Hi, when using MS-CHAP, an incoming authentication request is successfully answered. When using MS-CHAPv2 in the client configuration instead, the call is rejected because mschap doesn't recognize it as MS-CHAP during authenticate. radiusd output is: "No MS-CHAP related attributes in request" - followed by the rejection of the request.

The first difference I saw was that in case of using MS-CHAPv2 there is no incoming attribute like "MS-CHAP-Challenge" and an attribute "MS-CHAP2-Response" instead of "MS-CHAP-Response". If the missing "MS-CHAP-Challenge" is the reason for that behavior - which I guess because of the corresponding comment in the authorize{} section of radiusd.conf - what can I do to make it work?

1. my configuration:
====================

The installed version of radiusd is freeradius-snapshot-20020909.

Dial-in client: W2k
NAS: Bintec Brick XL/2

radiusd.conf:
-------------

modules {
    ...
    mschap {
        Auth-Type = MS-CHAP
        use_mppe = no
    }
    ...
    ldap {
        server = "ebdcbn02.dpeb.de"
        identity = "\#\#ldap\@dpeb.de"
        password = xxxx
        basedn = "dc=DPEB,dc=DE"
        filter = "(&(objectclass=person)(sAMAccountName=%{User-Name}))"
        start_tls = no
        # access_attr = "msNPAllowDialin"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #password_header = "{clear}"
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
    }
}

authorize {
    files
    ldap
    mschap
}

authenticate {
    authtype LDAP {
        ldap
    }
    mschap
}

users file: (it's reproducible with any other user)
-----------

...
DEFAULT Service-Type == Framed-User
        Idle-Timeout = 300,
        Port-Limit = 2,
        BinTec-biboPPPTable += "biboPPPDNSNegotiation=enabled",
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Fall-Through = Yes

"##ldap" Service-Type == Framed-User, Auth-Type += MS-CHAP
        BinTec-biboPPPTable += "biboPPPIpPoolId=3",
        Fall-Through = No

DEFAULT Service-Type == Framed-User, Auth-Type := Reject
...

2. radiusd -X -A output:
========================

>>>>>>>>>>>>>>
...
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 213.68.141.34:1024, id=185, length=129
        NAS-Identifier = "pmxbn01"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "##ldap"
        Called-Station-Id = "36903690"
        NAS-Port = 0
        NAS-Port-Type = ISDN
        MS-CHAP2-Response = 0x0100ec160924d8dee377e77c388cb0e669840000000000000000a753a221ab3fa0a0d10b6342e22bab1064e6df1c5d11376e
modcall: entering group authorize
  users: Matched DEFAULT at 147
  users: Matched DEFAULT at 159
  users: Matched ##ldap at 189
modcall[authorize]: module "files" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ##ldap
radius_xlat:  '(&(objectclass=person)(sAMAccountName=##ldap))'
radius_xlat:  'dc=DPEB,dc=DE'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=DPEB,dc=DE, with filter (&(objectclass=person)(sAMAccountName=##ldap))
rlm_ldap: Added password 689D3F1884E0423F468C01987A58C3EB in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 689D3F1884E0423F468C01987A58C3EB & op=11
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 689D3F1884E0423F468C01987A58C3EB & op=11
rlm_ldap: user ##ldap authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
No MS-CHAP related attributes in request
modcall[authenticate]: module "mschap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect: [##ldap] (from client pmxbn01 port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
...
<<<<<<<<<<<<<<<<<

When using MS-CHAP instead (on w2k-client), I get this result:

>>>>>>>>>>>>>>>>
...
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 213.68.141.34:1024, id=186, length=145
        NAS-Identifier = "pmxbn01"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "##ldap"
        Called-Station-Id = "36903690"
        NAS-Port = 0
        NAS-Port-Type = ISDN
        MS-CHAP-Response = 0x01010ef6eeb0ff66f08516424106209f957a1af2cc00560702509b9d634251b10b16d4cdb39521f24388b18914bf73549811
        MS-CHAP-Challenge = 0x6d173708a662ec90
modcall: entering group authorize
...
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
  rlm_mschap: doing MS-CHAPv1 with NT-Password
modcall[authenticate]: module "mschap" returns ok
modcall: group authenticate returns ok
Login OK: [##ldap] (from client pmxbn01 port 0)
Sending Access-Accept of id 186 to 213.68.141.34:1024
        Idle-Timeout = 300
        Port-Limit = 2
        BinTec-biboPPPTable = "biboPPPDNSNegotiation=enabled"
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        BinTec-biboPPPTable = "biboPPPIpPoolId=3"
Finished request 2
Going to the next request
...
<<<<<<<<<<<<<<<<<<

Regards,
Martin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html