adding mschap to an existing ttls/pap setup

Brian Gold bgold at simons-rock.edu
Thu Apr 12 19:38:32 CEST 2012


> -----Original Message-----
> From: freeradius-users-bounces+bgold=simons-rock.edu at lists.freeradius.org [mailto:freeradius-users-bounces+bgold=simons-
> rock.edu at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Thursday, April 12, 2012 12:02 PM
> To: FreeRadius users mailing list
> Subject: Re: adding mschap to an existing ttls/pap setup
> 
> Brian Gold wrote:
> > We currently have an existing freeradius setup using eap-ttls/pap with
> > an openldap backend. Up until now, our userPassword has always been SHA encoded. I've been working to add sambaNTPassword
> hashes so that we can use either eap-ttls/mschap or peap/mschap.
> > I've got the nt hashes set, but I'm having some difficulty getting freeradius to successfully authenticate.
> > Output from "radtest -t mschap username password localhost 0 secret":
> > http://pastebin.com/FeiwwhzE
> 
>   The NT hash doesn't match the supplied password.
> 
> > output from "radtest -t pap username password localhost 0 secret":
> > http://pastebin.com/tvZXqJCm
> 
>   In which you've forced "Auth-Type := LDAP", which means it's ignoring the NT hash.
> 
>   Don't do that.
> 
>   Use the "smbpasswd" program supplied with FreeRADIUS to create the NT hash.  Use a simple password like "test".  That also means
> you don't need to worry about pasting it to the list.
> 
>   Put the password into the "users" file.  Test it with PAP && MS-CHAP.
>  CHECK TO MAKE SURE it's using the password.  i.e. not LDAP.
> 
>   Then... delete the password from the users file, and put it into LDAP.
> Check also that you're not setting "Auth-Type := LDAP"
> 
>   You're trying to fix a problem which has a lot of pieces.  Some of the pieces are configured wrong, which means it's impossible to
> figure out the *other* pieces.
> 
>   Solve one problem at a time.
> 
>   Alan DeKok.


Ok, new pastebin: http://pastebin.com/5f2W3PjN
I've confirmed that I don't have "Auth-Type := LDAP" anywhere in my configuration. The sambaNTPassword hash was incorrect. We can't
use smbpasswd since we don't actually have a full samba setup at this time, just a normal openldap server which happens to have the
samba schema so we can use sambaNTPassword. We will probably be moving to a full samba at some point, but not just yet. I've
manually corrected the NT hash and confirmed that it works via radtest, but I'm still apparently getting rejected. Any help would be
appreciated. If there is more information I can give, just let me know.
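The thread turns on whether the sambaNTPassword value in LDAP actually matches the user's password; Alan's advice is to confirm that before debugging anything else. The following is an added example, not code from the thread or from FreeRADIUS, that computes the NT hash (MD4 over the UTF-16LE encoding of the password, which is what the Samba schema stores as uppercase hex in sambaNTPassword) with a self-contained MD4 so it runs even where OpenSSL's legacy provider is disabled. It then checks a candidate password against a stored attribute value. The function and variable names are my own, and the stored value in the usage example is a constructed sample for the test password "password".

```python
import hmac
import struct


def _lrot(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320), implemented here so the example has no OpenSSL dependency."""
    bit_len = len(data) * 8
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each round updates one word and rotates the state so the next
        # step always writes into "a"; after four steps the order is restored.
        for i in range(16):  # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _lrot((a + h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a = (a + aa) & 0xFFFFFFFF
        b = (b + bb) & 0xFFFFFFFF
        c = (c + cc) & 0xFFFFFFFF
        d = (d + dd) & 0xFFFFFFFF

    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: uppercase hex of MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16le")).hex().upper()


def nt_hash_matches(password: str, stored_samba_nt_password: str) -> bool:
    """Check a cleartext password against a sambaNTPassword attribute value.

    Case-insensitive on the hex, constant-time on the comparison, so it can be
    used to validate directory entries before bothering radtest with them.
    """
    expected = nt_hash(password).encode()
    stored = stored_samba_nt_password.strip().upper().encode()
    return hmac.compare_digest(expected, stored)


if __name__ == "__main__":
    # Constructed sample: the well-known NT hash of the test password "password".
    sample_attr = "8846F7EAEE8FB117AD06BDD830B7586C"
    print("sambaNTPassword for 'password':", nt_hash("password"))
    print("matches directory value:", nt_hash_matches("password", sample_attr))
    print("matches with wrong password:", nt_hash_matches("Password", sample_attr))
```

Run it with the candidate password and paste the LDAP attribute value into `nt_hash_matches`; a `False` here means the directory entry is wrong regardless of how FreeRADIUS is configured, which is exactly the "NT hash doesn't match the supplied password" case in the first reply. Note that MS-CHAP also needs the RADIUS server to receive that hash (or the cleartext password) as a known-password attribute; a correct attribute value in LDAP only helps once the ldap module maps it.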


