MS-CHAPv2 not working

Manoel bezerra maneo.ufrn at gmail.com
Wed May 1 15:25:44 CEST 2019 

Are you using NT-password in your database?
If not that's why it's not working!
Mschapv2 uses this format in the challege!


Em qua, 1 de mai de 2019 09:51, Alan DeKok <aland at deployingradius.com>
escreveu:

> On Apr 30, 2019, at 7:36 PM, Matthew McTague via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > Does anyone know why MS-CHAPv2 may not be working on a new FreeRADIUS
> implementation we've built?
>
>   You edited the configuration and broke it.  Don't do that.
>
> > I'm trying to do MS-CHAPv2 with a SQL database, not with LDAP.
> >
> > The issue only occurs when a realm is added to the username (on the
> RADIUS client). As I understand, as nostrip is not entered in the relevant
> realm block in /etc/raddb/proxy.conf, this should be stripped.
>
>   The MS-CHAP calculations are done with the User-Name.  If you mangle the
> User-Name, the MS-CHAP calculations will be wrong.
>
> > radiusd -X output is at https://pastebin.com/kK9JYsF0
>
>   Just post it here.  That's what the documentation says to do.
>
> > Information and passwords have been changed / sanitized.
>
>         • rad_recv: Access-Request packet from host 10.11.127.229 port
> 60421, id=170, length=278
>         •     Service-Type = Framed-User
>         •     Framed-Protocol = PPP
>         •     NAS-Port = 15732821
>         •     NAS-Port-Type = Ethernet
>         •     User-Name = "testuser at test.net.nz"
>
>   This is the real User-Name.
>
>         • [preprocess]    expand: %{User-Name} -> testuser at test.net.nz
>         • [preprocess]   hints: Matched DEFAULT at 36
>         • [preprocess]    expand: %{1} -> testuser
>
>   Then you mangle it, for reasons unexplained.
>
>         • [mschap] Creating challenge hash with username: testuser
>
>   Which is not the correct User-Name.
>
>         • [mschap] Client is using MS-CHAPv2 for testuser, we need
> NT-Password
>         • [mschap] FAILED: MS-CHAP2-Response is incorrect
>
>   And MS-CHAP fails.
>
>   Don't re-write the User-Name.  If you need to support realms, the
> "realms" module does this already.  And, it does it in a way that *doesn't*
> break everything.
>
>   Delete the "hints" configuration which re-writes the User-Name.
>
>   Add in "test.net.nz" as a local realm to proxy.conf.
>
>   It *will* work.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list