MSCHAP failing on new 2.1.10 install

Gary Gatten Ggatten at waddell.com
Wed May 11 22:29:39 CEST 2011


PS: I apparently have to leave the "DEFAULT Auth-Type = ntlm_auth "  in the users file or "nothing" works.  FWIW I am exclusively using AD/ntlm_auth for all auth types, so hopefully this won't matter?  I did find a Wiki article about updating the control such that if Auth-Type doesn't exist then set it to ntlm_auth.  I have this in my 2.1.6 deployment, so may copy it over here as well.  I'm trying to change as little as possible from the default confs....

________________________________
From: Gary Gatten
Sent: Wednesday, May 11, 2011 3:13 PM
To: FreeRadius users mailing list
Subject: MSCHAP failing on new 2.1.10 install

PAP works, MSCHAP fails - specifically MSCHAPv2.

This is a fresh install of 2.1.10, built from source.  I'm using ntlm_auth; samba version 3.0.33-3.7.el5.  I also have version 2.1.6 running on the same box and it "mostly" works: seems to work with everything except Winblows7, hence I installed 2.1.10 in a different dir structure and it's listening on different ports.  I just tested a login using the same user account and pw; works great on 2.1.6 but fails on 2.1.10.  I've tried 4 or 5 different command strings for ntlm_auth - no go.  It's as if mschap is not using ntlm_auth, but not sure.  I'll keep checking and googling, but any hints would be appreciated!  TIA!  Gary


I've changed only the minimum from the defaults: clients.conf and what is recommended for integrating with AD:
http://deployingradius.com/documents/configuration/active_directory.html


rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=19, length=224
        NAS-IP-Address = 1.1.2.4
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "netengtest"
        Calling-Station-Id = "000000000000"
        Called-Station-Id = "000B8661BF34"
        MS-CHAP-Challenge = 0x9b1a142405c7a0dbe4f486d9d3fb2090
        MS-CHAP2-Response = 0x00006cda5d434c296668b7f2b446899e01af0000000000000000419c6cfec984b856377a6c40c6144373a1dbc14f777ce8eb
        Service-Type = Login-User
        Aruba-Location-Id = "N/A"
        NAS-Identifier = "My802.11controller"
        Message-Authenticator = 0x02610ba4a72cdc35ce94415f1ae46dcb
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> netengtest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 19 to 1.1.2.4 port 33350
Waking up in 4.9 seconds.
Cleaning up request 3 ID 19 with timestamp +372
Ready to process requests.
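The debug output above shows the mschap module falling through to its local NT-Password branch ("FAILED: No NT/LM-Password"), a line rlm_mschap only logs when it is not running ntlm_auth; the users-file DEFAULT match and the pap warning are not what rejected this request. As an added example that is not part of the original post, the Python script below pulls those signals out of radiusd -X output and turns them into a one-line verdict; the sample text is constructed from the lines quoted above.

```python
import re

# Constructed sample: lines taken from the radiusd -X output in the post above.
SAMPLE_DEBUG = """\
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
[files] users: Matched entry DEFAULT at line 2
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Found Auth-Type = MSCHAP
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
"""

AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
USERS_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
FAILED_RE = re.compile(r"^\[mschap\] FAILED: (.+)")


def triage_mschap(debug_text):
    """Summarise one request's mschap outcome from radiusd -X output."""
    result = {"auth_type": None, "users_entry": None, "failures": [],
              "verdict": "no mschap failure seen"}
    for line in debug_text.splitlines():
        if m := AUTH_TYPE_RE.match(line):
            result["auth_type"] = m.group(1)
        elif m := USERS_RE.match(line):
            result["users_entry"] = (m.group(1), int(m.group(2)))
        elif m := FAILED_RE.match(line):
            result["failures"].append(m.group(1).strip())
    if not result["failures"]:
        return result
    first = result["failures"][0]
    if first.startswith("No NT/LM-Password"):
        # rlm_mschap logs this only on its local-password branch, i.e. when it
        # is not calling ntlm_auth, so the fix belongs in modules/mschap.
        result["verdict"] = ("mschap took the local NT-Password path: ntlm_auth is "
                             "not configured (or disabled) in the mschap module")
    elif first.startswith("MS-CHAP2-Response is incorrect"):
        result["verdict"] = ("response rejected by the configured password source: "
                             "check the credential, domain and ntlm_auth/winbind")
    else:
        result["verdict"] = "unrecognised mschap failure: " + first
    return result


if __name__ == "__main__":
    print(triage_mschap(SAMPLE_DEBUG)["verdict"])
```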