MS-CHAPv2 change password not working in master
Hi, I downloaded git master yesterday to test the new MS-CHAPv2 change password functionality. My setup is a Cisco router with "passwd-expiry" setup with Cisco VPN client for login, with FreeRadius to Windows AD through Winbind. MS-CHAPv2 authentication works fine. Winbind and AD setup is right. But testing the new passchange functionality by selecting "User must change password at next logon" in the Windows user, the New password windows popup in Cisco VPN client, but the change password process fails: ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . . Winbind logs also shows: NT_STATUS_WRONG_PASSWORD Looking into code I suppose the problem is something with the old NT hash, but not an expert here. Any help would be apreciated. In these logs the user is "NIMASTELECOM\testpw". The current password is "y58R41ut8W" (expired). And the new password used was "H6eEWu7r65tw38ert1". Some radius logs: === # radiusd -X radiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Nov 16 2012 at 01:46:19 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... ...................................... Ready to process requests. rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=127, length=202 User-Name = "NIMASTELECOM\\testpw" Calling-Station-Id = "217.126.166.195" MS-CHAP-Challenge = 0xdd2a98d3c3c69fb959df2f561d50d025 MS-CHAP2-Response = 0x01007b0896de80c7098bac5566313c61d1b200000000000000003cc2724e1d2be6d1868df97bd0607859441dc99b5ef37af0 NAS-Port-Type = Virtual Cisco-NAS-Port = "85.112.6.36" NAS-Port = 0 NAS-Port-Id = "85.112.6.36" Service-Type = Login-User NAS-IP-Address = 10.112.14.2 Event-Timestamp = "Nov 16 2012 10:39:06 CET" (0) # Executing section authorize from file /etc/raddb/sites-enabled/vpn_nimas_tk (0) group authorize { (0) - entering group authorize {...} (0) mschap-vpn_nimas_tk : Found MS-CHAP attributes. Setting 'Auth-Type = mschap-vpn_nimas_tk' (0) [mschap-vpn_nimas_tk] = ok (0) ? if (!control:Auth-Type) (0) ? Evaluating !(control:Auth-Type) -> FALSE (0) ? if (!control:Auth-Type) -> FALSE (0) detail-vpn_nimas_tk-auth : expand: /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d -> /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (0) detail-vpn_nimas_tk-auth : /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (0) detail-vpn_nimas_tk-auth : expand: %t -> Fri Nov 16 10:39:06 2012 (0) [detail-vpn_nimas_tk-auth] = ok (0) Found Auth-Type = MSCHAP (0) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk (0) group MS-CHAP { (0) - entering group MS-CHAP {...} (0) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw (0) mschap-vpn_nimas_tk : Client is using MS-CHAPv2 for testpw, we need NT-Password (0) mschap-vpn_nimas_tk : expand: --username=%{mschap-vpn_nimas_tk:User-Name} -> --username=testpw (0) mschap-vpn_nimas_tk : expand: --domain=%{mschap-vpn_nimas_tk:NT-Domain} -> --domain=NIMASTELECOM (0) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw (0) mschap-vpn_nimas_tk : expand: --challenge=%{mschap-vpn_nimas_tk:Challenge:-00} -> --challenge=3550f7bf5746677f (0) mschap-vpn_nimas_tk : expand: --nt-response=%{mschap-vpn_nimas_tk:NT-Response:-00} -> --nt-response=3cc2724e1d2be6d1868df97bd0607859441dc99b5ef37af0 Exec-Program output: Must change password (0xc0000224) Exec-Program-Wait: plaintext: Must change password (0xc0000224) Exec-Program: returned: 1 (0) mschap-vpn_nimas_tk : ntlm_auth says Must change password (0xc0000224) (0) [mschap-vpn_nimas_tk] = reject (0) Failed to authenticate the user. (0) Login incorrect: [NIMASTELECOM\\testpw] (from client RMADTKNIMAS01 port 0 cli 217.126.166.195) (0) Using Post-Auth-Type Reject (0) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. (0) Finished request 0. Waking up in 0.9 seconds. (0) Sending delayed reject Sending Access-Reject of id 127 from 85.112.8.156 port 1812 to 10.112.14.2 port 1645 MS-CHAP-Error = "\001E=648 R=0 C=47763c0a72e4fb2d546c9a413245f87b V=3 M=Password Expired" Waking up in 4.9 seconds. (0) Cleaning up request packet ID 127 with timestamp +14 Ready to process requests. rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=128, length=755 