MSCHAP Auth fails
Weber, Felix
Felix.Weber at swmr.de
Wed Apr 4 13:59:53 CEST 2012
Hello out there,
I'm testing the FreeRADIUS version 2.1.12 module with AD integration,
following the deployingradius.com guide.
I installed winbind and Samba version 3.6.3, and the ntlm_auth tests are fine.
Now I'm testing with radtest while running radius in debug mode.
The following line has been added to users:
DEFAULT Auth-Type = mschap
This is the output from radtest:
radtest -t mschap User001 USERPW localhost 0 s3cr3t
Sending Access-Request of id 61 to 127.0.0.1 port 1812
User-Name = "User001"
NAS-IP-Address = 172.16.28.168
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x7e9462ca7fbf5d20
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a42d3b5b243dede8b6dc20fc78f0fdad458a494f649cca2b
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=61, length=38
MS-CHAP-Error = "\000E=691 R=1"
And this from radiusd -X:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 48471, id=105, length=133
User-Name = "User001"
NAS-IP-Address = 172.16.28.168
NAS-Port = 0
Message-Authenticator = 0x5d1a20d2d2c7897d376d003f73153552
MS-CHAP-Challenge = 0x28d302e62ccf7399
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "User001", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair User-Name = User001
rlm_perl: Added pair MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 172.16.28.168
rlm_perl: Added pair MS-CHAP-Challenge = 0x28d302e62ccf7399
rlm_perl: Added pair Message-Authenticator = 0x5d1a20d2d2c7897d376d003f73153552
rlm_perl: Added pair Auth-Type = MSCHAP
++[packetfence] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{mschap:User-Name:-None} -> User001
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> --username=User001
[mschap] mschap1: 28
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=28d302e62ccf7399
[mschap] expand: #ntresponse=%{mschap:NT-Response:-00} -> #ntresponse=f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure (0xc000006d)): [User001] (from client 127.0.0.1 port 0)
The ntlm_auth is well configured in mschap module (--ntresponse)!
Thanks for helping.