Fwd: MSCHAP module returns OK, authentication fails..
EAP-MSCHAPV2: Invalid authenticator response in success request
Upgrade Samba. If you're not using at least 3.2.1, upgrade to that.
http://jim.geezas.com/stuff/radius-debugging/ *-failure.log), the message authenticator does seem to be invalid,
No. eapol_test is saying that the MSCHAP response is invalid.
Has anyone seen this problem before, or am I looking in the wrong place?
Others have seen exactly the same thing in the past weeks. Upgrading Samba fixed it.
Alan DeKok. -
I've upgraded to the testing version of samba for FC9, 3.2.1 which unfortunately didn't resolve the issue - still getting the 'Invalid authenticator response in success request' problem. jim@florence:~$ /usr/sbin/winbindd -V Version 3.2.1-18.fc9 Is there a known good version of Samba, or could the problem lie elsewhere? I've included the server output from the MSCHAP module trying the authentication for reference. +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for jim2 with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=jim2 rlm_mschap: No NT-Domain was found in the User-Name. expand: --domain=%{mschap:NT-Domain:-CURRICULUM} -> --domain=CURRICULUM mschap2: ee expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c48639cf15fbe669 expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0b4b18f4afaa63f4147e4250c8c907f3248ba67e7ee976a0 Exec-Program output: NT_KEY: 1847BA6C5854C261219362F18B4923E4 Exec-Program-Wait: plaintext: NT_KEY: 1847BA6C5854C261219362F18B4923E4 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d39313431454342383036383441464346413533303131384242454445363435373037323941383039 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x40622130416a3b8e9b04d3d502f1f161 PEAP: Processing from tunneled session code 0xa13a0d0 11 EAP-Message = 0x010800331a0307002e533d39313431454342383036383441464346413533303131384242454445363435373037323941383039 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x40622130416a3b8e9b04d3d502f1f161 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 127.0.0.1 port 35048 EAP-Message = 0x0108005b19001703010050a25e02bf01a7f7f6ca355df2cec89e3c2508b47b180497a05669336d0ac233f14b38ed612205594956295de1abbda4f5e4f8f03753d57524e01a42e5d29cabcf7996143335211d76065176783a7bb8ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5899ddd95f91c4e2ae146201bfc3a1be Finished request 7. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 0 with timestamp +5 Cleaning up request 1 ID 1 with timestamp +5 Cleaning up request 2 ID 2 with timestamp +5 Cleaning up request 3 ID 3 with timestamp +5 Cleaning up request 4 ID 4 with timestamp +5 Cleaning up request 5 ID 5 with timestamp +5 Cleaning up request 6 ID 6 with timestamp +5 Cleaning up request 7 ID 7 with timestamp +5 Ready to process requests. Thanks, James
James Yale wrote:
I've upgraded to the testing version of samba for FC9, 3.2.1 which unfortunately didn't resolve the issue - still getting the 'Invalid authenticator response in success request' problem.
If it works when you put a Cleartext-Password in the "users" file, then there isn't much wrong with FreeRADIUS. In this case, FreeRADIUS is at the mercy of ntlm/samba/AD. If the returned NT-key is wrong (and the supplicant says so), then there really isn't anything that FreeRADIUS can do to fix it.
Is there a known good version of Samba, or could the problem lie elsewhere?
That version of Samba has been known to fix the problem for other people. Alan DeKok.
hi, whats wrong with that debug? looked fine here - that should end with a happy connection. ntlm_auth got the correct response. alan
2008/8/28 <A.L.M.Buxey@lboro.ac.uk>:
hi,
whats wrong with that debug? looked fine here - that should end with a happy connection. ntlm_auth got the correct response.
alan
The problem is that when that log ends the WPA supplicant gets: -- EAP-MSCHAPV2: Invalid authenticator response in success request And the authentication fails. The full logs of the failure are at: http://jim.geezas.com/stuff/radius-debugging/eapol-ntlmuser-failure.log for the supplicant and: http://jim.geezas.com/stuff/radius-debugging/radius-ntlmuser-failure.log for radiusd. I'm going to try afew different distributions/versions of FreeRadius and Samba, perhaps compile from source - presumably this configuration is fairly common and working elsewhere, so it should work with some combination (if I find one I'll post it up). Thanks, James
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
James Yale