MSCHAP Issues
Sven Hartge
sven at svenhartge.de
Fri Jul 26 23:59:48 CEST 2019
On 26.07.19 21:34, J Kephart wrote:
> Let me see if I can be a little more clear. I'm pretty sure that,
> reading the debug output, the problem is that the user password is not
> present in the packet that FR receives from the NAS.
MSCHAP is a Challenge-Response protocol, there is *no* password coming
from the NAS.
Everything the protocol does is contained in MS-CHAP-Challenge and
MS-CHAP2-Response.
Both the client and the server need the cleartext-password (or the
NT/LM-Hash for MSCHAP) to be able to do the math for the handshake.
The server complains it has no Cleartext-Password or NT-Hash or LM-Hash
in the data it got from the database and thus rejects the client,
because there is nothing more it can do.
Solution: You need to have the user's cleartext-password in your database.
And just in case the question comes up: no, it can't be hashed or
encrypted. If you want to do *any* challenge-response protocol like
MSCHAP, the server needs the cleartext-password, there is no
mathematical way around this.
Grüße,
Sven.