MS-CHAP2-Response is incorrect

[DeYoung, Brandon]

Hi All,             I am running FreeRADIUS Version 1.0.0 on Suse 9.2 Pro to provide 802.1x authentication for wireless users. I have PEAP / MSChap V2 working from my Windows XP clients utilizing ntlm_auth as well as local users in the /etc/raddb/users file.             I am attempting to add hand held clients running Win CE 4.2 with the Aegis 2.1.2 client. I initially had a TLV error in radiusd’s debug output, this was solved by setting: use_mppe = no in /etc/raddb/radiusd.conf. The error I am now getting is this: -------snip-------   Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 75   rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect   modcall[authenticate]: module "mschap" returns reject for request 75 modcall: group Auth-Type returns reject for request 75 -------snip---------------------------------   I’m thinking it’s a client-side bug, but was wondering even if this is the case whether or not there was a work-around on the server side.   Thanks in advance! ~Brandon   Users file: --------snip---------------------------------------------------------- test    User-Password == "testing", MS-Chap-Use-NTLM-Auth := 0   DEFAULT Service-Type == Framed-User         Framed-IP-Address = 255.255.255.254,         Framed-MTU = 576,         Service-Type = Framed-User,         Fall-Through = Yes     DEFAULT Framed-Protocol == PPP         Framed-Protocol = PPP,         Framed-Compression = Van-Jacobson-TCP-IP     DEFAULT Hint == "CSLIP"         Framed-Protocol = SLIP,         Framed-Compression = Van-Jacobson-TCP-IP   DEFAULT Hint == "SLIP"         Framed-Protocol = SLIP ---------------snip------------------------------------------   raidiusd.conf  (I tried to cut out relevant portions)   ------snip------------------            eap {      default_eap_type = peap       timer_expire     = 60       ignore_unknown_eap_types = no       cisco_accounting_username_bug = no     md5 {    }        leap {       }                tls {                         private_key_password = "this is a secret"                         private_key_file = ${raddbdir}/certs/cert-srv.pem                         certificate_file = ${raddbdir}/certs/cert-srv.pem                           CA_file = ${raddbdir}/certs/demoCA/cacert.pem                           dh_file = ${raddbdir}/certs/dh                         random_file = /dev/urandom                           fragment_size = 1024                           include_length = yes                 }    peap {                         default_eap_type = mschapv2      }    mschapv2 {      } }                       mschap {                         use_mppe = no                         with_ntdomain_hack = no                         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" }   ------------------snip--------------------------------------------------   Full debug output:   rad_recv: Access-Request packet from host 43.191.112.164:21650, id=200, length=264         User-Name = "test"         Framed-MTU = 1400         Called-Station-Id = "000f.8fda.481c"         Calling-Station-Id = "00a0.f860.1949"         Message-Authenticator = 0x52f1752456aab0d1b43e5790012896c8         EAP-Message = 0x0208008019001703010020f08caa6e5c14a57351962cdcf393ac89eab0df4b964ad2ae1b073b7a7ad73020170301005021305f63d314665895b400f1bdc073352791c4d9beb1d142db8b7929210e69dea87a46c5bc9f4548471dde9eaf4dfeaddc60f1dc729bf5296c98e0414fa2c82523410bc1c4f5e97f09cc9bc634543f08         NAS-Port-Type = Wireless-802.11         NAS-Port = 321         State = 0x95e558bf10568d557b5155bff9f6a189         Service-Type = Framed-User         NAS-IP-Address = 43.191.112.164         NAS-Identifier = "SDB5Test"   Processing the authorize section of radiusd.conf modcall: entering group authorize for request 75   modcall[authorize]: module "preprocess" returns ok for request 75   modcall[authorize]: module "chap" returns noop for request 75   modcall[authorize]: module "mschap" returns noop for request 75     rlm_realm: No '@' in User-Name = "test", looking up realm NULL     rlm_realm: No such realm "NULL"   modcall[authorize]: module "suffix" returns noop for request 75     rlm_realm: No '\' in User-Name = "test", looking up realm NULL     rlm_realm: No such realm "NULL"   modcall[authorize]: module "ntdomain" returns noop for request 75   rlm_eap: EAP packet type response id 8 length 128   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation   modcall[authorize]: module "eap" returns updated for request 75     users: Matched test at 93   modcall[authorize]: module "files" returns ok for request 75 modcall: group authorize returns updated for request 75   rad_check_password:  Found Auth-Type EAP auth: type "EAP"   Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 75   rlm_eap: Request found, released from the list   rlm_eap: EAP/peap   rlm_eap: processing type peap   rlm_eap_peap: Authenticate   rlm_eap_tls: processing TLS   eaptls_verify returned 7   rlm_eap_tls: Done initial handshake   eaptls_process returned 7   rlm_eap_peap: EAPTLS_OK   rlm_eap_peap: Session established.  Decoding tunneled attributes.   rlm_eap_peap: EAP type mschapv2   rlm_eap_peap: Tunneled data is valid.   PEAP: Setting User-Name to test   PEAP: Adding old state with 3c 90   Processing the authorize section of radiusd.conf modcall: entering group authorize for request 75   modcall[authorize]: module "preprocess" returns ok for request 75   modcall[authorize]: module "chap" returns noop for request 75   modcall[authorize]: module "mschap" returns noop for request 75     rlm_realm: No '@' in User-Name = "test", looking up realm NULL     rlm_realm: No such realm "NULL"   modcall[authorize]: module "suffix" returns noop for request 75     rlm_realm: No '\' in User-Name = "test", looking up realm NULL     rlm_realm: No such realm "NULL"   modcall[authorize]: module "ntdomain" returns noop for request 75   rlm_eap: EAP packet type response id 8 length 63   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation   modcall[authorize]: module "eap" returns updated for request 75     users: Matched test at 93   modcall[authorize]: module "files" returns ok for request 75 modcall: group authorize returns updated for request 75   rad_check_password:  Found Auth-Type EAP auth: type "EAP"   Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 75   rlm_eap: Request found, released from the list   rlm_eap: EAP/mschapv2   rlm_eap: processing type mschapv2   Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 75   rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect   modcall[authenticate]: module "mschap" returns reject for request 75 modcall: group Auth-Type returns reject for request 75   rlm_eap: Freeing handler   modcall[authenticate]: module "eap" returns reject for request 75 modcall: group authenticate returns reject for request 75 auth: Failed to validate the user.   PEAP: Tunneled authentication was rejected.   rlm_eap_peap: FAILURE   modcall[authenticate]: module "eap" returns handled for request 75 modcall: group authenticate returns handled for request 75 Sending Access-Challenge of id 200 to 43.191.112.164:21650         EAP-Message = 0x01090050190017030100206159f59e56d684ee9e2ca1cfd91985aaeae8c3760da3b87805f1f0fb3a9875a21703010020214ac0381fafff789d0e4b9f13b6094b0c9b26416ee0f732282b51e2ca5647ce         Message-Authenticator = 0x00000000000000000000000000000000         State = 0x80e451161f163716617464bf3f741ab9 Finished request 75 Going to the next request Waking up in 6 seconds...