problems authenticating
jck-freeradius at southwestern.edu
Tue Jul 12 00:05:47 CEST 2005
On Mon, Jul 11, 2005 at 05:26:54PM -0400, Alan DeKok wrote:
> jck-freeradius at southwestern.edu wrote:
> > rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password
> > rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> That's pretty definitive.
I thought so as well. I am 99% sure that the NTLM passwords I am
using are valid.
>
> > My thoughts are that SQL and MSCHAP should be in the authorization section,
> > and MSCHAP and EAP should be in authentication.
>
> "eap" should be in the "authorize" section, too. That's the way the
> server comes configured.
radiusd.conf now reads, in part:
authorize {
	preprocess
	auth_log
	sql
	mschap
	eap
}
authenticate {
	# MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}
	mschap
	eap
}
>
> > I am storing NTLM passwords in my SQL server.
> ...
> > | 1490 | johnk | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
>
> No, you're not.
>
> You're telling the server that the clear-text password is a hex
> string, which it's not.
>
> If you want to store the NT-hashed passwords in SQL, use the
> "NT-Password" attribute, and ensure that the value is 32 bytes of hex
> data.
When using NT-Password, I was noticing that the sql authorization phase
would not return OK. Switching it to User-Password seemed to fix that
(albeit not correctly). I have switched radcheck back to using Attributes
of NT-Password.
>
> But before you do that, I would STRONGLY suggest storing a simple
> clear-text password in SQL, like "test". Verify that it works, and
> THEN start storing NT password.
I have a test account, named testacct. I have switched his values in radcheck
to "Password == monkey"
host:/etc/raddb # radtest testacct monkey host:1645 0 testing123
Sending Access-Request of id 77 to 127.0.0.1:1645
User-Name = "testacct"
User-Password = "monkey"
NAS-IP-Address = hecate
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=77, length=37
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = "111"
host:/etc/raddb #
>
> By trying to configure 3 things at the same time, you guarantee that
> you can't possibly figure out which one of the three is failing.
Agreed.
I am including two URLs. One with debug logs showing user 'johnk'
trying to AAA, using NT-Password. The other shows testacct
(using the same supplicant as johnk, XP) using Password (cleartext).
NT-Password, logging in as johnk:
http://www.southwestern.edu/~johnk/johnk_NT-Password_debug.txt
Password, logging in as testacct:
http://www.southwestern.edu/~johnk/testacct_Password_debug.txt
Notice that after changing the Attribute in radcheck to Password and assigning
a cleartext Value, an Access-Accept is generated.
--johnk