Help needed with MS-CHAP
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 23 22:51:26 CET 2006
Charles Blake wrote:
> I am trying to set up a freeradius-1.1.0 server for authenticating users
> using MS-CHAP passwords.
>
> I pretend to authenticate users against shadow.

You can't do that.

MS-CHAP requires the NT hash, the plaintext password from which it can
derive the NT hash, or Samba configured as a domain member and use of
the "ntlm_auth" helper.

>
> radtest shows ok:
>

This is a PAP request. They work fine against /etc/shadow.

> # radtest mts mypassword localhost 0 testing123
> Sending Access-Request of id 160 to 127.0.0.1 port 1812
> User-Name = "mts"
> User-Password = "mypassword"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=160, length=20
>
>
>
> But when I try to authenticate a user using MS-CHAP, I am getting this
> output:

This is an MS-CHAP request - you cannot authenticate it against
/etc/shadow. See above.

> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=5, length=146
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "mts"
> MS-CHAP-Challenge = 0x6b61b1ed954a289c0fa3aebedc329ac6
> MS-CHAP2-Response = 0x8f0001684e1d34295e1232edb0682bd04e6e00000000000000002caaa9579823e00501812d3e2dce9225b7dd251c02e1fd89

These error messages are quite detailed:

> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: Told to do MS-CHAPv2 for mts with NT-Password
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

As it says.