mschap: ERROR: MS-CHAP2-Response is incorrect

L.P.H. van Belle belle at bazuin.nl
Wed Apr 15 12:30:00 CEST 2020


Hai, 
 
Hm,, still.. 
 
whats in krb5.conf ? 
whats the default REALM and did you configure other (optional extra REALMS)  and which REALM is set/used in smb.conf 
 
Also important, what is your running OS and samba version, you might have hit a bug from and older samba version. 
That might help me a bit. 
 
 
Greetz, 
 
Louis
 

Van: Jon Ander MB [mailto:jonandermonleon at gmail.com] 
Verzonden: woensdag 15 april 2020 12:22
Aan: L.P.H. van Belle
CC: FreeRadius users mailing list
Onderwerp: Re: mschap: ERROR: MS-CHAP2-Response is incorrect



Hi, Louis: Thanks for trying to help me.


I made the changes you suggested on the mschap module and I still get the same error.
Is it possible that the challenge hash is being created with the wrong domain? i.e.: some-user at somewhere.com instead of MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "somewhere.com" some-user at swhr.com ?


(0) mschap: Creating challenge hash with username:  some-user at somewhere.com 



which might have to be something like:


(0) mschap: Creating challenge hash with username:  some-user at swhr.com 









What is weird is that local tests with standard tools succeed, but this other vendor's test does not.


Regards



On Wed, 15 Apr 2020 at 11:41, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai Red, 

Well, almost.. you mist 1 part. 
This : 
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
change that to : 

 /usr/bin/ntlm_auth  --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:

I even highlighted it in the samba wiki .. 

So edit :  /etc/freeradius/3.0/sites-enabled/eduroam
And correct that and try again. 

If it then still is not working, as extra you could try. 
Adduser freeradion to the winbind_priv group

And check if apparmor is running and adjust the needed files there also. 


Greetz, 

Louis




________________________________

        Van: Red Nano [mailto:r3dnano at gmail.com] 
        Verzonden: woensdag 15 april 2020 11:27
        Aan: FreeRadius users mailing list
        CC: L.P.H. van Belle
        Onderwerp: Re: mschap: ERROR: MS-CHAP2-Response is incorrect


        First of all: Thanks for the help.

        I've modified the smb.conf file according to the link you suggested.

        I'm trying to do the auth via ntlm_auth now and this is the response I got:

        (10)   } # authorize = updated
        (10) Found Auth-Type = mschap
        (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
        (10)   Auth-Type mschap {
        (10) mschap: Creating challenge hash with username: some-user at somewhere.com
        (10) mschap: Client is using MS-CHAPv2
        (10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
        (10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
        (10) mschap:    --> --username=some-user
        (10) mschap: Creating challenge hash with username: some-user at somewhere.com
        (10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
        (10) mschap:    --> --challenge=39258c5db7d3edb7
        (10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
        (10) mschap:    --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba
        (10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
        (10) mschap: External script failed
        (10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
        (10) mschap: ERROR: MS-CHAP2-Response is incorrect
        (10)     [mschap] = reject
        (10)   } # Auth-Type mschap = reject
        (10) Failed to authenticate the user
        (10) Using Post-Auth-Type Reject



        maybe something to point out (which don't know if does matter) is that the user might be providing @somewhere.com, however, the AD domain name I have to do the queries against is really  "swr.com" 


        Operator name is @somewhere.com on the server config file so I can properly filter the local users, but the samba configuration and the domain is configured against the real domain name  "swr.com"- could it be that the challenge hash is being wrongfuly created here?:

        (10) mschap: Creating challenge hash with username: some-user at somewhere.com 


        And somehow, mschap should create the hash with "some-user at swe.com"?
        I sure don't have this issue when testing locally...


        I don't know if this makes sense---


        On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:


                That samba part is on the free radius site is obsolete

                Configure samba as a member server as shown here : 
                Step 1. 
                https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
                Then what most people dont see/forget is : https://wiki.samba.org/index.php/Idmap_config_rid 
                This is oblicated..

                If its only for authentication just use RID backend, thats fine. 

                When thats done, go here.
                https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

                And verify your settings, this is the most important one for smb.conf 

                ntlm auth = mschapv2-and-ntlmv2-only 

                So all info to fix it is in this mail ;-)

                See how far you get, questions, mail again. 


