validate the user. Login incorrect: [cobb@guests] (from client localhost port 0 cli 127.0.0.1) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 1 users file: cobb User-Password=="secret" (also tried Cleartext-Password with same results) proxy.conf: proxy server { synchronous = no retry_delay = 5 retry_count = 3 dead_time = 120 default_fallback = yes post_proxy_authorize = no } realm guests { type = radius authhost = LOCAL:1812 accthost = LOCAL:1813 secret = whatever } realm testlab.com { type = radius authhost = 172.16.0.3:1812 accthost = 172.16.0.3:1813 secret = testing } realm DEFAULT { type = radius authhost = 172.16.0.3:1812 accthost = 172.16.0.3:1813 secret = testing } radius.conf: prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var/lib sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = /var/log/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 1812 listen { ipaddr = * port = 1645 type = auth } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no # Reload the cache every 600 seconds (10mins). 0 to disable. cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP #use_mppe = no #require_encryption = yes #require_strong = yes #with_ntdomain_hack = no } ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } # 'username@realm' # realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = yes } # 'username%realm' # realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no #notfound-reject = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } # Write a detailed log of all accounting records received. # detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { # Where the file is stored. It's not a log file, # so it doesn't need rotating. # filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } # attr_filter - filters the attributes received in replies from # proxied servers, to make sure we send back to our RADIUS client # only allowed attributes. attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { # range-start,range-stop: The start and end ip # addresses for the ip pool range-start = 192.168.1.1 range-stop = 192.168.3.254 # netmask: The network mask used for the ip's netmask = 255.255.255.0 # cache-size: The gdbm cache size for the db # files. Should be equal to the number of ip's # available in the ip pool cache-size = 800 # session-db: The main db file used to allocate ip's to clients session-db = ${raddbdir}/db.ippool # ip-index: Helper db index file used in multilink ip-index = ${raddbdir}/db.ipindex # override: Will this ippool override a Framed-IP-Address already set override = no # maximum-timeout: If not zero specifies the maximum time in seconds an # entry may be active. Default: 0 maximum-timeout = 0 } } instantiate { exec expr # daily } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { preprocess chap mschap suffix ntdomain eap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique suffix ntdomain # # Read the 'acct_users' file files } accounting { detail unix radutmp } session { radutmp } post-auth { } post-proxy { eap }
Hi,
Using 1.1.4, still can't get MSCHAPv2 working to a local file. Here is the full output and the conf files:
use 1.1.6
rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password
note this debug output line.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
attempt was rejected. why? ...
cobb User-Password=="secret"
(also tried Cleartext-Password with same results)
thats why. you cant use a plain password. alan
Hello,
thats why. you cant use a plain password.
alan
[Cobb] What should I use? I have tried User-Password==, Cleartext-Password:=, Cleartext-Password==, NT-Password=="0x0123456789abcdef...", NT-Password=="0123456789abcdef......" All complain that the NT Response is invalid and all but User-Password complain that the User-Password is not supplied.
Try := with NT-Password. Cleartext-Password works fine in 1.1.6 Ivan Kalik Kalik Informatika ISP Dana 21/6/2007, "Matt Cobb" <mattc@lockdownnetworks.com> piše:
Hello,
thats why. you cant use a plain password.
alan
[Cobb] What should I use? I have tried User-Password==, Cleartext-Password:=, Cleartext-Password==, NT-Password=="0x0123456789abcdef...", NT-Password=="0123456789abcdef......"
All complain that the NT Response is invalid and all but User-Password complain that the User-Password is not supplied.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Same thing basically: rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: Found NT-Password rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 My users file now looks like: #cobb User-Password=="secret" #cobb Cleartext-Password=="secret" #cobb Cleartext-Password:="secret" #cobb NT-Password == "0xB6FFB3200061D7B7928F0D932F095128" #cobb NT-Password == "B6FFB3200061D7B7928F0D932F095128" #cobb NT-Password := "0xB6FFB3200061D7B7928F0D932F095128" cobb NT-Password := "B6FFB3200061D7B7928F0D932F095128"
Tried that already. cobb Cleartext-Password := "secret" It just spits out an error that says I didn't use User-Password and fails: Thread 1 handling request 0, (1 handled so far) NAS-Identifier = "localhost" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "127.0.0.1" User-Name = "cobb@guests" MS-CHAP2-Response = 0x01013410fa7660ac21dc93c5313bcab77f150000000000000000e601cdc04a6c368aed b66db426dff79111702aa7dbf9d3bb MS-CHAP-Challenge = 0xc171ce27fd0fc0189daf86b649fe8588 Service-Type = 47 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 modcall: entering group for request 0 rlm_realm: Looking up realm "guests" for User-Name = "cobb@guests" rlm_realm: Found realm "guests" rlm_realm: Adding Stripped-User-Name = "cobb" rlm_realm: Proxying request from user cobb to realm guests rlm_realm: Adding Realm = "guests" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "ntdomain" returns noop for request 0 modcall: leaving group (returns noop) for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry cobb at line 2 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect: [cobb@guests] (from client localhost port 0 cli 127.0.0.1) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 0 DBUS Method Call to com.lockdownnetworks.RadiusEvents:/ on com.lockdownnetworks.RadiusEvents Early exit of processing return values. Finished with dbus method. modcall[post-auth]: module "dbus" returns reject for request 0 modcall: leaving group REJECT (returns reject) for request 0 Delaying request 0 for 1 seconds Finished request 0 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 127.0.0.1:32776, id=181, length=161 Sending Access-Reject of id 181 to 127.0.0.1 port 32776 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 181 with timestamp 467ae04a Nothing to do. Sleeping until we see a request. -----Original Message----- From: freeradius-users-bounces+mattc=lockdownnetworks.com@lists.freeradius.org [mailto:freeradius-users-bounces+mattc=lockdownnetworks.com@lists.freera dius.org] On Behalf Of tnt@kalik.co.yu Sent: Thursday, June 21, 2007 11:30 AM To: FreeRadius users mailing list Subject: Re: MSCHAPv2 with 1.1.4
users file:
cobb User-Password=="secret"
(also tried Cleartext-Password with same results)
Wrong operator (==) for Cleartext-Password. Use := cobb Cleartext-Password := "secret" Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matt Cobb wrote:
Using 1.1.4, still can’t get MSCHAPv2 working to a local file. Here is ... rlm_mschap: Told to do MS-CHAPv2 for cobb@guests with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Then either the password you have on the server isn't the same as the password on the client, OR the MS-CHAP calculations are being done different on the client and server. FreeRADIUS works in tens of thousands of deployments using MS-CHAP, for tens of millions of users. It's fine. See src/tests for a sample MS-CHAP request that you can send to the server with radclient. If *that* fails, then something is very broken on your system. If it works, then either the passwords aren't the same, OR the client you're using is broken. So... which client are you using? Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Matt Cobb -
tnt@kalik.co.yu