mschap: ERROR: MS-CHAP2-Response is incorrect

Red Nano r3dnano at gmail.com
Wed Apr 15 14:39:44 CEST 2020


I think, for some reason, the aerohive test utility was not working right,
at least with my setup: We tested a client and it does do authentication
properly.....

For the sake of closure, and just in case I have to come back to this
thread, should the issue resurface, I'll answer your questions (you've been
kind enough to spend some of your time on my issue, it's the least I can do):

krb5.conf:
[libdefaults]
        default_realm =  swhr.com

No extra realms on this file.



smb.conf:
workgroup = SWHR
realm = SWHR.COM


Samba version: Version 4.10.7-Ubuntu


Ubuntu 19.10 Server (Packages upgraded and updated last week)

FreeRADIUS Version 3.0.19 (Installed via official repos)


Thanks again.


On Wed, 15 Apr 2020 at 12:31, L.P.H. van Belle via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> Hai,
>
> Hm,, still..
>
> what's in krb5.conf ?
> what's the default REALM and did you configure other (optional
> extra REALMS)  and which REALM is set/used in smb.conf
>
> Also important, what is your running OS and samba version, you might have
> hit a bug from an older samba version.
> That might help me a bit.
>
>
> Greetz,
>
> Louis
>
>
> Sent: Wednesday 15 April 2020 12:22
> To: L.P.H. van Belle
> CC: FreeRadius users mailing list
> Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect
>
>
>
> Hi, Louis: Thanks for trying to help me.
>
>
> I made the changes you suggested on the mschap module and I still get the
> same error.
> Is it possible that the challenge hash is being created with the wrong
> domain? i.e.: some-user at somewhere.com instead of some-user at swhr.com ?
>
>
> (0) mschap: Creating challenge hash with username:
> some-user at somewhere.com
>
>
>
> which might have to be something like:
>
>
> (0) mschap: Creating challenge hash with username:  some-user at swhr.com
>
> What is weird is that local tests with standard tools succeed, but this
> other vendor's test does not.
>
>
> Regards
>
>
>
> On Wed, 15 Apr 2020 at 11:41, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> Hai Red,
>
> Well, almost.. you missed 1 part.
> This :
> Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> change that to :
>
>  /usr/bin/ntlm_auth  --allow-mschapv2 --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
>
> I even highlighted it in the samba wiki ..
>
> So edit :  /etc/freeradius/3.0/sites-enabled/eduroam
> And correct that and try again.
>
> If it then still is not working, as extra you could try.
> Adduser freeradion to the winbind_priv group
>
> And check if apparmor is running and adjust the needed files there also.
>
>
> Greetz,
>
> Louis
>
>
>
>
> ________________________________
>
>         From: Red Nano [mailto:r3dnano at gmail.com]
>         Sent: Wednesday 15 April 2020 11:27
>         To: FreeRadius users mailing list
>         CC: L.P.H. van Belle
>         Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect
>
>
>         First of all: Thanks for the help.
>
>         I've modified the smb.conf file according to the link you
> suggested.
>
>         I'm trying to do the auth via ntlm_auth now and this is the
> response I got:
>
>         (10)   } # authorize = updated
>         (10) Found Auth-Type = mschap
>         (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
>         (10)   Auth-Type mschap {
>         (10) mschap: Creating challenge hash with username: some-user at somewhere.com
>         (10) mschap: Client is using MS-CHAPv2
>         (10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>         (10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>         (10) mschap:    --> --username=some-user
>         (10) mschap: Creating challenge hash with username: some-user at somewhere.com
>         (10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
>         (10) mschap:    --> --challenge=39258c5db7d3edb7
>         (10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
>         (10) mschap:    --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba
>         (10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
>         (10) mschap: External script failed
>         (10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>         (10) mschap: ERROR: MS-CHAP2-Response is incorrect
>         (10)     [mschap] = reject
>         (10)   } # Auth-Type mschap = reject
>         (10) Failed to authenticate the user
>         (10) Using Post-Auth-Type Reject
>
>
>
>         maybe something to point out (which I don't know if it matters) is
> that the user might be providing @somewhere.com, however, the AD domain
> name I have to do the queries against is really  "swr.com"
>
>
>         Operator name is @somewhere.com on the server config file so I
> can properly filter the local users, but the samba configuration and the
> domain is configured against the real domain name  "swr.com" - could it be
> that the challenge hash is being wrongfully created here?:
>
>         (10) mschap: Creating challenge hash with username:
> some-user at somewhere.com
>
>
>         And somehow, mschap should create the hash with "some-user at swe.com
> "?
>         I sure don't have this issue when testing locally...
>
>
>         I don't know if this makes sense---
>
>
>         On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via
> Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
>
>                 That samba part on the FreeRADIUS site is obsolete
>
>                 Configure samba as a member server as shown here :
>                 Step 1.
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>                 Then what most people don't see/forget is :
> https://wiki.samba.org/index.php/Idmap_config_rid
>                 This is obligatory..
>
>                 If it's only for authentication just use RID backend, that's
> fine.
>
>                 When that's done, go here.
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
>                 And verify your settings, this is the most important one
> for smb.conf
>
>                 ntlm auth = mschapv2-and-ntlmv2-only
>
>                 So all info to fix it is in this mail ;-)
>
>                 See how far you get, questions, mail again.
>
>
>                 Greetz,
>
>                 Louis
>
>                 > -----Original message-----
>                 > From: Freeradius-Users
>                 > [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of R3DNano
>                 > Sent: Wednesday 15 April 2020 10:35
>                 > To: FreeRadius users mailing list
>                 > Subject: mschap: ERROR: MS-CHAP2-Response is incorrect
>                 >
>                 > I'm trying to deploy a FreeRADIUS server for eduroam authentication.
>                 > The local authentication source is a Microsoft AD that I configured
>                 > following this guide:
>                 > https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
>                 > The binding was successful and the eapol_test tests are all green too.
>                 >
>                 > However, I'm having a hard time implementing it with an aerohive controller.
>                 > This controller has a "test" function which lets you input a username and
>                 > a password and does who knows what in order to check the radius server.
>                 > As far as I understood, it tries to do MSCHAPv2 without any encryption as
>                 > per the logs I'll show below (please, correct me if I'm wrong)
>                 > Other than that, I receive an Access-Reject which looks like it is pointing at
>                 > a wrong password being provided, although it is not the case (I checked the
>                 > password)
>                 >
>                 > This is what I see on the server side:
>                 >
>                 > (0) Received Access-Request Id 155 from 10.10.50.5:22074 to 10.168.0.14:1812
>                 > length 198
>                 > (0)   User-Name = "some-user at somewhere.com"
>                 > (0)   Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147
>                 > (0)   Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330
>                 > (0)   Service-Type = Authorize-Only
>                 > (0)   NAS-Port = 0
>                 > (0)   NAS-Port-Type = Wireless-802.11
>                 > (0)   NAS-Identifier = "SOME_ID"
>                 > (0)   NAS-IP-Address = 10.40.1.186
>                 > (0)   MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88
>                 > (0)   MS-CHAP2-Response = 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca
>                 > (0) # Executing section authorize from file
>                 > /etc/freeradius/3.0/sites-enabled/eduroam
>                 > (0)   authorize {
>                 >
>                 > [edited]
>                 >
>                 > (0) eap: No EAP-Message, not doing EAP
>                 > (0)     [eap] = noop
>                 > (0) mschap: Found MS-CHAP attributes.  Setting
> 'Auth-Type  = mschap'
>                 > (0)     [mschap] = ok
>                 >
>                 > [edited, removed log entries]
>                 >
>                 > (0)   } # authorize = updated
>                 > (0) Found Auth-Type = mschap
>                 > (0) # Executing group from file
>                 > /etc/freeradius/3.0/sites-enabled/eduroam
>                 > (0)   Auth-Type mschap {
>                 > (0) mschap: Creating challenge hash with username:
>                 > some-user at somewhere.com
>                 > (0) mschap: Client is using MS-CHAPv2
>                 > (0) mschap: EXPAND %{Stripped-User-Name}
>                 > (0) mschap:    --> some-user
>                 > rlm_mschap (mschap): Closing connection (0): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): Closing connection (1): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): Closing connection (2): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): You probably need to lower "min"
>                 > rlm_mschap (mschap): Closing connection (3): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): You probably need to lower "min"
>                 > rlm_mschap (mschap): Closing connection (4): Hit idle_timeout, was idle for 2240 seconds
>                 > rlm_mschap (mschap): You probably need to lower "min"
>                 > rlm_mschap (mschap): 0 of 0 connections in use.  You may need to increase "spare"
>                 > rlm_mschap (mschap): Opening additional connection (5), 1 of 32 pending slots used
>                 > rlm_mschap (mschap): Reserved connection (5)
>                 > (0) mschap: sending authentication request user='some-user' domain='SOMEWHERE.COM'
>                 > rlm_mschap (mschap): Released connection (5)
>                 > Need 2 more connections to reach min connections (3)
>                 > rlm_mschap (mschap): Opening additional connection (6), 1 of 31 pending slots used
>                 > (0) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
>                 > (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>                 > (0)     [mschap] = reject
>                 > (0)   } # Auth-Type mschap = reject
>                 > (0) Failed to authenticate the user
>                 > (0) Using Post-Auth-Type Reject
>                 >
>                 > [edited, removed log entries]
>                 >
>                 > (0)   } # Post-Auth-Type REJECT = updated
>                 > (0) Sent Access-Reject Id 155 from 10.168.0.14:1812 to 10.10.50.5:22074
>                 > length 0
>                 > (0)   MS-CHAP-Error = "\317E=691 R=1 C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 M=Authentication rejected"
>                 > (0) Finished request
>                 >
>                 >
>                 >
>                 > I edited the linelog parts out - yes there's only one single request (0)
>                 > Although, it does have an "Authorize-Only" value, which makes me think this
>                 > test only does authorization but no authentication and that's why the test
>                 > fails?? - any help trying to interpret and troubleshoot this issue would be
>                 > welcome.
>                 >
>                 > Thanks.
>                 > -
>                 > List info/subscribe/unsubscribe? See
>                 > http://www.freeradius.org/list/users.html
>                 >
>
>
>
>
>
>
>
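The thread turns on which username goes into the MS-CHAPv2 challenge hash. As an added example that is not part of the original thread or of FreeRADIUS, the script below implements ChallengeHash() from RFC 2759 and parses the MS-CHAP2-Response attribute of request (0) from the quoted log, so the --challenge value rlm_mschap would hand to ntlm_auth can be recomputed for the user@realm, bare and DOMAIN\ spellings of the name; stripping a DOMAIN\ prefix follows the RFC note, and rlm_mschap's own configuration-dependent username handling is not reproduced.

```python
import hashlib
from dataclasses import dataclass

# Constructed from request (0) in the quoted log: the MS-CHAP-Challenge and
# MS-CHAP2-Response attribute values exactly as they appear in the thread.
AUTH_CHALLENGE_HEX = "451507759c738d0d3792bb6474f55e88"
MSCHAP2_RESPONSE_HEX = ("cf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a193"
                        "2f0abe2cf1f9908feb851dee780c95ccefcd6aca")


@dataclass
class MSChap2Response:
    ident: int
    flags: int
    peer_challenge: bytes  # 16 octets chosen by the client
    nt_response: bytes     # 24 octets, what ntlm_auth receives as --nt-response


def parse_mschap2_response(raw: bytes) -> MSChap2Response:
    """Split the 50-octet MS-CHAP2-Response attribute (RFC 2548, section 2.3.2)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(raw)}")
    if raw[18:26] != bytes(8):
        raise ValueError("reserved field of MS-CHAP2-Response must be zero")
    return MSChap2Response(raw[0], raw[1], raw[2:18], raw[26:50])


def strip_nt_domain(username: str) -> str:
    """RFC 2759, section 8.2: a prepended 'DOMAIN\\' is excluded from the hash input."""
    return username.split("\\", 1)[1] if "\\" in username else username


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759, section 8.2: first 8 octets of SHA-1."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(strip_nt_domain(username).encode("utf-8"))
    return h.digest()[:8]


def ntlm_auth_challenge(username: str) -> str:
    """The --challenge= value derived for request (0) if this username is hashed."""
    resp = parse_mschap2_response(bytes.fromhex(MSCHAP2_RESPONSE_HEX))
    return challenge_hash(resp.peer_challenge, bytes.fromhex(AUTH_CHALLENGE_HEX), username).hex()


if __name__ == "__main__":
    # Same request, three spellings of the user: only the DOMAIN\ form collapses
    # onto the bare name; the user@realm form yields a different 8-octet challenge.
    for name in ("some-user@somewhere.com", "some-user", "SWHR\\some-user"):
        print(f"{name:26s} --challenge={ntlm_auth_challenge(name)}")
```

If the challenge the AD side computes for the NT-response was built from a different username spelling than the one rlm_mschap hashed, the NT-response can never verify, which is exactly the "wrong username or password" style rejection in the log.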
