pptpd mschap auth fails
i have pptpd on a centos 6 box configured to use radius for auth. radius in turn checks credentials in ldap. the user in ldap has a samba extension and a configured password (i used ldap account manager to set it up) it also has a sambaNTPassword field and it's populated. rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64 the auth fails however when i try conencting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords. this is the log from radiusd -X rad_recv: Access-Request packet from host 127.0.0.1 port 49338, id=12, length=152 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "testuser1" MS-CHAP-Challenge = 0x09235ac983790fedc6ccf93af69b67bf MS-CHAP2-Response = 0x5e004a81f91bcf75cd6452c64bd587a74f210000000000000000ff5eaa8a5df6639683423ed294074ceb705105d5d762932d Calling-Station-Id = "***.***.***.***" - edited out NAS-IP-Address = 127.0.0.1 NAS-Port = 0 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "testuser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok [ldap] performing user authorization for testuser1 [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> testuser1 [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser1) [ldap] expand: dc=my-domain,dc=com -> dc=my-domain,dc=com - edited out [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=my-domain,dc=com, with filter (uid=testuser1) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}YQwkujoqTZAKF1Jl1e1JRxKKvDVVRGYv" [ldap] sambaNtPassword -> NT-Password == 0x3331443643464530443136414539333142373343353944374530433038394330 [ldap] looking for reply items in directory... [ldap] user testuser1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: testuser1 [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 12 to 127.0.0.1 port 49338 MS-CHAP-Error = "^E=691 R=1 C=50685502b0ea6334450d0cd8077ac242 V=3 M=Re-enter (or reset) the password" Waking up in 4.9 seconds. Cleaning up request 4 ID 12 with timestamp +801 Ready to process requests.
On 06/08/13 16:04, Horatiu Nimigean wrote:
i have pptpd on a centos 6 box configured to use radius for auth. radius in turn checks credentials in ldap. the user in ldap has a samba extension and a configured password (i used ldap account manager to set it up) it also has a sambaNTPassword field and it's populated. rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64
the auth fails however when i try conencting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords.
I you are *really* sure of this (have you created a test user with a simple password?), then it might be the PAP module "helpfully" fiddling with the password:
[pap] Normalizing NT-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding
Try commenting out "pap", since you're not using it
ok so i edited /etc/raddb/sites-enabled/default and commented pap from authorize { ... } and commented Auth-Type PAP { pap } from authenticate { ... } but i still have the same error . i have also created a new user betatesting1 i have also tested in the local shell (although it attempts mschapv1) and it gives me the same error [root@be-vpn ~]# radtest -t mschap betatesting1 secret 127.0.0.1 1812 myubersecretpassword Sending Access-Request of id 13 to 127.0.0.1 port 1812 User-Name = "betatesting1" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0xdca09b5922346674 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000048cc2307c5dcb95d9cdc59f621d5d7e4b17c391d8ab5b4f4 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=13, length=112 MS-CHAP-Error = "\000E=691 R=1 C=f20ec16aa685d6a06f1ed900857d9c0e V=3 M=Re-enter (or reset) the password" On 8/6/2013 6:31 PM, Phil Mayers wrote:
On 06/08/13 16:04, Horatiu Nimigean wrote:
i have pptpd on a centos 6 box configured to use radius for auth. radius in turn checks credentials in ldap. the user in ldap has a samba extension and a configured password (i used ldap account manager to set it up) it also has a sambaNTPassword field and it's populated. rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64
the auth fails however when i try conencting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords.
I you are *really* sure of this (have you created a test user with a simple password?), then it might be the PAP module "helpfully" fiddling with the password:
[pap] Normalizing NT-Password from hex encoding [pap] Normalizing SSHA1-Password from base64 encoding
Try commenting out "pap", since you're not using it - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Horatiu Nimigean wrote:
the auth fails however when i try conencting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords.
No, you're not.
[mschap] Found NT-Password [mschap] Creating challenge hash with username: testuser1 [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
The passwords are different. Alan DeKok.
oook.... the damn password is "letmein" for testing purposes. i can't seriously mistype it that many times. and i did not. it turns out lam successfully reports changing both unix and samba passwords but upon closer inspection and verifying with smbencrypt cli tool the samba hases are NOT updated. Apologies. upon editing with apache directory studio it auths perfectly. both from win8 client as well as radtest. thanks for strongly pointing out that indeed there s a problem with the damn hashes. Cheers. On 8/6/2013 6:36 PM, Alan DeKok wrote:
Horatiu Nimigean wrote:
the auth fails however when i try conencting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords. No, you're not.
[mschap] Found NT-Password [mschap] Creating challenge hash with username: testuser1 [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
The passwords are different.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Horatiu Nimigean -
Phil Mayers