pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = testuser1, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap

Re: pptpd mschap auth fails

2013-08-06 Thread Phil Mayers
On 06/08/13 16:04, Horatiu Nimigean wrote: i have pptpd on a centos 6 box configured to use radius for auth. radius in turn checks credentials in ldap. the user in ldap has a samba extension and a configured password (i used ldap account manager to set it up) it also has a sambaNTPassword field

Re: pptpd mschap auth fails

2013-08-06 Thread Alan DeKok
Horatiu Nimigean wrote: the auth fails however when i try connecting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords. No, you're not. [mschap] Found NT-Password [mschap] Creating challenge hash with username: testuser1 [mschap] Told

Re: pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean
it attempts mschapv1) and it gives me the same error [root@be-vpn ~]# radtest -t mschap betatesting1 secret 127.0.0.1 1812 myubersecretpassword Sending Access-Request of id 13 to 127.0.0.1 port 1812 User-Name = betatesting1 NAS-IP-Address = 127.0.0.1 NAS-Port

Re: pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean
however when i try connecting from my windows8 client. i need to mention that i am sure i'm inputting correct passwords. No, you're not. [mschap] Found NT-Password [mschap] Creating challenge hash with username: testuser1 [mschap] Told to do MS-CHAPv2 for testuser1 with NT

Re: [again] Error [mschap] No Cleartext-Password configured. Cannot create LM-Password.

2013-07-15 Thread Alan DeKok
Holger Wesser wrote: I've googled a while and found different solutions for the error message: [mschap] No Cleartext-Password configured. Cannot create LM-Password. There's only one solution: give the server a known good password. e.g. Cleartext-Password, or NT-Password. What I've done

Re: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-08 Thread nicolas . clo
users mailing list freeradius-users@lists.freeradius.org From: John Dennis <jden...@redhat.com> Sent by: freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org Date: 07/06/2013 17:12 Subject: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth On 06/07/2013

Re: [SPAM] FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-08 Thread Arran Cudbard-Bell
On 8 Jun 2013, at 10:30, nicolas@ricoh-industrie.fr wrote: I have the same problem after upgrade Freeradius to version 3. Before, ntlm worked very well but it seems that the new version used the ntlm module differently. Thanks for flagging your email appropriately. Arran Cudbard-Bell

Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-08 Thread Bjarni Hardarson
build-dep freeradius apt-get install libssl-dev ./configure make make install The result is the same. The first time i try to authenticate the mschap module says ERROR: (0) ERROR: mschap : Abnormal child exit: No such file or directory. The second time it says ERROR: (1) ERROR: mschap

FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-07 Thread Bjarni Hardarson
Hi list, I just tried to upgrade FreeRADIUS to the latest version from git. My goal is to get the passchange feature working in the mschap module. I am unable to get ntlm_auth to work in mschap. debug output, --- Debug: (0) mschap : expand: '--nt-response=%{%{mschap:NT-Response}:-00

FreeRADIUS 3-0 : mschap problem.

2013-06-07 Thread Bjarni Hardarson
Hi list, I just tried to upgrade FreeRADIUS to the latest version from git. My goal is to get the passchange feature working in the mschap module. I am unable to get ntlm_auth to work in mschap. debug output, --- Debug: (0) mschap : expand: '--nt-response=%{%{mschap:NT-Response}:-00

Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-07 Thread John Dennis
On 06/07/2013 10:46 AM, Bjarni Hardarson wrote: I am sure that the ntlm_auth file is at /usr/bin/ntlm_auth and if i run it manually with the expanded attributes i get the NT_KEY. root@freelab:/#/usr/bin/ntlm_auth --request-nt-key --username=vpntest --challenge=d9a8b4d1c188ae1b

Re: [Help] radtest mschap problem

2013-04-27 Thread Andres
server Version: 2.1.1-7.16.1 also installed freeradius-server-libs and utils Why? That version is SEVEN YEARS old. Upgrade. Really. And you're using a version of radclient which doesn't support mschap. So... why are you trying to use mschap? We presume that you're running a recent

