Hi,

I did it, and the error message changed. The error "Error: rlm_mschap: No
LM/NT password configured. Check authorization." doesn't appear anymore.
But I still cannot authenticate using MSCHAP. PAP and CHAP still work, but
MSCHAP doesn't.
See below:

Tue Mar 25 14:03:36 2003 : Auth: Login OK: [igor/mypassword123] (from client
RAS_TEST port 0)
Tue Mar 25 14:03:53 2003 : Auth: Login OK: [igor/<CHAP-Password>] (from
client RAS_TEST port 0)
Tue Mar 25 14:04:59 2003 : Auth: Login incorrect: [igor/<no User-Password
attribute>] (from client RAS_TEST port 0)

Do I have to store my users' passwords in a different format? Actually, I'm
storing them inside a MySQL database, in plain-text format.

Below is the DUMP while trying to authenticate using MSCHAP (./radiusd -X):
----- START -----
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.6:32863, id=181,
length=144
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP-Challenge = 0x145b765d663411cab2d965e70eac8002
        MS-CHAP2-Response =
0x0100fae715d8520cfb787004c0cc2e1722b8000000000000000001fdac2f038a970573054b
6b8b1fea7a9aed6b902f94c678
        NAS-IP-Address = 192.168.2.6
        NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
    rlm_realm: Looking up realm fastbee.net for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: Found realm DEFAULT
    rlm_realm: Adding Stripped-User-Name = "igor"
  rlm_realm: Proxying request from user igor to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
rlm_realm:  Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop
    users: Checking igor at 154
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
    users: Matched DEFAULT at 182
    users: Matched DEFAULT at 201
    users: Matched DEFAULT at 213
  modcall[authorize]: module "files" returns ok
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,login,radius_atributo,senha,radius_operacao FROM
tb_mercurius_login WHERE login = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
tb_mercurius_radius_radgroupcheck.id,tb_mercurius_radius_radgroupcheck.Group
Name,tb_mercurius_radius_radgroupcheck.Attribute,tb_mercurius_radius_radgrou
pcheck.Value,tb_mercurius_radius_radgroupcheck.op  FROM
tb_mercurius_radius_radgroupcheck,tb_mercurius_login WHERE
tb_mercurius_login.login = '[EMAIL PROTECTED]' AND
tb_mercurius_login.radius_grupo =
tb_mercurius_radius_radgroupcheck.GroupName ORDER BY
tb_mercurius_radius_radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM
tb_mercurius_radius_radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY
id'
radius_xlat:  'SELECT
tb_mercurius_radius_radgroupreply.id,tb_mercurius_radius_radgroupreply.Group
Name,tb_mercurius_radius_radgroupreply.Attribute,tb_mercurius_radius_radgrou
preply.Value,tb_mercurius_radius_radgroupreply.op  FROM
tb_mercurius_radius_radgroupreply,tb_mercurius_login WHERE
tb_mercurius_login.login = '[EMAIL PROTECTED]' AND
tb_mercurius_login.radius_grupo =
tb_mercurius_radius_radgroupreply.GroupName ORDER BY
tb_mercurius_radius_radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: Authentication failed
rlm_mschap: Nothing in the packet I recognise: Rejecting the user
  modcall[authenticate]: module "mschap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Login incorrect: [igor/<no User-Password attribute>] (from client
develop-rec port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 181 to 192.168.2.6:32863
        MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 3e808fbf
Nothing to do.  Sleeping until we see a request.
----- END -----

Any suggestions?

Regards,
Igor
--
[EMAIL PROTECTED]
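
The dump above shows a 50-byte MS-CHAP2-Response in the request and MS-CHAP-Error = "\001E=691 R=1" in the Access-Reject. As an added example (not part of the original thread and not FreeRADIUS code), this Python code decodes both attribute values following the layouts in RFC 2548 and RFC 2759. The function names and the sample response bytes are constructed for illustration.

```python
import re
import struct

# Failure codes listed in RFC 2759 (MS-CHAPv2 Failure packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

def from_debug_hex(text: str) -> bytes:
    """Convert a '0x...' value as printed by radiusd -X, even if line-wrapped."""
    digits = "".join(text.split())
    if not digits.lower().startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex string")
    return bytes.fromhex(digits[2:])

def parse_mschap2_response(value: bytes) -> dict:
    """Split an MS-CHAP2-Response value into its RFC 2548 fields."""
    if len(value) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(value)}")
    ident, flags, peer, reserved, nt = struct.unpack("!BB16s8s24s", value)
    if any(reserved):
        raise ValueError("reserved field is not all zero")
    return {"ident": ident, "flags": flags,
            "peer_challenge": peer, "nt_response": nt}

def parse_mschap_error(value: bytes) -> dict:
    """Decode MS-CHAP-Error: one ident byte, then 'E=.. R=.. [C=.. V=.. M=..]'."""
    if len(value) < 2:
        raise ValueError("MS-CHAP-Error too short")
    ident, text = value[0], value[1:].decode("ascii")
    head, _, message = text.partition(" M=")  # the M= text may contain spaces
    fields = dict(re.findall(r"\b([ERCV])=(\S+)", head))
    if "E" not in fields or "R" not in fields:
        raise ValueError("expected E= and R= fields")
    code = int(fields["E"])
    return {"ident": ident, "code": code,
            "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": fields["R"] == "1",
            "message": message or None}

# Constructed sample with the same layout as the attribute in the dump.
SAMPLE_RESPONSE = ("0x0100" + bytes(range(16)).hex() + "00" * 8
                   + bytes(range(100, 124)).hex())

if __name__ == "__main__":
    print(parse_mschap2_response(from_debug_hex(SAMPLE_RESPONSE)))
    print(parse_mschap_error(b"\x01E=691 R=1"))  # value from the Access-Reject
```

Code 691 with R=1 is the generic authentication failure with retry allowed, which matches the "rlm_mschap: Authentication failed" line in the dump.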


----- Original Message -----
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Igor Maciel Macaubas" <[EMAIL PROTECTED]>
Sent: Tuesday, March 25, 2003 12:08 PM
Subject: Re[2]: Problems with MS-CHAP/MS-CHAPv2


Dear Igor Maciel Macaubas,

Put chap and mschap at the end of the list.

Alternatively, you can download the current version of RADIUS, but you still
need to have mschap at the end of the list if you want authentication to
be selected automatically.

--Tuesday, March 25, 2003, 6:05:58 PM, you wrote to
[EMAIL PROTECTED]:

IMM> Hi 3APA3A,

IMM> My authorization section looks like this:

IMM> authorize {
IMM>         #
IMM>         #  The preprocess module takes care of sanitizing some bizarre
IMM>         #  attributes in the request, and turning them into attributes
IMM>         #  which are more standard.
IMM>         #
IMM>         #  It takes care of processing the 'raddb/hints' and the
IMM>         #  'raddb/huntgroups' files.
IMM>         #
IMM>         #  It also adds a Client-IP-Address attribute to the request.
IMM>         preprocess

IMM>         #
IMM>         #  The chap module will set 'Auth-Type := CHAP' if we are
IMM>         #  handling a CHAP request and Auth-Type has not already been set
IMM>         chap

IMM>         #
IMM>         #  If the users are logging in with an MS-CHAP-Challenge
IMM>         #  attribute for authentication, the mschap module will find
IMM>         #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
IMM>         #  to the request, which will cause the server to then use
IMM>         #  the mschap module for authentication.
IMM>         mschap

IMM> #       counter
IMM> #       attr_filter
IMM> #       eap
IMM>         suffix
IMM>         files
IMM>         sql
IMM> #       etc_smbpasswd
IMM> # The ldap module will set Auth-Type to LDAP if it has not already been set
IMM> #       ldap
IMM> }

IMM> Where should I move MSCHAP?

IMM> Regards,
IMM> Igor
IMM> --
IMM> [EMAIL PROTECTED]


