Hi,
I did it, and the error message changed. The error "Error: rlm_mschap: No
LM/NT password configured. Check authorization." doesn't appear anymore.
But I still cannot authenticate using MSCHAP. PAP and CHAP still work, but
MSCHAP doesn't.
See below:
Tue Mar 25 14:03:36 2003 : Auth: Login OK: [igor/mypassword123] (from client RAS_TEST port 0)
Tue Mar 25 14:03:53 2003 : Auth: Login OK: [igor/<CHAP-Password>] (from client RAS_TEST port 0)
Tue Mar 25 14:04:59 2003 : Auth: Login incorrect: [igor/<no User-Password attribute>] (from client RAS_TEST port 0)
Do I have to store my users' passwords in a different format? Actually, I'm
storing them inside a MySQL database, in plain-text format.
Below is the DUMP while trying to authenticate using MSCHAP (./radiusd -X):
----- START -----
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.6:32863, id=181, length=144
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0x145b765d663411cab2d965e70eac8002
MS-CHAP2-Response = 0x0100fae715d8520cfb787004c0cc2e1722b8000000000000000001fdac2f038a970573054b6b8b1fea7a9aed6b902f94c678
NAS-IP-Address = 192.168.2.6
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm fastbee.net for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = "igor"
rlm_realm: Proxying request from user igor to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop
users: Checking igor at 154
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
users: Matched DEFAULT at 182
users: Matched DEFAULT at 201
users: Matched DEFAULT at 213
modcall[authorize]: module "files" returns ok
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,login,radius_atributo,senha,radius_operacao FROM tb_mercurius_login WHERE login = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT tb_mercurius_radius_radgroupcheck.id,tb_mercurius_radius_radgroupcheck.GroupName,tb_mercurius_radius_radgroupcheck.Attribute,tb_mercurius_radius_radgroupcheck.Value,tb_mercurius_radius_radgroupcheck.op FROM tb_mercurius_radius_radgroupcheck,tb_mercurius_login WHERE tb_mercurius_login.login = '[EMAIL PROTECTED]' AND tb_mercurius_login.radius_grupo = tb_mercurius_radius_radgroupcheck.GroupName ORDER BY tb_mercurius_radius_radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM tb_mercurius_radius_radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT tb_mercurius_radius_radgroupreply.id,tb_mercurius_radius_radgroupreply.GroupName,tb_mercurius_radius_radgroupreply.Attribute,tb_mercurius_radius_radgroupreply.Value,tb_mercurius_radius_radgroupreply.op FROM tb_mercurius_radius_radgroupreply,tb_mercurius_login WHERE tb_mercurius_login.login = '[EMAIL PROTECTED]' AND tb_mercurius_login.radius_grupo = tb_mercurius_radius_radgroupreply.GroupName ORDER BY tb_mercurius_radius_radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: Authentication failed
rlm_mschap: Nothing in the packet I recognise: Rejecting the user
modcall[authenticate]: module "mschap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Login incorrect: [igor/<no User-Password attribute>] (from client develop-rec port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 181 to 192.168.2.6:32863
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 3e808fbf
Nothing to do. Sleeping until we see a request.
----- END -----
Any suggestions?
Regards,
Igor
--
[EMAIL PROTECTED]
----- Original Message -----
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Igor Maciel Macaubas" <[EMAIL PROTECTED]>
Sent: Tuesday, March 25, 2003 12:08 PM
Subject: Re[2]: Problems with MS-CHAP/MS-CHAPv2
Dear Igor Maciel Macaubas,
Put chap and mschap at the end of the list.
Alternatively you can download the current version of RADIUS, but you still
need to have mschap at the end of the list if you want authentication to
be selected automatically.
--Tuesday, March 25, 2003, 6:05:58 PM, you wrote to
[EMAIL PROTECTED]:
IMM> Hi 3APA3A,
IMM> My authorization section looks like this:
IMM> authorize {
IMM> #
IMM> # The preprocess module takes care of sanitizing some bizarre
IMM> # attributes in the request, and turning them into attributes
IMM> # which are more standard.
IMM> #
IMM> # It takes care of processing the 'raddb/hints' and the
IMM> # 'raddb/huntgroups' files.
IMM> #
IMM> # It also adds a Client-IP-Address attribute to the request.
IMM> preprocess
IMM> #
IMM> # The chap module will set 'Auth-Type := CHAP' if we are
IMM> # handling a CHAP request and Auth-Type has not already been set
IMM> chap
IMM> #
IMM> # If the users are logging in with an MS-CHAP-Challenge
IMM> # attribute for authentication, the mschap module will find
IMM> # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
IMM> # to the request, which will cause the server to then use
IMM> # the mschap module for authentication.
IMM> mschap
IMM> # counter
IMM> # attr_filter
IMM> # eap
IMM> suffix
IMM> files
IMM> sql
IMM> # etc_smbpasswd
IMM> # The ldap module will set Auth-Type to LDAP if it has not already been set
IMM> # ldap
IMM> }
IMM> Where should I move MSCHAP?
IMM> Regards,
IMM> Igor
IMM> --
IMM> [EMAIL PROTECTED]
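Added example, not part of the original thread and not FreeRADIUS code: a parser for the MS-CHAP-Challenge, MS-CHAP2-Response and MS-CHAP-Error values shown in the debug dump, using the RFC 2548 attribute layout and the RFC 2759 failure codes. It checks that the request is structurally valid MS-CHAPv2 before the stored credential is suspected. The function names are illustrative, and the attribute values are the ones from the dump, rejoined across the line wrap.

```python
import re
import struct

# Values from the debug dump (the 8 reserved octets are written as "00" * 8).
CHALLENGE_HEX = "0x145b765d663411cab2d965e70eac8002"
RESPONSE_HEX = ("0x0100" "fae715d8520cfb787004c0cc2e1722b8" + "00" * 8 +
                "01fdac2f038a970573054b6b8b1fea7a9aed6b902f94c678")
ERROR_VALUE = "\x01E=691 R=1"  # logged by radiusd as "\001E=691 R=1"

# Failure codes defined for MS-CHAP failure packets (RFC 2759, section 6).
ERROR_NAMES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
               648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
               691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

def unhex(value):
    """Decode a radiusd-style '0x...' octet string."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)

def parse_mschap2_response(value):
    """Split MS-CHAP2-Response: Ident, Flags, Peer-Challenge[16],
    Reserved[8], NT-Response[24] (50 octets in total)."""
    raw = unhex(value)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(raw)}")
    ident, flags, peer, reserved, nt = struct.unpack("!BB16s8s24s", raw)
    return {"ident": ident, "flags": flags, "peer_challenge": peer,
            "reserved_ok": reserved == bytes(8), "nt_response": nt}

def parse_mschap_error(value):
    """Split MS-CHAP-Error: one Ident octet, then 'E=<code> R=<retry> ...'."""
    ident, text = ord(value[0]), value[1:]
    fields = dict(re.findall(r"([A-Z])=(\S+)", text))
    code = int(fields["E"])
    return {"ident": ident, "code": code,
            "name": ERROR_NAMES.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1"}

def check_exchange(challenge, response, error):
    """Structural checks to make before suspecting the stored password hash."""
    resp, err = parse_mschap2_response(response), parse_mschap_error(error)
    return {"challenge_len_ok": len(unhex(challenge)) == 16,
            "reserved_ok": resp["reserved_ok"],
            "ident_matches": resp["ident"] == err["ident"],
            "failure": err["name"], "retry_allowed": err["retry_allowed"]}

if __name__ == "__main__":
    print(check_exchange(CHALLENGE_HEX, RESPONSE_HEX, ERROR_VALUE))
```

For this dump every structural check passes and the failure decodes to ERROR_AUTHENTICATION_FAILURE with retry allowed, which agrees with the "rlm_mschap: Authentication failed" line in the server output.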