Re: [Help] radtest mschap problem

2013-04-27 Thread Fajar A. Nugraha
is mschap test function, IIRC 2.1.12 also has it, and there are packages for SLE 11: http://download.opensuse.org/repositories/network:/aaa/SLE_11/x86_64/ It will be even better if you can use 2.2.0. Search the list archive, IIRC you must manually delete references to sqlite3 in spec file to get

Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
Most likely your host file didn't have entry of your domain name, dump your hostname and /etc/hosts file here and then we can comment better On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote: Hello All, I'm trying to test mschap with radtest but it gives me strange error

Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
comment better On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote: Hello All, I'm trying to test mschap with radtest but it gives me strange error message. I've tried to solve it several days, but had no success. I'm using syntax like that: $ radtest -t mschap user

Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote: this way looks my hosts file: Well... something is wrong with DNS on your system. The only advantage to using radtest is that it's simpler than radclient. But it's just a wrapper around radclient. You can edit radtest to remove the DNS lookups, or write your own wrapper

Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
likely your host file didn't have entry of your domain name, dump your hostname and /etc/hosts file here and then we can comment better On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote: Hello All, I'm trying to test mschap with radtest but it gives me strange error message

Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
mschap testing passme 127.0.0.1 0 testing123456 radclient: Failed to find IP address for host testing: Success . radius:/etc # radtest testing passme 127.0.0.1 0 testing123456 Sending Access-Request of id 177 to 127.0.0.1 port 1812 User-Name = testing User-Password

Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
Hi, what version of FreeRADIUS? are you sure you aren't running old copies of radclient/radtest ie you THINK you can do -t mschap but the wrapper or binary doesn't radclient -v ? which radtest then cat the resulting file. alan - List info/subscribe/unsubscribe? See http

Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
radius-server[:port] nas-port -number secret [ppphint] [nasname] 2 echo -d RADIUS_DIR Set radius directory 2 echo -t type Set authentication method 2 echo type can be pap, chap, mschap, or eap- md5 2 echo

Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote: FreeRADIUS server Version: 2.1.1-7.16.1 also installed freeradius-server-libs and utils Why? That version is SEVEN YEARS old. Upgrade. Really. And you're using a version of radclient which doesn't support mschap. So... why are you trying to use mschap? We presume

[Help] radtest mschap problem

2013-04-25 Thread Andres
Hello All, I'm trying to test mschap with radtest but it gives me strange error message. I've tried to solve it several days, but had no success. I'm using syntax like that: $ radtest -t mschap user password 127.0.0.1 0 secret radclient : Failed to find IP address for host user: Success

mschap module vs ntlm_auth module

2013-03-06 Thread Óscar Remírez de Ganuza Satrústegui
it, as freeradius is using mschap module to authenticate. +- entering group MS-CHAP {...} [mschap] Client is using MS-CHAPv1 with NT-Password [mschap] expand: %{Stripped-User-Name} - oscarrdg [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} - --username=oscarrdg [mschap

Re: mschap module vs ntlm_auth module

2013-03-06 Thread A . L . M . Buxey
that. we just have ntlm_auth as required configured in the mschap module. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: mschap module vs ntlm_auth module

2013-03-06 Thread Phil Mayers
about throwing that config away (remove the Auth-Type, stop using that module) and now configuring the mschap module, by setting the ntlm_auth helper. It might be a bit confusing that ntlm_auth is used twice there - once as the name of an exec instance, once as a config variable for the mschap

Re: mschap module vs ntlm_auth module

2013-03-06 Thread Óscar Remírez de Ganuza Satrústegui
, and is tested by forcing Auth-Type 2. It then talks about throwing that config away (remove the Auth-Type, stop using that module) and now configuring the mschap module, by setting the ntlm_auth helper. It might be a bit confusing that ntlm_auth is used twice there - once as the name of an exec

Fw: [mschap] No Cleartext-Password configured. Cannot createLM-Password.