User-Name = "NIMASTELECOM\\testpw" MS-CHAP-Challenge = 0xf42a98d3c3c69fb959df2f561d50d025 MS-CHAP2-CPW = 0x070100000000000000000000000000000000b79a22699ae1dedc832935c8f5c5d7880000000000000000b0bfd263d6c0bbc0b2b28e085c072676857cf1f7c6f88a300000 MS-CHAP-NT-Enc-PW = 0x0601000176116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb52114017 MS-CHAP-NT-Enc-PW = 0x060100025ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d582 MS-CHAP-NT-Enc-PW = 0x060100030c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bd99e89c3c6d56a3e9eb3a8025d5ef968ba7523c78f11bb43cd49936d2b28d289788d164b507a76fb6 NAS-Port-Type = Virtual Cisco-NAS-Port = "85.112.6.36" NAS-Port = 0 NAS-Port-Id = "85.112.6.36" Service-Type = Login-User NAS-IP-Address = 10.112.14.2 Event-Timestamp = "Nov 16 2012 10:39:20 CET" (1) # Executing section authorize from file /etc/raddb/sites-enabled/vpn_nimas_tk (1) group authorize { (1) - entering group authorize {...} (1) mschap-vpn_nimas_tk : Found MS-CHAP attributes. Setting 'Auth-Type = mschap-vpn_nimas_tk' (1) [mschap-vpn_nimas_tk] = ok (1) ? if (!control:Auth-Type) (1) ? Evaluating !(control:Auth-Type) -> FALSE (1) ? if (!control:Auth-Type) -> FALSE (1) detail-vpn_nimas_tk-auth : expand: /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d -> /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (1) detail-vpn_nimas_tk-auth : /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (1) detail-vpn_nimas_tk-auth : expand: %t -> Fri Nov 16 10:39:20 2012 (1) [detail-vpn_nimas_tk-auth] = ok (1) Found Auth-Type = MSCHAP (1) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk (1) group MS-CHAP { (1) - entering group MS-CHAP {...} (1) mschap-vpn_nimas_tk : MS-CHAPv2 password change request received (1) mschap-vpn_nimas_tk : Password change payload valid (1) mschap-vpn_nimas_tk : Doing MS-CHAPv2 password change via ntlm_auth helper (1) mschap-vpn_nimas_tk : expand: username: %{mschap-vpn_nimas_tk:User-Name} -> username: testpw (1) mschap-vpn_nimas_tk : expand: nt-domain: %{mschap-vpn_nimas_tk:NT-Domain} -> nt-domain: NIMASTELECOM (1) mschap-vpn_nimas_tk : ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . . (1) mschap-vpn_nimas_tk : ntlm auth password change failed: Password-Change-Error: Wrong Password (1) mschap-vpn_nimas_tk : Password change failed (1) [mschap-vpn_nimas_tk] = reject (1) Failed to authenticate the user. (1) Login incorrect: [NIMASTELECOM\\testpw] (from client RMADTKNIMAS01 port 0) (1) Using Post-Auth-Type Reject (1) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. (1) Finished request 1. Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed reject Sending Access-Reject of id 128 from 85.112.8.156 port 1812 to 10.112.14.2 port 1645 MS-CHAP-Error = "\001E=709 R=0 M=Password change failed" Waking up in 4.9 seconds. (1) Cleaning up request packet ID 128 with timestamp +28 Ready to process requests. === The mschap derived module is simple: === mschap mschap-vpn_nimas_tk { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-vpn_nimas_tk:User-Name} --domain=%{mschap-vpn_nimas_tk:NT-Domain} --challenge=%{mschap-vpn_nimas_tk:Challenge:-00} --nt-response=%{mschap-vpn_nimas_tk:NT-Response:-00}" passchange { ntlm_auth = "/usr/bin/ntlm_auth -d 10 -l /var/log/samba --helper-protocol=ntlm-change-password-1" ntlm_auth_username = "username: %{mschap-vpn_nimas_tk:User-Name}" ntlm_auth_domain = "nt-domain: %{mschap-vpn_nimas_tk:NT-Domain}" retry_msg = "Re-enter (or reset) the password" } === Winbind logs: === [2012/11/16 10:39:06.810639, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:06.810793, 10] winbindd/winbindd.c:644(process_request) process_request: request fn INTERFACE_VERSION [2012/11/16 10:39:06.810841, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version) [ 9918]: request interface version [2012/11/16 10:39:06.810906, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9918:INTERFACE_VERSION]: delivered response to client [2012/11/16 10:39:06.810964, 10] winbindd/winbindd.c:644(process_request) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2012/11/16 10:39:06.811002, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir) [ 9918]: request