Yet Another PEAP-MSCHAPV2 problem

Matthew Newton mcn4 at leicester.ac.uk
Tue Sep 22 00:49:25 CEST 2015


On Mon, Sep 21, 2015 at 05:02:05PM -0500, Alex Moen wrote:
> >...
> >>sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE
> >>sambaAcctFlags: [U]
> >>sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE
> >...
> >>userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
> >
> >so there you've got userPassword (I presume plaintext)
> 
> Nope.  It's definitely an ssha.  Her password is not 50 characters
> long.  But it would definitely explain why it's not working, if SSHA
> passwords won't work.

You can forget about trying to use that one then.

Though I'm slightly confused where the plaintext password came
from in the first debug output. But that doesn't really matter.

> Yes, there are NTLM passwords on the accounts I want to use, since
> they are the same authentication mechanism used for our Samba
> server...
> 
> So, I have switched (in the /etc/raddb/mods-available/ldap file) from:
> 	control:Password-With-Header    += 'userPassword'
> to:
> 	control:Password-With-Header    += 'sambaNTPassword'

Password-With-Header expects a {...} header at the start (see the
man page for rlm_pap). So you can either use unlang to add the
header on, or just update NT-Password instead, as in the ldap
config.

So in mods-enabled/ldap update {}, comment out
control:Password-With-Header += 'userPassword', then
uncomment

  # control:NT-Password := 'ntPassword'

and set it to

  control:NT-Password := 'sambaNTPassword'

> (7) ldap: User object found at DN "uid=alexm at ndtel.com,ou=ndtel,o=ndtc"
> (7) ldap: Processing user attributes
> (7) ldap:   control:Password-With-Header +=
> 'CF1189B22D7E43F062F8E1A4AE1B8418'

^^^ rlm_ldap gets sambaNTPassword and puts it in
Password-With-Header

> rlm_ldap (ldap): Released connection (0)
> rlm_ldap (ldap): 0 of 5 connections in use.  Need more spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending
> slots used
> rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (7)       [ldap] = updated
> (7)       [expiration] = noop
> (7)       [logintime] = noop
> (7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password

^^^ rlm_pap checks the passwords are in a good form. Here it
notices that Password-With-Header doesn't have a header, so it
copies it to Cleartext-Password and then removes it.

> (7) pap: Removing &control:Password-With-Header
> (7) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (7)       [pap] = noop
> (7)     } # authorize = updated
> (7)   Found Auth-Type = EAP
> (7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7)     authenticate {
> (7) eap: Expiring EAP session with state 0xf624fb83f67ee10e
> (7) eap: Finished EAP session with state 0xf624fb83f67ee10e
> (7) eap: Previous EAP request found for state 0xf624fb83f67ee10e,
> released from the list
> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: # Executing group from file
> /etc/raddb/sites-enabled/inner-tunnel
> (7) eap_mschapv2:   Auth-Type MS-CHAP {
> (7) mschap: Found Cleartext-Password, hashing to create NT-Password
> (7) mschap: Found Cleartext-Password, hashing to create LM-Password

^^^ rlm_mschap notices that Cleartext-Password exists (which
actually contains the NT-Password), and hashes that again and puts
it in NT-Password. What you really want is that value in
NT-Password directly, which the above ldap config should do.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