2013-01-31 Thread Grzegorz Cimochowski
file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = chmielewska_d, looking up realm NULL [suffix

EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
Hey, I need a bit of assistance. Brief summary: I have two RADIUS servers connected to different Active Directory domains. I got through the basic setup, EAP-PEAP / MSCHAP were working successfully authenticating against both domains. Then: - I upgraded freeradius on both from 2.1.10 to 2.2.0

Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Phil Mayers
the well known mangling mschap response issue. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
This suggests the problem isn't certs, since you're inside the PEAP tunnel at this point. Check that samba/winbind are working ok, patched to the same level, etc. - it looks like the well known mangling mschap response issue. - List info/subscribe/unsubscribe? See http://www.freeradius.org

Re: Issue with MSCHAP

2012-11-06 Thread Ryan Summey
Roger thanks On Nov 5, 2012 11:35 PM, Fajar A. Nugraha l...@fajar.net wrote: On Mon, Nov 5, 2012 at 6:47 PM, Ryan Summey ryan.sum...@gmail.com wrote: Thank you for the help guys really appreciate it. Is there anyway to automate this? My best advice would be to read Advanced Bash-Scripting

Re: Issue with MSCHAP

2012-11-05 Thread Ryan Summey
Thank you for the help guys really appreciate it. Is there anyway to automate this? On Nov 5, 2012 12:54 AM, Fajar A. Nugraha l...@fajar.net wrote: On Mon, Nov 5, 2012 at 6:26 AM, Ryan Summey ryan.sum...@gmail.com wrote: What do i need to do to enable nt-hash rather than pap? That question

Re: Issue with MSCHAP

2012-11-05 Thread Fajar A. Nugraha
On Mon, Nov 5, 2012 at 6:47 PM, Ryan Summey ryan.sum...@gmail.com wrote: Thank you for the help guys really appreciate it. Is there anyway to automate this? My best advice would be to read Advanced Bash-Scripting Guide, as well as Awk Introduction Tutorial – 7 Awk Print Examples (hint: use

Re: Issue with MSCHAP

2012-11-04 Thread Arran Cudbard-Bell
/freeradius/modules/files including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/mschap including configuration file

Re: Issue with MSCHAP

2012-11-04 Thread Phil Mayers
Your only choices are outlined at the url you were given I'm afraid - store the cleartext or nt hash of the password, which will entail a password change (or capture); or switch to eap-ttls/pap. This is a property of the cryptographic aspects of the algorithms in question and can't be worked

Re: Issue with MSCHAP

2012-11-04 Thread Arran Cudbard-Bell
/acct_unique including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius

Re: Issue with MSCHAP

2012-11-04 Thread alan buxey
Hi, Is there any tutorials on how to do this ? choose EAP-TTLS/PAP on the client. so long as you haven't butchered your eap.conf (of mods-enabled/eap on FR 3.x) then it will just work. (EAP-TTLS is one of the EAP methods that FR natively supports) you can use eapol_test (part of

Re: Issue with MSCHAP

2012-11-04 Thread Ryan Summey
yeah i haven't touched anything just setup ubuntu server + pptp + freeradius + mysql that's it. My phone is android and in the vpn settings it has pptp options but i can't select eap-ttls .. its ppp encryption(MPPE) and that uses mschapv2 i believe. How would i get this to work using a encrypted

Re: Issue with MSCHAP

2012-11-04 Thread alan buxey
Hi, yeah i haven't touched anything just setup ubuntu server + pptp + freeradius + mysql that's it. ah. VPN stuff - you should have clarified the pointers about TTLS etc from others was for enterprise wireless (WPA2/AES - aka WPA/RADIUS) 2 step approach - secure access to the DB in

Re: Issue with MSCHAP

2012-11-04 Thread Ryan Summey
Yes this is VPN sorry for the confusion... DB is a mysql and isn't hosted locally. I created it at my hosting company. I setup a virtual machine with ubuntu server on my desktop with everything i need. This all works with clear-text passwords from my phone. What do i need to do to enable nt-hash

Re: Issue with MSCHAP

2012-11-04 Thread Fajar A. Nugraha
On Mon, Nov 5, 2012 at 6:26 AM, Ryan Summey ryan.sum...@gmail.com wrote: What do i need to do to enable nt-hash rather than pap? That question should be: how do I put nt-hash password in the db? IIRC the attribute name is NT-Password (you use this instead of Cleartext-Password as attribute in

