FR 3.0.4: MS-CHAP2-Response is incorrect

Heiko O puettagoras at gmail.com
Tue Dec 2 10:52:21 CET 2014


Hello all,

I have two questions on realms:

Authentication works fine when users only enter "username", but I want
the users to log in with something like "username at thedomain.net". But
when doing this I get

(0)  preprocess :    --> testuser
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)  mschap : Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)   [mschap] = ok
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "testuser", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)  sql : EXPAND %{User-Name}
(0)  sql :    --> testuser
(0)  sql : SQL-User-Name set to 'testuser'
rlm_sql (sql): Reserved connection (4)
(0)  sql : EXPAND SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(0)  sql :    --> SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = 'testuser' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute,
Value, Op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
(0)  sql : User found in radcheck table
(0)  sql : Check items matched
(0)  sql : EXPAND SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
(0)  sql :    --> SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = 'testuser' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute,
Value, Op FROM radreply WHERE Username = 'testuser' ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
(0)  sql : User found in radreply table
(0)  sql : EXPAND SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority
(0)  sql :    --> SELECT GroupName FROM radusergroup WHERE
UserName='testuser' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT GroupName FROM radusergroup
WHERE UserName='testuser' ORDER BY priority'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
(0)  sql : User not found in any groups
rlm_sql (sql): Released connection (4)
(0)   [sql] = ok
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  } #  authorize = ok
(0) Found Auth-Type = MSCHAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Auth-Type MS-CHAP {
(0)  mschap : Found Cleartext-Password, hashing to create LM-Password
(0)  mschap : Found Cleartext-Password, hashing to create NT-Password
(0)  mschap : Creating challenge hash with username: testuser
(0)  mschap : Client is using MS-CHAPv2
(0)  ERROR: mschap : MS-CHAP2-Response is incorrect
(0)   [mschap] = reject
(0)  } # Auth-Type MS-CHAP = reject
(0) Failed to authenticate the user

I did a lot of trial and error with suffix and Strip and configuring,
but I can't get mschap to work.
How can I teach mschap to work with "user at thedomain.net"?
BTW: The radcheck-table contains simply "username" with no realms, and
that cannot be changed.

The second question is about proxying. Since there is only one
RADIUS-Server, proxying is not needed. I wonder if I really have to
add a realm and proxy the request to localhost.
Is there a way to say "Hey, just answer all queries with
@thedomain.org and don't proxy it to yourself"?

Thanks for your help and suggestions.
Heiko
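
Added example (not part of the original post, and not FreeRADIUS code): MS-CHAPv2 (RFC 2759) feeds the user name into the challenge hash, which is what the debug line "Creating challenge hash with username: testuser" refers to, so client and server must hash the same name string. The sketch computes that hash for each form of a login name; name_forms, hashes_by_form and same_hash are hypothetical helpers, the challenges are the RFC 2759 section 9.2 test vector, and the login is constructed from the names in the post.

```python
import hashlib

# RFC 2759 section 9.2 test vector, used here as sample challenges.
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || name)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets")
    # RFC 2759 defines the name as ASCII characters.
    return hashlib.sha1(peer + auth + user_name.encode("ascii")).digest()[:8]


def name_forms(login: str) -> list:
    """Name strings that could be hashed for one login (hypothetical helper)."""
    forms = [login]
    if "@" in login:
        forms.append(login.rsplit("@", 1)[0])   # realm suffix stripped
    if "\\" in login:
        forms.append(login.split("\\", 1)[1])   # NT domain prefix stripped
    return forms


def hashes_by_form(peer: bytes, auth: bytes, login: str) -> dict:
    """Map each candidate name form to its challenge hash, hex encoded."""
    return {n: challenge_hash(peer, auth, n).hex() for n in name_forms(login)}


def same_hash(peer: bytes, auth: bytes, client_name: str, server_name: str) -> bool:
    """True only if both sides feed the same 8 octets into the NT-Response."""
    return (challenge_hash(peer, auth, client_name)
            == challenge_hash(peer, auth, server_name))


if __name__ == "__main__":
    # Constructed login, built from the names used in the post.
    login = "testuser@thedomain.net"
    for name, digest in hashes_by_form(PEER_CHALLENGE, AUTH_CHALLENGE, login).items():
        print(f"{name:28} {digest}")
    print("hashes agree:", same_hash(PEER_CHALLENGE, AUTH_CHALLENGE, login, "testuser"))
```

The 24-octet response is derived from these 8 octets and the NT password hash, so a different name string on one side gives a different expected response even when the password is right.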