location of privileged pipe [2012/11/16 10:39:06.811068, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9918:WINBINDD_PRIV_PIPE_DIR]: delivered response to client [2012/11/16 10:39:06.811117, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited [2012/11/16 10:39:06.811171, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:06.811227, 10] winbindd/winbindd.c:617(process_request) process_request: Handling async request 9918:PAM_AUTH_CRAP [2012/11/16 10:39:06.811266, 3] winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send) [ 9918]: pam auth crap domain: [NIMASTELECOM] user: testpw [2012/11/16 10:39:07.071142, 10] winbindd/winbindd.c:679(wb_request_done) wb_request_done[9918:PAM_AUTH_CRAP]: NT_STATUS_PASSWORD_MUST_CHANGE [2012/11/16 10:39:07.071243, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9918:PAM_AUTH_CRAP]: delivered response to client [2012/11/16 10:39:07.071320, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited [2012/11/16 10:39:20.825567, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:20.825731, 10] winbindd/winbindd.c:644(process_request) process_request: request fn INTERFACE_VERSION [2012/11/16 10:39:20.825780, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version) [ 9957]: request interface version [2012/11/16 10:39:20.825851, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:INTERFACE_VERSION]: delivered response to client [2012/11/16 10:39:20.825916, 10] winbindd/winbindd.c:644(process_request) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2012/11/16 10:39:20.825960, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir) [ 9957]: request location of privileged pipe [2012/11/16 10:39:20.826035, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:WINBINDD_PRIV_PIPE_DIR]: delivered response to client [2012/11/16 10:39:20.826106, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited [2012/11/16 10:39:20.826169, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:20.826235, 10] winbindd/winbindd.c:644(process_request) process_request: request fn DOMAIN_NAME [2012/11/16 10:39:20.826279, 3] winbindd/winbindd_misc.c:394(winbindd_domain_name) [ 9957]: request domain name [2012/11/16 10:39:20.826341, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:DOMAIN_NAME]: delivered response to client [2012/11/16 10:39:20.826497, 10] winbindd/winbindd.c:617(process_request) process_request: Handling async request 9957:PAM_CHNG_PSWD_AUTH_CRAP [2012/11/16 10:39:20.826544, 3] winbindd/winbindd_pam_chng_pswd_auth_crap.c:57(winbindd_pam_chng_pswd_auth_crap_send) [ 9957]: pam change pswd auth crap domain: NIMASTELECOM user: testpw [2012/11/16 10:39:20.856407, 10] winbindd/winbindd.c:679(wb_request_done) wb_request_done[9957:PAM_CHNG_PSWD_AUTH_CRAP]: NT_STATUS_WRONG_PASSWORD [2012/11/16 10:39:20.856498, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:PAM_CHNG_PSWD_AUTH_CRAP]: delivered response to client [2012/11/16 10:39:20.856674, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited === Regards, Carlos Velasco
Looking into code I suppose the problem is something with the old NT hash, but not an expert here. Any help would be apreciated.
Adding some debug to code, this seems really wrong: (1) mschap-vpn_nimas_tk : old_nt_hash: 3497295200 || Write buf: old-nt-hash-blob: 00000000000000000000000000000000 len = sprintf(buf, "old-nt-hash-blob: "); fr_bin2hex(old_nt_hash, buf+len, 16); buf[len+32] = '\n'; buf[len+33] = '\0'; len = strlen(buf); ++ RDEBUG2("old_nt_hash: %u || Write buf: %s", old_nt_hash, buf); if (write_all(to_child, buf, len) != len) { RDEBUG2("failed to write old hash blob to child"); goto ntlm_auth_err; }
On 11/16/2012 10:00 AM, Carlos Velasco wrote:
windows popup in Cisco VPN client, but the change password process fails: ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . .
Hmm.
Winbind logs also shows: NT_STATUS_WRONG_PASSWORD
Looking into code I suppose the problem is something with the old NT hash, but not an expert here. Any help would be apreciated.
In these logs the user is "NIMASTELECOM\testpw". The current password is "y58R41ut8W" (expired). And the new password used was "H6eEWu7r65tw38ert1".
