RE: MSCHAPv2, MySQL, Freeradius
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius- users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, 3 October 2005 2:48 PM To: FreeRadius users mailing list Subject: Re: MSCHAPv2, MySQL, Freeradius
"Dan Russell" <dan@in-house.com.au> wrote:
If I used a third party tool like mkntpwd to create NT Hashes, could I put premade hashes in the database and use them to authenticate ... Is there any specific config change I would need to make to enable this?
No. It should work in the default config.
How does freeradius identify that the password has already been NT hashed?
Because you put it into the NT-Password attribute, instead of the User-Password attribute.
Okay, I've tried that and not found it to work for me. I looked through the source code to the rlm_mschap now and have found where I believe it is falling over. It tries to get the 'User-Password' attribute first (which it fails on, I don't have one), then it tried to get the 'LM-Password' attribute which it also fails on. After dealing with that it tries the same thing with 'NT-Password'. For some reason it isn't pulling these attributes out of mysql.. After looking at the debug output from freeradius, the sql statement that it executes when it receives an authentication request should return the LM-Password and NT-Password. When I try to authenticate it gives me the error : " rlm_mschap: No User-Password configured. Cannot create LM-Password." " rlm_mschap: No User-Password configured. Cannot create NT-Password." And a couple of lines later I get " rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication." I'm not sure why it isn't picking the attributes up.. If its any help, I'm using mysql 4.1.11 and freeradius 1.0.2
What stops it from encrypting whatever it finds in the radcheck table for the password?
I have no idea what question you're asking. So far as I can tell, the answer is "it doesn't work that way".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Dan Russell" <dan@in-house.com.au> wrote:
Because you put it into the NT-Password attribute, instead of the User-Password attribute.
Okay, I've tried that and not found it to work for me.
Sorry, it *does* work. Since you didn't provide any debug logs or config examples, I can only suggest that you probably did it wrong.
It tries to get the 'User-Password' attribute first (which it fails on, I don't have one), then it tried to get the 'LM-Password' attribute which it also fails on. After dealing with that it tries the same thing with 'NT-Password'. For some reason it isn't pulling these attributes out of mysql..
Read the debug log. It will tell you what it *is* getting from MySQL.
After looking at the debug output from freeradius, the sql statement that it executes when it receives an authentication request should return the LM-Password and NT-Password.
Does it return those attributes when you run the query by hand? Alan DeKok.
participants (2)
-
Alan DeKok -
Dan Russell