MS-CHAP-V2 with no retry

James J J Hooper jjj.hooper at bristol.ac.uk
Fri Mar 4 15:41:46 CET 2011



--On Friday, March 04, 2011 13:32:35 +0100 Alan DeKok 
<aland at deployingradius.com> wrote:

> Alan DeKok wrote:
>> James J J Hooper wrote:
>>>> rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
>>>> rlm_eap_mschapv2.c:658: error: called object is not a function
>>>> rlm_eap_mschapv2.c:658: error: too few arguments to function
>>>> `pairmove2'
>>> I've added the missing comma, and it's building now....  :-)
>>
>>   Then you're using the git "master" branch, and not 2.1.x.
>
>   Nope, my mistake.  See the recent message for a better patch.


***  With a bad password it does:

[eduroamlocalmschap] 	expand: --nt-response=%{eduroamlocalmschap:NT-Response} -> --nt-response=58a58ef81a7975443ce2f2ea61d6e66b11974cd3fbbf2b2d
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[eduroamlocalmschap] External script failed.
[eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
++[eduroamlocalmschap] returns reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
[eduroamlocaleap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamlocaleap-bris-sha-ca] Failed in EAP select
++[eduroamlocaleap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect (eduroamlocalmschap: External script says Logon failure (0xc000006d)): [jh1761 at bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eduroamlocaleap-bris-sha-ca] returns handled



***  With a locked out user it does:

server eduroamlocal-inner {
Exec-Program output: Account locked out (0xc0000234)
Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
Exec-Program: returned: 1
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
Login incorrect (eduroamlocalmschap: External script says Account locked out (0xc0000234)): [jh1761-s at bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
	MS-CHAP-Error = "\007E=691 R=1"
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
	MS-CHAP-Error = "\007E=691 R=1"
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
 attr_filter: Matched entry DEFAULT at line 1
Sending Access-Challenge of id 7 to 137.222.253.66 port 48817
	EAP-Message = 0x0108002b19001703010020bfba7af9865436c3cbcd179868046228adb578769d6312fd4cb3caaf3626edc0
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2183e4ed268bfd6e277ccbd19a06e21c



* Also, each time MS-CHAP-Error seems to be prefixed with a character - is that intended?

-James


-- 
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk 	
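
Added example, not part of the original post and not FreeRADIUS code: RFC 2548 defines the MS-CHAP-Error value as one Ident octet followed by the error string, so a parser has to strip that first byte before reading E= and R=. The Python below decodes the two values from the debug excerpts in the post and compares the octet with the identifier of the EAP packet logged beside it; the function names are illustrative and the error-code table is taken from RFC 2759.

```python
import re

# Failure codes listed for MS-CHAPv2 in RFC 2759, section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
_ESCAPES = {"t": 9, "n": 10, "r": 13, "\\": 92, '"': 34}

def unescape(printed):
    """Turn the log's escaped form (\\t, \\007, ...) back into raw bytes."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 8)) if tok[0].isdigit() else chr(_ESCAPES[tok])
    return re.sub(r'\\([0-3][0-7]{2}|[tnr\\"])', repl, printed).encode("latin-1")

def parse_mschap_error(printed):
    """Split an MS-CHAP-Error value into its Ident octet and E=/R= fields."""
    raw = unescape(printed)
    if len(raw) < 2:
        raise ValueError("expected an Ident octet followed by a string")
    fields = dict(re.findall(r"([ERCV])=(\S+)", raw[1:].decode("ascii")))
    if "E" not in fields:
        raise ValueError("no E= error code in MS-CHAP-Error string")
    code = int(fields["E"])
    return {"ident": raw[0], "error": code,
            "error_name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1"}

def parse_eap_header(hex_value):
    """Decode code, identifier and length from an EAP-Message hex string."""
    digits = hex_value[2:] if hex_value.startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    return {"code": raw[0], "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big")}

# (MS-CHAP-Error, EAP-Message) pairs copied from the two excerpts in the post.
SAMPLES = [(r"\tE=691 R=1", "0x04090004"), (r"\007E=691 R=1", "0x04070004")]

def ident_matches_eap_id(samples=SAMPLES):
    """For each pair, report whether the Ident octet equals the EAP id."""
    return [parse_mschap_error(err)["ident"] == parse_eap_header(eap)["id"]
            for err, eap in samples]

if __name__ == "__main__":
    for err, eap in SAMPLES:
        print(parse_mschap_error(err), parse_eap_header(eap))
    print(ident_matches_eap_id())
```

Both excerpts decode to error 691 with R=1, which is why the locked-out account is indistinguishable from a bad password in these replies.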
-- 





More information about the Freeradius-Users mailing list