Re: PEAP mschapv2 E= 691 R=0 code is correct?

엔트로링크(주) dhpark21 at naver.com
Fri Sep 25 16:51:43 CEST 2020


Thanks.
In my test, I put the line below and then it works fine.
send_error = yes
Thanks.
 
-----Original Message-----

To: "FreeRadius users mailing list"<freeradius-users at lists.freeradius.org>;
Cc:
Sent: 2020-09-25 (금) 23:05:58 (GMT+09:00)
Subject: Re: PEAP mschapv2 E= 691 R=0 code is correct?
 
Thanks for the reply.

In the test case... (cached password was wrong)
According to the documentation below, it will prompt the user for a new password.
But Windows 10 does not prompt (FR);
with Cisco ISE it prompts OK.
My question is about it (the new password prompt).
Check it.
Thanks.
--
mschapv2 {
               #  Prior to version 2.1.11, the module never
               #  sent the MS-CHAP-Error message to the
               #  client.  This worked, but it had issues
               #  when the cached password was wrong.  The
               #  server *should* send "E=691 R=0" to the
               #  client, which tells it to prompt the user
               #  for a new password.
               #
               #  The default is to behave as in 2.1.10 and
               #  earlier, which is known to work.  If you
               #  set "send_error = yes", then the error
               #  message will be sent back to the client.
               #  This *may* help some clients work better,
               #  but *may* also cause other clients to stop
               #  working.
               #
--


-----Original Message-----
From: "Alan DeKok"<aland at deployingradius.com>
To: "FreeRadius users mailing list"<freeradius-users at lists.freeradius.org>;
Cc:
Sent: 2020-09-25 (금) 22:29:42 (GMT+09:00)
Subject: Re: PEAP mschapv2 E= 691 R=0 code is correct?



> On Sep 25, 2020, at 9:22 AM,
>
> attached full log.
> Thanks
> <rtest.txt>-

Part of the reason it's so big is you're (again) not following instructions.  DON'T use "radius -Xx" or "radiusd -Xx" or  "radiusd -XXXxxxxxxxxx".  Follow the documentation.  Use "radiusd -X".

Honestly... it really does help to read the documentation and follow the instructions.  Most of the issues you're running into would have been avoided.

And reading the debug output shows:


(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Creating challenge hash with username: user01
(6) mschap: Client is using MS-CHAPv2
ERROR: (6) mschap: MS-CHAP2-Response is incorrect

So... the password is wrong.

You've told FreeRADIUS one password, and the user is entering a different one.  Make sure that the user is entering the correct password.

And no, don't argue that "the password is correct".  It's not.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
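
As an added illustration (not part of the thread and not FreeRADIUS code), a small Python parser for the MS-CHAP error string discussed above, using the field layout and failure codes from RFC 2759. The function name and the sample strings are constructed for this example, and C=, V= and M= are treated as optional because the thread quotes only the short form "E=691 R=0".

```python
import re

# Failure codes listed for the MS-CHAPv2 Failure packet in RFC 2759.
ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
FIELD_RE = re.compile(r"\b([ERCV])=(\S+)")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{32}")


def parse_mschap_error(text):
    """Parse 'E=<code> R=<0|1> [C=<32 hex>] [V=<n>] [M=<text>]' into a dict."""
    # M= is free text that runs to the end of the string, so split it off
    # before looking for the single-letter fields.
    head, sep, message = text.strip().partition(" M=")
    fields = dict(FIELD_RE.findall(head))
    if not fields.get("E", "").isdecimal() or fields.get("R") not in ("0", "1"):
        raise ValueError("not an MS-CHAP error string: %r" % text)
    challenge = fields.get("C")
    if challenge is not None and not HEX32_RE.fullmatch(challenge):
        raise ValueError("C= must be 32 hex digits: %r" % challenge)
    version = fields.get("V")
    if version is not None and not version.isdecimal():
        raise ValueError("V= must be a number: %r" % version)
    code = int(fields["E"])
    return {
        "code": code,
        "name": ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": fields["R"] == "1",  # R=1: retry allowed, R=0: not
        "challenge": bytes.fromhex(challenge) if challenge else None,
        "version": int(version) if version is not None else None,
        "message": message if sep else None,
    }


if __name__ == "__main__":
    # Constructed sample strings, not taken from the poster's log.
    samples = [
        "E=691 R=0",
        "E=648 R=1 C=00112233445566778899AABBCCDDEEFF V=3 M=Password expired",
    ]
    for sample in samples:
        print(parse_mschap_error(sample))
```
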