MS-CHAPv2 change password not working in master

Phil Mayers p.mayers at imperial.ac.uk
Fri Nov 16 12:38:16 CET 2012


On 11/16/2012 11:27 AM, Carlos Velasco wrote:

> According to RFC2548, after 0x0701 should be the "Encrypted-Hash"
> 16 octets, but they are all 00.
>
> I am trying to find out why; it seems to be a bug on Cisco's part. But I think
> this works fine with Cisco ACS radius. :S

The CPW packet lets you send the NT and/or LM hashes.

The "ntlm_auth" code supports (and sends) both, but it's very likely 
that support for LM hashes has been disabled on your domain; they're 
horribly insecure and deprecated.

My guess is the Cisco has old code. LM hashes were "easy" so older code 
tends to support them.
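
Added example, not part of the original message: a small Python decoder for the MS-CHAP2-CPW value that reports an all-zero Encrypted-Hash, the symptom described in the quoted text. The field sizes after the 16-octet Encrypted-Hash (24-octet Peer-Challenge, 24-octet NT-Response, 2-octet Flags) are taken from RFC 2548, and the sample bytes are constructed, not from a real capture.

```python
import struct

# MS-CHAP2-CPW value (after Vendor-Type/Vendor-Length), per RFC 2548:
# Code(1) Ident(1) Encrypted-Hash(16) Peer-Challenge(24) NT-Response(24) Flags(2)
CPW_FORMAT = ">BB16s24s24sH"
CPW_LEN = struct.calcsize(CPW_FORMAT)  # 68 octets
CPW_CODE = 7


def parse_mschap2_cpw(value: bytes) -> dict:
    """Decode an MS-CHAP2-CPW value and list fields that were left unset."""
    if len(value) != CPW_LEN:
        raise ValueError(f"expected {CPW_LEN} octets, got {len(value)}")
    code, ident, enc_hash, peer_chal, nt_resp, flags = struct.unpack(CPW_FORMAT, value)
    if code != CPW_CODE:
        raise ValueError(f"Code is {code}, MS-CHAP2-CPW uses {CPW_CODE}")
    fields = {
        "Encrypted-Hash": enc_hash,
        "Peer-Challenge": peer_chal,
        "NT-Response": nt_resp,
    }
    # A field that is entirely 0x00 was never filled in by the NAS/client.
    warnings = [f"{name} is all zeros" for name, data in fields.items() if not any(data)]
    return {"ident": ident, "flags": flags, "fields": fields, "warnings": warnings}


# Constructed samples (not real captures). The first mirrors the report:
# 0x0701 followed by sixteen 0x00 octets where Encrypted-Hash should be.
_TAIL = bytes(range(1, 17)) + bytes(8) + bytes(range(0x20, 0x38)) + bytes(2)
SAMPLE_ZERO_HASH = bytes.fromhex("0701") + bytes(16) + _TAIL
SAMPLE_FILLED = bytes.fromhex("0701") + bytes(range(0x40, 0x50)) + _TAIL

if __name__ == "__main__":
    for label, sample in (("zero hash", SAMPLE_ZERO_HASH), ("filled", SAMPLE_FILLED)):
        result = parse_mschap2_cpw(sample)
        print(label, "->", result["warnings"] or "all fields populated")
```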

