pptpd mschap auth fails
Horatiu Nimigean
horatiu.nimigean at ddnet.ro
Tue Aug 6 17:04:43 CEST 2013
i have pptpd on a centos 6 box configured to use radius for auth.
radius in turn checks credentials in ldap.
the user in ldap has a samba extension and a configured password (i used
ldap account manager to set it up) it also has a sambaNTPassword field
and it's populated.
rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64
the auth fails however when i try conencting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.
this is the log from radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 49338,
id=12, length=152
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser1"
MS-CHAP-Challenge = 0x09235ac983790fedc6ccf93af69b67bf
MS-CHAP2-Response =
0x5e004a81f91bcf75cd6452c64bd587a74f210000000000000000ff5eaa8a5df6639683423ed294074ceb705105d5d762932d
Calling-Station-Id = "***.***.***.***" - edited out
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[ldap] performing user authorization for testuser1
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> testuser1
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testuser1)
[ldap] expand: dc=my-domain,dc=com -> dc=my-domain,dc=com - edited out
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=my-domain,dc=com, with filter
(uid=testuser1)
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header ==
"{SSHA}YQwkujoqTZAKF1Jl1e1JRxKKvDVVRGYv"
[ldap] sambaNtPassword -> NT-Password ==
0x3331443643464530443136414539333142373343353944374530433038394330
[ldap] looking for reply items in directory...
[ldap] user testuser1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: testuser1
[mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 12 to 127.0.0.1 port 49338
MS-CHAP-Error = "^E=691 R=1
C=50685502b0ea6334450d0cd8077ac242 V=3 M=Re-enter (or reset) the
password"
Waking up in 4.9 seconds.
Cleaning up request 4 ID 12 with timestamp +801
Ready to process requests.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130806/dd66066c/attachment.html>
More information about the Freeradius-Users
mailing list