> On 11/16/2012 10:00 AM, Carlos Velasco wrote:
>
>> windows popup in Cisco VPN client, but the change password process fails:
>> ntlm_auth said: Password-Change: No Password-Change-Error: Wrong
>> Password.
>>
>> Looking into code I suppose the problem is something with the old NT
>> hash, but not an expert here. Any help would be appreciated.
>>
>> In these logs the user is "NIMASTELECOM\testpw".
>> The current password is "y58R41ut8W" (expired).
>> And the new password used was "H6eEWu7r65tw38ert1".
>
> There *might* be a bug in the CPW code, but I can't really see how; it
> tested fine when I wrote it, and the crypto/hash/blob stuff doesn't
> really leave room for "only if CONDITION X do something invalid".
>
> I'll take a look a little bit later but in the meantime can you confirm
> that if you clear the "must change password", auth works fine with the
> old/current password?
Yes, auth works fine without "Must change".

I think I have found the problem.

MS-CHAP2-CPW = 0x0701000000000000000000000000000000004194697300c611e68e661957a30d0015000000000000000041eb18eb29a0ebb20ff232620f708e68e27f251767ccd3060000

According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16 octets, but they are all 00.
I am trying to find out why, seems a bug in Cisco part. But I think this works fine with Cisco ACS radius. :S

--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
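To make the field boundaries Carlos is reading off by hand explicit, here is an added Python example (not code from the thread, nor from FreeRADIUS or rlm_mschap) that splits an MS-CHAP2-CPW value into the fields RFC 2548 defines (Code, Ident, Encrypted-Hash, Peer-Challenge, Reserved, NT-Response, Flags) and reports why a given blob cannot work. The sample value is the attribute posted above, reassembled field by field so the 16 zero octets of Encrypted-Hash are visible; per RFC 2548 that field carries the old NT hash encrypted with the new one, so a zeroed field leaves the server with no way to recover the old hash, which is consistent with the "Wrong Password" result reported by ntlm_auth. The function and variable names are this example's own.

```python
from dataclasses import dataclass

# RFC 2548 section 2.3.4: after Vendor-Type and Vendor-Length, the
# MS-CHAP2-CPW value is Code(1) Ident(1) Encrypted-Hash(16)
# Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(2) = 68 octets.
CPW_CODE = 7
CPW_LENGTH = 68

# Constructed from the attribute posted in the thread (the part after "0x"),
# reassembled field by field so the layout is visible; the Encrypted-Hash is
# the 16 zero octets the message reports.
SAMPLE_CPW_HEX = (
    "0701"
    + "00" * 16
    + "4194697300c611e68e661957a30d0015"
    + "00" * 8
    + "41eb18eb29a0ebb20ff232620f708e68e27f251767ccd306"
    + "0000"
)


@dataclass(frozen=True)
class MsChap2Cpw:
    code: int
    ident: int
    encrypted_hash: bytes   # old NT hash encrypted with the new NT hash
    peer_challenge: bytes
    reserved: bytes         # must be zero
    nt_response: bytes      # MS-CHAPv2 response computed with the new password
    flags: int              # must be zero


def parse_ms_chap2_cpw(data: bytes) -> MsChap2Cpw:
    """Split a raw MS-CHAP2-CPW value into its fields, rejecting bad sizes or codes."""
    if len(data) != CPW_LENGTH:
        raise ValueError(f"MS-CHAP2-CPW must be {CPW_LENGTH} octets, got {len(data)}")
    code, ident = data[0], data[1]
    if code != CPW_CODE:
        raise ValueError(f"MS-CHAP2-CPW Code must be {CPW_CODE}, got {code}")
    return MsChap2Cpw(
        code=code,
        ident=ident,
        encrypted_hash=data[2:18],
        peer_challenge=data[18:34],
        reserved=data[34:42],
        nt_response=data[42:66],
        flags=int.from_bytes(data[66:68], "big"),
    )


def parse_ms_chap2_cpw_hex(text: str) -> MsChap2Cpw:
    """Accept the value as it appears in debug output, with or without a 0x prefix."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return parse_ms_chap2_cpw(bytes.fromhex(cleaned))


def sanity_check(cpw: MsChap2Cpw) -> list[str]:
    """Return the reasons this blob cannot succeed as a password change (empty if none)."""
    problems = []
    if cpw.encrypted_hash == bytes(16):
        problems.append("Encrypted-Hash is all zeros: the old NT hash cannot be recovered")
    if cpw.reserved != bytes(8):
        problems.append("Reserved octets are not zero")
    if cpw.flags != 0:
        problems.append(f"Flags must be zero, got {cpw.flags:#06x}")
    return problems


if __name__ == "__main__":
    cpw = parse_ms_chap2_cpw_hex("0x" + SAMPLE_CPW_HEX)
    print(f"Ident={cpw.ident} Peer-Challenge={cpw.peer_challenge.hex()}")
    for problem in sanity_check(cpw):
        print("problem:", problem)
```

Run against the posted value, the parser lines up exactly with the 68-octet layout (the Peer-Challenge and NT-Response fall on their expected boundaries and Flags is zero), and the only complaint is the zeroed Encrypted-Hash; a client that fills that field produces an empty problem list. This is a stand-alone check for reading debug output, not a replacement for how rlm_mschap itself unpacks the attribute.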