LDAP & MSCHAP errors

tnt at kalik.net
Tue Nov 11 20:58:55 CET 2008


>We are trying to set up freeRADIUS 2.1.1 against eDirectory LDAP and
>getting problems. 
>(Trying SLES 10 SP2 32bit and 64 bit)
>pap against LDAP works fine
>chap against LDAP works fine (With ntradping)

They used different password.

>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
>Am I missing something required for MSCHAP to work? The NT-Password
>seems to be retrieved...
>

A correct password.

>Working CHAP debug from ntradping:
>
>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in
>directory...
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags ->
>SMB-Account-CTRL-TEXT == "[UX         ]"
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword ->
>NT-Password ==
>0x4145394341303636374133413937333342303139423034323645363933373332
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword ->
>LM-Password ==
>0x3635423939303044343142344533363831394631304139333344343836384443
>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in
>directory...
>Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use
>remote access
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release
>Id: 0
>Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
>Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
>Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex
>encoding
>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex
>encoding
>Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not
>changing it.
>Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
>Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
>Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
>Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser"
>with CHAP password

*****
>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>"omitted" for user testuser authentication.
*****

Where did that come from?

>Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser
>authenticated succesfully

>Default configuration in modules/mschap and modules/chap
>In sites-enabled/default
>authorize {
>ldap
>}

That is obviously untrue from your debug.

Try doing pap with that NT-Password from ldap (remove clear text password
entry wherever it is).

Ivan Kalik
Kalik Informatika ISP
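The check Ivan is asking for, as an added example that is not part of the thread and not FreeRADIUS code: rlm_mschap derives the expected MS-CHAP2-Response from the 16-byte NT hash (MD4 over the UTF-16LE password), so if the value in sambaNtPassword is not the hash of the password being typed, the result is exactly "MS-CHAP2-Response is incorrect", while CHAP can still pass as long as a clear-text password is found somewhere else. The script below takes the NT-Password octets as radiusd -X printed them in the quoted debug (the 0x4145... string, which is the hex encoding of 32 ASCII hex characters), normalizes them the way rlm_pap's "Normalizing NT-Password from hex encoding" step does, and compares against a candidate password. MD4 is implemented in pure Python so it also runs on OpenSSL 3 builds where hashlib.new('md4') is disabled; the candidate "password" and the second sambaNtPassword value are constructed for illustration and say nothing about the poster's real password.

```python
"""Check a sambaNtPassword value from an LDAP entry against a candidate password,
the way rlm_pap / rlm_mschap in FreeRADIUS would see it.

Added illustration, not FreeRADIUS or Samba code.  MD4 is implemented here
because hashlib.new("md4") raises ValueError on OpenSSL 3 builds that keep
MD4 in the legacy provider.
"""
import binascii
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; Windows and Samba use it for the NT hash."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):  # round 1 boolean function
        return (x & y) | (~x & z)

    def g(x, y, z):  # round 2 (majority)
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):  # round 3 (parity)
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: words in order, shifts 3/7/11/19; registers rotate each step.
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: column order, constant 0x5A827999, shifts 3/5/9/13.
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: bit-reversed order, constant 0x6ED9EBA1, shifts 3/9/11/15.
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)); no salt, case preserved."""
    return md4(password.encode("utf-16-le"))


def debug_octets(value: str) -> bytes:
    """Decode an octet string the way radiusd -X prints it ('0x' + hex)."""
    return binascii.unhexlify(value[2:] if value.startswith("0x") else value)


def normalize_nt_password(raw: bytes) -> bytes:
    """Mirror rlm_pap's 'Normalizing NT-Password from hex encoding':
    16 raw bytes are used as-is, 32 ASCII hex characters (what Samba stores
    in sambaNtPassword) are decoded to 16 bytes, anything else is rejected."""
    if len(raw) == 16:
        return raw
    if len(raw) == 32:
        try:
            return binascii.unhexlify(raw)
        except (binascii.Error, ValueError):
            pass
    raise ValueError("NT-Password is neither 16 raw bytes nor 32 hex chars: %r" % raw)


def nt_password_matches(raw: bytes, candidate: str) -> bool:
    """True if the stored NT-Password is the NT hash of candidate."""
    return hmac.compare_digest(normalize_nt_password(raw), nt_hash(candidate))


# Copied from the quoted debug output: the hex encoding of the 32 ASCII
# characters that Samba stored in sambaNtPassword.
LOG_NT_PASSWORD = "0x4145394341303636374133413937333342303139423034323645363933373332"

if __name__ == "__main__":
    stored = debug_octets(LOG_NT_PASSWORD)
    print("sambaNtPassword as stored:", stored.decode())
    print("normalized 16-byte NT hash:", normalize_nt_password(stored).hex())
    # "password" is a constructed candidate, not the poster's password.
    print("matches 'password'?", nt_password_matches(stored, "password"))
```

Run it with the candidate password replaced by the one used in the MS-CHAPv2 attempt; if it prints False, the directory entry holds the hash of some other password (or a stale one) and no FreeRADIUS configuration change will make MS-CHAPv2 succeed until sambaNtPassword is updated. Because PAP in 2.x can authenticate against an NT-Password attribute, Ivan's suggestion of a PAP test after removing the clear-text entry is the same check done through radiusd itself.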