MSCHAPv2, MySQL, Freeradius

Dan Russell dan at in-house.com.au
Tue Oct 4 06:07:36 CEST 2005


> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Monday, 3 October 2005 2:48 PM
> To: FreeRadius users mailing list
> Subject: Re: MSCHAPv2, MySQL, Freeradius
> 
> "Dan Russell" <dan at in-house.com.au> wrote:
> > >> If I used a third party tool like mkntpwd to create NT Hashes, could I
> > >> put premade hashes in the database and use them to authenticate
> ...
> > Is there any specific config change I would need to make to enable this?
> 
>   No.  It should work in the default config.
>
> > How does freeradius identify that the password has already been NT
> > hashed?
> 
>   Because you put it into the NT-Password attribute, instead of the
> User-Password attribute.
>

Okay, I've tried that and not found it to work for me.  I looked through
the source code to the rlm_mschap now and have found where I believe it
is falling over.

It tries to get the 'User-Password' attribute first (which it fails on,
I don't have one), then it tries to get the 'LM-Password' attribute
which it also fails on.  After dealing with that it tries the same thing
with 'NT-Password'.  For some reason it isn't pulling these attributes
out of mysql.

After looking at the debug output from freeradius, the sql statement
that it executes when it receives an authentication request should
return the LM-Password and NT-Password.

When I try to authenticate it gives me the error:

" rlm_mschap: No User-Password configured.  Cannot create LM-Password."
" rlm_mschap: No User-Password configured.  Cannot create NT-Password."

And a couple of lines later I get

" rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication."

I'm not sure why it isn't picking the attributes up.

If it's any help, I'm using mysql 4.1.11 and freeradius 1.0.2
 
> > What stops it from encrypting whatever it finds in the radcheck table
> > for the password?
> 
>   I have no idea what question you're asking.  So far as I can tell,
> the answer is "it doesn't work that way".
> 
>   Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html