Hello Alan,

AD> It's still base64 encoded. I have no clue why some mail programs
AD> think that base64 encoding text is a good idea.

Fortunately it didn't prevent you from reading my mail. Hope this time it will be plain text.

AD> That says to me that you have both User-Password and NT-Password for
AD> the user in your SQL database, and that the NT-Password is wrong.
AD> Delete the NT-Password from the SQL database. The MS-CHAP module
AD> can use a clear-text password to do its authentication. It will
AD> work.

It is not actually true. My radcheck table has only one line, namely:

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  1 | anton    | User-Password | == | anton |
+----+----------+---------------+----+-------+
1 row in set (0.00 sec)

To make things clear, here is the content of the radreply table:

mysql> select * from radreply;
+----+----------+-------------------+----+-------------+
| id | UserName | Attribute         | op | Value       |
+----+----------+-------------------+----+-------------+
|  1 | anton    | Framed-IP-Address | := | 172.16.1.10 |
+----+----------+-------------------+----+-------------+
1 row in set (0.00 sec)

Recently I checked another suggestion, which says that "in some cases WinXP appends \ symbols to login name, which breaks the authentication". This idea was inspired by the patch from the recent FreeBSD stable ports collection against freeradius rlm_mschap.c:

--- src/modules/rlm_mschap/rlm_mschap.c.orig Tue Apr 8 11:53:05 2003 +++ src/modules/rlm_mschap/rlm_mschap.c Tue Apr 8 11:53:32 2003 
@@ -260,10 +260,15 @@ SHA1_CTX Context; char hash[20]; + const char *name; + + name = strchr(user_name, '\\'); + name = name == NULL ? user_name : name + 1; + SHA1Init(&Context); SHA1Update(&Context, peer_challenge, 16); SHA1Update(&Context, auth_challenge, 16); - SHA1Update(&Context, user_name, strlen(user_name)); + SHA1Update(&Context, name, strlen(name)); SHA1Final(hash, &Context); memcpy(challenge, hash, 8); }

But it was a void try, since debugging shows that user_name has the correct value:

modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 0
rlm_mschap: doing MS-CHAPv2 with NT-Password
user_name=anton <------------------------- DEBUG2("user_name=%s", user_name);
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.

I have no other ideas how to fix it. Any suggestions?

Best regards,
Anton

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
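
Review bot: the added lines `name = strchr(user_name, '\\');` and `name = name == NULL ? user_name : name + 1;` in the rlm_mschap.c hunk carry no comment saying why everything up to the backslash is dropped before the `SHA1Update(&Context, name, strlen(name));` call, so the reason the challenge hash uses a different name than the one passed in is not visible to the next reader; a one-line comment above the assignment would cover it. Two edge cases are also unhandled there: strchr stops at the first backslash, so a user_name containing more than one keeps the later ones in the hashed value, and a user_name that ends in a backslash leaves name pointing at an empty string, which is then hashed with strlen(name) equal to 0. Consider stating which backslash is meant (strrchr if the last one) and falling back to user_name or failing when the stripped name is empty.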