Apologies, I had missed a hyphen out of my mschap config in the -nt-response
section.
Andi
From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 24 July 2013 13:34
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Freeradius ms-chap2 response incorrect
Hi all,
Recently upgraded to 4.0.3 but I'm struggling to get my authentication to AD
via FreeRadius working properly. I have followed the admin guide, my ntlm_auth
and radtest tests result in success. However, using the same username and
password combo that I used in the ntlm_auth test through freeradius results in
rejection.
I've attached a full debug output, but I think the key section is:
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: sm18818
[mschap] Client is using MS-CHAPv2 for sm18818, we need NT-Password
[mschap] expand: %{StrippedUser-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{mschap:User-Name:-None} -> sm18818
[mschap] expand: --username=%{%{StrippedUser-Name}:-%{mschap:User-Name:-None}} -> --username=sm18818
[mschap] Creating challenge hash with username: sm18818
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9567501c765b1dc2
[mschap] expand: --ntresponse=%{mschap:NT-Response:-00} -> --ntresponse=6c40a14ff7b01b9bfa31b93205cf5b5b1b72b2f6f666bcd6
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure (0xc000006d)): [sm18818] (from client 192.168.142.13 port 13 cli 00-26-b6-da-18-42 via TLS tunnel)
} # server packetfence-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 186 to 192.168.142.13 port 32769
EAP-Message = 0x0109002b19001703010020705314f0ffe8f897bf6c27f2a93c5d4afdf6f8ad81814ea77b792be912103f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x61cb5e0967c247ae15acced8dd35559b
Finished request 6.
Can anybody on here advise or should I be posting this to the Freeradius
mailing list?
Cheers,
Andi
-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: amor...@cardiffmet.ac.uk
--------------------------------------
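
The reply at the top of this thread traces the rejection to a missing hyphen in the ntlm_auth --nt-response option, which appears in the debug output as --ntresponse=. The following Python script is an added example, not part of the original messages or of PacketFence: it extracts the options from rlm_mschap "expand:" debug lines and flags any that are not in a known list. The option list (a subset of the ntlm_auth man page), the function names and the sample lines with placeholder values are assumptions constructed for illustration.

```python
import difflib
import re

# Options ntlm_auth accepts for a challenge/response check (subset of the
# Samba ntlm_auth man page; assumption: extend if your config passes others).
KNOWN_OPTIONS = [
    "--username", "--domain", "--workstation", "--challenge",
    "--nt-response", "--lm-response", "--request-nt-key",
]

# rlm_mschap debug line: "[mschap] expand: <template> -> <result>"
EXPAND_RE = re.compile(r"\[mschap\]\s+expand:\s+\S.*?\s->\s*(?P<result>.*)$")
OPTION_RE = re.compile(r"(--[A-Za-z][A-Za-z0-9-]*)(?==|\s|$)")

# Constructed sample modelled on the debug output above (placeholder values).
SAMPLE_DEBUG = """\
[mschap] expand: %{StrippedUser-Name} ->
[mschap] expand: %{mschap:User-Name:-None} -> jdoe
[mschap] expand: --username=%{%{StrippedUser-Name}:-%{mschap:User-Name:-None}} -> --username=jdoe
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=0011223344556677
[mschap] expand: --ntresponse=%{mschap:NT-Response:-00} -> --ntresponse=000000000000000000000000000000000000000000000000
Exec-Program output: Logon failure (0xc000006d)
"""

def expanded_options(debug_text):
    """Return the option names rlm_mschap expanded for the external program."""
    options = []
    for line in debug_text.splitlines():
        m = EXPAND_RE.search(line)
        if not m:
            continue
        for token in m.group("result").split():
            opt = OPTION_RE.match(token)
            if opt:
                options.append(opt.group(1))
    return options

def suspect_options(debug_text):
    """Return (option, closest known option or None) for unrecognised options."""
    findings = []
    for opt in expanded_options(debug_text):
        if opt not in KNOWN_OPTIONS:
            close = difflib.get_close_matches(opt, KNOWN_OPTIONS, n=1, cutoff=0.8)
            findings.append((opt, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for bad, hint in suspect_options(SAMPLE_DEBUG):
        print(f"unrecognised option {bad}; closest known option: {hint}")
```

Run it against the text of a radiusd debug capture; an empty result means every expanded option is in the known list.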