mschap: ERROR: MS-CHAP2-Response is incorrect

Red Nano r3dnano at gmail.com
Wed Apr 15 11:27:19 CEST 2020


First of all: Thanks for the help.

I've modified the smb.conf file according to the link you suggested.

I'm trying to do the auth via ntlm_auth now and this is the response I got:

(10)   } # authorize = updated
(10) Found Auth-Type = mschap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(10)   Auth-Type mschap {
(10) mschap: Creating challenge hash with username: some-user@somewhere.com
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(10) mschap:    --> --username=some-user
(10) mschap: Creating challenge hash with username: some-user@somewhere.com
(10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(10) mschap:    --> --challenge=39258c5db7d3edb7
(10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(10) mschap:    --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba
(10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(10) mschap: External script failed
(10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(10) mschap: ERROR: MS-CHAP2-Response is incorrect
(10)     [mschap] = reject
(10)   } # Auth-Type mschap = reject
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject



Maybe something to point out (which I don't know if it matters) is that the
user might be providing @somewhere.com; however, the AD domain name I have
to do the queries against is really "swr.com".

Operator name is @somewhere.com in the server config file so I can properly
filter the local users, but the Samba configuration and the domain are
configured against the real domain name "swr.com". Could it be that the
challenge hash is being wrongfully created here?:

(10) mschap: Creating challenge hash with username: some-user@somewhere.com

And somehow, mschap should create the hash with "some-user@swr.com"?
I sure don't have this issue when testing locally...

I don't know if this makes sense...

On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> That Samba part on the FreeRADIUS site is obsolete.
>
> Configure samba as a member server as shown here :
> Step 1.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Then what most people don't see/forget is:
> https://wiki.samba.org/index.php/Idmap_config_rid
> This is obligatory.
>
> If it's only for authentication, just use the RID backend; that's fine.
>
> When that's done, go here.
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> And verify your settings, this is the most important one for smb.conf
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> So all info to fix it is in this mail ;-)
>
> See how far you get, questions, mail again.
>
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of R3DNano
> > Sent: Wednesday 15 April 2020 10:35
> > To: FreeRadius users mailing list
> > Subject: mschap: ERROR: MS-CHAP2-Response is incorrect
> >
> > I'm trying to deploy a FreeRADIUS server for eduroam authentication.
> > The local authentication source is a Microsoft AD that I configured
> > following this guide:
> > https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
> > The binding was successful and the eapol_test tests are all green too.
> >
> > However, I'm having a hard time implementing it with an Aerohive controller.
> > This controller has a "test" function which lets you input a username and
> > a password and does who knows what in order to check the RADIUS server.
> > As far as I understood, it tries to do MSCHAPv2 without any encryption, as
> > per the logs I'll show below (please, correct me if I'm wrong).
> > Other than that, I receive an Access-Reject which looks like it is pointing
> > at a wrong password being provided, although it is not the case (I checked
> > the password).
> >
> > This is what I see on the server side:
> >
> > (0) Received Access-Request Id 155 from 10.10.50.5:22074 to 10.168.0.14:1812 length 198
> > (0)   User-Name = "some-user@somewhere.com"
> > (0)   Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147
> > (0)   Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330
> > (0)   Service-Type = Authorize-Only
> > (0)   NAS-Port = 0
> > (0)   NAS-Port-Type = Wireless-802.11
> > (0)   NAS-Identifier = "SOME_ID"
> > (0)   NAS-IP-Address = 10.40.1.186
> > (0)   MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88
> > (0)   MS-CHAP2-Response = 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca
> > (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
> > (0)   authorize {
> >
> > [edited]
> >
> > (0) eap: No EAP-Message, not doing EAP
> > (0)     [eap] = noop
> > (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> > (0)     [mschap] = ok
> >
> > [edited, removed log entries]
> >
> > (0)   } # authorize = updated
> > (0) Found Auth-Type = mschap
> > (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
> > (0)   Auth-Type mschap {
> > (0) mschap: Creating challenge hash with username: some-user@somewhere.com
> > (0) mschap: Client is using MS-CHAPv2
> > (0) mschap: EXPAND %{Stripped-User-Name}
> > (0) mschap:    --> some-user
> > rlm_mschap (mschap): Closing connection (0): Hit idle_timeout, was idle for 2240 seconds
> > rlm_mschap (mschap): Closing connection (1): Hit idle_timeout, was idle for 2240 seconds
> > rlm_mschap (mschap): Closing connection (2): Hit idle_timeout, was idle for 2240 seconds
> > rlm_mschap (mschap): You probably need to lower "min"
> > rlm_mschap (mschap): Closing connection (3): Hit idle_timeout, was idle for 2240 seconds
> > rlm_mschap (mschap): You probably need to lower "min"
> > rlm_mschap (mschap): Closing connection (4): Hit idle_timeout, was idle for 2240 seconds
> > rlm_mschap (mschap): You probably need to lower "min"
> > rlm_mschap (mschap): 0 of 0 connections in use.  You may need to increase "spare"
> > rlm_mschap (mschap): Opening additional connection (5), 1 of 32 pending slots used
> > rlm_mschap (mschap): Reserved connection (5)
> > (0) mschap: sending authentication request user='some-user' domain='SOMEWHERE.COM'
> > rlm_mschap (mschap): Released connection (5)
> > Need 2 more connections to reach min connections (3)
> > rlm_mschap (mschap): Opening additional connection (6), 1 of 31 pending slots used
> > (0) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
> > (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> > (0)     [mschap] = reject
> > (0)   } # Auth-Type mschap = reject
> > (0) Failed to authenticate the user
> > (0) Using Post-Auth-Type Reject
> >
> > [edited, removed log entries]
> >
> > (0)   } # Post-Auth-Type REJECT = updated
> > (0) Sent Access-Reject Id 155 from 10.168.0.14:1812 to 10.10.50.5:22074 length 0
> > (0)   MS-CHAP-Error = "\317E=691 R=1 C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 M=Authentication rejected"
> > (0) Finished request
> >
> >
> >
> > I edited the linelog parts out - yes, there's only one single request (0).
> > Although it does have an "Authorize-Only" value, which makes me think this
> > test only does authorization but no authentication and that's why the test
> > fails?? Any help trying to interpret and troubleshoot this issue would be
> > welcome.
> >
> > Thanks.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
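The attribute layout behind the log lines quoted above, as an added example that is not part of the thread and not FreeRADIUS or Samba code. It parses the MS-CHAP-Challenge and MS-CHAP2-Response values shown for request (0), derives the 8-byte challenge that rlm_mschap hands to ntlm_auth --challenge, and shows why the User-Name string matters: RFC 2759 computes ChallengeHash over the peer challenge, the authenticator challenge and the user name exactly as the supplicant sent it, so hashing over a stripped or rewritten name yields a different challenge and a guaranteed reject. The strip_realm helper is an assumption standing in for whatever the realm/suffix module puts into Stripped-User-Name; the password behind the sample NT-Response is unknown, so the example checks structure and derivation, not the password itself.

```python
"""MS-CHAPv2 attribute parsing and challenge derivation (RFC 2548 / RFC 2759).

Added example, not FreeRADIUS or Samba code. The sample values below are the
attributes quoted for request (0) in the thread; the password is unknown, so
only the challenge-hash derivation and the field layout can be checked here.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed from the attribute values quoted for request (0) in the thread.
AUTH_CHALLENGE = bytes.fromhex("451507759c738d0d3792bb6474f55e88")  # MS-CHAP-Challenge
MSCHAP2_RESPONSE = bytes.fromhex(
    "cf0003d0a09c080f1f3981adf41050b91b96"                  # Ident, Flags, PeerChallenge
    "0000000000000000"                                      # Reserved
    "c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca"      # NT-Response
)
USER_NAME = "some-user@somewhere.com"


@dataclass(frozen=True)
class MsChap2Response:
    ident: int
    flags: int
    peer_challenge: bytes  # 16 bytes, chosen by the supplicant
    reserved: bytes        # 8 bytes, must be zero
    nt_response: bytes     # 24 bytes: DES(NT-hash of password, ChallengeHash)


def parse_mschap2_response(raw: bytes) -> MsChap2Response:
    """Split the 50-byte MS-CHAP2-Response attribute (RFC 2548, section 2.3.3)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    resp = MsChap2Response(raw[0], raw[1], raw[2:18], raw[18:26], raw[26:50])
    if resp.reserved != bytes(8):
        raise ValueError("reserved field must be zero")
    return resp


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759, section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    The name must be the exact string the supplicant hashed, i.e. the User-Name it
    sent; this is what the 'Creating challenge hash with username:' log line reports.
    """
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode()).digest()
    return digest[:8]


def strip_realm(user_name: str) -> Optional[str]:
    """Assumption: emulate a suffix-style realm module filling Stripped-User-Name.

    Returns None when there is no '@', which is when the
    %{%{Stripped-User-Name}:-%{User-Name}} fallback in the ntlm_auth line kicks in.
    """
    name, sep, _realm = user_name.rpartition("@")
    return name if sep else None


def ntlm_auth_args(user_name: str, auth_challenge: bytes, raw_response: bytes) -> dict:
    """Reproduce the three values rlm_mschap expands into the ntlm_auth command line."""
    resp = parse_mschap2_response(raw_response)
    stripped = strip_realm(user_name)
    return {
        "username": stripped if stripped is not None else user_name,
        # Hashed over the full User-Name, not the stripped name passed as --username.
        "challenge": challenge_hash(resp.peer_challenge, auth_challenge, user_name).hex(),
        "nt-response": resp.nt_response.hex(),
    }


if __name__ == "__main__":
    resp = parse_mschap2_response(MSCHAP2_RESPONSE)
    print(f"ident=0x{resp.ident:02x} flags={resp.flags} peer_challenge={resp.peer_challenge.hex()}")
    for key, value in ntlm_auth_args(USER_NAME, AUTH_CHALLENGE, MSCHAP2_RESPONSE).items():
        print(f"--{key}={value}")
    # Same packet hashed over the stripped name: a different challenge, so a reject.
    alt = challenge_hash(resp.peer_challenge, AUTH_CHALLENGE, "some-user").hex()
    print(f"challenge if hashed over 'some-user' instead: {alt}")
```

The 0xcf Ident byte recovered from the response is the same octet that comes back as "\317" at the start of the MS-CHAP-Error string in the Access-Reject, which is a quick way to tie a reject to the response being debugged. From the DC's side a response computed over a different name than the one hashed into --challenge is indistinguishable from a wrong password: 0xC000006A is STATUS_WRONG_PASSWORD and 0xC000006D is STATUS_LOGON_FAILURE, and both end in the same "MS-CHAP2-Response is incorrect" line.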

