Hello Alan,

AD>   It's still base64 encoded.  I have no clue why some mail programs
AD> think that base64 encoding text is a good idea.

Fortunately it didn't prevent you from reading my mail. Hope this time
it will be plain text.

AD>   That says to me that you have both User-Password and NT-Password for
AD> the user in your SQL database, and that the NT-Password is wrong.

AD>   Delete the NT-Password from the SQL database.  The MS-CHAP module
AD> can use a clear-text password to do its authentication.  It will
AD> work.

It is not actually true. My radcheck table has only one line, namely:

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  1 | anton    | User-Password | == | anton |
+----+----------+---------------+----+-------+
1 row in set (0.00 sec)

To make things clear, here is the content of the radreply table:

mysql> select * from radreply;
+----+----------+-------------------+----+-------------+
| id | UserName | Attribute         | op | Value       |
+----+----------+-------------------+----+-------------+
|  1 | anton    | Framed-IP-Address | := | 172.16.1.10 |
+----+----------+-------------------+----+-------------+
1 row in set (0.00 sec)


Recently I checked another suggestion, which says that "in some cases
WinXP appends \ symbols to login name, which breaks the
authentication". This idea was inspired by the patch from the recent
FreeBSD stable ports collection against freeradius rlm_mschap.c:

--- src/modules/rlm_mschap/rlm_mschap.c.orig    Tue Apr  8 11:53:05 2003
+++ src/modules/rlm_mschap/rlm_mschap.c Tue Apr  8 11:53:32 2003
@@ -260,10 +260,15 @@
        SHA1_CTX Context;
        char hash[20];

+       const char *name;
+
+       name = strchr(user_name, '\\');
+       name = name == NULL ? user_name : name + 1;
+
        SHA1Init(&Context);
        SHA1Update(&Context, peer_challenge, 16);
        SHA1Update(&Context, auth_challenge, 16);
-       SHA1Update(&Context, user_name, strlen(user_name));
+       SHA1Update(&Context, name, strlen(name));
        SHA1Final(hash, &Context);
        memcpy(challenge, hash, 8);
 }
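
Review bot: strchr() in the added `name = strchr(user_name, '\\');` line matches the first backslash, and when that backslash is the last character of user_name, `name + 1` points at the empty string, so the challenge is hashed over a zero-length name with no diagnostic. A comment saying that the part up to the backslash is deliberately left out of the hash, plus a debug message when stripping happens or leaves an empty name, would make the behaviour visible in the server's debug output.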

But it was a void try, since debugging shows that user_name has the correct
value:

modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 0
  rlm_mschap: doing MS-CHAPv2 with NT-Password
user_name=anton               <------------------------- DEBUG2("user_name=%s", user_name);
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.

I have no other ideas how to fix it. Any suggestions?

Best regards,
Anton
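
The hash computed in the quoted patch, as an added example that is not part of the original message or of FreeRADIUS: a Python re-expression (the module itself is C) showing which forms of the login name still produce the challenge the server expects, before and after stripping at the first backslash. The challenge bytes, the WORKGROUP prefix and the function names are constructed for illustration.

```python
import hashlib

# Constructed 16-octet challenges; real ones are random per session.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def strip_domain(user_name: str) -> str:
    """Same rule as the patch: keep what follows the first backslash, if any."""
    _, sep, rest = user_name.partition("\\")
    return rest if sep else user_name


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """First 8 octets of SHA1(peer || auth || user_name), as in the patched function."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("both challenges must be 16 octets")
    ctx = hashlib.sha1()
    ctx.update(peer)
    ctx.update(auth)
    ctx.update(user_name.encode("utf-8"))
    return ctx.digest()[:8]


def diagnose(received_names, account="anton"):
    """For each name as received, report (matches as-is, matches after stripping).

    Assumes the peer hashed the bare account name.
    """
    expected = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, account)
    report = {}
    for name in received_names:
        raw = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)
        stripped = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_domain(name))
        report[name] = (raw == expected, stripped == expected)
    return report


if __name__ == "__main__":
    # Bare name, prefixed name, and a name with a trailing backslash.
    for name, result in diagnose(["anton", "WORKGROUP\\anton", "anton\\"]).items():
        print(f"{name!r:22} as-is={result[0]} stripped={result[1]}")
```

A name that already arrives bare, as in the debug output above, hashes identically with or without the patch, so the stripping cannot be what makes the response check fail there.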