Re: redundant load balancing and mschap

2012-08-25 Thread Phil Mayers
On 08/24/2012 11:53 PM, McNutt, Justin M. wrote: The underlying problem is that I have four production RADIUS servers that all seem to choose the same domain controller, which is not only a lot of load, but it's a bad idea in terms of fault tolerance. I agree about the fault tolerance. In my

redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one listed in /etc/samba/smb.conf (which may be a coincidence). I set up several mschap instances like so: mschap mschap1 { ... ntlm_auth -s /etc

Re: redundant load balancing and mschap

2012-08-24 Thread Alan DeKok
McNutt, Justin M. wrote: Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one listed in /etc/samba/smb.conf (which may be a coincidence). That's how the NT protocols work, IIRC. You need to

Re: redundant load balancing and mschap

2012-08-24 Thread alan buxey
Hi, Authentication *works*, but all authentications go to the same DC (the one specified in mschap2).  Running radiusd -X shows that all mschap1/2/3 instances are being called, and no authentication *attempts* are being sent to the other two domain controllers.  (1 and 3 aren't

Re: redundant load balancing and mschap

2012-08-24 Thread Phil Mayers
On 08/24/2012 08:11 PM, McNutt, Justin M. wrote: Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one This is indeed a Samba issue, and unfortunately a hard one to fix. ntlm_auth doesn't talk over

RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
@lists.freeradius.org] On Behalf Of alan buxey Sent: Friday, August 24, 2012 3:59 PM To: FreeRadius users mailing list Subject: Re: redundant load balancing and mschap Hi, Authentication *works*, but all authentications go to the same DC (the one specified in mschap2).  Running radiusd

RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
and mschap On 08/24/2012 08:11 PM, McNutt, Justin M. wrote: Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one This is indeed a Samba issue, and unfortunately a hard one to fix. ntlm_auth doesn't

RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, August 24, 2012 4:23 PM To: freeradius-users@lists.freeradius.org Subject: Re: redundant load balancing and mschap On 08/24/2012 08:11 PM, McNutt, Justin M. wrote

Re: buffer overflow on mschap reject

2012-06-13 Thread Matt Richards
config? maybe the mschap stuff bloats the reply too much? *** buffer overflow detected ***: radiusd terminated === Backtrace: = Reading doc/bugs would help here. I can replicate this issue with radtest. Do you have a minimal config which could help? Does anybody know

Re: buffer overflow on mschap reject

2012-06-13 Thread alan buxey
Hi, I did have a retry_msg which was left as the default value of retry_msg = Re-enter (or reset) the password After I commented out this line the problem went away. Thanks for your help. I'm guessing this shouldn't crash with the example config? maybe the mschap stuff bloats the reply

Re: buffer overflow on mschap reject

2012-06-13 Thread Matt Richards
? maybe the mschap stuff bloats the reply too much? doesn't crash here - what code release are you using? # ntlm_auth -V Version 3.5.15 # radiusd -X | head -1 FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29 alan - List info/subscribe/unsubscribe? See

buffer overflow on mschap reject

2012-06-12 Thread Matt Richards
... +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: rer

Re: buffer overflow on mschap reject

2012-06-12 Thread Alan DeKok
Matt Richards wrote: Hello, I have got radius setup to authenticate wireless clients using MS-CHAP and everything works correctly if the entered user / pass is correct. If the password is wrong, however, I get a buffer overflow error and radiusd dies. You probably set the retry_msg to

Re: buffer overflow on mschap reject

2012-06-12 Thread alan buxey
Hi, Matt Richards wrote: if you send me the small bits of mschap config you have made i'll run it on my debug/testing platform alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread alan buxey
Hi, Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log messages for EAP auth failures; I

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread Phil Mayers
On 05/19/2012 12:37 PM, alan buxey wrote: Hi, Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread Bruce Nunn
Mayers wrote: Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log messages for EAP auth failures; I

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread Phil Mayers
...@deployingradius.com wrote: Phil Mayers wrote: Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log

PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-18 Thread Phil Mayers
Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. This is in the context of us not seeing log messages for EAP auth failures; I suspect that the client may just hang

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-18 Thread Alan DeKok
Phil Mayers wrote: Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log messages for EAP auth failures

Re: MSCHAP Errors

2012-05-15 Thread sgilmour
Hi, I have been unable to get a PEAP user to work, but I was able to get a TLS User to work. It keeps on failing for MSCHAP. I tried to change the mschap module settings but this made no difference. I am currently using samba 3.5 with active directory. Does my ntlm_auth path look correct? Thanks

