HELP ME: FAILED: MS-CHAP2-Response is incorrect

tnt at kalik.co.yu tnt at kalik.co.yu
Sat Sep 1 17:36:24 CEST 2007 

NT-Password is wrong. Try first with plain text one (Cleartext-Password).
Then fix hashing.

Ivan Kalik
Kalik Informatika ISP


Dana 1/9/2007, "hyunok" <jinjusi at Kornet.net> piše:

>Hello,
>
>I have a freeradius 1.1.7 server setup with ppp and pptp using a mysql 
>DB for user authentication.
>
>--with-mysql-lib-dir=/usr/lib/mysql 
>--with-mysql-include-dir=/usr/include/mysql 
>
>rpmbuild -bb redhat/freeradius.spec
>rpm -Uvh freeradius-1.1.7-0.i386.rpm
>rpm -Uvh freeradius-debuginfo-1.1.7-0.i386.rpm
>-------------------------------------------------------------
>options.pptpd
>refuse-pap
>refuse-chap
>refuse-mschap
>#require-mppe-128  <==disable
>require-mschap-v2
>
>plugin radius.so
>radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
>plugin radattr.so
>
>-------------------------------------------------------------
>radiusd.conf 
>
>use_mppe = no  
>
>authorize {
>    preprocess
>    chap
>     mschap
>     suffix
>    eap
>    files
>    sql
>     pap
>   }
>
>accounting {
>   unix
>   radutmp
>   sql
>   }
>
>-------------------------------------------------------------
>
>Here is my debug output:
>
>
>Listening on accounting *:1813
>Ready to process requests.
>rad_recv: Access-Request packet from host 127.0.0.1:32981, id=154, length=151
>--- Walking the entire request list ---
>Waking up in 31 seconds...
>Threads: total/active/spare threads = 5/0/5
>Thread 1 got semaphore
>Thread 1 handling request 0, (1 handled so far)
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        User-Name = "testuser"
>        MS-CHAP-Challenge = 0x46dec3e9097bc536b786971f662d900d
>        MS-CHAP2-Response = 0xf80040b7092f930cb6002b55b7e1d2e1998900000000000000009c17dfe89020dea63a8232e83dffe3600e77bc95a87b1918
>        Calling-Station-Id = "12x.xx.xx.xx"
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 0
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>  modcall[authorize]: module "mschap" returns ok for request 0
>    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 0
>    users: Matched entry DEFAULT at line 153
>    users: Matched entry DEFAULT at line 172
>    users: Matched entry DEFAULT at line 184
>  modcall[authorize]: module "files" returns ok for request 0
>radius_xlat:  'testuser'
>rlm_sql (sql): sql_set_user escaped user --> 'testuser'
>radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'testuser'           ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 4
>radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheckAttribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'testuser'           ORDER BY id'
>radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreplyAttribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql (sql): Released sql socket id: 4
>  modcall[authorize]: module "sql" returns ok for request 0
>rlm_pap: Found existing Auth-Type, not changing it.
>  modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns ok) for request 0
>  rad_check_password:  Found Auth-Type MS-CHAP
>auth: type "MS-CHAP"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group MS-CHAP for request 0
>  rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>  modcall[authenticate]: module "mschap" returns reject for request 0
>modcall: leaving group MS-CHAP (returns reject) for request 0
>auth: Failed to validate the user.
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>Thread 1 waiting to be assigned a request
>rad_recv: Access-Request packet from host 127.0.0.1:32981, id=154, length=151
>Sending Access-Reject of id 154 to 127.0.0.1 port 32981
>--- Walking the entire request list ---
>Cleaning up request 0 ID 154 with timestamp 46d95613
>Nothing to do.  Sleeping until we see a request.

More information about the Freeradius-Users mailing list