Fwd: MSCHAP module returns OK, authentication fails..

James Yale jim at thebiggame.org
Thu Aug 28 16:35:18 CEST 2008 

>> EAP-MSCHAPV2: Invalid authenticator response in success request
>
>  Upgrade Samba.  If you're not using at least 3.2.1, upgrade to that.
>
>> http://jim.geezas.com/stuff/radius-debugging/ *-failure.log), the
>> message authenticator does seem to be invalid,
>
>  No.  eapol_test is saying that the MSCHAP response is invalid.
>
>> Has anyone seen this problem before, or am I looking in the wrong place?
>
>  Others have seen exactly the same thing in the past weeks.  Upgrading
> Samba fixed it.
>
>  Alan DeKok.
> -

I've upgraded to the testing version of samba for FC9, 3.2.1 which
unfortunately didn't resolve the issue - still getting the 'Invalid
authenticator response in success request' problem.

jim at florence:~$ /usr/sbin/winbindd -V
Version 3.2.1-18.fc9

Is there a known good version of Samba, or could the problem lie
elsewhere? I've included the server output from the MSCHAP module
trying the authentication for reference.

+- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for jim2 with NT-Password
       expand: --username=%{mschap:User-Name:-None} -> --username=jim2
 rlm_mschap: No NT-Domain was found in the User-Name.
       expand: --domain=%{mschap:NT-Domain:-CURRICULUM} -> --domain=CURRICULUM
 mschap2: ee
       expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=c48639cf15fbe669
       expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0b4b18f4afaa63f4147e4250c8c907f3248ba67e7ee976a0
Exec-Program output: NT_KEY: 1847BA6C5854C261219362F18B4923E4
Exec-Program-Wait: plaintext: NT_KEY: 1847BA6C5854C261219362F18B4923E4
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
 PEAP: Got tunneled reply RADIUS code 11
       EAP-Message =
0x010800331a0307002e533d39313431454342383036383441464346413533303131384242454445363435373037323941383039
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x40622130416a3b8e9b04d3d502f1f161
 PEAP: Processing from tunneled session code 0xa13a0d0 11
       EAP-Message =
0x010800331a0307002e533d39313431454342383036383441464346413533303131384242454445363435373037323941383039
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x40622130416a3b8e9b04d3d502f1f161
 PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 127.0.0.1 port 35048
       EAP-Message =
0x0108005b19001703010050a25e02bf01a7f7f6ca355df2cec89e3c2508b47b180497a05669336d0ac233f14b38ed612205594956295de1abbda4f5e4f8f03753d57524e01a42e5d29cabcf7996143335211d76065176783a7bb8ec
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x5899ddd95f91c4e2ae146201bfc3a1be
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 0 with timestamp +5
Cleaning up request 1 ID 1 with timestamp +5
Cleaning up request 2 ID 2 with timestamp +5
Cleaning up request 3 ID 3 with timestamp +5
Cleaning up request 4 ID 4 with timestamp +5
Cleaning up request 5 ID 5 with timestamp +5
Cleaning up request 6 ID 6 with timestamp +5
Cleaning up request 7 ID 7 with timestamp +5
Ready to process requests.

Thanks,

James

More information about the Freeradius-Users mailing list