Another LDAP/MSCHAPv2 problem
Alan DeKok
aland at deployingradius.com
Thu Feb 9 17:42:56 CET 2012
Francois Gaudreault wrote:
> I had a look in the LDAP, and the ntPassword is having the correct length:
> ntPassword: 44AFA3XXXXXXXXXXXXXXXXXXXXXXX856
Yup. That's the hex version.
> I did enable pap, but without success.
...
> [pap] Normalizing NT-Password from hex encoding
That's something, at least.
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ...
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] Found NT-Password
> [mschap] Creating challenge hash with username: host/dti-dahport
> [mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> Is it possible that the issue is somewhere else? The nt/lmPassword are
> properly handled when we do user auth, and the printout in debug is also
> in a 0xsomething format.
The issue could be somewhere else. From what I recall, host
authentication is... weird. The name in the MS-CHAP blob might *not* be
the same as the User-Name field. If that happens, the calculated
response using the User-Name will be wrong.
Grab the debug output and use it as a test case. You should be able
to replay the packets verbatim. Configure a static password. Also try
configuring "MS-CHAP-User-Name", which will end up being the name used
for the MS-CHAP calculations. Decode the MS-CHAP blobs manually to see
if the name in them is the same as the User-Name.
Alan DeKok.
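As an added example (not code from the thread or from FreeRADIUS), the following Python decodes the 50-byte MS-CHAP2-Response value from RFC 2548, normalises a hex NT-Password the way the debug line "[pap] Normalizing NT-Password from hex encoding" describes, and recomputes the RFC 2759 challenge hash for several candidate names, which shows why a name in the MS-CHAP blob that differs from User-Name produces a different challenge and therefore a failed NT-Response check. All sample bytes are constructed.

```python
"""Added example (not from the thread or FreeRADIUS): decode an MS-CHAP2-Response
blob (RFC 2548) and recompute the RFC 2759 ChallengeHash for candidate names."""
import hashlib

def normalize_nt_password(value: str) -> bytes:
    """LDAP ntPassword hex (optional 0x prefix) -> 16 raw NT-hash bytes.
    This is the '[pap] Normalizing NT-Password from hex encoding' step."""
    hexstr = value[2:] if value.lower().startswith("0x") else value
    if len(hexstr) != 32:
        raise ValueError("NT-Password must be 16 bytes (32 hex characters)")
    return bytes.fromhex(hexstr)

def parse_mschap2_response(blob: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response attribute value into its fields."""
    if len(blob) != 50:
        raise ValueError("MS-CHAP2-Response value must be exactly 50 bytes")
    return {
        "ident": blob[0],            # matches the MS-CHAP-Challenge ident
        "flags": blob[1],            # must be zero for MS-CHAPv2
        "peer_challenge": blob[2:18],
        "reserved": blob[18:26],
        "nt_response": blob[26:50],  # 24-byte DES output, checked separately
    }

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """First 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName).
    The name is hashed exactly as given, as in the debug line
    'Creating challenge hash with username: host/dti-dahport'."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]

def challenge_for_names(blob: bytes, auth_challenge: bytes, names) -> dict:
    """8-byte challenge each candidate name produces from the same blob.
    A name that differs from User-Name gives a different challenge, so the
    server's NT-Response check fails even when the NT-Password is right."""
    peer = parse_mschap2_response(blob)["peer_challenge"]
    return {n: challenge_hash(peer, auth_challenge, n).hex() for n in names}

# Constructed sample values, not taken from the original debug output.
SAMPLE_AUTH_CHALLENGE = bytes(range(16))                        # MS-CHAP-Challenge
SAMPLE_BLOB = bytes([1, 0]) + bytes(range(16, 32)) + bytes(8) + bytes(24)

if __name__ == "__main__":
    names = ["host/dti-dahport", "dti-dahport", "HOST/DTI-DAHPORT"]
    for n, c in challenge_for_names(SAMPLE_BLOB, SAMPLE_AUTH_CHALLENGE, names).items():
        print(f"{n:20s} -> challenge {c}")
```

Feed the real MS-CHAP-Challenge and MS-CHAP2-Response bytes from a captured packet into `challenge_for_names` with both the User-Name and the name decoded from the EAP/MS-CHAP blob; if the two challenges differ, the name mismatch Alan describes is the cause rather than the stored NT-Password.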