MS-CHAPv2 change password not working in master
Carlos Velasco
carlos.velasco at nimastelecom.com
Fri Nov 16 12:27:16 CET 2012
> On 11/16/2012 10:00 AM, Carlos Velasco wrote:
>
>> windows popup in Cisco VPN client, but the change password process fails:
>> ntlm_auth said: Password-Change: No Password-Change-Error: Wrong
>> Password . .
>> Looking into code I suppose the problem is something with the old NT
>> hash, but not an expert here. Any help would be appreciated.
>>
>> In these logs the user is "NIMASTELECOM\testpw".
>> The current password is "y58R41ut8W" (expired).
>> And the new password used was "H6eEWu7r65tw38ert1".
>
> There *might* be a bug in the CPW code, but I can't really see how; it
> tested fine when I wrote it, and the crypto/hash/blob stuff doesn't
> really leave room for "only if CONDITION X do something invalid".
>
> I'll take a look a little bit later but in the meantime can you confirm
> that if you clear the "must change password", auth works fine with the
> old/current password?
Yes, auth works fine without "Must change".
I think I have found the problem.
MS-CHAP2-CPW =
0x0701000000000000000000000000000000004194697300c611e68e661957a30d0015000000000000000041eb18eb29a0ebb20ff232620f708e68e27f251767ccd3060000
According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16
octets, but they are all 00.
I am trying to find out why; it seems to be a bug in the Cisco part. But I think this
works fine with Cisco ACS radius. :S
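To make the observation above concrete, here is an added example (my own code, not FreeRADIUS, Cisco or ntlm_auth code) that splits an MS-CHAP2-CPW value into the fixed-width fields defined in RFC 2548 section 2.3.3 and reports the problem the post points at: a zeroed Encrypted-Hash. Per RFC 2759 section 8.13 that field carries the old NT password hash encrypted under the new NT password hash, so with all zeros the server cannot recover the old hash and reports a wrong password. The sample value is the one quoted in the post, reconstructed field by field; the 68-octet width, the Code value 7 and the "Flags must be zero" rule are taken from the RFCs.

```python
# Added example (not FreeRADIUS or Cisco code): parse the 68-octet MS-CHAP2-CPW
# attribute value, RFC 2548 section 2.3.3, and flag a zeroed Encrypted-Hash
# like the one in the post above.
from dataclasses import dataclass
from typing import List

CPW_CODE_CHANGE_PASSWORD = 7   # "Code" octet, RFC 2548 2.3.3 / RFC 2759 section 5
CPW_LEN = 68                   # 1 + 1 + 16 + 16 + 8 + 24 + 2 octets


@dataclass(frozen=True)
class MsChap2Cpw:
    code: int
    ident: int
    encrypted_hash: bytes   # old NT hash encrypted under the new NT hash (RFC 2759 8.13)
    peer_challenge: bytes
    reserved: bytes
    nt_response: bytes      # MS-CHAPv2 response computed over the *new* password
    flags: int


def parse_ms_chap2_cpw(value: bytes) -> MsChap2Cpw:
    """Split the attribute value (without the VSA header) into its fields."""
    if len(value) != CPW_LEN:
        raise ValueError(f"MS-CHAP2-CPW must be {CPW_LEN} octets, got {len(value)}")
    code, ident = value[0], value[1]
    if code != CPW_CODE_CHANGE_PASSWORD:
        raise ValueError(f"MS-CHAP2-CPW Code must be 7, got {code}")
    return MsChap2Cpw(
        code=code,
        ident=ident,
        encrypted_hash=value[2:18],
        peer_challenge=value[18:34],
        reserved=value[34:42],
        nt_response=value[42:66],
        flags=int.from_bytes(value[66:68], "big"),
    )


def check_ms_chap2_cpw(cpw: MsChap2Cpw) -> List[str]:
    """Return the reasons a server could not honour this change request."""
    problems = []
    if cpw.encrypted_hash == bytes(16):
        problems.append(
            "Encrypted-Hash is all zeros: the old NT hash cannot be recovered, "
            "so the backend will reject the request as a wrong password")
    if cpw.reserved != bytes(8):
        problems.append("Reserved field is not zero")
    if cpw.flags != 0:
        problems.append(f"Flags must be zero, got {cpw.flags:#06x}")
    return problems


# The value from the post, reconstructed field by field (constructed sample).
SAMPLE_CPW_HEX = (
    "07" "01"                                            # Code 7, Ident 1
    + "00" * 16                                          # Encrypted-Hash, all zero
    + "4194697300c611e68e661957a30d0015"                 # Peer-Challenge
    + "00" * 8                                           # Reserved
    + "41eb18eb29a0ebb20ff232620f708e68e27f251767ccd306" # NT-Response
    + "0000"                                             # Flags
)


def diagnose(hex_value: str) -> List[str]:
    """Parse a hex-encoded MS-CHAP2-CPW value and list what is wrong with it."""
    return check_ms_chap2_cpw(parse_ms_chap2_cpw(bytes.fromhex(hex_value)))


if __name__ == "__main__":
    for line in diagnose(SAMPLE_CPW_HEX):
        print("MS-CHAP2-CPW:", line)
```

Feed it the hex string FreeRADIUS prints for the attribute (the value only, without the Microsoft vendor-id and the Vendor-Type/Vendor-Length octets). A well-formed request from a client yields an empty list; the value from the post yields the single Encrypted-Hash complaint, which matches the "Wrong Password" answer ntlm_auth gave, since the backend had no usable old-hash material to verify.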