MS-CHAPv2 change password not working in master

Carlos Velasco carlos.velasco at nimastelecom.com
Fri Nov 16 12:27:16 CET 2012


> On 11/16/2012 10:00 AM, Carlos Velasco wrote:
> 
>> windows popup in Cisco VPN client, but the change password process fails:
>> ntlm_auth said: Password-Change: No Password-Change-Error: Wrong
>> Password . .
>> Looking into code I suppose the problem is something with the old NT
>> hash, but not an expert here. Any help would be appreciated.
>>
>> In these logs the user is "NIMASTELECOM\testpw".
>> The current password is "y58R41ut8W" (expired).
>> And the new password used was "H6eEWu7r65tw38ert1".
> 
> There *might* be a bug in the CPW code, but I can't really see how; it 
> tested fine when I wrote it, and the crypto/hash/blob stuff doesn't 
> really leave room for "only if CONDITION X do something invalid".
> 
> I'll take a look a little bit later but in the meantime can you confirm 
> that if you clear the "must change password", auth works fine with the 
> old/current password?

Yes, auth works fine without "Must change".

I think I have found the problem.

MS-CHAP2-CPW =
0x0701000000000000000000000000000000004194697300c611e68e661957a30d0015000000000000000041eb18eb29a0ebb20ff232620f708e68e27f251767ccd3060000

According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16
octets, but they are all 00.

I am trying to find out why; it seems to be a bug on the Cisco side. But I think this
works fine with Cisco ACS RADIUS. :S

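Added example (not code from this thread or from FreeRADIUS): a small Python parser for the MS-CHAP2-CPW value as laid out in RFC 2548, run over the attribute value quoted above, so a RADIUS server can flag the all-zero Encrypted-Hash with a clear message instead of passing it on to ntlm_auth and getting "Wrong Password" back. The field names follow RFC 2548; `GOOD_CPW` is a constructed comparison value, not from the post.

```python
"""Sanity-check an MS-CHAP2-CPW value before handing it to ntlm_auth."""
import struct
from dataclasses import dataclass

# Layout of the MS-CHAP2-CPW value (RFC 2548) after the RADIUS VSA header:
# Code(1) Ident(1) Encrypted-Hash(16) Peer-Challenge(16) Reserved(8)
# NT-Response(24) Flags(2) = 68 octets.
CPW_LAYOUT = struct.Struct("!BB16s16s8s24sH")
CPW_CODE = 7  # Change-Password code, the 0x07 at the start of the value


@dataclass(frozen=True)
class MsChap2Cpw:
    ident: int
    encrypted_hash: bytes   # old NT hash encrypted with the new one; must not be zero
    peer_challenge: bytes
    reserved: bytes
    nt_response: bytes
    flags: int


def parse_mschap2_cpw(value: bytes) -> MsChap2Cpw:
    """Split a raw MS-CHAP2-CPW value into its fields, enforcing RFC length and code."""
    if len(value) != CPW_LAYOUT.size:
        raise ValueError(f"expected {CPW_LAYOUT.size} octets, got {len(value)}")
    code, ident, enc_hash, peer_chal, reserved, nt_resp, flags = CPW_LAYOUT.unpack(value)
    if code != CPW_CODE:
        raise ValueError(f"expected Code {CPW_CODE}, got {code}")
    return MsChap2Cpw(ident, enc_hash, peer_chal, reserved, nt_resp, flags)


def cpw_findings(hex_value: str) -> list:
    """Return human-readable findings; an empty list means the value looks usable."""
    raw = hex_value[2:] if hex_value.startswith("0x") else hex_value
    try:
        cpw = parse_mschap2_cpw(bytes.fromhex(raw))
    except ValueError as exc:
        return [f"malformed MS-CHAP2-CPW: {exc}"]
    findings = []
    if cpw.encrypted_hash == bytes(16):
        findings.append("Encrypted-Hash is all zeros: client sent no encrypted old NT hash")
    if cpw.peer_challenge == bytes(16):
        findings.append("Peer-Challenge is all zeros")
    if cpw.reserved != bytes(8):
        findings.append("Reserved field is not zero")
    return findings


# The attribute value quoted in the post above (Cisco VPN client, expired password).
PAGE_CPW = ("0x0701000000000000000000000000000000004194697300c611e68e661957a30d0015"
            "000000000000000041eb18eb29a0ebb20ff232620f708e68e27f251767ccd3060000")
# Constructed well-formed value for comparison: same fields, non-zero Encrypted-Hash.
GOOD_CPW = "0x0701" + "a1" * 16 + PAGE_CPW[38:]

if __name__ == "__main__":
    for name, value in (("page value", PAGE_CPW), ("constructed value", GOOD_CPW)):
        print(name, cpw_findings(value) or ["no findings"])
```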