There *might* be a bug in the CPW code, but I can't really see how; it tested fine when I wrote it, and the crypto/hash/blob stuff doesn't really leave room for "only if CONDITION X do something invalid". I'll take a look a little bit later but in the meantime can you confirm that if you clear the "must change password", auth works fine with the old/current password?
On 11/16/2012 10:00 AM, Carlos Velasco wrote:
windows popup in Cisco VPN client, but the change password process fails: ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . . Looking into code I suppose the problem is something with the old NT hash, but not an expert here. Any help would be apreciated.
In these logs the user is "NIMASTELECOM\testpw". The current password is "y58R41ut8W" (expired). And the new password used was "H6eEWu7r65tw38ert1".
There *might* be a bug in the CPW code, but I can't really see how; it tested fine when I wrote it, and the crypto/hash/blob stuff doesn't really leave room for "only if CONDITION X do something invalid".
I'll take a look a little bit later but in the meantime can you confirm that if you clear the "must change password", auth works fine with the old/current password?
Yes, auth works fine without "Must change". I think I have found the problem. MS-CHAP2-CPW = 0x0701000000000000000000000000000000004194697300c611e68e661957a30d0015000000000000000041eb18eb29a0ebb20ff232620f708e68e27f251767ccd3060000 According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16 octects, but they are all 00. I am trying to find out why, seems a bug in Cisco part. But I think this works fine with Cisco ACS radius. :S
On 11/16/2012 11:27 AM, Carlos Velasco wrote:
According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16 octects, but they are all 00.
I am trying to find out why, seems a bug in Cisco part. But I think this works fine with Cisco ACS radius. :S
The CPW packet lets you send the NT and/or LM hashes. The "ntlm_auth" code supports (and sends) both, but it's very likely that support for LM hashes has been disabled on your domain; they're horribly insecure and deprecated. My guess is the Cisco has old code. LM hashes were "easy" so older code tends to support them.
On 11/16/2012 11:27 AM, Carlos Velasco wrote:
According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16 octects, but they are all 00.
I am trying to find out why, seems a bug in Cisco part. But I think this works fine with Cisco ACS radius. :S
The CPW packet lets you send the NT and/or LM hashes.
The "ntlm_auth" code supports (and sends) both, but it's very likely that support for LM hashes has been disabled on your domain; they're horribly insecure and deprecated.
My guess is the Cisco has old code. LM hashes were "easy" so older code tends to support them.
Mmm well, the "Encrypted-Hash" should be an NT hash. === Encrypted-Hash The Encrypted-Hash field is 16 octets in length. It contains the old Windows NT password hash encrypted with the new Windows NT password hash. === I don't see LM hashes allowed in the Radius attributes for password change. Don't seem Cisco using them. I am trying to make some findings. Maybe installing ACS and testing to see any difference.
On 16/11/12 11:43, Carlos Velasco wrote:
I don't see LM hashes allowed in the Radius attributes for password change. Don't seem Cisco using them.
Sorry yes ignore me; I'm being dumb.
Ok. After further findings... it is a bug in Cisco IOS router version 15.1M. Downgrading to 15.0M works fine. I have seen that after "Password change successful", the module tries to authenticate the user again but with wrong password, I suppose. "Logon failure". Radius logs: === rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=13, length=755 User-Name = "NIMASTELECOM\\testpw" MS-CHAP-Challenge = 0x3145a0bc1fc2c0e4e69b8ff555861037 MS-CHAP2-CPW = 0x07024dbbd90bfd0760d77899ba7604a84c21b220a1fc49be375f9bad552ab92ee06b0000000000000000bb63180ea5a0e43f62c0abd2b8b1d6f0795780b2074dec690000 MS-CHAP-NT-Enc-PW = 0x0602000176116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb52114017 MS-CHAP-NT-Enc-PW = 0x060200025ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d582 MS-CHAP-NT-Enc-PW = 0x060200030c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bdd1e8aa3c0856e6e9bc3a8c25d7efd28ba6525d78f01bf43ca6997dd2e48d6897ced164b539a76fb6 NAS-Port-Type = Virtual Cisco-NAS-Port = "85.112.6.36" NAS-Port = 0 NAS-Port-Id = "85.112.6.36" Service-Type = Login-User NAS-IP-Address = 10.112.14.2 Event-Timestamp = "Nov 16 2012 14:19:36 CET" (17) # Executing section authorize from file /etc/raddb/sites-enabled/vpn_nimas_tk (17) group authorize { (17) - entering group authorize {...