MS-CHAP2-Request is rejected
Matthew Newton
mcn at freeradius.org
Mon May 20 11:00:35 CEST 2019
On Mon, 2019-05-20 at 09:45 +0100, william steen via Freeradius-Users
wrote:
> Included below is the debug output on startup and when an attempt to
> connect using PEAP-MSCHAPv2 using just username and password (no
> certificate). The startup contains a few warnings which I assume are
> not material. The login debug has an error MS-CHAP2-Response is
> incorrect
i.e. the password is wrong
> which comes after a WARNING: Auth-Type already set. Not setting to
> PAP?
That's fine - it's telling you that something else (in this case the
eap module) already set Auth-Type.
> (6) Virtual server inner-tunnel received request
> (6) EAP-Message =
> 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd2000000000000000
> 05984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) FreeRADIUS-Proxied-To = 127.0.0.1
> (6) User-Name = "particle"
> (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (6) WARNING: Outer and inner identities are the same. User privacy
> is compromised.
> (6) server inner-tunnel {
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)
...
> (6) files: users: Matched entry particle at line 1
> (6) [files] = ok
Does the password in the users file on line 1 exactly match what you're
sending?
You could add a call to debug_control here to check that
Cleartext-Password is correctly set.
> (6) pap: WARNING: Auth-Type already set. Not setting to PAP
> (6) [pap] = noop
Set by...
> (6) } # authorize = updated
> (6) Found Auth-Type = eap
...eap.
> (6) eap_mschapv2: authenticate {
> (6) mschap: Found Cleartext-Password, hashing to create NT-Password
> (6) mschap: Found Cleartext-Password, hashing to create LM-Password
> (6) mschap: Creating challenge hash with username: particle
> (6) mschap: Client is using MS-CHAPv2
> (6) mschap: ERROR: MS-CHAP2-Response is incorrect
So Cleartext-Password is set, which pretty much means that the
passwords don't match.
Try with eapol_test and see if that works? If that works OK then
there's an issue with the device you're trying to connect.
--
Matthew
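
An added example, not part of the original message: a decoder for the EAP-Message quoted in the debug output above, using the MS-CHAPv2 Response field layout from RFC 2759 as carried in EAP type 26. It lets you confirm that the Name field the client sent matches the username the server used for the challenge hash ("particle"), which leaves the password as the remaining variable. The function name is hypothetical.

```python
import struct

# EAP-Message attribute copied from the debug output quoted above (request 6).
EAP_HEX = ("020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd2000000000000000"
           "05984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65")


def parse_eap_mschapv2_response(hex_str):
    """Decode an EAP-MSCHAPv2 Response packet (hypothetical helper)."""
    if hex_str.lower().startswith("0x"):
        hex_str = hex_str[2:]
    raw = bytes.fromhex(hex_str)
    if len(raw) < 59:
        raise ValueError("too short for an EAP-MSCHAPv2 Response")
    # EAP header: Code, Identifier, Length, Type
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", raw[:5])
    if code != 2 or eap_type != 26:
        raise ValueError("not an EAP-Response of type 26 (MS-CHAPv2)")
    if eap_len != len(raw):
        raise ValueError(f"EAP length {eap_len} != {len(raw)} bytes present")
    # MS-CHAPv2 header: OpCode, MS-CHAPv2-ID, MS-Length, Value-Size
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", raw[5:10])
    if opcode != 2:
        raise ValueError("MS-CHAPv2 OpCode is not Response (2)")
    if ms_len != eap_len - 5 or value_size != 49:
        raise ValueError("inconsistent MS-Length or Value-Size")
    value = raw[10:59]  # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags
    return {
        "eap_id": eap_id,
        "mschap_id": ms_id,
        "peer_challenge": value[0:16].hex(),
        "reserved_is_zero": value[16:24] == bytes(8),
        "nt_response": value[24:48].hex(),
        "flags": value[48],
        # Name is what the client fed into its challenge hash.
        "name": raw[59:].decode("utf-8", errors="replace"),
    }


if __name__ == "__main__":
    for key, val in parse_eap_mschapv2_response(EAP_HEX).items():
        print(f"{key:17} {val}")
```
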