Problem with MSCHAP and Freeradius authentication

Dhiraj Gaur dhiraj.gaur at gmail.com
Fri Jan 20 17:17:36 CET 2012


Hi Alan
Thanks for the reply. I already followed your site and was able to make
ntlm_auth work. For MS-CHAP the AD page of your site says

"Start the server and use a test client to send an MS-CHAP authentication
request. The radclient cannot currently be used to send this request,
unfortunately, which makes testing a little difficult. If everything goes
well, you should see the server returning an
Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message
as above."

Hence I was of the view radtest cannot work for MS-CHAP authentication.
Request you to point me to the right link and way to do the MS-CHAP
procedure and testing the same through radtest. I could not understand
"There's no User-Password in MS-CHAP."

Regards
Dhiraj Gaur

On Fri, Jan 20, 2012 at 9:15 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Dhiraj Gaur wrote:
> > I have been trying to implement radius authentication server at my
> > workplace. The idea is to have all wifi access points authenticate
> > against a radius server.
>
>   That is a common deployment, and should be easy to do.
>
> > The radius server needs to pass authentication to a backend Active
> > Directory server. I have been successful in authenticating wifi users
> > against file based and SQL based authentication in radius. NTLM_AUTH
> > using PAP also works fine, wherein plaintext password is successfully
> > authenticated against the AD and I get an "Access-Accept". However when
> > I pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is
> > not working and I end up in a "Access-Reject".
>
>   CHAP will *not* work with AD.  See my web site:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> > Seems like that the
> > ntlm_auth program is not parsing the received encrypted password hence
> > the authentication fails. MSCHAP is a requirement as wifi clients at my
> > place mostly have eap supplicant. (Read in freeradius documentation that
> > eap and ldap doesn't go hand in hand, I may be wrong at interpreting the
> > same)
>
>   You've misconfigured the server.  You have it trying to do ntlm_auth
> using the User-Password, and then sending it an MS-CHAP authentication.
>  There's no User-Password in MS-CHAP.
>
>  Follow the instructions on my web site for configuring ntlm_auth:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
>  And then follow the other instructions for getting EAP to work.
>
> > The freeradius logs for all the cases is listed below. Radius gurus
> > please point me to the right direction as to make MS_CHAP authentication
> > work over ntlm_auth or ldap(if possible).
> >
> > PS: I did all the testing using JRadius simulator.
>
>   FreeRADIUS comes with "radclient", which does PAP, CHAP, and MS-CHAP.
>  That should be all you need.
>
>  Alan DeKok.



-- 
Regards

Dhiraj Gaur
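
The point quoted above, "There's no User-Password in MS-CHAP", can be seen at the packet level. The following is an added example, not part of the original thread or of FreeRADIUS: it parses a RADIUS Access-Request and reports which credential attribute it carries, using the attribute numbers from RFC 2865 and RFC 2548. The user name, the all-zero authenticator and the attribute values are constructed filler.

```python
import struct

MS_VENDOR = 311  # Microsoft vendor id (RFC 2548)
PLAIN = {2: "User-Password", 3: "CHAP-Password", 79: "EAP-Message"}
MS_VSA = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}

def attr(atype, value):
    """Encode one RADIUS attribute: type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def ms_vsa(vtype, value):
    """Encode a Microsoft vendor-specific attribute (type 26, vendor 311)."""
    return attr(26, struct.pack("!I", MS_VENDOR) + attr(vtype, value))

def access_request(attrs):
    """Build an Access-Request (code 1) with a constructed all-zero authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

def credential_attrs(packet):
    """List the credential-bearing attributes present in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if atype in PLAIN:
            found.append(PLAIN[atype])
        elif atype == 26 and len(value) >= 6 and value[:4] == struct.pack("!I", MS_VENDOR):
            if value[4] in MS_VSA:
                found.append(MS_VSA[value[4]])
        pos += packet[pos + 1]
    return found

def auth_method(packet):
    """Name the authentication method an Access-Request is carrying."""
    names = set(credential_attrs(packet))
    for marker, method in (("EAP-Message", "EAP"), ("MS-CHAP2-Response", "MS-CHAPv2"),
                           ("MS-CHAP-Response", "MS-CHAPv1"), ("CHAP-Password", "CHAP"),
                           ("User-Password", "PAP")):
        if marker in names:
            return method
    return "none"

# Constructed sample requests; every value below is filler, not captured traffic.
USER = attr(1, b"bob")
PAP_REQ = access_request([USER, attr(2, bytes(16))])
MSCHAP_REQ = access_request([USER, ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50))])
```

The MS-CHAPv2 request contains only the challenge and response attributes, so an ntlm_auth invocation built around User-Password has nothing to read from it.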