Hi,

I've tried without '@', and it worked fine.
I'll do a revision on my FreeRadius REALM settings.
Thanks a lot for your help!

Regards,
Igor
--
[EMAIL PROTECTED]


----- Original Message -----
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Igor Maciel Macaubas" <[EMAIL PROTECTED]>
Sent: Wednesday, March 26, 2003 5:39 AM
Subject: Re[4]: Problems with MS-CHAP/MS-CHAPv2


Dear Igor Maciel Macaubas,

Can you try to use usernames without '@'? '@' and the domain have the meaning
of a realm in RADIUS and need special processing.

--Tuesday, March 25, 2003, 8:19:52 PM, you wrote to [EMAIL PROTECTED]:

IMM> Hi,

IMM> I did it, and the error message changed. The error "Error: rlm_mschap: No
IMM> LM/NT password configured. Check authorization." doesn't appear anymore.
IMM> But I still cannot authenticate using MSCHAP. PAP and CHAP still work, but
IMM> MSCHAP doesn't.
IMM> See below:

IMM> Tue Mar 25 14:03:36 2003 : Auth: Login OK: [igor/mypassword123] (from client RAS_TEST port 0)
IMM> Tue Mar 25 14:03:53 2003 : Auth: Login OK: [igor/<CHAP-Password>] (from client RAS_TEST port 0)
IMM> Tue Mar 25 14:04:59 2003 : Auth: Login incorrect: [igor/<no User-Password attribute>] (from client RAS_TEST port 0)

IMM> Do I have to store my users' passwords in a different format? Actually, I'm
IMM> storing them inside a MySQL database, in plain-text format.

IMM> Below is the DUMP while trying to authenticate using MSCHAP (./radiusd -X):
IMM> ----- START -----
IMM> Ready to process requests.
IMM> rad_recv: Access-Request packet from host 192.168.2.6:32863, id=181, length=144
IMM>         Service-Type = Framed-User
IMM>         Framed-Protocol = PPP
IMM>         User-Name = "[EMAIL PROTECTED]"
IMM>         MS-CHAP-Challenge = 0x145b765d663411cab2d965e70eac8002
IMM>         MS-CHAP2-Response = 0x0100fae715d8520cfb787004c0cc2e1722b8000000000000000001fdac2f038a970573054b6b8b1fea7a9aed6b902f94c678
IMM>         NAS-IP-Address = 192.168.2.6
IMM>         NAS-Port = 0
IMM> modcall: entering group authorize
IMM>   modcall[authorize]: module "preprocess" returns ok
IMM>     rlm_realm: Looking up realm fastbee.net for User-Name = "[EMAIL PROTECTED]"
IMM>     rlm_realm: Found realm DEFAULT
IMM>     rlm_realm: Adding Stripped-User-Name = "igor"
IMM>   rlm_realm: Proxying request from user igor to realm DEFAULT
IMM>     rlm_realm: Adding Realm = "DEFAULT"
IMM> rlm_realm:  Authentication realm is LOCAL.
IMM>   modcall[authorize]: module "suffix" returns noop
IMM>     users: Checking igor at 154
IMM>   rad_check_password:  Found Auth-Type Local
IMM> auth: type Local
IMM> auth: No User-Password or CHAP-Password attribute in the request
IMM>     users: Matched DEFAULT at 182
IMM>     users: Matched DEFAULT at 201
IMM>     users: Matched DEFAULT at 213
IMM>   modcall[authorize]: module "files" returns ok
IMM> radius_xlat:  '[EMAIL PROTECTED]'
IMM> rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
IMM> radius_xlat:  'SELECT id,login,radius_atributo,senha,radius_operacao FROM
IMM> tb_mercurius_login WHERE login = '[EMAIL PROTECTED]' ORDER BY id'
IMM> rlm_sql (sql): Reserving sql socket id: 4
IMM> radius_xlat:  'SELECT tb_mercurius_radius_radgroupcheck.id,tb_mercurius_radius_radgroupcheck.GroupName,tb_mercurius_radius_radgroupcheck.Attribute,tb_mercurius_radius_radgroupcheck.Value,tb_mercurius_radius_radgroupcheck.op  FROM
IMM> tb_mercurius_radius_radgroupcheck,tb_mercurius_login WHERE
IMM> tb_mercurius_login.login = '[EMAIL PROTECTED]' AND
IMM> tb_mercurius_login.radius_grupo =
IMM> tb_mercurius_radius_radgroupcheck.GroupName ORDER BY
IMM> tb_mercurius_radius_radgroupcheck.id'
IMM> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM
IMM> tb_mercurius_radius_radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
IMM> radius_xlat:  'SELECT tb_mercurius_radius_radgroupreply.id,tb_mercurius_radius_radgroupreply.GroupName,tb_mercurius_radius_radgroupreply.Attribute,tb_mercurius_radius_radgroupreply.Value,tb_mercurius_radius_radgroupreply.op  FROM
IMM> tb_mercurius_radius_radgroupreply,tb_mercurius_login WHERE
IMM> tb_mercurius_login.login = '[EMAIL PROTECTED]' AND
IMM> tb_mercurius_login.radius_grupo =
IMM> tb_mercurius_radius_radgroupreply.GroupName ORDER BY
IMM> tb_mercurius_radius_radgroupreply.id'
IMM> rlm_sql (sql): Released sql socket id: 4
IMM>   modcall[authorize]: module "sql" returns ok
IMM> rlm_chap: Could not find proper Chap-Password attribute in request
IMM>   modcall[authorize]: module "chap" returns noop
IMM>   modcall[authorize]: module "mschap" returns ok
IMM> modcall: group authorize returns ok
IMM>   rad_check_password:  Found Auth-Type MS-CHAP
IMM> auth: type "MS-CHAP"
IMM> modcall: entering group authtype
IMM> rlm_mschap: doing MS-CHAPv2 with NT-Password
IMM> rlm_mschap: Authentication failed
IMM> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
IMM>   modcall[authenticate]: module "mschap" returns reject
IMM> modcall: group authtype returns reject
IMM> auth: Failed to validate the user.
IMM> Login incorrect: [igor/<no User-Password attribute>] (from client
IMM> develop-rec port 0)
IMM> Delaying request 0 for 1 seconds
IMM> Finished request 0
IMM> Going to the next request
IMM> --- Walking the entire request list ---
IMM> Waking up in 1 seconds...
IMM> --- Walking the entire request list ---
IMM> Waking up in 1 seconds...
IMM> --- Walking the entire request list ---
IMM> Sending Access-Reject of id 181 to 192.168.2.6:32863
IMM>         MS-CHAP-Error = "\001E=691 R=1"
IMM> Waking up in 4 seconds...
IMM> --- Walking the entire request list ---
IMM> Cleaning up request 0 ID 181 with timestamp 3e808fbf
IMM> Nothing to do.  Sleeping until we see a request.
IMM> ----- END -----

IMM> Any suggestions?

IMM> Regards,
IMM> Igor
IMM> --
IMM> [EMAIL PROTECTED]


IMM> ----- Original Message -----
IMM> From: "3APA3A" <[EMAIL PROTECTED]>
IMM> To: "Igor Maciel Macaubas" <[EMAIL PROTECTED]>
IMM> Sent: Tuesday, March 25, 2003 12:08 PM
IMM> Subject: Re[2]: Problems with MS-CHAP/MS-CHAPv2


IMM> Dear Igor Maciel Macaubas,

IMM> Put chap and mschap into the end of the list.

IMM> Alternatively you can download current version of RADIUS, but you still
IMM> need to have mschap in the end of the list if you want authentication to
IMM> be selected automatically.

IMM> --Tuesday, March 25, 2003, 6:05:58 PM, you wrote to
IMM> [EMAIL PROTECTED]:

IMM>> Hi 3APA3A,

IMM>> My authorization section looks like this:

IMM>> authorize {
IMM>>         #
IMM>>         #  The preprocess module takes care of sanitizing some bizarre
IMM>>         #  attributes in the request, and turning them into attributes
IMM>>         #  which are more standard.
IMM>>         #
IMM>>         #  It takes care of processing the 'raddb/hints' and the
IMM>>         #  'raddb/huntgroups' files.
IMM>>         #
IMM>>         #  It also adds a Client-IP-Address attribute to the request.
IMM>>         preprocess

IMM>>         #
IMM>>         #  The chap module will set 'Auth-Type := CHAP' if we are
IMM>>         #  handling a CHAP request and Auth-Type has not already been set
IMM>>         chap

IMM>>         #
IMM>>         #  If the users are logging in with an MS-CHAP-Challenge
IMM>>         #  attribute for authentication, the mschap module will find
IMM>>         #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
IMM>>         #  to the request, which will cause the server to then use
IMM>>         #  the mschap module for authentication.
IMM>>         mschap

IMM>> #       counter
IMM>> #       attr_filter
IMM>> #       eap
IMM>>         suffix
IMM>>         files
IMM>>         sql
IMM>> #       etc_smbpasswd
IMM>> # The ldap module will set Auth-Type to LDAP if it has not already been set
IMM>> #       ldap
IMM>> }

IMM>> Where should I move MSCHAP?

IMM>> Regards,
IMM>> Igor
IMM>> --
IMM>> [EMAIL PROTECTED]



IMM> -
IMM> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
~/ZARAZA


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
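
Added example, not part of the original thread and not FreeRADIUS code: a Python illustration of why the exact user-name string matters for MS-CHAPv2. It splits the MS-CHAP2-Response value from the debug dump into its RFC 2548 fields and computes the RFC 2759 ChallengeHash, which covers the user name, for a realm-qualified name and for the stripped name `igor`. The full name is redacted on the page, so `igor@example.test` is a constructed stand-in, and the function names are hypothetical.

```python
import hashlib
from typing import NamedTuple

# Values copied from the debug dump in the thread; the response hex was
# wrapped across lines there and is regrouped here by field.
AUTH_CHALLENGE = bytes.fromhex("145b765d663411cab2d965e70eac8002")
MSCHAP2_RESPONSE = bytes.fromhex(
    "0100"                              # Ident, Flags
    "fae715d8520cfb787004c0cc2e1722b8"  # Peer-Challenge (16 bytes)
    "0000000000000000"                  # Reserved (8 bytes, must be zero)
    "01fdac2f038a970573054b6b8b1fea7a9aed6b902f94c678"  # NT-Response (24 bytes)
)


class Mschap2Response(NamedTuple):
    ident: int
    flags: int
    peer_challenge: bytes
    nt_response: bytes


def parse_mschap2_response(value: bytes) -> Mschap2Response:
    """Split the 50-byte MS-CHAP2-Response attribute value (RFC 2548)."""
    if len(value) != 50:
        raise ValueError(f"expected 50 bytes, got {len(value)}")
    if any(value[18:26]):
        raise ValueError("Reserved field must be zero")
    return Mschap2Response(value[0], value[1], value[2:18], value[26:50])


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA-1 over both challenges and the name."""
    return hashlib.sha1(peer + auth + user_name.encode("ascii")).digest()[:8]


def compare_names(full_name: str, stripped_name: str) -> dict:
    """Return the 8-byte challenge (hex) each candidate user name produces."""
    resp = parse_mschap2_response(MSCHAP2_RESPONSE)
    return {
        name: challenge_hash(resp.peer_challenge, AUTH_CHALLENGE, name).hex()
        for name in (full_name, stripped_name)
    }


if __name__ == "__main__":
    # "igor" is the Stripped-User-Name from the log; the full name is a
    # constructed stand-in because the page redacts it.
    for name, digest in compare_names("igor@example.test", "igor").items():
        print(f"{name:20s} -> challenge {digest}")
```

The NT-Response is a DES encryption of this 8-byte challenge under the NT password hash, so client and server only agree when they hash the same user-name string.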


