FR 3.0.4: MS-CHAP2-Response is incorrect

Phil Mayers p.mayers at imperial.ac.uk
Tue Dec 2 15:12:44 CET 2014


On 02/12/14 09:52, Heiko O wrote:

> (0)  mschap : Creating challenge hash with username: testuser
> (0)  mschap : Client is using MS-CHAPv2
> (0)  ERROR: mschap : MS-CHAP2-Response is incorrect
> (0)   [mschap] = reject
> (0)  } # Auth-Type MS-CHAP = reject
> (0) Failed to authenticate the user
>
> I did a lot of try-and-error with suffix and Strip and configuring,
> but I can't get mschap to work.
> How can I teach mschap to work with "user@thedomain.net"?

You don't. The MSCHAP RFCs don't specify this but all clients (AFAIK) 
turn "user@domain" into "user" before doing the MSCHAP crypto, which is 
analogous to turning "DOMAIN\user" into "user" (which the RFCs do specify).

As you can see from the "Creating challenge hash", the mschap module is 
using the right username i.e. with domain stripped. So your config is 
fine. Check the password hash.
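
The following is an added example, not part of the original message or of FreeRADIUS: it computes the RFC 2759 ChallengeHash to show why the name logged in "Creating challenge hash with username:" has to be the stripped one. The function names are hypothetical, the `user@realm` rule is the client behaviour described in the reply (not an RFC rule), and UTF-8 encoding of the name is an assumption.

```python
import hashlib

# Inputs from the RFC 2759 section 9.2 test vector (UserName "User").
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def mschap_username(identity: str) -> str:
    """Return the name that goes into the MS-CHAPv2 crypto.

    RFC 2759 specifies dropping a "DOMAIN\\" prefix; dropping an "@realm"
    suffix is the de facto client behaviour described in the reply above.
    """
    name = identity.rsplit("\\", 1)[-1]  # DOMAIN\user -> user
    return name.split("@", 1)[0]         # user@realm  -> user


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || auth || name)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets")
    return hashlib.sha1(peer + auth + username.encode("utf-8")).digest()[:8]


def compare(identities, peer=PEER_CHALLENGE, auth=AUTH_CHALLENGE):
    """Map each identity to (hash over the raw name, hash over the stripped name)."""
    return {
        ident: (
            challenge_hash(peer, auth, ident).hex(),
            challenge_hash(peer, auth, mschap_username(ident)).hex(),
        )
        for ident in identities
    }


if __name__ == "__main__":
    # Constructed identities; the realm and domain names are placeholders.
    for ident, (raw, stripped) in compare(
        ["User", "User@thedomain.net", "THEDOMAIN\\User"]
    ).items():
        print(f"{ident:22} raw={raw} stripped={stripped}")
```

Every identity yields the same stripped-name hash, while hashing the unstripped name yields a different 8-octet challenge, so the NT-Response derived from it would never match what the client sent. When the logged username is already the stripped one, as in the debug output above, the remaining input to the NT-Response is the password hash.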

