MS-CHAP2 Failure

Mike Diggins mike.diggins at mcmaster.ca
Mon Mar 16 16:51:11 CET 2009


I configured what I thought were two identical FreeRADIUS 2.1.3 servers. 
I'm attempting to do MS-CHAP2 authentication on both, one is working, the 
other is not. For the life of me I can't find any difference in their 
configuration.

On my client, I switch the host name between the two servers, everything 
else stays the same. One works, one fails, and I don't know why. Below is 
the debug output for both the failure and success. PAP authentication 
works fine on both with the same id. What the heck have I missed?

This is the one that fails:

rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26, 
length=127
          NAS-Identifier = "test-cam1"
          NAS-IP-Address = 192.168.2.15
          MS-CHAP-Challenge = 0xbd4261d677c0d793ee781d7a032218df
          MS-CHAP2-Response = 
0xa300ac9567587df3e83b3799dc49a53f433000000000000000007e0e6320a093349fbd0afc94436ed32e1258e26c5463147b
          User-Name = "test26"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test26", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test26] (from client 192.168.2.15 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test26
   attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 26 to 192.168.2.15 port 2357
Waking up in 4.9 seconds.
Cleaning up request 7 ID 26 with timestamp +1885
Ready to process requests.


This one works:

rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115, 
length=127
          NAS-Identifier = "test-cam1"
          NAS-IP-Address = 192.168.2.15
          MS-CHAP-Challenge = 0xfdd0ccd7059225f80093cea2929eb415
          MS-CHAP2-Response = 
0x780017ff811e7761fc6bd332fb45f4f6b3f50000000000000000b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
          User-Name = "test26"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test26", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} -> 
--username=test26
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
[mschap]  mschap2: fd
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=cc26ba941d6d9678
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program: returned: 0
++[mschap] returns ok
Login OK: [test26] (from client 192.168.2.15 port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 115 to 192.168.2.15 port 2358
          MS-CHAP2-Success = 
0x78533d41453631324635393130344535373132364133414234374339463844443541453538384142453943
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 115 with timestamp +1773
Ready to process requests.

-Mike
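Added example, not part of the post above and not FreeRADIUS project code: it decodes the MS-CHAP2-Response attribute printed in the two traces and reconstructs the --username, --challenge and --nt-response values that the working server expands for ntlm_auth. The field layout follows RFC 2548 section 2.3.2 and the 8-byte challenge follows the ChallengeHash of RFC 2759 section 8.2 (first 8 octets of SHA1 over peer challenge, authenticator challenge and user name), which is what rlm_mschap computes for %{mschap:Challenge}. The hex values and the trace excerpts are copied from the post; the function names are my own, and the short outcome classifier keys only on lines that appear in the two traces.

```python
import hashlib

# Copied from the "This one works" trace in the post.
AUTH_CHALLENGE_HEX = "fdd0ccd7059225f80093cea2929eb415"   # MS-CHAP-Challenge
MSCHAP2_RESPONSE_HEX = (                                   # MS-CHAP2-Response
    "780017ff811e7761fc6bd332fb45f4f6b3f50000000000000000"
    "b6834efb6626804caf2aa055c5a157851e9bc927698cf23f"
)
USER_NAME = "test26"
LOGGED_CHALLENGE_HEX = "cc26ba941d6d9678"  # the --challenge= value the working server logged

# Excerpts of the two [mschap] groups from the post (constructed from the traces above).
FAILING_MSCHAP_TRACE = """\
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject"""

WORKING_MSCHAP_TRACE = """\
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} -> --username=test26
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc26ba941d6d9678
Exec-Program: returned: 0
++[mschap] returns ok"""


def _unhex(value: str) -> bytes:
    """Accept the 0x-prefixed form FreeRADIUS prints as well as bare hex."""
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)


def parse_mschap2_response(hex_value: str) -> dict:
    """Split the 50-octet MS-CHAP2-Response (RFC 2548 section 2.3.2) into
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    raw = _unhex(hex_value)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(raw)}")
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],
        "reserved": raw[18:26],
        "nt_response": raw[26:50],
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    UserName is the bare account name; rlm_mschap strips any NT-Domain first."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("ascii")).digest()
    return digest[:8]


def ntlm_auth_arguments(auth_challenge_hex: str, response_hex: str, user_name: str) -> dict:
    """Reconstruct the three values the working trace expands for ntlm_auth."""
    fields = parse_mschap2_response(response_hex)
    if fields["flags"] != 0:
        raise ValueError("Flags octet of MS-CHAP2-Response must be zero")
    chal = challenge_hash(fields["peer_challenge"], _unhex(auth_challenge_hex), user_name)
    return {
        "--username": user_name,
        "--challenge": chal.hex(),
        "--nt-response": fields["nt_response"].hex(),
    }


def mschap_outcome(trace: str) -> str:
    """Classify an [mschap] group by the lines the two traces in the post show:
    either ntlm_auth was invoked and returned 0, or no NT/LM-Password was
    available and the module rejected without ever calling ntlm_auth."""
    if "expand: --username=" in trace and "Exec-Program: returned: 0" in trace:
        return "accepted: NT-Response verified via ntlm_auth"
    if "FAILED: No NT/LM-Password" in trace:
        return "rejected: no NT/LM-Password and ntlm_auth not invoked"
    return "unknown"


if __name__ == "__main__":
    args = ntlm_auth_arguments(AUTH_CHALLENGE_HEX, MSCHAP2_RESPONSE_HEX, USER_NAME)
    for key, value in args.items():
        print(f"{key}={value}")
    print("reproduces logged --challenge:", args["--challenge"] == LOGGED_CHALLENGE_HEX)
    print("failing server:", mschap_outcome(FAILING_MSCHAP_TRACE))
    print("working server:", mschap_outcome(WORKING_MSCHAP_TRACE))
```

Running the block prints the reconstructed ntlm_auth arguments and whether the computed challenge equals the cc26ba941d6d9678 the working server logged. The classifier makes the difference between the two traces explicit: both servers lack a Cleartext/NT-Password for test26, so the only way either can verify the NT-Response is to hand it to ntlm_auth, and the failing server's trace never reaches that step.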
