Dear [EMAIL PROTECTED],

MS-CHAP-Challenge is required for both MS-CHAPv1 and MS-CHAPv2.

--Thursday, September 12, 2002, 4:56:08 PM, you wrote to 
[EMAIL PROTECTED]:

Mdd> Hi,

Mdd> when using MS-CHAP, an incoming authentication request is successfully
Mdd> answered.
Mdd> When using MS-CHAPv2 in the client configuration instead, the call is
Mdd> rejected because mschap doesn't recognize it as MS-CHAP during
Mdd> authenticate.
Mdd> radiusd output is: "No MS-CHAP related attributes in request" - followed by
Mdd> the rejection of the request.

Mdd> The first difference I saw was that, when using MS-CHAPv2, there is no
Mdd> incoming attribute like "MS-CHAP-Challenge", and an attribute
Mdd> "MS-CHAP2-Response" instead of "MS-CHAP-Response".

Mdd> If the missing "MS-CHAP-Challenge" is the reason for that behavior (which I
Mdd> guess it is, because of the corresponding comment in the authorize{} section of
Mdd> radiusd.conf), what can I do to make it work?

Mdd> 1. my configuration:
Mdd> ====================

Mdd> The installed version of radiusd is freeradius-snapshot-20020909.

Mdd> Dial in client: W2k
Mdd> NAS: Bintec Brick XL/2

Mdd> radiusd.conf:
Mdd> -------------
Mdd> modules {
Mdd>   ...
Mdd>     mschap {
Mdd>     Auth-Type = MS-CHAP
Mdd>     use_mppe = no
Mdd>     }
Mdd>   ...
Mdd>     ldap {
Mdd>         server = "ebdcbn02.dpeb.de"
Mdd>         identity = "\#\#ldap\@dpeb.de"
Mdd>         password = xxxx
Mdd>         basedn = "dc=DPEB,dc=DE"
Mdd>         filter = "(&(objectclass=person)(sAMAccountName=%{User-Name}))"
Mdd>         start_tls = no
Mdd>         # access_attr = "msNPAllowDialin"
Mdd>         dictionary_mapping = ${raddbdir}/ldap.attrmap
Mdd>         ldap_connections_number = 5
Mdd>         #password_header = "{clear}"
Mdd>         password_attribute = userPassword
Mdd>         timeout = 4
Mdd>         timelimit = 3
Mdd>         net_timeout = 1
Mdd>         # compare_check_items = yes
Mdd>         # access_attr_used_for_allow = yes
Mdd>     }

Mdd> authorize {
Mdd>     files
Mdd>     ldap
Mdd>     mschap
Mdd> }
Mdd> authenticate {
Mdd>     authtype LDAP {
Mdd>         ldap
Mdd>     }
Mdd>     mschap
Mdd> }

Mdd> users file:  (it's reproducible with any other user)
Mdd> -----------
Mdd> ...
Mdd> DEFAULT Service-Type == Framed-User
Mdd>         Idle-Timeout = 300,
Mdd>         Port-Limit = 2,
Mdd>         BinTec-biboPPPTable += "biboPPPDNSNegotiation=enabled",
Mdd>         Fall-Through = Yes

Mdd> DEFAULT Framed-Protocol == PPP
Mdd>         Framed-Protocol = PPP,
Mdd>         Framed-Compression = Van-Jacobson-TCP-IP,
Mdd>         Fall-Through = Yes

Mdd> "##ldap"        Service-Type == Framed-User, Auth-Type += MS-CHAP
Mdd>         BinTec-biboPPPTable += "biboPPPIpPoolId=3",
Mdd>         Fall-Through = No

Mdd> DEFAULT Service-Type == Framed-User, Auth-Type := Reject
Mdd> ...



Mdd> 2. radiusd -X -A output:
Mdd> ========================
>>>>>>>>>>>>>>>
Mdd> ...
Mdd> Nothing to do.  Sleeping until we see a request.
Mdd> rad_recv: Access-Request packet from host 213.68.141.34:1024, id=185, length=129
Mdd>         NAS-Identifier = "pmxbn01"
Mdd>         Service-Type = Framed-User
Mdd>         Framed-Protocol = PPP
Mdd>         User-Name = "##ldap"
Mdd>         Called-Station-Id = "36903690"
Mdd>         NAS-Port = 0
Mdd>         NAS-Port-Type = ISDN
Mdd>         MS-CHAP2-Response = 0x0100ec160924d8dee377e77c388cb0e669840000000000000000a753a221ab3fa0a0d10b6342e22bab1064e6df1c5d11376e
Mdd> modcall: entering group authorize
Mdd>     users: Matched DEFAULT at 147
Mdd>     users: Matched DEFAULT at 159
Mdd>     users: Matched ##ldap at 189
Mdd>   modcall[authorize]: module "files" returns ok
Mdd> rlm_ldap: - authorize
Mdd> rlm_ldap: performing user authorization for ##ldap
Mdd> radius_xlat:  '(&(objectclass=person)(sAMAccountName=##ldap))'
Mdd> radius_xlat:  'dc=DPEB,dc=DE'
Mdd> ldap_get_conn: Got Id: 0
Mdd> rlm_ldap: performing search in dc=DPEB,dc=DE, with filter (&(objectclass=person)(sAMAccountName=##ldap))
Mdd> rlm_ldap: Added password 689D3F1884E0423F468C01987A58C3EB in check items
Mdd> rlm_ldap: looking for check items in directory...
Mdd> rlm_ldap: Adding userPassword as NT-Password, value 689D3F1884E0423F468C01987A58C3EB & op=11
Mdd> rlm_ldap: looking for reply items in directory...
Mdd> rlm_ldap: Adding userPassword as NT-Password, value 689D3F1884E0423F468C01987A58C3EB & op=11
Mdd> rlm_ldap: user ##ldap authorized to use remote access
Mdd> ldap_release_conn: Release Id: 0
Mdd>   modcall[authorize]: module "ldap" returns ok
Mdd>   modcall[authorize]: module "mschap" returns noop
Mdd> modcall: group authorize returns ok
Mdd>   rad_check_password:  Found Auth-Type MS-CHAP
Mdd> auth: type "MS-CHAP"
Mdd> modcall: entering group authenticate
Mdd> No MS-CHAP related attributes in request
Mdd>   modcall[authenticate]: module "mschap" returns reject
Mdd> modcall: group authenticate returns reject
Mdd> auth: Failed to validate the user.
Mdd> Login incorrect: [##ldap] (from client pmxbn01 port 0)
Mdd> Delaying request 1 for 1 seconds
Mdd> Finished request 1
Mdd> Going to the next request
Mdd> ...
Mdd> <<<<<<<<<<<<<<<<<

Mdd> When using MS-CHAP instead (on the W2k client), I get this result:

>>>>>>>>>>>>>>>>>
Mdd> ...
Mdd> Nothing to do.  Sleeping until we see a request.
Mdd> rad_recv: Access-Request packet from host 213.68.141.34:1024, id=186, length=145
Mdd>         NAS-Identifier = "pmxbn01"
Mdd>         Service-Type = Framed-User
Mdd>         Framed-Protocol = PPP
Mdd>         User-Name = "##ldap"
Mdd>         Called-Station-Id = "36903690"
Mdd>         NAS-Port = 0
Mdd>         NAS-Port-Type = ISDN
Mdd>         MS-CHAP-Response = 0x01010ef6eeb0ff66f08516424106209f957a1af2cc00560702509b9d634251b10b16d4cdb39521f24388b18914bf73549811
Mdd>         MS-CHAP-Challenge = 0x6d173708a662ec90
Mdd> modcall: entering group authorize

Mdd> ...

Mdd> modcall: group authorize returns ok
Mdd>   rad_check_password:  Found Auth-Type MS-CHAP
Mdd> auth: type "MS-CHAP"
Mdd> modcall: entering group authenticate
Mdd> rlm_mschap: doing MS-CHAPv1 with NT-Password
Mdd>   modcall[authenticate]: module "mschap" returns ok
Mdd> modcall: group authenticate returns ok
Mdd> Login OK: [##ldap] (from client pmxbn01 port 0)
Mdd> Sending Access-Accept of id 186 to 213.68.141.34:1024
Mdd>         Idle-Timeout = 300
Mdd>         Port-Limit = 2
Mdd>         BinTec-biboPPPTable = "biboPPPDNSNegotiation=enabled"
Mdd>         Framed-Protocol = PPP
Mdd>         Framed-Compression = Van-Jacobson-TCP-IP
Mdd>         BinTec-biboPPPTable = "biboPPPIpPoolId=3"
Mdd> Finished request 2
Mdd> Going to the next request
Mdd> ...
Mdd> <<<<<<<<<<<<<<<<<<



Mdd> Regards,

Mdd> Martin


Mdd> - 
Mdd> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
~/ZARAZA
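As an added illustration (not code from the thread or from FreeRADIUS), a small Python checker that applies the rule stated in the reply to the attribute lines of a radiusd -X dump: it reports which request is rejected for lacking MS-CHAP-Challenge and also validates the RFC 2548 attribute sizes for v1 and v2. The sample dumps are constructed and the function names are assumptions of this example.

```python
import re

# Layouts from RFC 2548: both response attributes are 50 bytes; the challenge
# is 8 bytes for MS-CHAPv1 and 16 bytes for MS-CHAPv2.
RESPONSE_LAYOUT = {
    "MS-CHAP-Response":  ("MS-CHAPv1", 50, 8),   # Ident, Flags, LM-Response(24), NT-Response(24)
    "MS-CHAP2-Response": ("MS-CHAPv2", 50, 16),  # Ident, Flags, Peer-Challenge(16), Reserved(8), Response(24)
}
ATTR_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")

def parse_request_attrs(dump):
    """Collect 'Name = value' pairs from the attribute lines of a radiusd -X dump;
    a non-attribute line is the wrapped continuation of the previous value."""
    attrs, last = {}, None
    for line in dump.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip()
        elif last is not None and line.strip():
            attrs[last] += line.strip()
    return attrs

def hex_len(value):
    """Byte length of a 0x... value as radiusd prints it (None if not hex)."""
    return len(value[2:]) // 2 if value.startswith("0x") else None

def check_mschap(attrs):
    """Rule from the reply: MS-CHAP-Challenge is needed for v1 and v2 alike,
    alongside one response attribute of the right size."""
    present = [a for a in RESPONSE_LAYOUT if a in attrs]
    if not present:
        return "reject: no MS-CHAP response attribute"
    name = present[0]
    version, resp_len, chal_len = RESPONSE_LAYOUT[name]
    if hex_len(attrs[name]) != resp_len:
        return f"reject: {name} is not {resp_len} bytes"
    if "MS-CHAP-Challenge" not in attrs:
        return f"reject: {version} response without MS-CHAP-Challenge"
    if hex_len(attrs["MS-CHAP-Challenge"]) != chal_len:
        return f"reject: MS-CHAP-Challenge is not {chal_len} bytes for {version}"
    return f"ok: {version}"

# Constructed dumps shaped like the two requests in the thread; hex values are made up.
V2_NO_CHALLENGE = ('        User-Name = "example"\n        MS-CHAP2-Response =\n'
                   "0x0100" + "ab" * 16 + "00" * 8 + "cd" * 24)
V1_OK = ('        User-Name = "example"\n        MS-CHAP-Response = 0x0101' + "ef" * 48
         + "\n        MS-CHAP-Challenge = 0x" + "12" * 8)
```

Feeding the first dump to `check_mschap` yields the v2-without-challenge rejection, the second yields `ok: MS-CHAPv1`, matching the two debug outputs above.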

