Francois Gaudreault wrote:
> I had a look in the LDAP, and the ntPassword is having the correct length :
> ntPassword: 44AFA3XXXXXXXXXXXXXXXXXXXXXXX856

Yup. That's the hex version.

> I did enable pap, but without success.
...
> [pap] Normalizing NT-Password from hex encoding

That's something, at least.

> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ...
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] Found NT-Password
> [mschap] Creating challenge hash with username: host/dti-dahport
> [mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> Is it possible that the issue is somewhere else? The nt/lmPassword are
> properly handled when we do user auth, and the printout in debug is also
> in a 0xsomething format.

The issue could be somewhere else. From what I recall, host authentication is... weird. The name in the MS-CHAP blob might *not* be the same as the User-Name field. If that happens, the calculated response using the User-Name will be wrong.

Grab the debug output and use it as a test case. You should be able to replay the packets verbatim. Configure a static password. Also try configuring "MS-CHAP-User-Name", which will end up being the name used for the MS-CHAP calculations.

Decode the MS-CHAP blobs manually to see if the name in them is the same as the User-Name.

Alan DeKok.
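The manual decode suggested above can be scripted. This is an added example, not part of the original message and not FreeRADIUS code: it assumes the blob is the EAP-MSCHAPv2 Response type-data starting at the OpCode byte (layout per draft-kamath-pppext-eap-mschapv2), computes the RFC 2759 challenge hash for both names, and uses a constructed sample packet with a hypothetical inner name.

```python
import hashlib
import struct

def parse_eap_mschapv2_response(data: bytes) -> dict:
    """Decode EAP-MSCHAPv2 Response type-data, starting at the OpCode byte."""
    if len(data) < 54:
        raise ValueError("truncated: need 5-byte header + 49-byte Response")
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", data[:5])
    if opcode != 2 or value_size != 49:
        raise ValueError("not an MS-CHAPv2 Response (OpCode 2, Value-Size 49)")
    if not 54 <= ms_length <= len(data):
        raise ValueError("MS-Length inconsistent with packet size")
    value = data[5:54]
    return {
        "peer_challenge": value[0:16],   # bytes 16..23 are reserved zeros
        "nt_response": value[24:48],
        "flags": value[48],
        "name": data[54:ms_length],      # MS-Length counts from OpCode
    }

def challenge_hash(peer: bytes, auth: bytes, name: bytes) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || name)."""
    return hashlib.sha1(peer + auth + name).digest()[:8]

def compare_names(user_name: str, blob: bytes, auth_challenge: bytes) -> dict:
    """Report whether User-Name and the inner name give the same hash."""
    f = parse_eap_mschapv2_response(blob)
    outer = user_name.encode()
    peer = f["peer_challenge"]
    return {
        "inner_name": f["name"].decode(errors="replace"),
        "names_match": f["name"] == outer,
        "hash_from_user_name": challenge_hash(peer, auth_challenge, outer).hex(),
        "hash_from_inner_name": challenge_hash(peer, auth_challenge, f["name"]).hex(),
    }

# Constructed sample, not captured traffic; NT-Response is a zero placeholder.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
INNER = b"DTI-DAHPORT$"                  # hypothetical inner name (assumption)
SAMPLE = (struct.pack("!BBHB", 2, 1, 54 + len(INNER), 49)
          + PEER + bytes(8) + bytes(24) + b"\x00" + INNER)

if __name__ == "__main__":
    for key, val in compare_names("host/dti-dahport", SAMPLE, AUTH).items():
        print(f"{key}: {val}")
```

When the two hashes differ, a server that builds the challenge hash from User-Name cannot reproduce the client's response even with the correct NT-Password.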

