On Wed, May 26, 2004 at 11:14:51PM +0200, Dinko Korunic wrote:
> I've read this list's archives thoroughly, and I've tried most of the stuff
> people were reporting. Is there anything else I could check? Should I
> try with NT-hashed passwords? Should I try with auth_ntlm to debug chap
> responses?

I'm posting the additional info on MSCHAPv2 problems with the latest FreeRADIUS CVS, in hope someone (Mr. DeKok?) would help me.

Using the radauth (Java-based demo RADIUS client available from http://www.axlradius.com), I've been able to narrow down the already described problem:

* auth types of PAP, CHAP, EAPMD5, MSCHAP (v1) work fine,
* auth type of MSCHAPv2 doesn't work.

I'm positive I'm not sending any domain name, as the following logs show (I've changed real IPs and DNS labels).

First, I'll try sending an MSCHAPv1 request:

c:\Program Files\ntradping\theorem\radius3\examples\radauth>"C:\Program Files\Java\j2re1.4.1_02\\bin\java.exe" -classpath "..\..\radclient3.jar" com.theorem.radius3.radutil.radauth test test123 MSCHAP testhost 1 musaka
Radtest running RADIUS client version 3.28 Non-Random Demonstration Version
-------------------------------- Authentication -------------------------------
Authenticating: test test123
Sending to server testhost:1812
Sending Attributes:
NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E
NAS-Port (5), Length: 6, Data: [# 1], 0x00000001
<81> ------------------- Request Packet -----------------
<81> Address: 127.0.0.1:1812
Packet Length: 112
Type: Access-Request(1)
01 51 00 70 52 53 54 55 - 56 57 58 59 5A 5B 5C 5D   .Q.pRSTU - VWXYZ[\]
5E 5F 60 61 04 06 C1 C6 - 99 1E 05 06 00 00 00 01   ^_`a.... - ........
1A 10 00 00 01 37 0B 0A - 62 63 00 01 02 03 04 05   .....7.. - bc......
1A 3A 00 00 01 37 01 34 - 15 01 C4 26 DC 63 E3 B2   .:...7.4 - ...&.c..
CA 1F 07 48 91 B1 B9 F3 - 0B 3C 14 A3 22 BB A8 E3   ...H.... - .<.."...
15 B3 5F 88 EA E1 79 07 - 2B B4 B0 2C 5C 3D 19 54   .._...y. - +..,\=.T
54 36 0D 64 95 B8 00 04 - 3C EB 01 06 74 65 73 74   T6.d.... - <...test
Attributes:
NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E
NAS-Port (5), Length: 6, Data: [# 1], 0x00000001
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-Challenge (11), Length: 10, Data: 0x6263000102030405
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-Response (1), Length: 52, Data: 0x1501C426DC63E3B2CA1F074891B1B9F30B3C14A322BBA8E315B35F88EAE179072BB4B02C5C3D195454360D6495B800043CEB
User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374
<81> ---------------------------------------------------
<81> ------------------- Response Packet -----------------
<81> Address: 127.0.0.1:1812
Packet Length: 84
Type: Access-Accept(2)
02 51 00 54 07 85 18 11 - A2 D3 DF ED FC 2D AC 3B   .Q.T.... - .....-.;
21 0C C2 10 1A 28 00 00 - 01 37 0C 22 A5 37 48 30   !....(.. - .7.".7H0
DF 9E 11 F7 16 21 2A B1 - B0 FF EC 7F BE 29 8E E0   .....!*. - .....)..
A7 4E 61 D8 3A 29 CD FB - 2A 36 6D 08 1A 0C 00 00   .Na.:).. - *6m.....
01 37 07 06 00 00 00 01 - 1A 0C 00 00 01 37 08 06   .7...... - .....7..
00 00 00 06 00 00 00 00 - 00 00 00 00 00 00 00 00   ........ - ........
Attributes:
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-MPPE-Keys (12), Length: 34, Data: 0xA5374830DF9E11F716212AB1B0FFEC7FBE298EE0A74E61D83A29CDFB2A366D08
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Policy (7), Length: 6, Data: [# 1 (PPP)], 0x00000001
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Types (8), Length: 6, Data: [# 6], 0x00000006
<81> ---------------------------------------------------
Authenticated
Attributes returned from server:
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-MPPE-Keys (12), Length: 34, Data: 0xA5374830DF9E11F716212AB1B0FFEC7FBE298EE0A74E61D83A29CDFB2A366D08
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Policy (7), Length: 6, Data: [# 1 (PPP)], 0x00000001
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Types (8), Length: 6, Data: [# 6], 0x00000006

FreeRADIUS logs show us the success:

modcall: group authorize returns ok for request 6
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: Told to do MS-CHAPv1 with NT-Password
modcall[authenticate]: module "mschap" returns ok for request 6
modcall: group Auth-Type returns ok for request 6
Login OK: [test] (from client testgate port 1)
Sending Access-Accept of id 91 to 127.0.0.2:3507

Let us now send an MSCHAPv2 request:

c:\Program Files\ntradping\theorem\radius3\examples\radauth>"C:\Program Files\Java\j2re1.4.1_02\\bin\java.exe" -classpath "..\..\radclient3.jar" com.theorem.radius3.radutil.radauth test test123 MSCHAP2 testhost 1 musaka
Radtest running RADIUS client version 3.28 Non-Random Demonstration Version
-------------------------------- Authentication -------------------------------
Authenticating: test test123
Sending to server testhost:1812
Sending Attributes:
NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E
NAS-Port (5), Length: 6, Data: [# 1], 0x00000001
<70> ------------------- Request Packet -----------------
<70> Address: 127.0.0.1:1812
Packet Length: 120
Type: Access-Request(1)
01 46 00 78 47 48 49 4A - 4B 4C 4D 4E 4F 50 51 52   .F.xGHIJ - KLMNOPQR
53 54 55 56 04 06 C1 C6 - 99 1E 05 06 00 00 00 01   STUV.... - ........
1A 18 00 00 01 37 0B 12 - 03 04 05 06 07 08 09 0A   .....7.. - ........
0B 0C 0D 0E 0F 10 11 12 - 1A 3A 00 00 01 37 19 34   ........ - .:...7.4
0D 00 57 58 59 5A 5B 5C - 5D 5E 5F 60 61 62 63 00   ..WXYZ[\ - ]^_`abc.
01 02 00 00 00 00 00 00 - 00 00 5A 2F 0F DC 76 1D   ........ - ..Z/..v.
16 D1 15 E7 C3 41 B5 85 - 5E 5B 5B D0 81 09 2D 47   .....A.. - ^[[...-G
9D BC 01 06 74 65 73 74 - 00 00 00 00 00 00 00 00   ....test - ........
Attributes:
NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E
NAS-Port (5), Length: 6, Data: [# 1], 0x00000001
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-Challenge (11), Length: 18, Data: 0x030405060708090A0B0C0D0E0F101112
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP2-Response (25), Length: 52, Data: 0x0D005758595A5B5C5D5E5F6061626300010200000000000000005A2F0FDC761D16D115E7C341B5855E5B5BD081092D479DBC
User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374
<70> ---------------------------------------------------
<70> ------------------- Response Packet -----------------
<70> Address: 127.0.0.1:1812
Packet Length: 38
Type: Access-Reject(3)
03 46 00 26 21 0D 73 76 - 05 3D 8F 0F 33 A2 A9 2F   .F.&!.sv - .=..3../
73 DA 45 5B 1A 12 00 00 - 01 37 02 0C 0D 45 3D 36   s.E[.... - .7...E=6
39 31 20 52 3D 31 00 00 - 00 00 00 00 00 00 00 00   91 R=1.. - ........
Attributes:
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-Error (2), Length: 12, Data: 0x0D453D36393120523D31
<70> ---------------------------------------------------
<70> -- MSCHAP2 MS-CHAP-Error found E=691 R=
--- MS-CHAP V2: Failed to authenticate the server.
Failed to authenticate

And FreeRADIUS logs show:

rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [test] (from client testgate port 1)

I'm especially confused by the following data, extracted from the RADIUS response:

User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374

How did that *invalid* IP happen to be there? Isn't that a bug?

From all the info, it seems that the latest rlm_chap isn't working properly with MSCHAPv2. Is there anything I can do?

-- 
| |--.----.-----.  Dinko 'kreator' Korunic        #include <stddisclaimer.h>
| <|  _| -__|      http://www.srce.hr/~kreator/ | http://kre.deviantart.com
|__|__|__| |_____| PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
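To see what the radauth dump in the post actually carries, here is an added example (my own code, not part of the post, of radauth or of FreeRADIUS) that parses the MS-CHAPv2 Access-Request and the Access-Reject reconstructed from the hex lines above, checks attribute and vendor lengths against the packet's Length field, splits the MS-CHAP2-Response into its RFC 2759 fields (Ident, Flags, Peer-Challenge, Reserved, NT-Response) and decodes the MS-CHAP-Error string. It also renders the User-Name octets the three ways radauth does, which is where the "IP" next to "test" comes from: 0x74657374 is simply the ASCII bytes of the name shown as an integer and as a dotted quad. The two hex constants are constructed from the dump; the attribute names are the standard RFC 2865 / RFC 2548 ones.

```python
"""Decode the RADIUS packets from the radauth dump above and pull apart the
Microsoft VSAs they carry. Added example; inputs are constructed from the post."""
import ipaddress
import struct

# Constructed from the hex dump: the MS-CHAPv2 Access-Request (id 70, 120 octets).
ACCESS_REQUEST_HEX = (
    "01460078" "4748494A4B4C4D4E4F50515253545556"             # code, id, length, authenticator
    "0406C1C6991E"                                              # NAS-IP-Address
    "050600000001"                                              # NAS-Port = 1
    "1A1800000137" "0B12" "030405060708090A0B0C0D0E0F101112"    # VSA: MS-CHAP-Challenge
    "1A3A00000137" "1934"                                       # VSA: MS-CHAP2-Response (50 octets)
    "0D00" "5758595A5B5C5D5E5F60616263000102" "0000000000000000"
    "5A2F0FDC761D16D115E7C341B5855E5B5BD081092D479DBC"
    "010674657374"                                              # User-Name = "test"
)
# The Access-Reject (id 70, 38 octets), keeping the dump's zero padding so the
# parser has to honour the Length field instead of trusting the buffer size.
ACCESS_REJECT_HEX = (
    "03460026" "210D7376053D8F0F33A2A92F73DA455B"
    "1A1200000137" "020C" "0D453D36393120523D31"                # VSA: MS-CHAP-Error
) + "00" * 10

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port"}
VENDOR_MICROSOFT = 311
MS_VSA_NAMES = {1: "MS-CHAP-Response", 2: "MS-CHAP-Error", 7: "MS-MPPE-Encryption-Policy",
                8: "MS-MPPE-Encryption-Types", 11: "MS-CHAP-Challenge",
                12: "MS-CHAP-MPPE-Keys", 25: "MS-CHAP2-Response"}


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (name, value) attributes.
    Length comes from the header (RFC 2865): trailing padding is ignored, and a buffer
    shorter than its own Length field is rejected rather than read past its end."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"Length field {length} does not fit the packet")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} overruns the packet")
        value = packet[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific: 4-octet Vendor-Id, then vendor type/length/value
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("vendor length disagrees with attribute length")
            if vendor == VENDOR_MICROSOFT:
                name = MS_VSA_NAMES.get(vtype, f"MS-VSA-{vtype}")
            else:
                name = f"VSA-{vendor}-{vtype}"
            attrs.append((name, value[6:]))
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return {"code": CODE_NAMES.get(code, code), "id": ident, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


def decode_mschap2_response(value: bytes) -> dict:
    """Lay out the 50-octet MS-CHAP2-Response value as defined in RFC 2759 / RFC 2548."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be exactly 50 octets")
    return {"ident": value[0], "flags": value[1], "peer_challenge": value[2:18],
            "reserved": value[18:26], "nt_response": value[26:50]}


def decode_mschap_error(value: bytes) -> dict:
    """MS-CHAP-Error: one Ident octet, then "E=eeeeeeeeee R=r [C=... V=...] M=msg".
    E=691 is ERROR_AUTHENTICATION_FAILURE in RFC 2759; R=1 means a retry is allowed."""
    ident, text = value[0], value[1:].decode("ascii")
    fields = dict(item.split("=", 1) for item in text.split())
    return {"ident": ident, "error": int(fields["E"]), "retry": fields.get("R") == "1",
            "message": fields.get("M")}


def render_user_name(value: bytes) -> dict:
    """Show a 4-octet value as text, as an integer and as a dotted quad, the way radauth
    prints it; for "test" this gives 1952805748 and 116.101.115.116."""
    return {"text": value.decode("ascii"), "as_int": int.from_bytes(value, "big"),
            "as_ip": str(ipaddress.IPv4Address(value))}


if __name__ == "__main__":
    for hexstr in (ACCESS_REQUEST_HEX, ACCESS_REJECT_HEX):
        pkt = parse_radius(bytes.fromhex(hexstr))
        print(pkt["code"], "id", pkt["id"], "length", pkt["length"])
        for name, value in pkt["attrs"]:
            print("  ", name, value.hex())
            if name == "MS-CHAP2-Response":
                print("     ", decode_mschap2_response(value))
            elif name == "MS-CHAP-Error":
                print("     ", decode_mschap_error(value))
            elif name == "User-Name":
                print("     ", render_user_name(value))
```

Running it prints both packets attribute by attribute; the MS-CHAP2-Response decodes to Ident 0x0D, Flags 0, a 16-octet Peer-Challenge, eight zero Reserved octets and a 24-octet NT-Response, and the MS-CHAP-Error to Ident 0x0D with E=691 and R=1. The Length checks are what keeps a parser like this from walking off the end of a short or malformed packet.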

