mschap: ERROR: MS-CHAP2-Response is incorrect

L.P.H. van Belle belle at bazuin.nl
Wed Apr 15 14:48:20 CEST 2020


Great to hear it's working..
 
And you're welcome, it's the least we can do.
Everything below looks fine, only one small suggestion. 
 
krb5.conf:
[libdefaults]
        default_realm =  swhr.com    << in caps  ;-) like you did in smb.conf 
 
It is just a minor thing, but everything perfectly set means fewer chances of hitting problems. 
 
Have a good time, be safe and help the needy.. 
 
Greetz, 
 
Louis
 
 
 


From: Red Nano [mailto:r3dnano at gmail.com] 
Sent: Wednesday 15 April 2020 14:40
To: FreeRadius users mailing list
CC: L.P.H. van Belle
Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect



I think, for some reason, the aerohive test utility was not working right, at least with my setup: we tested a client and it does do authentication properly.....

For the sake of closure, and just in case I have to come back to this thread, should the issue resurface, I'll answer your questions (you've been kind enough to spend some of your time on my issue, it's the least I can do):

krb5.conf:
[libdefaults]
        default_realm =  swhr.com

No extra realms on this file.

smb.conf:
workgroup = SWHR
realm = SWHR.COM

Samba version: Version 4.10.7-Ubuntu

Ubuntu 19.10 Server (Packages upgraded and updated last week) 

FreeRADIUS Version 3.0.19 (Installed via official repos)

Thanks again.





On Wed, 15 Apr 2020 at 12:31, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:

Hai, 
 
Hm, still.. 
 
What's in krb5.conf? 
What's the default REALM, did you configure other (optional extra) REALMS, and which REALM is set/used in smb.conf? 
 
Also important: what is your running OS and Samba version? You might have hit a bug from an older Samba version. 
That might help me a bit. 
 
 
Greetz, 
 
Louis
 

Sent: Wednesday 15 April 2020 12:22
To: L.P.H. van Belle
CC: FreeRadius users mailing list
Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect



Hi Louis, thanks for trying to help me.

I made the changes you suggested on the mschap module and I still get the same error.
Is it possible that the challenge hash is being created with the wrong domain? i.e.: some-user at somewhere.com instead of some-user at swhr.com ?

(0) mschap: Creating challenge hash with username:  some-user at somewhere.com 

which might have to be something like:

(0) mschap: Creating challenge hash with username:  some-user at swhr.com 

What is weird is that local tests with standard tools succeed, but this other vendor's test does not.


Regards
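To make the question above concrete, here is an added Python example (not code from the thread, FreeRADIUS or Samba) that splits the MS-CHAP2-Response quoted later in this thread into its fields and derives the RFC 2759 8-byte challenge for the candidate user-name spellings discussed here; it shows that the user-name string is part of the hash, so server and client must use the same one. The attribute values are taken from the quoted request (0); the user names are the thread's own examples.

```python
import hashlib

# Values taken from the Access-Request quoted further down in this thread
# (request (0)): the 16-byte MS-CHAP-Challenge and the 50-byte MS-CHAP2-Response.
MSCHAP_CHALLENGE = bytes.fromhex("451507759c738d0d3792bb6474f55e88")
MSCHAP2_RESPONSE = bytes.fromhex(
    "cf0003d0a09c080f1f3981adf41050b91b960000000000000000"
    "c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca"
)


def parse_mschap2_response(attr: bytes) -> dict:
    """Split the MS-CHAP2-Response attribute into its RFC 2548 fields."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    return {
        "ident": attr[0],              # Ident byte, matches the challenge packet
        "flags": attr[1],              # must be zero for MS-CHAPv2
        "peer_challenge": attr[2:18],  # 16 bytes chosen by the client
        "reserved": attr[18:26],       # 8 zero bytes
        "nt_response": attr[26:50],    # 24-byte NT-Response
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[:8].

    This 8-byte value is what the NT-Response is computed over, and it is the
    value rlm_mschap logs as 'Creating challenge hash with username: ...'.
    The user name is hashed verbatim, so a different realm suffix on the server
    side gives a different challenge and the client's NT-Response cannot verify.
    """
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))  # ASCII names in this thread
    return h.digest()[:8]


def compare_usernames(attr: bytes, auth_challenge: bytes, names) -> dict:
    """Map each candidate user-name spelling to the 8-byte challenge (hex) it yields."""
    peer = parse_mschap2_response(attr)["peer_challenge"]
    return {n: challenge_hash(peer, auth_challenge, n).hex() for n in names}


if __name__ == "__main__":
    spellings = ["some-user@somewhere.com", "some-user@swhr.com", "some-user"]
    for name, chal in compare_usernames(MSCHAP2_RESPONSE, MSCHAP_CHALLENGE, spellings).items():
        print(f"{name:28s} -> challenge {chal}")
```

Each spelling produces a different challenge, which is why the name rlm_mschap hashes must be the one the supplicant hashed.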



On Wed, 15 Apr 2020 at 11:41, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai Red, 

Well, almost.. you missed 1 part. 
This : 
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
change that to : 

 /usr/bin/ntlm_auth  --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:

I even highlighted it in the samba wiki .. 

So edit :  /etc/freeradius/3.0/sites-enabled/eduroam
And correct that and try again. 

If it then still is not working, as an extra you could try: 
Adduser freeradion to the winbind_priv group

And check if apparmor is running and adjust the needed files there also. 


Greetz, 

Louis
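As an added diagnostic (not from this thread, FreeRADIUS or Samba), a small Python check that runs over radiusd -X output like the excerpt quoted below and flags an ntlm_auth invocation that lacks --allow-mschapv2, together with the NT status codes seen in this thread; the sample log is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample, modelled on the radiusd -X excerpt quoted in this thread.
SAMPLE_LOG = """\
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(10) mschap: ERROR: MS-CHAP2-Response is incorrect
"""

# The two NT status codes that appear in this thread's logs.
NT_STATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

NTLM_AUTH_RE = re.compile(r"mschap: Executing: (\S*ntlm_auth)\s(.*)")
NT_CODE_RE = re.compile(r"0x([0-9a-fA-F]{8})\b")


def check_ntlm_auth_log(log: str) -> list:
    """Return a list of findings for one radiusd -X log excerpt."""
    findings = []
    for line in log.splitlines():
        m = NTLM_AUTH_RE.search(line)
        if m and "--allow-mschapv2" not in m.group(2).split():
            findings.append(
                "ntlm_auth called without --allow-mschapv2: with "
                "'ntlm auth = mschapv2-and-ntlmv2-only' in smb.conf, winbind "
                "rejects an MS-CHAPv2 check that is not flagged as such"
            )
        for code in NT_CODE_RE.findall(line):
            name = NT_STATUS.get(int(code, 16))
            if name:
                findings.append(f"NT status 0x{code.upper()}: {name}")
    return findings


if __name__ == "__main__":
    for finding in check_ntlm_auth_log(SAMPLE_LOG):
        print(finding)
```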




________________________________

        From: Red Nano [mailto:r3dnano at gmail.com] 
        Sent: Wednesday 15 April 2020 11:27
        To: FreeRadius users mailing list
        CC: L.P.H. van Belle
        Subject: Re: mschap: ERROR: MS-CHAP2-Response is incorrect


        First of all: Thanks for the help.

        I've modified the smb.conf file according to the link you suggested.

        I'm trying to do the auth via ntlm_auth now and this is the response I got:

        (10)   } # authorize = updated
        (10) Found Auth-Type = mschap
        (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
        (10)   Auth-Type mschap {
        (10) mschap: Creating challenge hash with username: some-user at somewhere.com
        (10) mschap: Client is using MS-CHAPv2
        (10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
        (10) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
        (10) mschap:    --> --username=some-user
        (10) mschap: Creating challenge hash with username: some-user at somewhere.com
        (10) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
        (10) mschap:    --> --challenge=39258c5db7d3edb7
        (10) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
        (10) mschap:    --> --nt-response=1a16fe12fb9e1557724bf5a3aad065da38173340a65363ba
        (10) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
        (10) mschap: External script failed
        (10) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
        (10) mschap: ERROR: MS-CHAP2-Response is incorrect
        (10)     [mschap] = reject
        (10)   } # Auth-Type mschap = reject
        (10) Failed to authenticate the user
        (10) Using Post-Auth-Type Reject



        Maybe something to point out (which I don't know if it does matter) is that the user might be providing @somewhere.com; however, the AD domain name I have to do the queries against is really "swr.com". 


        Operator name is @somewhere.com on the server config file so I can properly filter the local users, but the Samba configuration and the domain is configured against the real domain name "swr.com" - could it be that the challenge hash is being wrongfully created here?:

        (10) mschap: Creating challenge hash with username: some-user at somewhere.com 


        And somehow, mschap should create the hash with "some-user at swe.com"?
        I sure don't have this issue when testing locally...


        I don't know if this makes sense---


        On Wed, 15 Apr 2020 at 10:52, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:


                That Samba part on the FreeRADIUS site is obsolete.

                Configure samba as a member server as shown here : 
                Step 1. 
                https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
                Then what most people don't see/forget is: https://wiki.samba.org/index.php/Idmap_config_rid 
                This is obligatory..

                If it's only for authentication just use the RID backend, that's fine. 

                When that's done, go here.
                https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

                And verify your settings, this is the most important one for smb.conf 

                ntlm auth = mschapv2-and-ntlmv2-only 

                So all info to fix it is in this mail ;-)

                See how far you get, questions, mail again. 


                Greetz, 

                Louis

                > -----Original message-----
                > From: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of R3DNano
                > Sent: Wednesday 15 April 2020 10:35
                > To: FreeRadius users mailing list
                > Subject: mschap: ERROR: MS-CHAP2-Response is incorrect
                > 
                > I'm trying to deploy a FreeRADIUS server for eduroam authentication.
                > The local authentication source is a Microsoft AD that I configured following this guide:
                > https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
                > The binding was successful and the eapol_test tests are all green too.
                > 
                > However, I'm having a hard time implementing it with an aerohive controller.
                > This controller has a "test" function which lets you input a username and a password and does who knows what in order to check the radius server.
                > As far as I understood, it tries to do MSCHAPv2 without any encryption as per the logs I'll show below (please, correct me if I'm wrong).
                > Other than that, I receive an Access-Reject which looks like it is pointing at a wrong password being provided, although it is not the case (checked the password).
                > 
                > This is what I see on the server side:
                > 
                > (0) Received Access-Request Id 155 from 10.10.50.5:22074 to 10.168.0.14:1812 length 198
                > (0)   User-Name = "some-user at somewhere.com"
                > (0)   Message-Authenticator = 0x021108ef4ce751de58540e09fc6d0147
                > (0)   Attr-26.26928.212 = 0x43382d36372d35452d35392d46462d4330
                > (0)   Service-Type = Authorize-Only
                > (0)   NAS-Port = 0
                > (0)   NAS-Port-Type = Wireless-802.11
                > (0)   NAS-Identifier = "SOME_ID"
                > (0)   NAS-IP-Address = 10.40.1.186
                > (0)   MS-CHAP-Challenge = 0x451507759c738d0d3792bb6474f55e88
                > (0)   MS-CHAP2-Response = 0xcf0003d0a09c080f1f3981adf41050b91b960000000000000000c568a1932f0abe2cf1f9908feb851dee780c95ccefcd6aca
                > (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
                > (0)   authorize {
                > 
                > [edited]
                > 
                > (0) eap: No EAP-Message, not doing EAP
                > (0)     [eap] = noop
                > (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
                > (0)     [mschap] = ok
                > 
                > [edited, removed log entries]
                > 
                > (0)   } # authorize = updated
                > (0) Found Auth-Type = mschap
                > (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
                > (0)   Auth-Type mschap {
                > (0) mschap: Creating challenge hash with username: some-user at somewhere.com
                > (0) mschap: Client is using MS-CHAPv2
                > (0) mschap: EXPAND %{Stripped-User-Name}
                > (0) mschap:    --> some-user
                > rlm_mschap (mschap): Closing connection (0): Hit idle_timeout, was idle for 2240 seconds
                > rlm_mschap (mschap): Closing connection (1): Hit idle_timeout, was idle for 2240 seconds
                > rlm_mschap (mschap): Closing connection (2): Hit idle_timeout, was idle for 2240 seconds
                > rlm_mschap (mschap): You probably need to lower "min"
                > rlm_mschap (mschap): Closing connection (3): Hit idle_timeout, was idle for 2240 seconds
                > rlm_mschap (mschap): You probably need to lower "min"
                > rlm_mschap (mschap): Closing connection (4): Hit idle_timeout, was idle for 2240 seconds
                > rlm_mschap (mschap): You probably need to lower "min"
                > rlm_mschap (mschap): 0 of 0 connections in use.  You  may need to increase "spare"
                > rlm_mschap (mschap): Opening additional connection (5), 1 of 32 pending slots used
                > rlm_mschap (mschap): Reserved connection (5)
                > (0) mschap: sending authentication request user='some-user' domain='SOMEWHERE.COM'
                > rlm_mschap (mschap): Released connection (5)
                > Need 2 more connections to reach min connections (3)
                > rlm_mschap (mschap): Opening additional connection (6), 1 of 31 pending slots used
                > (0) mschap: ERROR: When trying to update a password, this return status indicates that the value provided as the current password is not correct. [0xC000006A]
                > (0) mschap: ERROR: MS-CHAP2-Response is incorrect
                > (0)     [mschap] = reject
                > (0)   } # Auth-Type mschap = reject
                > (0) Failed to authenticate the user
                > (0) Using Post-Auth-Type Reject
                > 
                > [edited, removed log entries]
                > 
                > (0)   } # Post-Auth-Type REJECT = updated
                > (0) Sent Access-Reject Id 155 from 10.168.0.14:1812 to 10.10.50.5:22074 length 0
                > (0)   MS-CHAP-Error = "\317E=691 R=1 C=e7b3f200a3c36896f32a2ecf4adaab39 V=3 M=Authentication rejected"
                > (0) Finished request
                > 
                > 
                > 
                > I edited the linelog parts out - yes there's only one single request (0).
                > Although, it does have an "Authorize-Only" value, which makes me think this test only does authorization but no authentication and that's why the test fails?? - any help trying to interpret and troubleshoot this issue would be welcome.
                > 
                > Thanks.
                > -
                > List info/subscribe/unsubscribe? See 
                > http://www.freeradius.org/list/users.html
                > 

