LDAP & MSCHAP errors

Simon Palmer Simon.Palmer at colegsirgar.ac.uk
Tue Nov 11 20:02:43 CET 2008


Hi,
We are trying to set up freeRADIUS 2.1.1 against eDirectory LDAP and
getting problems. 
(Trying SLES 10 SP2 32bit and 64 bit)
pap against LDAP works fine
chap against LDAP works fine (With ntradping)
BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
Am I missing something required for MSCHAP to work? The NT-Password
seems to be retrieved...
 
Working CHAP debug from ntradping:

Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in directory...
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX         ]"
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x4145394341303636374133413937333342303139423034323645363933373332
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword -> LM-Password == 0x3635423939303044343142344533363831394631304139333344343836384443
Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in directory...
Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use remote access
Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex encoding
Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex encoding
Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not changing it.
Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser" with CHAP password
Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password "ommitted" for user testuser authentication.
Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser authenticated succesfully
Tue Nov 11 10:10:26 2008 : Info: ++[chap] returns ok
Tue Nov 11 10:10:26 2008 : Info: +- entering group post-auth {...}
Tue Nov 11 10:10:26 2008 : Info: ++[exec] returns noop
Sending Access-Accept of id 13 to 194.82.224.117 port 1958

Debug from it not working using MSCHAP2:

Tue Nov 11 10:06:10 2008 : Info: [ldap] looking for check items in directory...
Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX         ]"
Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x4145394341303636374123413937333342303139423034323445363933373332
Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: sambaLmPassword -> LM-Password == 0x3635423939303044342142344533363831394631304139353344343836384443
Tue Nov 11 10:06:10 2008 : Info: [ldap] looking for reply items in directory...
Tue Nov 11 10:06:10 2008 : Info: [ldap] user testuser authorized to use remote access
Tue Nov 11 10:06:10 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Nov 11 10:06:10 2008 : Info: ++[ldap] returns ok
Tue Nov 11 10:06:10 2008 : Info: ++[expiration] returns noop
Tue Nov 11 10:06:10 2008 : Info: ++[logintime] returns noop
Tue Nov 11 10:06:10 2008 : Info: [pap] Normalizing NT-Password from hex encoding
Tue Nov 11 10:06:10 2008 : Info: [pap] Normalizing LM-Password from hex encoding
Tue Nov 11 10:06:10 2008 : Info: [pap] Found existing Auth-Type, not changing it.
Tue Nov 11 10:06:10 2008 : Info: ++[pap] returns noop
Tue Nov 11 10:06:10 2008 : Info: Found Auth-Type = MSCHAP
Tue Nov 11 10:06:10 2008 : Info: +- entering group MS-CHAP {...}
Tue Nov 11 10:06:10 2008 : Info: [mschap] Found LM-Password
Tue Nov 11 10:06:10 2008 : Info: [mschap] Found NT-Password
Tue Nov 11 10:06:10 2008 : Info: [mschap] Told to do MS-CHAPv2 for testuser with NT-Password
Tue Nov 11 10:06:10 2008 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Tue Nov 11 10:06:10 2008 : Info: ++[mschap] returns reject
Tue Nov 11 10:06:10 2008 : Info: Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[ldap] returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to 192.168.100.25 port 32834
        MS-CHAP-Error = "\000E=691 R=1"

modules/ldap extract:
ldap {
        server = "192.168.1.1"
        port = 636
        identity = "cn=admin,o=csg"
        password = "password"
        basedn = "O=csg"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
...
        # start_tls = yes
        tls_mode = yes
        # cacertfile    = /path/to/cacert.pem            # I don't think we need to check the certs so put require_cert below to never
        # cacertdir             = /usr/local/etc/raddb/certs
        # certfile              = /usr/local/etc/raddb/certs/certs.b64
        # keyfile               = /path/to/radius.key
        #randfile               = /usr/local/etc/raddb/random
        require_cert    = "never"
        dictionary_mapping = ${confdir}/ldap.attrmap
        password_attribute = nspmPassword
        edir_account_policy_check = no   # I've tried this with yes - and enabling the option in sites-enabled/default and it's no different
 
Default configuration in modules/mschap and modules/chap.
In sites-enabled/default:

authorize {
        ldap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
}

post-auth {
        #       ldap
        Post-Auth-Type REJECT {
        #       attr_filter.access_reject
                ldap
        }
}
 
Some help would be most appreciated.
Cheers

Simon
 
 
Simon Palmer
Systems Development Officer

Colegsirgâr

e-mail: simon.palmer at colegsirgar.ac.uk 
tel: 01554 748088

This email and any attached files are confidential and for the attention of the individual or organisation named above. Any views or comments expressed belong solely to the author and do not necessarily represent the views of Coleg Sir Gâr. If you have received this email in error, please notify the administrator at the following address:
postmaster at colegsirgar.ac.uk

Consider the environment - is there really a need to print this email?

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to 
whom they are addressed. Any views or opinions expressed are solely
those of the author and do not necessarily represent those of Coleg Sir
Gâr. If you have received this email in error please notify the
administrator on the following address:
postmaster at colegsirgar.ac.uk 

Please consider the environment - do you really need to print this
email?
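An added diagnostic, not part of Simon's post and not FreeRADIUS code. The two debug runs above differ in what is being checked: in the CHAP run rlm_chap says it is "Using clear text password" (the value fetched through password_attribute = nspmPassword), whereas rlm_mschap is "Told to do MS-CHAPv2 for testuser with NT-Password", i.e. the hash copied out of sambaNtPassword. If that attribute does not hold the MD4 hash of the password the supplicant actually types, CHAP passes and MS-CHAPv2 fails with exactly "MS-CHAP2-Response is incorrect". The script below lets you check the stored attribute against a known test password offline. It reproduces the "[pap] Normalizing NT-Password from hex encoding" step (a 32-character ASCII hex value decoded to 16 bytes; assumed to match what rlm_pap does, judging from the log, not copied from it) and the NT hash itself (MD4 over the UTF-16LE password; MD4 is implemented here from RFC 1320 because hashlib's md4 needs OpenSSL's legacy provider on many systems). The sambaNtPassword value is the one rlm_ldap logged in the CHAP run; the test password "password" and the second sample attribute are constructed.

```python
"""Offline check of an NT-Password value pulled from LDAP (sambaNtPassword) against a
known test password. Added example, not FreeRADIUS code; it mirrors the two steps the
debug output shows rlm_pap and rlm_mschap performing."""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python, so it works without OpenSSL's legacy provider)."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d)
            a = _lrot((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            # round 3: H = xor
            a = _lrot((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(u + v) & MASK32 for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the password encoded as UTF-16LE (no terminator)."""
    return md4(password.encode("utf-16-le"))


def normalize_nt_password(raw: bytes) -> bytes:
    """Mirror of '[pap] Normalizing NT-Password from hex encoding' (assumed behaviour):
    a 32-character ASCII hex attribute value is decoded to the 16 raw hash bytes;
    a 16-byte value is already binary; anything else is rejected."""
    if len(raw) == 16:
        return raw
    if len(raw) == 32:
        try:
            return bytes.fromhex(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            raise ValueError("32-byte NT-Password is not an ASCII hex string") from None
    raise ValueError(f"NT-Password must be 16 raw bytes or 32 hex characters, got {len(raw)} bytes")


def stored_hash_matches(stored_attr: bytes, password: str) -> bool:
    """True if the directory attribute holds the NT hash of `password`."""
    return hmac.compare_digest(normalize_nt_password(stored_attr), nt_hash(password))


# The sambaNtPassword value exactly as rlm_ldap logged it in the CHAP debug above
# (the 0x-prefixed hex of the attribute's bytes); it decodes to a 32-character hex string.
LOGGED_SAMBA_NT_PASSWORD = bytes.fromhex(
    "4145394341303636374133413937333342303139423034323645363933373332")
# Constructed test password; the real test user's password is not in the post.
TEST_PASSWORD = "password"

if __name__ == "__main__":
    print("attribute as text :", LOGGED_SAMBA_NT_PASSWORD.decode("ascii"))
    print("normalized hash   :", normalize_nt_password(LOGGED_SAMBA_NT_PASSWORD).hex().upper())
    print("NT hash of test pw:", nt_hash(TEST_PASSWORD).hex().upper())
    print("stored hash matches test password:",
          stored_hash_matches(LOGGED_SAMBA_NT_PASSWORD, TEST_PASSWORD))
```

Run it with the test user's real password in place of the constructed one: if stored_hash_matches() is False, the sambaNtPassword attribute in eDirectory is not the hash of that password (stale, or set from a different password than the one held in nspmPassword), which would explain a CHAP success alongside an MS-CHAPv2 reject without any FreeRADIUS misconfiguration. If it is True, the mismatch lies elsewhere and the next thing to compare is the request itself (the MS-CHAP-Challenge and MS-CHAP2-Response attributes in the debug output).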