Re: MSCHAP Errors

2012-05-15 Thread Alan Buxey
What does the server try to run when actually dealing with your client? radius -X will show you, you can then try running that command yourself. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MSCHAP Errors

2012-05-15 Thread Gilmour, Scott
Thanks, I am Working on Upgrading my Ubuntu to the Ubuntu 12.04 LTS and then I will retry the PEAP Authentication I will keep you posted with my results. root@FreeRadius:/home/sqauser# radius -X No command 'radius' found, did you mean: Command 'radiusd' from package 'radiusd-livingston'

Re: MSCHAP Errors

2012-05-15 Thread Alan DeKok
Gilmour, Scott wrote: I am Working on Upgrading my Ubuntu to the Ubuntu 12.04 LTS and then I will retry the PEAP Authentication I will keep you posted with my results. Upgrading won't help. root@FreeRadius:/home/sqauser# radius -X No command 'radius' found, did you mean: Command

Re: MSCHAP Errors

2012-05-15 Thread alan buxey
Hi, I am Working on Upgrading my Ubuntu to the Ubuntu 12.04 LTS and then I will retry the PEAP Authentication I will keep you posted with my results. I can't spoon feed you with all your required details - I have a day job too... if you use Ubuntu, then it uses a different name

Re: MSCHAP Errors

2012-05-14 Thread James J J Hooper
denied (0xc022) Fri May 11 08:08:13 2012 : Debug: Exec-Program: returned: 1 Fri May 11 08:08:13 2012 : Info: [mschap] External script failed. Fri May 11 08:08:13 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect The ntlm_auth helper is returning errors. Try the command from the CLI

Re: MSCHAP Errors

2012-05-14 Thread sgilmour
with an access-reject leaving me to believe it has something to do with the MSCHAP module. I am still investigating. Thanks Scott On Mon, May 14, 2012 at 1:55 PM, James J J Hooper [via FreeRadius] ml-node+s1045715n5709347...@n5.nabble.com wrote: On 11/05/2012 13:35, Phil Mayers wrote: On 11/05/12 13

Re: MSCHAP Errors

2012-05-14 Thread alan buxey
with an access-reject leaving me to believe it has something to do with the MSCHAP module. I am still investigating. what version of SAMBA? 3.0.x will be fine, as will 3.5.x and 3.6.x latest versions, you may have all kinds of issues with 3.1.x through to 3.4.x. also, when run in full debug mode

MSCHAP Errors

2012-05-11 Thread sgilmour
Hi, I am running freeradius with Ubuntu and with the Active Directory Configuration. When doing PEAP authentication I keep on getting a MSCHAP Error. Not sure where to make changes or what changes to make. Is there something I need to add in the Radiusd.conf or the eap.conf file? Thanks

Re: MSCHAP Errors

2012-05-11 Thread Phil Mayers
: Debug: Exec-Program: returned: 1 Fri May 11 08:08:13 2012 : Info: [mschap] External script failed. Fri May 11 08:08:13 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect The ntlm_auth helper is returning errors. Try the command from the CLI and examine the output. Check

Re: adding mschap to an existing ttls/pap setup

2012-04-13 Thread Alan DeKok
Brian Gold wrote: Ok, new pastebin: http://pastebin.com/5f2W3PjN I've confirmed that I don't have Auth-Type := LDAP anywhere in my configuration. Did you try checking the set_auth_type entry in the ldap module config, as suggested in another post? The sambaNTPassword hash was incorrect.

