FR 3.0.4: MS-CHAP2-Response is incorrect
Phil Mayers
p.mayers at imperial.ac.uk
Tue Dec 2 15:12:44 CET 2014
On 02/12/14 09:52, Heiko O wrote:
> (0) mschap : Creating challenge hash with username: testuser
> (0) mschap : Client is using MS-CHAPv2
> (0) ERROR: mschap : MS-CHAP2-Response is incorrect
> (0) [mschap] = reject
> (0) } # Auth-Type MS-CHAP = reject
> (0) Failed to authenticate the user
>
> I did a lot of try-and-error with suffix ans Strip and configuring,
> but i can't get mschap to work.
> How can I teach mschap to work with "user at thedomain.net"?
You don't. The MSCHAP RFCs don't specify this but all clients (AFAIK)
turn "user at domain" into "user" before doing the MSCHAP crypto, which is
analogous to turning "DOMAIN\user" into "user" (which the RFCs do specify).
As you can see from the "Creating challenge hash", the mschap module is
using the right username i.e. with domain stripped. So your config is
fine. Check the password hash.
More information about the Freeradius-Users
mailing list