MS-CHAPv2 change password not working in master
Carlos Velasco
carlos.velasco at nimastelecom.com
Fri Nov 16 15:08:04 CET 2012
> On 16/11/12 11:43, Carlos Velasco wrote:
>
>> I don't see LM hashes allowed in the Radius attributes for password
>> change. Don't seem Cisco using them.
>
> Sorry yes ignore me; I'm being dumb.
>
Ok. After further findings... it is a bug in Cisco IOS router version
15.1M. Downgrading to 15.0M works fine.
I have seen that after "Password change successful", the module tries to
authenticate the user again but with wrong password, I suppose. "Logon
failure".
Radius logs:
===
rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=13,
length=755
User-Name = "NIMASTELECOM\\testpw"
MS-CHAP-Challenge = 0x3145a0bc1fc2c0e4e69b8ff555861037
MS-CHAP2-CPW =
0x07024dbbd90bfd0760d77899ba7604a84c21b220a1fc49be375f9bad552ab92ee06b0000000000000000bb63180ea5a0e43f62c0abd2b8b1d6f0795780b2074dec690000
MS-CHAP-NT-Enc-PW =
0x0602000176116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb52114017
MS-CHAP-NT-Enc-PW =
0x060200025ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d582
MS-CHAP-NT-Enc-PW =
0x060200030c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bdd1e8aa3c0856e6e9bc3a8c25d7efd28ba6525d78f01bf43ca6997dd2e48d6897ced164b539a76fb6
NAS-Port-Type = Virtual
Cisco-NAS-Port = "85.112.6.36"
NAS-Port = 0
NAS-Port-Id = "85.112.6.36"
Service-Type = Login-User
NAS-IP-Address = 10.112.14.2
Event-Timestamp = "Nov 16 2012 14:19:36 CET"
(17) # Executing section authorize from file
/etc/raddb/sites-enabled/vpn_nimas_tk
(17) group authorize {
(17) - entering group authorize {...}
(17) mschap-vpn_nimas_tk : Found MS-CHAP attributes. Setting 'Auth-Type
= mschap-vpn_nimas_tk'
(17) [mschap-vpn_nimas_tk] = ok
(17) ? if (!control:Auth-Type)
(17) ? Evaluating !(control:Auth-Type) -> FALSE
(17) ? if (!control:Auth-Type) -> FALSE
(17) detail-vpn_nimas_tk-auth : expand:
/var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d ->
/var/log/radius/radacct/vpn_nimas_tk-auth-20121116
(17) detail-vpn_nimas_tk-auth :
/var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to
/var/log/radius/radacct/vpn_nimas_tk-auth-20121116
(17) detail-vpn_nimas_tk-auth : expand: %t -> Fri Nov 16
14:19:36 2012
(17) [detail-vpn_nimas_tk-auth] = ok
(17) Found Auth-Type = MSCHAP
(17) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk
(17) group MS-CHAP {
(17) - entering group MS-CHAP {...}
(17) mschap-vpn_nimas_tk : MS-CHAPv2 password change request received
(17) mschap-vpn_nimas_tk : Password change payload valid
(17) mschap-vpn_nimas_tk : Doing MS-CHAPv2 password change via ntlm_auth
helper
(17) mschap-vpn_nimas_tk : expand: username:
%{mschap-vpn_nimas_tk:User-Name} -> username: testpw
(17) mschap-vpn_nimas_tk : expand: nt-domain:
%{mschap-vpn_nimas_tk:NT-Domain} -> nt-domain: NIMASTELECOM
(17) mschap-vpn_nimas_tk : new_nt_password: 118, Write buf:
new-nt-password-blob:
76116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb521140175ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d5820c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bdd1e8aa3c0856e6e9bc3a8c25d7efd28ba6525!
d78f01bf
43ca6997dd2e48d6897ced164b539a76fb6
(17) mschap-vpn_nimas_tk : old_nt_hash: 77 || Write buf:
old-nt-hash-blob: 4dbbd90bfd0760d77899ba7604a84c21
(17) mschap-vpn_nimas_tk : Write buf: new-lm-password-blob:
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000!
00000000
00000000000000000000000000000000000
(17) mschap-vpn_nimas_tk : Write buf: old-lm-hash-blob:
00000000000000000000000000000000 point n
(17) mschap-vpn_nimas_tk : ntlm_auth said: Password-Change: Yes .
(17) mschap-vpn_nimas_tk : ntlm_auth password change succeeded
(17) mschap-vpn_nimas_tk : Password change successful
(17) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw
(17) mschap-vpn_nimas_tk : Client is using MS-CHAPv2 for testpw, we need
NT-Password
(17) mschap-vpn_nimas_tk : expand:
--username=%{mschap-vpn_nimas_tk:User-Name} -> --username=testpw
(17) mschap-vpn_nimas_tk : expand:
--domain=%{mschap-vpn_nimas_tk:NT-Domain} -> --domain=NIMASTELECOM
(17) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw
(17) mschap-vpn_nimas_tk : expand:
--challenge=%{mschap-vpn_nimas_tk:Challenge:-00} ->
--challenge=07a8831f274a55d3
(17) mschap-vpn_nimas_tk : expand:
--nt-response=%{mschap-vpn_nimas_tk:NT-Response:-00} ->
--nt-response=bb63180ea5a0e43f62c0abd2b8b1d6f0795780b2074dec69
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
(17) mschap-vpn_nimas_tk : External script failed.
(17) mschap-vpn_nimas_tk : FAILED: MS-CHAP2-Response is incorrect
(17) [mschap-vpn_nimas_tk] = reject
(17) Failed to authenticate the user.
(17) Login incorrect (mschap-vpn_nimas_tk: External script says Logon
failure (0xc000006d)): [NIMASTELECOM\\testpw] (from client RMADTKNIMAS01
port 0)
(17) Using Post-Auth-Type Reject
(17) WARNING: Unknown value specified for Post-Auth-Type. Cannot
perform requested action.
(17) Finished request 17.
===
More information about the Freeradius-Users
mailing list