                Greetz, 

                Louis

                > -----Oorspronkelijk bericht-----
                > Van: Freeradius-Users 
                > [mailto:freeradius-users-bounces+belle <mailto:freeradius-users-bounces%2Bbelle> =bazuin.nl at lists.freerad
                > ius.org] Namens R3DNano
                > Verzonden: woensdag 15 april 2020 10:35
                > Aan: FreeRadius users mailing list
                > Onderwerp: mschap: ERROR: MS-CHAP2-Response is incorrect
                > 
                > I'm trying to deploy a FreeRADIUS server for eduroam authentication.
                > The local authentication source is a Microsoft AD that I configured
                > following this guide:
                > https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-
                > Integration-HOWTO
                > The binding was successful and the eapol_test tests are all green too.
                > 
                > However, I'm having a hard time implementing it with an 
                > aerohive controller.
                > This controller has a "test" function which lets you input an 
                > username and
                > a password and does who knows what in order to check the 
                > radius server.
                > As far as I understood, it tries to do MSCHAPv2 without any 
                > encryption as
                > per the logs I'll show below (please, correct me if I'm wrong)
                > Other than that, I receive an Access-Reject which looks like 
                > is pointing at
                > a wrong password being provided, although, it is not the case 
                > (checked the
                > password)
                > 
                > This is what I see on the server side:
                > 
                > (0) Received Access-Request Id 155 from MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.10.50.5:22074 <MailScanner warning: numerical links are often malicious: http://10.10.50.5:22074>  to 
                > MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.168.0.14:1812 <MailScanner warning: numerical links are often malicious: http://10.168.0.14:1812> 
                > length 198
                > (0)   User-Name = "some-user at somewhere.com"
                > (0)   Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147
                > (0)   Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330
                > (0)   Service-Type = Authorize-Only
                > (0)   NAS-Port = 0
                > (0)   NAS-Port-Type = Wireless-802.11
                > (0)   NAS-Identifier = "SOME_ID"
                > (0)   NAS-IP-Address = 10.40.1.186
                > (0)   MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88
                > (0)   MS-CHAP2-Response =
                > 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a193
                > 2f0abe2cf1f9908feb851dee780c95ccefcd6aca
                > (0) # Executing section authorize from file
                > /etc/freeradius/3.0/sites-enabled/eduroam
                > (0)   authorize {
                > 
                > [edited]
                > 
                > (0) eap: No EAP-Message, not doing EAP
                > (0)     [eap] = noop
                > (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
                > (0)     [mschap] = ok
                > 
                > [edited, removed log entries]
                > 
                > (0)   } # authorize = updated
                > (0) Found Auth-Type = mschap
                > (0) # Executing group from file 
                > /etc/freeradius/3.0/sites-enabled/eduroam
                > (0)   Auth-Type mschap {
                > (0) mschap: Creating challenge hash with username: 
                > some-user at somewhere.com
                > (0) mschap: Client is using MS-CHAPv2
                > (0) mschap: EXPAND %{Stripped-User-Name}
                > (0) mschap:    --> some-user
                > rlm_mschap (mschap): Closing connection (0): Hit 
                > idle_timeout, was idle for
                > 2240 seconds
                > rlm_mschap (mschap): Closing connection (1): Hit 
                > idle_timeout, was idle for
                > 2240 seconds
                > rlm_mschap (mschap): Closing connection (2): Hit 
                > idle_timeout, was idle for
                > 2240 seconds
                > rlm_mschap (mschap): You probably need to lower "min"
                > rlm_mschap (mschap): Closing connection (3): Hit 
                > idle_timeout, was idle for
                > 2240 seconds
                > rlm_mschap (mschap): You probably need to lower "min"
                > rlm_mschap (mschap): Closing connection (4): Hit 
                > idle_timeout, was idle for
                > 2240 seconds
                > rlm_mschap (mschap): You probably need to lower "min"
                > rlm_mschap (mschap): 0 of 0 connections in use.  You  may 
                > need to increase
                > "spare"
                > rlm_mschap (mschap): Opening additional connection (5), 1 of 
                > 32 pending
                > slots used
                > rlm_mschap (mschap): Reserved connection (5)
                > (0) mschap: sending authentication request user='some-user' domain='
                > SOMEWHERE.COM'
                > rlm_mschap (mschap): Released connection (5)
                > Need 2 more connections to reach min connections (3)
                > rlm_mschap (mschap): Opening additional connection (6), 1 of 
                > 31 pending
                > slots used
                > (0) mschap: ERROR: When trying to update a password, this 
                > return status
                > indicates that the value provided as the current password is 
                > not correct.
                > [0xC000006A]
                > (0) mschap: ERROR: MS-CHAP2-Response is incorrect
                > (0)     [mschap] = reject
                > (0)   } # Auth-Type mschap = reject
                > (0) Failed to authenticate the user
                > (0) Using Post-Auth-Type Reject
                > 
                > [edited, removed log entries]
                > 
                > (0)   } # Post-Auth-Type REJECT = updated
                > (0) Sent Access-Reject Id 155 from MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.168.0.14:1812 <MailScanner warning: numerical links are often malicious: http://10.168.0.14:1812>  to 
                > MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.10.50.5:22074 <MailScanner warning: numerical links are often malicious: http://10.10.50.5:22074> 
                > length 0
                > (0)   MS-CHAP-Error = "\317E=691 R=1 
                > C=e7b3f200a3c36896f32a2ecf4adaab39 V=3
                > M=Authentication rejected"
                > (0) Finished request
                > 
                > 
                > 
                > I edited the linelog parts out - yes there's only one single 
                > request (0)
                > Although, It does have an "Authorize-Only" value, which makes 
                > me think this
                > test only does authorization but no authentication and that's 
                > why the test
                > fails?? - any help trying to interpret and troubleshoot this 
                > issue would be
                > welcome.
                > 
                > Thanks.
                > -
                > List info/subscribe/unsubscribe? See 
                > http://www.freeradius.org/list/users.html
                > 


                -
                List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





-- 
--- Jon Ander Monleón Besteiro ---


More information about the Freeradius-Users mailing list