mschap: ERROR: MS-CHAP2-Response is incorrect

Red Nano r3dnano at gmail.com
Wed Apr 15 12:25:19 CEST 2020


Hi, Louis: Thanks for trying to help me.

I made the changes you suggested on the mschap module and I still get the
same error.
Is it possible that the challenge hash is being created with the wrong
domain? i.e.: some-user at somewhere.com instead of some-user at swhr.com ?

(0) mschap: Creating challenge hash with username:  some-user at somewhere.com

which might have to be something like:

(0) mschap: Creating challenge hash with username:  some-user at swhr.com




What is weird is that local tests with standard tools succeed, but this
other vendor's test does not.

Regards

On Wed, 15 Apr 2020 at 11:41, L.P.H. van Belle <belle at bazuin.nl> wrote:

> Hai Red,
>
> Well, almost.. you missed 1 part.
> This :
> Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> change that to :
>
>  /usr/bin/ntlm_auth  --allow-mschapv2 --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
>
> I even highlighted it in the samba wiki ..
>
> So edit :  /etc/freeradius/3.0/sites-enabled/eduroam
> And correct that and try again.
>
> If it then still is not working, as extra you could try.
> Adduser freeradion to the winbind_priv group
>
> And check if apparmor is running and adjust the needed files there also.
>
>
> Greetz,
>
> Louis
>
>
>
>
> ________________________________
>
>         From: Red Nano [mailto:r3dnano at gmail.com]
>         Sent: Wednesday 15 April 2020 11:27
>         To: FreeRadius users mailing list
>         CC: L.P.H. van Belle
>         Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect
>
>
>         First of all: Thanks for the help.
>
>         I've modified the smb.conf file according to the link you
> suggested.
>
>         I'm trying to do the auth via ntlm_auth now and this is the
> response I got:
>
>         (10)   } # authorize = updated
>         (10) Found Auth-Type = mschap
>         (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
>         (10)   Auth-Type mschap {
>         (10) mschap: Creating challenge hash with username: some-user at somewhere.com
>         (10) mschap: Client is using MS-CHAPv2
>         (10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>         (10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>         (10) mschap:    --> --username=some-user
>         (10) mschap: Creating challenge hash with username: some-user at somewhere.com
>         (10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>         (10) mschap:    --> --challenge=39258c5db7d3edb7
>         (10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>         (10) mschap:    --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba
>         (10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
>         (10) mschap: External script failed
>         (10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>         (10) mschap: ERROR: MS-CHAP2-Response is incorrect
>         (10)     [mschap] = reject
>         (10)   } # Auth-Type mschap = reject
>         (10) Failed to authenticate the user
>         (10) Using Post-Auth-Type Reject
>
>
>
>         Maybe something to point out (which I don't know if it matters) is
> that the user might be providing @somewhere.com; however, the AD domain
> name I have to do the queries against is really "swr.com".
>
>
>         Operator name is @somewhere.com on the server config file so I
> can properly filter the local users, but the samba configuration and the
> domain are configured against the real domain name "swr.com" - could it be
> that the challenge hash is being wrongfully created here?:
>
>         (10) mschap: Creating challenge hash with username: some-user at somewhere.com
>
>
>         And somehow, mschap should create the hash with "some-user at swe.com"?
>         I sure don't have this issue when testing locally...
>
>
>         I don't know if this makes sense---
>
>
>         On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via
> Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
>
>                 That samba part on the free radius site is obsolete
>
>                 Configure samba as a member server as shown here :
>                 Step 1.
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>                 Then what most people don't see/forget is :
> https://wiki.samba.org/index.php/Idmap_config_rid
>                 This is obligatory..
>
>                 If it's only for authentication just use the RID backend, that's
> fine.
>
>                 When that's done, go here.
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
>                 And verify your settings, this is the most important one
> for smb.conf
>
>                 ntlm auth = mschapv2-and-ntlmv2-only
>
>                 So all info to fix it is in this mail ;-)
>
>                 See how far you get, questions, mail again.
>
>
>                 Greetz,
>
>                 Louis
>
>                 > -----Original message-----
>                 > From: Freeradius-Users
>                 > [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of R3DNano
>                 > Sent: Wednesday 15 April 2020 10:35
>                 > To: FreeRadius users mailing list
>                 > Subject: mschap: ERROR: MS-CHAP2-Response is incorrect
>                 >
>                 > I'm trying to deploy a FreeRADIUS server for eduroam authentication.
>                 > The local authentication source is a Microsoft AD that I configured
>                 > following this guide:
>                 > https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
>                 > The binding was successful and the eapol_test tests are all green too.
>                 >
>                 > However, I'm having a hard time implementing it with an aerohive controller.
>                 > This controller has a "test" function which lets you input a username and
>                 > a password and does who knows what in order to check the radius server.
>                 > As far as I understood, it tries to do MSCHAPv2 without any encryption as
>                 > per the logs I'll show below (please, correct me if I'm wrong).
>                 > Other than that, I receive an Access-Reject which looks like it is pointing at
>                 > a wrong password being provided, although that is not the case (I checked the
>                 > password).
>                 >
>                 > This is what I see on the server side:
>                 >
>                 > (0) Received Access-Request Id 155 from 10.10.50.5:22074 to 10.168.0.14:1812 length 198
>                 > (0)   User-Name = "some-user at somewhere.com"
>                 > (0)   Message-Authenticator =
> 0x021108ef4ce751de58540e09fc6d0147
>                 > (0)   Attr-26.26928.212 =
> 0x43382d36372d35452d35392d46462d4330
>                 > (0)   Service-Type = Authorize-Only
>                 > (0)   NAS-Port = 0
>                 > (0)   NAS-Port-Type = Wireless-802.11
>                 > (0)   NAS-Identifier = "SOME_ID"
>                 > (0)   NAS-IP-Address = 10.40.1.186
>                 > (0)   MS-CHAP-Challenge =
> 0x451507759c738d0d3792bb6474f55e88
>                 > (0)   MS-CHAP2-Response = 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca
>                 > (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
>                 > (0)   authorize {
>                 >
>                 > [edited]
>                 >
>                 > (0) eap: No EAP-Message, not doing EAP
>                 > (0)     [eap] = noop
>                 > (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>                 > (0)     [mschap] = ok
>                 >
>                 > [edited, removed log entries]
>                 >
>                 > (0)   } # authorize = updated
>                 > (0) Found Auth-Type = mschap
>                 > (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
>                 > (0)   Auth-Type mschap {
>                 > (0) mschap: Creating challenge hash with username: some-user at somewhere.com
>                 > (0) mschap: Client is using MS-CHAPv2
>                 > (0) mschap: EXPAND %{Stripped-User-Name}
>                 > (0) mschap:    --> some-user
>                 > rlm_mschap (mschap): Closing connection (0): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): Closing connection (1): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): Closing connection (2): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): You probably need to lower "min"
>                 > rlm_mschap (mschap): Closing connection (3): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): You probably need to lower "min"
>                 > rlm_mschap (mschap): Closing connection (4): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): You probably need to lower "min"
>                 > rlm_mschap (mschap): 0 of 0 connections in use.  You may need to increase "spare"
>                 > rlm_mschap (mschap): Opening additional connection (5), 1 of 32 pending slots used
>                 > rlm_mschap (mschap): Reserved connection (5)
>                 > (0) mschap: sending authentication request user='some-user' domain='SOMEWHERE.COM'
>                 > rlm_mschap (mschap): Released connection (5)
>                 > Need 2 more connections to reach min connections (3)
>                 > rlm_mschap (mschap): Opening additional connection (6), 1 of 31 pending slots used
>                 > (0) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
>                 > (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>                 > (0)     [mschap] = reject
>                 > (0)   } # Auth-Type mschap = reject
>                 > (0) Failed to authenticate the user
>                 > (0) Using Post-Auth-Type Reject
>                 >
>                 > [edited, removed log entries]
>                 >
>                 > (0)   } # Post-Auth-Type REJECT = updated
>                 > (0) Sent Access-Reject Id 155 from 10.168.0.14:1812 to 10.10.50.5:22074 length 0
>                 > (0)   MS-CHAP-Error = "\317E=691 R=1
>                 > C=e7b3f200a3c36896f32a2ecf4adaab39 V=3
>                 > M=Authentication rejected"
>                 > (0) Finished request
>                 >
>                 >
>                 >
>                 > I edited the linelog parts out - yes, there's only one single request (0).
>                 > Although, it does have an "Authorize-Only" value, which makes me think this
>                 > test only does authorization but no authentication and that's why the test
>                 > fails?? - any help trying to interpret and troubleshoot this issue would be
>                 > welcome.
>                 >
>                 > Thanks.
>                 > -
>                 > List info/subscribe/unsubscribe? See
>                 > http://www.freeradius.org/list/users.html
>                 >
>
>
>
>
>
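To make the question about the challenge hash concrete, here is an added example (not code from the thread or from FreeRADIUS) that splits the MS-CHAP2-Response attribute logged for request (0) above into its fields and computes the RFC 2759 ChallengeHash for several candidate username strings; the alternative usernames and the "@" form of the address (the archive shows it as " at ") are assumptions. It shows why the username the server feeds into the hash must be exactly the string the supplicant used: a different string yields a different 8-byte challenge for ntlm_auth, and the NT-Response can no longer match.

```python
import hashlib

# MS-CHAP-Challenge and MS-CHAP2-Response values copied from request (0)
# in the thread above, as hex strings the way FreeRADIUS logged them.
AUTH_CHALLENGE_HEX = "451507759c738d0d3792bb6474f55e88"
MSCHAP2_RESPONSE_HEX = (
    "cf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a193"
    "2f0abe2cf1f9908feb851dee780c95ccefcd6aca"
)


def parse_mschap2_response(hex_value: str) -> dict:
    """Split the 50-byte MS-CHAP2-Response attribute (RFC 2548) into its fields:
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],
        "reserved": raw[18:26],
        "nt_response": raw[26:50],
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA-1 over PeerChallenge,
    AuthenticatorChallenge and the username as the peer presented it (excluding
    only a prepended NT domain), truncated to 8 bytes. This is the value the
    'Creating challenge hash with username: ...' log line refers to."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def server_challenge_for(username: str) -> bytes:
    """The --challenge value ntlm_auth would receive for request (0) if the
    server hashed with the given username string (assumed candidates)."""
    fields = parse_mschap2_response(MSCHAP2_RESPONSE_HEX)
    return challenge_hash(fields["peer_challenge"], bytes.fromhex(AUTH_CHALLENGE_HEX), username)


if __name__ == "__main__":
    for name in ("some-user@somewhere.com", "some-user@swhr.com", "some-user"):
        print(f"{name:26s} --challenge={server_challenge_for(name).hex()}")
```

Comparing the printed challenges side by side shows that only one of them can be the one the supplicant used when it computed the 24-byte NT-Response, so a realm mismatch between supplicant and server fails in exactly the way the log shows.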

