MS-CHAPv2 not working

Alan DeKok aland at deployingradius.com
Sun May 19 14:17:18 CEST 2019


On May 19, 2019, at 4:28 AM, Matthew McTague via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I've removed the change to hints.

  That's good.

> In case it's relevant, this FreeRADIUS deployment was deployed using the DaloRADIUS instructions, including their web GUI.

  That doesn't really matter.

> MS-CHAPv2 works perfectly when I try to connect as testlane5, but when I authenticate as testlane5 at test.net.nz, it doesn't work.

  Which is what you said before.

> I understand the suggestion to use NT-Password.
> I have two questions:
> - How do I hash to get NT-Password prior to INSERT into the database?

  There are many tools to do this.  The server comes with a program called "smbencrypt" that does this.

> - If this is the issue, why does it connect normally without the realm?

  It isn't the issue.  As I explained before.

> The user information is in the MySQL database, and does not include realm, i.e. I've used testlane5 rather than testlane5 at test.net.nz as the username in the database
> I need this to work, to enable a user to use any realm configured in FreeRADIUS.

  You've said that before...

> I'm using ClearText-Password, shown below:

  That's fine.

> Current debug output:
> 
> [root at radius-220q ~]# radiusd -X
> radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 18 2017 at 12:13:14

  2.2.26 is many years out of date.

  As for the rest of the debug output, you're *proxying* the packets to localhost:

> radiusd: #### Loading Realms and Home Servers ####
> realm other.test.net.nz {
>        authhost = 127.0.0.1
>        accthost = 127.0.0.1
>        secret = s7f9876dg6sg85shd5s9
> }
> realm test.net.nz {
>        authhost = 127.0.0.1
>        accthost = 127.0.0.1
>        secret = s7f9876dg6sg85shd5s9
> }

  Don't do that.  I said create a *local* realm.  The comments in the proxy.conf file tell you how to do this.

  Just do:

realm test.net.nz {
}

  And it should work.

  And PLEASE edit your posts.  There's no need to include 100's of lines of prior messages at the bottom of your post.  Follow best practices and you can get problems solved.  Have poor practices, and you'll be stumbling in the dark for a long time.

  Alan DeKok.