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-13 Thread Alan DeKok
Matthew Newton wrote: I've just replicated the problem by repeatedly HUPping freeradius, with about 10 second gaps between. On the 8th or so try, the same issue hit. Stopping and starting FR fixed it. Maybe valgrind helps. It doesn't say anything for me... I'm wondering if the mschap

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-13 Thread Jan Weiher
I'm wondering if the mschap module somehow gets its internal state muddled on a HUP, and starts sending the wrong challenge response. ntlm_auth from the command line works fine when FR has a problem. Hi, I had some sparetime and was able to have a deeper look at it. What I did is basically

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-13 Thread Alan DeKok
Jan Weiher wrote: I had some sparetime and was able to have a deeper look at it. What I did is basically running freeradius -X and then hup'd it until it got borked. Seems to me like the mschap module gets somehow lost during the hup: That's enough to tell what's going on. Try grabbing

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-13 Thread Matthew Newton
Hi, On Fri, Apr 13, 2012 at 05:23:22PM +0200, Alan DeKok wrote: Jan Weiher wrote: I had some sparetime and was able to have a deeper look at it. What I did is basically running freeradius -X and then hup'd it until it got borked. Seems to me like the mschap module gets somehow lost during

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-13 Thread Jan Weiher
like the mschap module gets somehow lost during the hup: That's enough to tell what's going on. Try grabbing the v2.1.x branch from git. It has a fix. Just to confirm, I've been trying to cause 'death by HUP' with the latest v2.1.x, and can't get it to. Backing out the last patch, I can

kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-12 Thread Jan Weiher
Hi, I've got a strange problem with FR 2.1.12, sometimes (not always) when logrotate ran, freeradius goes bonkers and responds to every pap request with mschap xlat failed. Restarting FR fixes this magically and all works fine again. I created a small and hackish script, which restarts FR when

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-12 Thread John Dennis
On 04/12/2012 09:59 AM, Jan Weiher wrote: Hi, I've got a strange problem with FR 2.1.12, sometimes (not always) when logrotate ran, freeradius goes bonkers and responds to every pap request with mschap xlat failed. Restarting FR fixes this magically and all works fine again. I created a small

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-12 Thread Jan Weiher
(not always) when logrotate ran, freeradius goes bonkers and responds to every pap request with mschap xlat failed. Restarting FR fixes this magically and all works fine again. I created a small and hackish script, which restarts FR when this happens. The output showed that about every second week

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-12 Thread Matthew Newton
Hi, On Thu, Apr 12, 2012 at 03:59:56PM +0200, Jan Weiher wrote: I've got a strange problem with FR 2.1.12, sometimes (not always) when logrotate ran, freeradius goes bonkers and responds to every pap request with mschap xlat failed. Restarting FR fixes this magically and all works fine again

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-12 Thread Jan Weiher
Hi, On 12.04.2012 16:32, Matthew Newton wrote: I'll dig a bit more, but the easy solution is to change the logrotate script to restart, rather than reload/HUP. Yes, that would be a solution for me as well, because when logrotate runs, the freeradius server is basically idle, but I don't

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-12 Thread Matthew Newton
On Thu, Apr 12, 2012 at 04:45:56PM +0200, Jan Weiher wrote: Am 12.04.2012 16:32, schrieb Matthew Newton: I'll dig a bit more, but the easy solution is to change the logrotate script to restart, rather than reload/HUP. Yes, that would be a solution for me as well, because when logrotate

Re: kill -HUP sometimes causes rlm_pap: mschap xlat failed

2012-04-12 Thread Jan Weiher
So that seems to indicate it's the HUP that causes the problem. Okay, I thought it might me the config a.k.a me... I think I'm going to modify the logrotate script until this issue is fixed. best, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

adding mschap to an existing ttls/pap setup

2012-04-12 Thread Brian Gold
We currently have an existing freeradius setup using eap-ttls/pap with an openldap backend. Up until now, our userPassword has always been SHA encoded. I've been working to add sambaNTPassword hashes so that we can use either eap-ttls/mschap or peap/mschap. I've got the nt hashes set, but I'm

Re: adding mschap to an existing ttls/pap setup

2012-04-12 Thread Jan Weiher
On 12.04.2012 17:49, Brian Gold wrote: We currently have an existing freeradius setup using eap-ttls/pap with an openldap backend. Up until now, our userPassword has always been SHA encoded. I've been working to add sambaNTPassword hashes so that we can use either eap-ttls/mschap or peap

Re: adding mschap to an existing ttls/pap setup

2012-04-12 Thread Alan DeKok
Brian Gold wrote: We currently have an existing freeradius setup using eap-ttls/pap with an openldap backend. Up until now, our userPassword has always been SHA encoded. I've been working to add sambaNTPassword hashes so that we can use either eap-ttls/mschap or peap/mschap. I've got the nt

