problems authenticating
jck-freeradius at southwestern.edu
Tue Jul 12 17:30:22 CEST 2005
On Mon, Jul 11, 2005 at 08:12:09PM -0400, Alan DeKok wrote:
> jck-freeradius at southwestern.edu wrote:
> > > Try using just MS-CHAP with an NT password in SQL. Once that works,
> > > PEAP will work.
> >
> > I am not entirely sure what you mean, so I tried two different combinations.
>
> Find a RADIUS client that implements MS-CHAPv.
The native Windows XP client uses MS-CHAPv2. Unless I decide to use
a smartcard, the built-in client uses EAP type of PEAP and
authentication of MS-CHAP-V2, /only/.
>
> See src/tests/mschapv1 for a sample script which can be used with
> "radclient" to test MSCHAP.
>
I do not understand how radclient is any different compared to radtest. If
I use the src/tests/mschapv1 script as input to radclient, do I not need to
put some information in for user "Bob" into my SQL database? I am unsure
how I need to change my radiusd.conf or authorization backend to accommodate
the script.

If it is MS-CHAP-V2 which is failing, how will testing MS-CHAP-V2 with an
MS-CHAP client help? I should see the same error when testing that I see
now, correct?

rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv1 with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: MS-CHAP-Response is incorrect.
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [bob/<no User-Password attribute>] (from client localhost port 0)
> > EAP removed from authorization stanza:
> > http://www.southwestern.edu/~johnk/eap_removed_authorization.txt
>
> If you tell the server not to use EAP, and then send it EAP
> requests, it won't work.
>
> Alan DeKok.
--johnk