Yet Another PEAP-MSCHAPV2 problem
Alex Moen
alexm at ndtel.com
Mon Sep 21 23:18:32 CEST 2015
OK, I figured out part of this...
I have multiple directories on that server. My basedn was too broad,
and I was getting an answer from a different directory tree than I thought.
Once I figured that out, it made sense. However, now neither account
will log in properly. But I don't have a weird discrepancy staring at
me in the face.
Now I just have to figure out why I can't authenticate. I know one of
the differences between the "branches" of the directory tree is that
the incorrect one is using Crypt passwords, and the correct one is using
SSHA passwords. Seems that the SSHA passwords are not working while the
Crypt passwords do.
On 09/21/2015 03:34 PM, Alex Moen wrote:
> On 09/21/2015 03:16 PM, Matthew Newton wrote:
>> On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
>>> (12) User-Name = "debio at ndtel.com"
>> ...
>>> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
>>> rlm_ldap (ldap): Waiting for bind result...
>>> rlm_ldap (ldap): Bind successful
>>> rlm_ldap (ldap): Reserved connection (7)
>>> (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>>> (19) ldap: --> (uid=debio)
>>> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
>>> (19) ldap: Waiting for search result...
>>> (19) ldap: Search returned no results
>>
>> ^^^ this ^^^
>>
>> Your LDAP search is failing for user debio...
>>
>>
>> ...
>>> (19) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
>>> (19) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
>>> (19) mschap: Creating challenge hash with username: debio at ndtel.com
>>> (19) mschap: Client is using MS-CHAPv2
>>> (19) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
>>
>>> (21) User-Name = "alexm at ndtel.com"
>> ...
>>> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
>>> rlm_ldap (ldap): Waiting for bind result...
>>> rlm_ldap (ldap): Bind successful
>>> rlm_ldap (ldap): Reserved connection (10)
>>> (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>>> (28) ldap: --> (uid=alexm)
>>> (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
>>> (28) ldap: Waiting for search result...
>>> (28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
>>> (28) ldap: Processing user attributes
>>> (28) ldap: control:Password-With-Header += 'ose55m1'
>>
>> ...but fine for alexm.
>>
>> ...
>>> (28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
>>> (28) pap: Removing &control:Password-With-Header
>> ...
>>> (28) mschap: Found Cleartext-Password, hashing to create NT-Password
>>> (28) mschap: Found Cleartext-Password, hashing to create LM-Password
>>> (28) mschap: Creating challenge hash with username: alexm at ndtel.com
>>> (28) mschap: Client is using MS-CHAPv2
>>> (28) mschap: Adding MS-CHAPv2 MPPE keys
>>> (28) [mschap] = ok
>>
>>
>> So FreeRADIUS can't get a password, hence mschap fails.
>>
>> When you bind as the same account FR binds as and do a search as
>> below, does it find anything?
>>
>>> (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
>>
>> Matthew
>>
>>
>
> In a word, yes. Here's a copy of the output from the server running
> FreeRADIUS:
>
> [root at ndtc-fs]# ldapsearch -x -H ldap://66.163.129.140 -D
> 'cn=admin,o=ndtc' -W -b 'uid=debio at ndtel.com,ou=ndtel,o=ndtc' -s sub
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=debio at ndtel.com,ou=ndtel,o=ndtc> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # debio at ndtel.com, ndtel, ndtc
> dn: uid=debio at ndtel.com,ou=ndtel,o=ndtc
> uid: debio at ndtel.com
> cn: Debi
> sn: O
> mail: debio at ndtel.com
> uidNumber: 640
> homeDirectory: /cust/ndtel/users/debio
> gecos: Debi Ohma,,
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: mailUser
> loginShell: /bin/bash
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaSID: S-1-5-21-3311107553-3899660464-2674327009-2280
> sambaHomeDrive: F:
> sambaHomePath: \\ndtc-fs\cust\ndtel\users
> gidNumber: 500
> sambaPrimaryGroupSID: S-1-5-21-3311107553-3899660464-2674327009-2001
> shadowExpire: -1
> sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE
> sambaAcctFlags: [U]
> sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE
> sambaPwdLastSet: 1390515443
> sambaPwdMustChange: 1394403443
> shadowLastChange: 16093
> shadowMax: 99999
> userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
--
Alex Moen
NSTII
North Dakota Telephone Company
701-662-6481