RE: adding mschap to an existing ttls/pap setup

2012-04-12 Thread Brian Gold
Hi, I think I had a similar problem and fixed it by setting set_auth_type = no in modules/ldap. But I'm not sure if this is the only thing I changed... all the best, Jan I have the same behavior after making this change unfortunately. - List info/subscribe/unsubscribe? See

RE: adding mschap to an existing ttls/pap setup

2012-04-12 Thread Brian Gold
: adding mschap to an existing ttls/pap setup Brian Gold wrote: We currently have an existing freeradius setup using eap-ttls/pap with an openldap backend. Up until now, our userPassword has always been SHA encoded. I've been working to add sambaNTPassword hashes so that we can use either

Re: Minor typo in master/raddb/mods-available/mschap

2012-04-08 Thread Alan DeKok
James J J Hooper wrote: --- mschap-orig2012-04-08 00:39:44.0 +0100 +++ mschap-new2012-04-08 00:41:06.0 +0100 @@ -78,3 +78,3 @@ #ntlm_auth_username = username: %{mschap:User-Name} -#ntlm_auth_domain = username: %{mschap:NT-Domain

Minor typo in master/raddb/mods-available/mschap

2012-04-07 Thread James J J Hooper
--- mschap-orig 2012-04-08 00:39:44.0 +0100 +++ mschap-new 2012-04-08 00:41:06.0 +0100 @@ -78,3 +78,3 @@ # ntlm_auth_username = username: %{mschap:User-Name} -# ntlm_auth_domain = username: %{mschap:NT-Domain} +# ntlm_auth_domain = nt

MSCHAP Auth fails

2012-04-04 Thread Weber, Felix
to users: DEFAULT Auth-Type = mschap This is the output from radtest: radtest -t mschap User001 USERPW localhost 0 s3cr3t Sending Access-Request of id 61 to 127.0.0.1 port 1812 User-Name = User001 NAS-IP-Address = 172.16.28.168 NAS-Port = 0 Message-Authenticator

RE: MSCHAP Auth fails

2012-04-04 Thread Andres Septer
# Executing group from file /etc/raddb/sites-enabled/packetfence +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap]expand: %{Stripped-User-Name} - [mschap]... expanding second conditional [mschap]expand: %{mschap:User-Name:-None

AW: MSCHAP Auth fails

2012-04-04 Thread Weber, Felix
Tested both at radtest USER@DOMAIN and DOMAIN\\USER, nothing worked. Configured krb5.conf and smb.conf with domain and local ntlm_auth works fine on the machine. And in mschap module this line has been added: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None

AW: MSCHAP Auth fails

2012-04-04 Thread Weber, Felix
Just looked at this line in my config there is a --ntresponse instead of #ntresponse [mschap]expand: #ntresponse=%{mschap:NT-Response:-00} - #ntresponse=f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5 Exec-Program output: Logon failure (0xc06d) Exec-Program-Wait: plaintext: Logon

Re: AW: MSCHAP Auth fails

2012-04-04 Thread Alan DeKok
Weber, Felix wrote: Just looked at this line in my config there is a --ntresponse instead of #ntresponse That's bad. In my mschap module the ntresponse parameter is written with --, so why is radtest interpreting it with an # ?? Because it's written with a '#' in the mschap module

AW: AW: MSCHAP Auth fails

2012-04-04 Thread Weber, Felix
Alan DeKok Sent: Wednesday, 4 April 2012 18:43 To: FreeRadius users mailing list Subject: Re: AW: MSCHAP Auth fails Go back and ensure that there is only ONE mschap module in the modules directory. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[Home server Radius in always accept mode with mschap]

2012-03-29 Thread Thomas Fagart
successfully been able to send Access Accept for any Access Request by configuring the following : authorize { preprocess auth_log chap mschap unix files if (!ok) { reject } else

Re: [Home server Radius in always accept mode with mschap]

2012-03-29 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:22 AM, Thomas Fagart tfag...@brozs.net wrote: As I was not very familiar with MS-CHAP, I've googled a little and it seems to me that my goal (ie ms chapv2 welcome server without having user/passwd of users) is not reachable as the home server MUST have users/passwd to
