Ms-Chap + NT-Password

Anton Kiryushkin swood at fotofor.biz
Thu Dec 20 03:22:21 CET 2018


Hello.

I'm sorry for the odd question.
I have a FreeRADIUS installation with version 3.0.15.
Approximately a year ago I configured the following scheme:
- all users are contained in MySQL;
- all users have an NTLM hash as a password;
- when a user tries to authenticate to RADIUS, the RADIUS server hashed the
incoming password to an NTLM hash and checked it.

Now I can't repeat it, and I don't know why.

I see the following error in my log:

Thu Dec 20 01:10:08 2018 : Debug: (138) sql-wifi:   NT-Password := 0x696e616d6974414c545a694e3039393021
Thu Dec 20 01:10:08 2018 : Debug: (138) sql-wifi: ::: FROM 1 TO 1 MAX 2
Thu Dec 20 01:10:08 2018 : Debug: (138) sql-wifi: ::: Examining NT-Password
Thu Dec 20 01:10:08 2018 : Debug: (138) sql-wifi: ::: OVERWRITING NT-Password FROM 0 TO 0
Thu Dec 20 01:10:08 2018 : Debug: (138) sql-wifi: ::: TO in 1 out 1
Thu Dec 20 01:10:08 2018 : Debug: (138) sql-wifi: ::: to[0] = NT-Password
Thu Dec 20 01:10:08 2018 : Debug: (138) sql-wifi: ... falling-through to profile processing
Thu Dec 20 01:10:08 2018 : Debug: rlm_sql (sql-wifi): Released connection (19)
Thu Dec 20 01:10:08 2018 : Info: Need 1 more connections to reach min connections (5)
Thu Dec 20 01:10:08 2018 : Info: rlm_sql (sql-wifi): Opening additional connection (30), 1 of 6 pending slots used
Thu Dec 20 01:10:08 2018 : Debug: rlm_sql_mysql: Starting connect to MySQL server
Thu Dec 20 01:10:08 2018 : Debug: rlm_sql_mysql: Connected to database 'my_table' on 127.0.0.1 via TCP/IP, server version 5.7.19-17-log, protocol version 10
Thu Dec 20 01:10:08 2018 : Debug: (138)       modsingle[authorize]: returned from sql-wifi (rlm_sql)
Thu Dec 20 01:10:08 2018 : Debug: (138)       [sql-wifi] = ok
Thu Dec 20 01:10:08 2018 : Debug: (138)       modsingle[authorize]: calling pap (rlm_pap)
Thu Dec 20 01:10:08 2018 : WARNING: (138) pap: Auth-Type already set.  Not setting to PAP
Thu Dec 20 01:10:08 2018 : Debug: (138)       modsingle[authorize]: returned from pap (rlm_pap)
Thu Dec 20 01:10:08 2018 : Debug: (138)       [pap] = noop
Thu Dec 20 01:10:08 2018 : Debug: (138)     } # authorize = updated
Thu Dec 20 01:10:08 2018 : Debug: (138)   Found Auth-Type = eap
Thu Dec 20 01:10:08 2018 : Debug: (138)   # Executing group from file /etc/raddb/sites-enabled/default
Thu Dec 20 01:10:08 2018 : Debug: (138)     authenticate {
Thu Dec 20 01:10:08 2018 : Debug: (138)       modsingle[authenticate]: calling eap (rlm_eap)
Thu Dec 20 01:10:08 2018 : Debug: (138) eap: Expiring EAP session with state 0x0d5314a80d540ec8
Thu Dec 20 01:10:08 2018 : Debug: (138) eap: Finished EAP session with state 0x0d5314a80d540ec8
Thu Dec 20 01:10:08 2018 : Debug: (138) eap: Previous EAP request found for state 0x0d5314a80d540ec8, released from the list
Thu Dec 20 01:10:08 2018 : Debug: (138) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Thu Dec 20 01:10:08 2018 : Debug: (138) eap: Calling submodule eap_mschapv2 to process data
Thu Dec 20 01:10:08 2018 : Debug: (138) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default
Thu Dec 20 01:10:08 2018 : Debug: (138) eap_mschapv2:   Auth-Type MS-CHAP {
Thu Dec 20 01:10:08 2018 : Debug: (138) eap_mschapv2:     modsingle[authenticate]: calling mschap (rlm_mschap)
Thu Dec 20 01:10:08 2018 : WARNING: (138) mschap: NT-Password found but incorrect length, expected 16 bytes got 17 bytes.  Authentication may fail
Thu Dec 20 01:10:08 2018 : WARNING: (138) mschap: No Cleartext-Password configured.  Cannot create NT-Password
Thu Dec 20 01:10:08 2018 : WARNING: (138) mschap: No Cleartext-Password configured.  Cannot create LM-Password
Thu Dec 20 01:10:08 2018 : Debug: (138) mschap: Creating challenge hash with username: y.lilekov
Thu Dec 20 01:10:08 2018 : Debug: (138) mschap: Client is using MS-CHAPv2
Thu Dec 20 01:10:08 2018 : ERROR: (138) mschap: FAILED: No NT/LM-Password. Cannot perform authentication
Thu Dec 20 01:10:08 2018 : ERROR: (138) mschap: MS-CHAP2-Response is incorrect

For the authorize_check_query and authorize_reply_query I'm using the following
queries:

authorize_check_query = "\
        SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op \
        FROM ${authcheck_table} \
        WHERE username = '%{SQL-User-Name}' \
        ORDER BY id"

authorize_reply_query = "\
        SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op \
        FROM ${authcheck_table} \
        WHERE username = '%{SQL-User-Name}' \
        ORDER BY id"


The error is logical, but I can't remember how it could have worked a year
ago...
I'll be happy to read any suggestions.

-- 
Best regards,
Anton Kiryushkin
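The mschap warning in the log is about the format of the stored value rather than the query: rlm_mschap expects NT-Password to be the 16-byte MD4 digest of the UTF-16LE-encoded password (32 hex characters when kept as text), and the debug output shows a 17-byte value. The following is an added example, not code from the original post or from FreeRADIUS: it computes an NT hash the same way the server derives one from Cleartext-Password, applies the same 16-byte length check, and models the server's hex normalisation of a stored value as a simplified assumption (normalize_nt_password is hypothetical, not a FreeRADIUS function). MD4 is implemented in pure Python because hashlib's md4 is missing on many OpenSSL 3 builds; the passwords and column values are constructed samples.

```python
import struct
from binascii import unhexlify

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    """32-bit left rotate."""
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib.new('md4') is often unavailable."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    message += b"\x80"
    while len(message) % 64 != 56:
        message += b"\x00"
    message += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def f(x, y, z): return (x & y) | (~x & MASK32 & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (mixing function, word order, shift amounts, additive constant) per round
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )

    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        r = list(state)  # working registers A, B, C, D
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # register updated this step cycles A, D, C, B
                b, c, d = r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]
                r[j] = _rotl((r[j] + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
        state = [(s + v) & MASK32 for s, v in zip(state, r)]

    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap derives it from Cleartext-Password: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def normalize_nt_password(stored) -> bytes:
    """Simplified model (an assumption, not FreeRADIUS code) of how a stored value
    is turned into the binary NT-Password attribute: a 32-character hex string, with
    or without a 0x prefix, decodes to 16 raw bytes; anything else is kept as raw
    bytes exactly as stored, which is how a cleartext string ends up 17 bytes long."""
    if isinstance(stored, str):
        stored = stored.encode()
    text = stored[2:] if stored[:2].lower() == b"0x" else stored
    if len(text) == 32:
        try:
            return unhexlify(text)
        except ValueError:
            pass
    return stored


def check_nt_password(value: bytes) -> str:
    """The length check behind the warning in the log: an NT hash is exactly 16 bytes."""
    if len(value) == 16:
        return "ok"
    return f"incorrect length, expected 16 bytes got {len(value)} bytes"


if __name__ == "__main__":
    # Constructed sample rows, as a pass_hash column might hold them.
    samples = {
        "hex nt hash": nt_hash("correct horse").hex(),
        "0x-prefixed nt hash": "0x" + nt_hash("correct horse").hex(),
        "cleartext stored by mistake": "cleartext-sample!",  # 17 bytes, like the log
    }
    for label, stored in samples.items():
        print(f"{label:28} -> {check_nt_password(normalize_nt_password(stored))}")
```

Running the script shows the two hex-encoded rows passing the check and the cleartext row producing the same "expected 16 bytes got 17 bytes" message as the log, so comparing the length of the stored column value against 32 hex characters is the first thing to verify in the database. Separately, a password attribute belongs in the check query only; returning NT-Password from authorize_reply_query as well puts the hash into the reply list instead of the check list.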