MS-CHAPv2 change password not working in master

Carlos Velasco carlos.velasco at nimastelecom.com
Fri Nov 16 12:43:19 CET 2012


> On 11/16/2012 11:27 AM, Carlos Velasco wrote:
> 
>>  According to RFC2548, after 0x0701 should be the "Encrypted-Hash"
>> 16 octects, but they are all 00.
>>
>> I am trying to find out why, seems a bug in Cisco part. But I think
>> this works fine with Cisco ACS radius. :S
> 
> The CPW packet lets you send the NT and/or LM hashes.
> 
> The "ntlm_auth" code supports (and sends) both, but it's very likely 
> that support for LM hashes has been disabled on your domain; they're 
> horribly insecure and deprecated.
> 
> My guess is the Cisco has old code. LM hashes were "easy" so older code 
> tends to support them.
> 

Mmm well, the "Encrypted-Hash" should be an NT hash.

===
   Encrypted-Hash
      The Encrypted-Hash field is 16 octets in length.  It contains  the
      old  Windows  NT  password  hash encrypted with the new Windows NT
      password hash.
===

I don't see LM hashes allowed in the Radius attributes for password
change. Don't seem Cisco using them.

I am trying to make some findings. Maybe installing ACS and testing to
see any difference.


More information about the Freeradius-Users mailing list