pptpd mschap auth fails

Horatiu Nimigean horatiu.nimigean at ddnet.ro
Tue Aug 6 17:04:43 CEST 2013


I have pptpd on a CentOS 6 box configured to use RADIUS for auth.
RADIUS in turn checks credentials in LDAP.
The user in LDAP has a Samba extension and a configured password (I used 
LDAP Account Manager to set it up); it also has a sambaNTPassword field 
and it's populated.
rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64

The auth fails however when I try connecting from my Windows 8 client.
I need to mention that I am sure I'm inputting correct passwords.
This is the log from radiusd -X:

    rad_recv: Access-Request packet from host 127.0.0.1 port 49338,
    id=12, length=152
             Service-Type = Framed-User
             Framed-Protocol = PPP
             User-Name = "testuser1"
             MS-CHAP-Challenge = 0x09235ac983790fedc6ccf93af69b67bf
             MS-CHAP2-Response =
    0x5e004a81f91bcf75cd6452c64bd587a74f210000000000000000ff5eaa8a5df6639683423ed294074ceb705105d5d762932d
             Calling-Station-Id = "***.***.***.***" - edited out
             NAS-IP-Address = 127.0.0.1
             NAS-Port = 0
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "testuser1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    [ldap] performing user authorization for testuser1
    [ldap]  expand: %{Stripped-User-Name} ->
    [ldap]  ... expanding second conditional
    [ldap]  expand: %{User-Name} -> testuser1
    [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
    (uid=testuser1)
    [ldap]  expand: dc=my-domain,dc=com -> dc=my-domain,dc=com - edited out
       [ldap] ldap_get_conn: Checking Id: 0
       [ldap] ldap_get_conn: Got Id: 0
       [ldap] performing search in dc=my-domain,dc=com, with filter
    (uid=testuser1)
    [ldap] looking for check items in directory...
       [ldap] userPassword -> Password-With-Header ==
    "{SSHA}YQwkujoqTZAKF1Jl1e1JRxKKvDVVRGYv"
       [ldap] sambaNtPassword -> NT-Password ==
    0x3331443643464530443136414539333142373343353944374530433038394330
    [ldap] looking for reply items in directory...
    [ldap] user testuser1 authorized to use remote access
       [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Normalizing NT-Password from hex encoding
    [pap] Normalizing SSHA1-Password from base64 encoding
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = MSCHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
    [mschap] Found NT-Password
    [mschap] Creating challenge hash with username: testuser1
    [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password
    [mschap] FAILED: MS-CHAP2-Response is incorrect
    ++[mschap] returns reject
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> testuser1
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 4 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 4
    Sending Access-Reject of id 12 to 127.0.0.1 port 49338
             MS-CHAP-Error = "^E=691 R=1
    C=50685502b0ea6334450d0cd8077ac242 V=3 M=Re-enter (or reset) the
    password"
    Waking up in 4.9 seconds.
    Cleaning up request 4 ID 12 with timestamp +801
    Ready to process requests.

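One check worth running on a log like this before blaming the client: the NT-Password value the ldap module returned, 0x3331443643464530..., is the debug output printing the sambaNtPassword text as octets; decoded, it is the ASCII string 31D6CFE0D16AE931B73C59D7E0C089C0, which is the NT hash (MD4 over the UTF-16LE password) of an empty password. A stored hash for an empty password cannot match an MS-CHAPv2 response computed from a non-empty one, so it is the first thing to verify on the LDAP side. The script below is an added example, not code from the original post and not FreeRADIUS's own implementation: it carries a pure-Python MD4 (hashlib may lack md4 on OpenSSL 3), normalises the NT-Password encodings seen in the log the way the pap module's "Normalizing NT-Password from hex encoding" line implies (my reading of the log, not FreeRADIUS source), flags the empty-password hash, and splits the MS-CHAP2-Response into its RFC 2759 fields plus the ChallengeHash the "Creating challenge hash with username" line refers to. The LOG_* constants are copied from the debug output above; the function names are my own.

```python
import hashlib
import struct

# --- MD4 (RFC 1320) in pure Python; NT hashes are MD4 over UTF-16LE text ---
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"            # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c            # rotate the working registers
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash as used by MS-CHAPv2: MD4 of the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


EMPTY_NT_HASH = nt_hash("")   # 31d6cfe0d16ae931b73c59d7e0c089c0


def normalize_nt_password(value) -> bytes:
    """Reduce the encodings an NT hash shows up in to the raw 16 bytes.
    sambaNTPassword is stored as 32 hex characters, and the radiusd debug
    output printed that text as octets, so up to two layers of hex text may
    wrap the 16 raw bytes (assumption drawn from the log, not FreeRADIUS code)."""
    if isinstance(value, str):
        v = value.strip()
        raw = bytes.fromhex(v[2:]) if v.lower().startswith("0x") else v.encode("ascii")
    else:
        raw = bytes(value)
    for _ in range(2):
        if len(raw) == 16:
            return raw
        try:
            raw = bytes.fromhex(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            break
    raise ValueError("not a recognisable NT-Password encoding")


def check_stored_nt_hash(value) -> dict:
    """The check a defender wants: is the stored hash well-formed, and is it
    the hash of an empty password (a sign the Samba password was never set)?"""
    raw = normalize_nt_password(value)
    return {"nt_hash_hex": raw.hex(), "empty_password": raw == EMPTY_NT_HASH}


def parse_mschap2_response(value: str) -> dict:
    """Split the 50-byte MS-CHAP2-Response (RFC 2759 section 4) into
    Ident, Flags, 16-byte Peer-Challenge, 8 reserved bytes, 24-byte NT-Response."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    return {"ident": raw[0], "flags": raw[1], "peer_challenge": raw[2:18],
            "reserved": raw[18:26], "nt_response": raw[26:50]}


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8-byte value behind the log line
    'Creating challenge hash with username'."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


# Values copied from the radiusd -X output in the post above.
LOG_NT_PASSWORD = "0x3331443643464530443136414539333142373343353944374530433038394330"
LOG_CHALLENGE = "0x09235ac983790fedc6ccf93af69b67bf"
LOG_RESPONSE = ("0x5e004a81f91bcf75cd6452c64bd587a74f210000000000000000"
                "ff5eaa8a5df6639683423ed294074ceb705105d5d762932d")
LOG_USER = "testuser1"

if __name__ == "__main__":
    print("stored NT-Password:", check_stored_nt_hash(LOG_NT_PASSWORD))
    resp = parse_mschap2_response(LOG_RESPONSE)
    print("peer challenge:", resp["peer_challenge"].hex())
    print("challenge hash:", challenge_hash(resp["peer_challenge"],
                                            bytes.fromhex(LOG_CHALLENGE[2:]), LOG_USER).hex())
```

Run it as-is and the first line reports empty_password=True for the hash in the log. The remaining step of MS-CHAPv2 verification, three DES encryptions of the challenge hash under the padded NT hash compared against NT-Response, needs a DES implementation and is left out here; the point of the check is that no response from a non-empty password can match a stored empty-password hash, whatever the client does.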