} (17) mschap-vpn_nimas_tk : Found MS-CHAP attributes. Setting 'Auth-Type = mschap-vpn_nimas_tk' (17) [mschap-vpn_nimas_tk] = ok (17) ? if (!control:Auth-Type) (17) ? Evaluating !(control:Auth-Type) -> FALSE (17) ? if (!control:Auth-Type) -> FALSE (17) detail-vpn_nimas_tk-auth : expand: /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d -> /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (17) detail-vpn_nimas_tk-auth : /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (17) detail-vpn_nimas_tk-auth : expand: %t -> Fri Nov 16 14:19:36 2012 (17) [detail-vpn_nimas_tk-auth] = ok (17) Found Auth-Type = MSCHAP (17) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk (17) group MS-CHAP { (17) - entering group MS-CHAP {...} (17) mschap-vpn_nimas_tk : MS-CHAPv2 password change request received (17) mschap-vpn_nimas_tk : Password change payload valid (17) mschap-vpn_nimas_tk : Doing MS-CHAPv2 password change via ntlm_auth helper (17) mschap-vpn_nimas_tk : expand: username: %{mschap-vpn_nimas_tk:User-Name} -> username: testpw (17) mschap-vpn_nimas_tk : expand: nt-domain: %{mschap-vpn_nimas_tk:NT-Domain} -> nt-domain: NIMASTELECOM (17) mschap-vpn_nimas_tk : new_nt_password: 118, Write buf: new-nt-password-blob: 76116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb521140175ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d5820c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bdd1e8aa3c0856e6e9bc3a8c25d7efd28ba6525! d78f01bf 43ca6997dd2e48d6897ced164b539a76fb6 (17) mschap-vpn_nimas_tk : old_nt_hash: 77 || Write buf: old-nt-hash-blob: 4dbbd90bfd0760d77899ba7604a84c21 (17) mschap-vpn_nimas_tk : Write buf: new-lm-password-blob: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000! 00000000 00000000000000000000000000000000000 (17) mschap-vpn_nimas_tk : Write buf: old-lm-hash-blob: 00000000000000000000000000000000 point n (17) mschap-vpn_nimas_tk : ntlm_auth said: Password-Change: Yes . (17) mschap-vpn_nimas_tk : ntlm_auth password change succeeded (17) mschap-vpn_nimas_tk : Password change successful (17) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw (17) mschap-vpn_nimas_tk : Client is using MS-CHAPv2 for testpw, we need NT-Password (17) mschap-vpn_nimas_tk : expand: --username=%{mschap-vpn_nimas_tk:User-Name} -> --username=testpw (17) mschap-vpn_nimas_tk : expand: --domain=%{mschap-vpn_nimas_tk:NT-Domain} -> --domain=NIMASTELECOM (17) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw (17) mschap-vpn_nimas_tk : expand: --challenge=%{mschap-vpn_nimas_tk:Challenge:-00} -> --challenge=07a8831f274a55d3 (17) mschap-vpn_nimas_tk : expand: --nt-response=%{mschap-vpn_nimas_tk:NT-Response:-00} -> --nt-response=bb63180ea5a0e43f62c0abd2b8b1d6f0795780b2074dec69 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 (17) mschap-vpn_nimas_tk : External script failed. (17) mschap-vpn_nimas_tk : FAILED: MS-CHAP2-Response is incorrect (17) [mschap-vpn_nimas_tk] = reject (17) Failed to authenticate the user. (17) Login incorrect (mschap-vpn_nimas_tk: External script says Logon failure (0xc000006d)): [NIMASTELECOM\\testpw] (from client RMADTKNIMAS01 port 0) (17) Using Post-Auth-Type Reject (17) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. (17) Finished request 17. ===
On 16/11/12 14:08, Carlos Velasco wrote:
On 16/11/12 11:43, Carlos Velasco wrote:
I don't see LM hashes allowed in the Radius attributes for password change. Don't seem Cisco using them.
Sorry yes ignore me; I'm being dumb.
Ok. After further findings... it is a bug in Cisco IOS router version 15.1M. Downgrading to 15.0M works fine.
I have seen that after "Password change successful", the module tries to authenticate the user again but with wrong password, I suppose. "Logon failure".
That's supposed to work. The "change password" code modifies the request in-place and falls through to the auth code. It might be that "ntlm_auth / Samba" haven't "caught up" with the password change, if it's slow to replicate.
participants (2)
-
Carlos Velasco -
Phil Mayers