Another LDAP/MSCHAPv2 problem

Francois Gaudreault fgaudreault at inverse.ca
Thu Feb 9 15:53:30 CET 2012


Hi,

I am trying to get PEAP working with an LDAP/Samba backend and 
MSCHAPv2.  It works well for user authentication (they have LM and 
NT stored in the LDAP).  However, the machine auth is causing issues. 
It appears to have only the NT-Password stored in the LDAP.  I thought 
that should be sufficient for MSCHAP to handle the auth, shouldn't it?

[ldap] looking for check items in directory...
   [ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W          ]"
   [ldap] userPassword -> Password-With-Header == "..."
   [ldap] ntPassword -> NT-Password == 0x34343446...242
[ldap] looking for reply items in directory...
[ldap] user host/dti-dahport authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: host/dti-dahport
[mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

My MSCHAP config:
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
}

Any thoughts?

Thanks!

-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
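The question in the post, whether an NT-Password alone is enough to verify MS-CHAPv2, can be checked against the algorithm itself: in RFC 2759 the NT-Response is built from the NT hash, the authenticator challenge, the peer challenge and the user name, and the LM hash plays no part. Below is an added worked example, written for this page and not taken from the post, PacketFence or FreeRADIUS, of the verifier side in Go. It starts from the stored NT hash exactly as a RADIUS server holding only NT-Password would, feeds in the RFC 2759 section 9.2 test vector, and also shows that the user name string hashed into ChallengeHash must be the one the client used: the constructed name `DOMAIN\User` is an assumption made for the second check and fails even with the correct hash. The success AuthenticatorResponse (the `S=...` string) additionally needs MD4 over the hash and is left out, since Go's standard library has no MD4.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// challengeHash implements ChallengeHash() from RFC 2759 section 8.2:
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
// UserName is the bare user name as the client hashed it, with no domain prefix.
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// desParityKey spreads a 7-byte (56-bit) key over 8 bytes, 7 bits per byte,
// leaving the low bit of each byte as the (ignored) DES parity bit.
func desParityKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] >> 1
	k8[1] = ((k7[0] & 0x01) << 6) | (k7[1] >> 2)
	k8[2] = ((k7[1] & 0x03) << 5) | (k7[2] >> 3)
	k8[3] = ((k7[2] & 0x07) << 4) | (k7[3] >> 4)
	k8[4] = ((k7[3] & 0x0f) << 3) | (k7[4] >> 5)
	k8[5] = ((k7[4] & 0x1f) << 2) | (k7[5] >> 6)
	k8[6] = ((k7[5] & 0x3f) << 1) | (k7[6] >> 7)
	k8[7] = k7[6] & 0x7f
	for i := range k8 {
		k8[i] <<= 1
	}
	return k8
}

// challengeResponse implements ChallengeResponse() from RFC 2759 section 8.5:
// the 16-byte NT hash is zero-padded to 21 bytes, split into three 7-byte DES
// keys, and each key encrypts the 8-byte challenge. Only the NT hash is used.
func challengeResponse(challenge, ntHash []byte) ([]byte, error) {
	zHash := make([]byte, 21)
	copy(zHash, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desParityKey(zHash[i*7 : i*7+7]))
		if err != nil {
			return nil, err
		}
		out := make([]byte, 8)
		block.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp, nil
}

// generateNTResponse is GenerateNTResponse() from RFC 2759 section 8.1 seen
// from the verifier: it takes the stored NT hash instead of the password.
func generateNTResponse(authChallenge, peerChallenge []byte, userName string, ntHash []byte) ([]byte, error) {
	return challengeResponse(challengeHash(peerChallenge, authChallenge, userName), ntHash)
}

// verifyMSCHAPv2 recomputes the expected NT-Response from the stored NT hash
// and compares it with the 24-byte response the client sent.
func verifyMSCHAPv2(authChallenge, peerChallenge []byte, userName string, ntHash, clientNTResponse []byte) (bool, error) {
	expected, err := generateNTResponse(authChallenge, peerChallenge, userName, ntHash)
	if err != nil {
		return false, err
	}
	return bytes.Equal(expected, clientNTResponse), nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Test vector from RFC 2759 section 9.2 (user "User", password "clientPass").
// rfcNTHash is the NT hash of the password, i.e. what ntPassword in LDAP holds.
var (
	rfcUserName      = "User"
	rfcAuthChallenge = mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	rfcPeerChallenge = mustHex("21402324255E262A28295F2B3A337C7E")
	rfcNTHash        = mustHex("44EBBA8D5312B8D611474411F56989AE")
	rfcNTResponse    = mustHex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
)

func main() {
	ok, err := verifyMSCHAPv2(rfcAuthChallenge, rfcPeerChallenge, rfcUserName, rfcNTHash, rfcNTResponse)
	fmt.Println("NT hash only, bare user name:", ok, err)
	// Constructed negative case: the same hash, but a user name the client did
	// not hash, changes ChallengeHash and therefore the expected response.
	ok, err = verifyMSCHAPv2(rfcAuthChallenge, rfcPeerChallenge, `DOMAIN\User`, rfcNTHash, rfcNTResponse)
	fmt.Println("same secret, domain-prefixed user name:", ok, err)
}
```

The first call succeeds with nothing but the 16-byte NT hash, which is the point of the example; the second fails not because the secret is wrong but because the name fed into ChallengeHash differs from what the client used, which is why a server has to normalise the user name (as options such as FreeRADIUS's `with_ntdomain_hack` exist to do) before it computes the challenge.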