
RE: Problem with MSCHAP


Mark Holmes

Oct 12, 2010, 4:25:41 AM
OK,

Just to recap, I'm working on setting Freeradius up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using samba and ntlm_auth.

Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29

Needless to say it's failing.

I set the mydomain.ox.ac.uk realm in proxy.conf as someone on here suggested on Friday, and that has cleared up the warning about unknown realms.

When connecting, I still get several errors before auth fails.

I've pasted my debug output into the web tool and it picks out the following in red

security {
max_attributes = 200
reject_delay = 1 (This line in red)
status_server = yes
}


(all in red)
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"


[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. (In yellow)


I also see (not highlighted) that I'm still getting

[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect


I have configured modules/mschap to use ntlm_auth as follows

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Am I missing something in the MSCHAP config?

Cheers,

Mark

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Alan Buxey

Oct 12, 2010, 5:40:32 AM
Hi,

> I've pasted my debug output into the web tool and it picks out the following in red
>
> security {
> max_attributes = 200
> reject_delay = 1 (This line in red)
> status_server = yes
> }
>
>
> (all in red)
> Module: Instantiating attr_filter.access_reject
> attr_filter attr_filter.access_reject {
> attrsfile = "/etc/raddb/attrs.access_reject"

ignore those - the word 'reject' is being flagged without context.

> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. (In yellow)

okay.

> I also see (not highlighted) that I'm still getting
>
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for hol...@mydomain.ox.ac.uk with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

and that will mean that MSCHAPv2 won't be working

> I have configured modules/mschap to use ntlm_auth as follows
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> Am I missing something in the MSCHAP config?

how are you testing this - a real client, command line tool etc.? when you run it in full
debug mode - and you aren't helping yourself by failing to post that here - you should
see the incantation of the ntlm_auth line - if not, then it's not being called...and it
would be with the default configuration files.

alan

Mark Holmes

Oct 12, 2010, 6:24:43 AM
Alan,

Thanks for your reply.

> how are you testing this - a real client, command line tool etc.? when you run it in full
> debug mode - and you aren't helping yourself by failing to post that here

I'm testing with a real client and access point.

OK - I wasn't sure posting the whole debug would be appreciated, but I have posted it at

http://www.nuffield.ox.ac.uk/scratch/debug-log-2.txt

> you should see the incantation of the ntlm_auth line - if not, then it's not being called

I can only see two references to ntlm_auth, this:-


Module: Instantiating ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}

And another line indicating the ntlm_auth config file is being included:-

including configuration file /etc/raddb/modules/ntlm_auth

Should I also see ntlm_auth being called during the authentication - presumably I should...

Thanks,

Mark

Mark Holmes

Oct 12, 2010, 6:45:19 AM
Ah - I think I see the issue - the ntlm auth line in modules/mschap is after the } so presumably not being read...
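The mistake Mark identifies in his last post (a directive placed after the closing brace of the mschap block, so the module never reads it) is easy to make and easy to miss in a debug log. The following is an added example, not code from the thread or from the FreeRADIUS project: a small brace-depth linter for a module file such as /etc/raddb/modules/mschap. It tracks block depth while ignoring braces inside quoted strings (the %{...} expansions in the ntlm_auth value must not count), reports any "key = value" line that sits at depth 0, and returns the settings the module would actually see. The two configs it checks are constructed samples, modelled on the ntlm_auth line quoted in the thread.

```python
"""
Brace-depth lint for FreeRADIUS module files (e.g. /etc/raddb/modules/mschap).

Added example; not code from the thread or the FreeRADIUS project.  It checks
for the misplacement described in the thread: an assignment that lands after
the closing "}" of the module block is at depth 0, so the module never sees it.
The sample configs below are constructed for illustration.
"""
import re

ASSIGN_RE = re.compile(r'^([A-Za-z_][\w.-]*)\s*=\s*(.*)$')


def _strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == '#' and not in_quotes:
            break
        out.append(ch)
    return ''.join(out)


def _brace_delta(line):
    """Net change in block depth for one line, ignoring braces inside
    quoted strings so that %{...} xlat expansions do not count."""
    delta, in_quotes = 0, False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes:
            if ch == '{':
                delta += 1
            elif ch == '}':
                delta -= 1
    return delta


def lint_module_config(text):
    """Walk the file once.  Returns (settings, misplaced):
       settings  - {key: value} for assignments found inside a block
       misplaced - [(lineno, key)] for assignments found at depth 0."""
    depth = 0
    settings = {}
    misplaced = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = ASSIGN_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # unquote the value
            if depth == 0:
                misplaced.append((lineno, key))
            else:
                settings[key] = value
        depth += _brace_delta(line)          # braces take effect after the line
    return settings, misplaced


# The ntlm_auth directive as quoted in the thread.
NTLM_AUTH_LINE = ('ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key '
                  '--username=%{mschap:User-Name:-None} '
                  '--domain=%{%{mschap:NT-Domain}:-MYDOMAIN} '
                  '--challenge=%{mschap:Challenge:-00} '
                  '--nt-response=%{mschap:NT-Response:-00}"')

# Constructed sample: the directive lands after the closing brace.
BROKEN_CONFIG = "\n".join([
    "# modules/mschap (constructed sample)",
    "mschap {",
    "\tuse_mppe = yes",
    "\trequire_encryption = yes",
    "}",
    NTLM_AUTH_LINE,
])

# Constructed sample: the same directive moved inside the block.
FIXED_CONFIG = "\n".join([
    "# modules/mschap (constructed sample)",
    "mschap {",
    "\tuse_mppe = yes",
    "\trequire_encryption = yes",
    "\t" + NTLM_AUTH_LINE,
    "}",
])


def ntlm_auth_configured(text):
    """True only if ntlm_auth is set inside the block and nothing is misplaced."""
    settings, misplaced = lint_module_config(text)
    return "ntlm_auth" in settings and not misplaced


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        settings, misplaced = lint_module_config(cfg)
        print(f"{name}: ntlm_auth configured = {'ntlm_auth' in settings}")
        for lineno, key in misplaced:
            print(f"  line {lineno}: '{key}' is outside any block; "
                  "the module will not read it")
```

Run against a real module file with `lint_module_config(open('/etc/raddb/modules/mschap').read())`; a non-empty misplaced list is the symptom, and it lines up with what Alan describes in the debug output: the ntlm_auth invocation never appears because the module was started without the setting. The check is intended for module files, where every directive belongs inside a block; it is not meant for radiusd.conf, which legitimately has top-level assignments.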