Re: pptpd mschap auth fails

2013-08-06 Thread Phil Mayers

On 06/08/13 16:04, Horatiu Nimigean wrote:

> i have pptpd on a centos 6 box configured to use radius for auth.
> radius in turn checks credentials in ldap.
> the user in ldap has a samba extension and a configured password (i used
> ldap account manager to set it up) it also has a sambaNTPassword field
> and it's populated.
> rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64
>
> the auth fails however when i try connecting from my windows8 client.
> i need to mention that i am sure i'm inputting correct passwords.

If you are *really* sure of this (have you created a test user with a
simple password?), then it might be the PAP module helpfully fiddling
with the password:

[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding


Try commenting out pap, since you're not using it
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pptpd mschap auth fails

2013-08-06 Thread Alan DeKok
Horatiu Nimigean wrote:
> the auth fails however when i try connecting from my windows8 client.
> i need to mention that i am sure i'm inputting correct passwords.

  No, you're not.

 [mschap] Found NT-Password
 [mschap] Creating challenge hash with username: testuser1
 [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password
 [mschap] FAILED: MS-CHAP2-Response is incorrect

  The passwords are different.

  Alan DeKok.


Re: pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean

ok so i edited /etc/raddb/sites-enabled/default
and commented pap from authorize { ... }
and commented

    Auth-Type PAP {
        pap
    }

from authenticate { ... }
but i still have the same error.

i have also created a new user betatesting1
i have also tested in the local shell (although it attempts mschapv1) 
and it gives me the same error


   [root@be-vpn ~]# radtest -t mschap betatesting1 secret 127.0.0.1 1812 myubersecretpassword
   Sending Access-Request of id 13 to 127.0.0.1 port 1812
           User-Name = betatesting1
           NAS-IP-Address = 127.0.0.1
           NAS-Port = 1812
           Message-Authenticator = 0x
           MS-CHAP-Challenge = 0xdca09b5922346674
           MS-CHAP-Response = 0x000148cc2307c5dcb95d9cdc59f621d5d7e4b17c391d8ab5b4f4
   rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=13, length=112
           MS-CHAP-Error = \000E=691 R=1 C=f20ec16aa685d6a06f1ed900857d9c0e V=3 M=Re-enter (or reset) the password


On 8/6/2013 6:31 PM, Phil Mayers wrote:

> On 06/08/13 16:04, Horatiu Nimigean wrote:
>
> > i have pptpd on a centos 6 box configured to use radius for auth.
> > radius in turn checks credentials in ldap.
> > the user in ldap has a samba extension and a configured password (i used
> > ldap account manager to set it up) it also has a sambaNTPassword field
> > and it's populated.
> > rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64
> >
> > the auth fails however when i try connecting from my windows8 client.
> > i need to mention that i am sure i'm inputting correct passwords.
>
> If you are *really* sure of this (have you created a test user with a
> simple password?), then it might be the PAP module helpfully
> fiddling with the password:
>
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing SSHA1-Password from base64 encoding
>
> Try commenting out pap, since you're not using it

Re: pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean

oook the damn password is letmein for testing purposes.
i can't seriously mistype it that many times.

and i did not. it turns out lam successfully reports changing both unix 
and samba passwords but upon closer inspection and verifying with 
smbencrypt cli tool the samba hashes are NOT updated.


Apologies.
upon editing with apache directory studio it auths perfectly. both from 
win8 client as well as radtest.
thanks for strongly pointing out that indeed there's a problem with the 
damn hashes.


Cheers.

On 8/6/2013 6:36 PM, Alan DeKok wrote:

> Horatiu Nimigean wrote:
>
> > the auth fails however when i try connecting from my windows8 client.
> > i need to mention that i am sure i'm inputting correct passwords.
>
>    No, you're not.
>
>  [mschap] Found NT-Password
>  [mschap] Creating challenge hash with username: testuser1
>  [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password
>  [mschap] FAILED: MS-CHAP2-Response is incorrect
>
>    The passwords are different.
>
>    Alan DeKok.