LDAP & MSCHAP errors

Simon Palmer Simon.Palmer at colegsirgar.ac.uk
Wed Nov 12 13:07:48 CET 2008


>>pap against LDAP works fine
>>chap against LDAP works fine (With ntradping)
>
>They used different password.

Do you mean chap and MSCHAPv2 require passwords in different formats or
something?
I can auth CHAP, but with the same username and password can't auth
CHAPv2 (with no config change on freeradius)
My two debugs show that
Debug: rlm_ldap: sambaNtPassword -> NT-Password ==
0x4145394341303636374123413937333342303139423034323445363933373332
So the NT-Password is being retrieved from LDAP in both cases.

>
>>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
>>Am I missing something required for MSCHAP to work? The NT-Password
>>seems to be retrieved...
>>
>
>A correct password.

Do you think the hash being retrieved from LDAP is wrong then?
If I do put in an incorrect password I do get the same error message.

Does anyone have Freeradius working with MSCHAP against eDir?

>
>>Working CHAP debug from ntradping:
>>
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in
>>directory...
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags ->
>>SMB-Account-CTRL-TEXT == "[UX         ]"
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword ->
>>NT-Password ==
>>0x4145394341303636374133413937333342303139423034323645363933373332
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword ->
>>LM-Password ==
>>0x3635423939303044343142344533363831394631304139333344343836384443
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in
>>directory...
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use
>>remote access
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release
>>Id: 0
>>Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
>>Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex
>>encoding
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex
>>encoding
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not
>>changing it.
>>Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
>>Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
>>Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser"
>>with CHAP password
>
>*****
>>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>>"ommitted" for user testuser authentication.
>*****
>
>>Where did that come from?

I don't know - inside the chap module? It's retrieved from LDAP.  I'm
using the default modules/chap - it just says:
chap {
	# no configuration
}

>
>>Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser
>>authenticated succesfully
>
>>Default configuration in modules/mschap and modules/chap
>>In sites-enabled/default
>>authorize {
>>ldap
>>}
>
>That is obviously untrue from your debug.
Just checked again, modules/mschap has nothing unhashed.
modules/chap has as above with # no configuration
>
>Try doing pap with that NT-Password from ldap (remove clear text password
>entry wherever it is).
Yeah - PAP works perfectly, chap works perfectly, MSCHAP doesn't.
Thanks
>
>Ivan Kalik
>Kalik Informatika ISP
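
A way to check what an `rlm_ldap` debug value like the NT-Password lines above actually contains, as an added example that is not part of the original post or of FreeRADIUS: it decodes the bytes printed after `0x` and reports whether they are a raw 16-byte hash, 32 characters of hex text (the form the `[pap] Normalizing NT-Password from hex encoding` step converts), or something else. The names `classify` and `check_log` and the sample values are constructed for illustration.

```python
import binascii
import re

# Form of the rlm_ldap debug lines quoted in the post:
#   rlm_ldap: sambaNtPassword -> NT-Password == 0x....
LINE_RE = re.compile(r"rlm_ldap:\s+(\S+)\s+->\s+(\S+)\s+==\s+0x([0-9A-Fa-f]+)")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{32}")

def classify(hexval):
    """Classify the hex digits printed after '0x' as (kind, detail)."""
    try:
        raw = binascii.unhexlify(hexval)
    except binascii.Error:
        return ("malformed", "odd number of hex digits")
    if len(raw) == 16:                      # an NT hash is 16 bytes (MD4 output)
        return ("binary", raw.hex().upper())
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("unexpected", "%d bytes, not ASCII" % len(raw))
    if HEX32_RE.fullmatch(text):            # hash stored as 32 hex characters
        return ("hex-text", text.upper())
    bad = "".join(sorted({c for c in text if c not in "0123456789abcdefABCDEF"}))
    return ("unexpected", "len=%d bad=%r" % (len(text), bad))

def check_log(text):
    """Return [(attribute, kind, detail)] for each password line in a debug log."""
    # Mail clients wrap and quote debug output: drop '>' markers, undo the wrapping.
    unquoted = re.sub(r"^[> ]+", "", text, flags=re.M)
    flat = " ".join(unquoted.split())
    return [(m.group(2),) + classify(m.group(3)) for m in LINE_RE.finditer(flat)]

# Constructed sample values, not taken from any real account.
GOOD = "00112233445566778899AABBCCDDEEFF"
BAD = "00112233445566778899AABBCCDDEE#F"    # one character is not a hex digit
SAMPLE = (
    ">>Debug: rlm_ldap: sambaNtPassword ->\n>>NT-Password ==\n>>0x%s\n"
    "Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x%s\n"
) % (GOOD.encode().hex(), BAD.encode().hex())

if __name__ == "__main__":
    for attr, kind, detail in check_log(SAMPLE):
        print("%-12s %-10s %s" % (attr, kind, detail))
```

A result of `unexpected` means the stored attribute is not a well-formed 32-digit hex hash, which is worth ruling out before looking at the module configuration.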
